This appendix provides information about how the SCAP standards are implemented for an Unauthenticated Scanner:
During scans,
Within the database, CPE names are continually kept up to date with changes to the National Institute of Standards and Technology (NIST) CPE dictionary. With every revision to the dictionary, the application maps newly available CPE names to application descriptions that previously did not have CPE names.
The Security Console Web interface displays CPE names in scan data tables. You can view these names in listings of assets, software, and operating systems, as well as on pages for specific assets. CPE names also appear in reports in the XML Export format.
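The following Python script is an added illustration of the two CPE behaviours described above, not code from the product or its vendor: it splits a CPE 2.3 formatted string into the vendor, product and version components that a scan data table would show, and it applies a revised copy of the CPE dictionary so that discovered software descriptions which previously had no CPE name receive one. The dictionary entries, the software descriptions and the title-matching rule are constructed for this example and are assumptions, not the application's actual matching logic.

```python
"""Illustrative CPE handling (added example, not the product's own code).

Two behaviours are modelled:
  1. parse_cpe23()            - break a CPE 2.3 formatted string into parts
                                 for display in an asset or software listing.
  2. apply_dictionary_revision() - map descriptions that still lack a CPE
                                 name to entries that a new dictionary
                                 revision has made available.
The dictionary content, descriptions and the matching rule (normalised
title equality) are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CPE23_PREFIX = "cpe:2.3:"


@dataclass
class CpeName:
    """Components of a CPE 2.3 formatted string, in specification order."""
    part: str          # a = application, o = operating system, h = hardware
    vendor: str
    product: str
    version: str
    update: str = "*"
    edition: str = "*"
    language: str = "*"
    extra: Tuple[str, ...] = ()   # sw_edition, target_sw, target_hw, other


def parse_cpe23(name: str) -> CpeName:
    """Split 'cpe:2.3:part:vendor:product:version:...' into its 11 components.

    A colon inside a value is escaped as '\\:' in the formatted-string
    binding, so only unescaped colons separate components.
    """
    if not name.startswith(CPE23_PREFIX):
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    fields = re.split(r"(?<!\\):", name[len(CPE23_PREFIX):])
    if len(fields) != 11:
        raise ValueError(f"expected 11 components, got {len(fields)}: {name!r}")
    return CpeName(part=fields[0], vendor=fields[1], product=fields[2],
                   version=fields[3], update=fields[4], edition=fields[5],
                   language=fields[6], extra=tuple(fields[7:]))


def listing_label(name: str) -> str:
    """The short 'vendor product version' label a scan table would show."""
    cpe = parse_cpe23(name)
    return f"{cpe.vendor} {cpe.product} {cpe.version}"


@dataclass
class DiscoveredSoftware:
    """One software entry found during a scan; cpe is None until mapped."""
    description: str
    cpe: Optional[str] = None


def _normalise(text: str) -> str:
    """Lower-case and collapse punctuation so titles compare loosely."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def apply_dictionary_revision(inventory: List[DiscoveredSoftware],
                              dictionary: Dict[str, str]) -> List[str]:
    """Assign CPE names from a dictionary revision ({cpe_name: title}).

    Only entries that still lack a CPE name are considered, so an earlier
    mapping is never overwritten by a later revision.  Returns the
    descriptions that became mapped in this pass.
    """
    by_title = {_normalise(title): cpe for cpe, title in dictionary.items()}
    newly_mapped = []
    for item in inventory:
        if item.cpe is not None:
            continue
        match = by_title.get(_normalise(item.description))
        if match is not None:
            item.cpe = match
            newly_mapped.append(item.description)
    return newly_mapped


if __name__ == "__main__":
    # Constructed sample: one description already in the dictionary, one not yet.
    inventory = [DiscoveredSoftware("Apache HTTP Server 2.4.57"),
                 DiscoveredSoftware("Example Widget 1.0")]
    revision_1 = {"cpe:2.3:a:apache:http_server:2.4.57:*:*:*:*:*:*:*":
                  "Apache HTTP Server 2.4.57"}
    print("mapped in revision 1:", apply_dictionary_revision(inventory, revision_1))
    revision_2 = {"cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*": "Example Widget 1.0"}
    print("mapped in revision 2:", apply_dictionary_revision(inventory, revision_2))
    for item in inventory:
        print(item.description, "->", item.cpe and listing_label(item.cpe))
```

The split on unescaped colons matters in practice: a version or target_hw value containing an escaped colon would otherwise be cut into two components and the name rejected as malformed.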
When
You can view CVE identifiers on vulnerability detail pages in the Security Console Web interface. Each listed identifier is a hypertext link to the CVE online database at nvd.nist.gov, where you can find additional relevant information and links.
You can search for vulnerabilities in the application interface by using CVE identifiers as search criteria.
CVE identifiers also appear in the Discovered Vulnerabilities sections of reports.
The application uses the most up-to-date CVE listing from the CVE mailing list and changelog. Since the application always uses the most up-to-date CVE listing, it does not have to list CVE version numbers. The application updates its vulnerability definitions every six hours through a subscription service that maintains existing definitions and links and adds new ones continuously.
For every vulnerability that it discovers,
The application incorporates the CVSS score in the PCI Executive Summary and PCI Vulnerability Details reports, which provide detailed Payment Card Industry (PCI) compliance results. Each discovered vulnerability is ranked according to its CVSS score.
The application also includes the CVSS score in report sections that appear in various report templates. The Highest Risk Vulnerability Details section lists highest risk vulnerabilities and includes their categories, risk scores, and their CVSS scores. The Index of Vulnerabilities section includes the severity level and CVSS rating for each vulnerability.
The PCI Vulnerability Details section contains in-depth information about each vulnerability included in a PCI Audit (legacy) report. It quantifies the vulnerability according to its severity level and its CVSS rating.
Every listed policy is a hyperlink to a page about that policy, which includes a table of its constituent rules. Each listed rule is a hyperlink to a page about that rule. The rule page includes detailed technical information about the rule and lists its CCE identifier.
CCE entries can be found via the search feature. See Using the Search feature in the user’s guide.
Four tables appear on the SCAP page:
Each table lists the most recent content update that included new SCAP data and the most recent date that NIST generated new data.
On the SCAP page you also can view a list of Open Vulnerability and Assessment Language (OVAL) files that the application has imported during configuration policy checks. In compliance with an FDCC requirement, each listed file name is a hyperlink that you can click to download the XML-structured check content.
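As an added example, not code from the product or its vendor, the following Python script reads an OVAL definitions document of the kind the SCAP page links to and lists each definition's identifier, class, version and title, so that a reviewer can see what a downloaded file checks before relying on it. The OVAL definitions namespace and the five definition classes are from the OVAL 5 schema; the sample document itself is constructed for this example.

```python
"""Inventory of an OVAL definitions file (added example, not the product's code).

Lists every <definition> in an OVAL 5 definitions document and flags any
whose class attribute is not one of the classes the schema defines, which
is a cheap sanity check on downloaded check content.
The sample XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"oval-def": OVAL_DEF_NS}

# Definition classes permitted by the OVAL 5 definitions schema.
KNOWN_CLASSES = {"compliance", "inventory", "miscellaneous", "patch", "vulnerability"}

# Constructed sample document: two definitions, one compliance rule and one
# inventory check, each referencing a test by id.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example.org:def:1" version="1" class="compliance">
      <metadata>
        <title>Minimum password length is at least 14 characters</title>
        <description>Constructed sample rule.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:example.org:tst:1" comment="minlen >= 14"/>
      </criteria>
    </definition>
    <definition id="oval:example.org:def:2" version="3" class="inventory">
      <metadata>
        <title>Example OS 1.0 is installed</title>
      </metadata>
      <criteria>
        <criterion test_ref="oval:example.org:tst:2" comment="release file present"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""


def list_definitions(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per <definition>: id, class, version, title."""
    root = ET.fromstring(xml_text)
    records = []
    for node in root.findall("oval-def:definitions/oval-def:definition", NS):
        title = node.findtext("oval-def:metadata/oval-def:title",
                              default="", namespaces=NS)
        records.append({
            "id": node.get("id", ""),
            "class": node.get("class", ""),
            "version": node.get("version", ""),
            "title": title.strip(),
        })
    return records


def unknown_classes(records: List[Dict[str, str]]) -> List[str]:
    """Ids of definitions whose class is not one the OVAL schema defines."""
    return [r["id"] for r in records if r["class"] not in KNOWN_CLASSES]


if __name__ == "__main__":
    for rec in list_definitions(SAMPLE_OVAL):
        print(f"{rec['id']:28} v{rec['version']:<3} {rec['class']:12} {rec['title']}")
    print("unexpected classes:", unknown_classes(list_definitions(SAMPLE_OVAL)))
```

Because the lookups are namespace-qualified, the script rejects nothing silently: a file whose root is not in the OVAL definitions namespace simply yields an empty list, which is itself a useful signal that the download is not the check content you expected.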