Title :
SCAP based configuration analytics for comprehensive compliance checking
Author :
Alsaleh, Mohammed Noraden ; Al-Shaer, Ehab
Author_Institution :
Dept. of Software & Inf. Syst., Univ. of North Carolina at Charlotte, Charlotte, NC, USA
Date :
Oct. 31 2011-Nov. 1 2011
Abstract :
Computing systems today have a large number of security configuration settings that are designed to offer flexible and robust services. However, incorrect configuration increases the potential for vulnerabilities and attacks. The Security Content Automation Protocol provides a unified means to automate the process of checking desktop system compliance using standard interfaces. However, misconfiguration can be identified only if global checking that includes network and desktop configuration is performed, as many of these configurations are highly interdependent. In this work we present a SCAP-based tool that integrates host and network configuration compliance checking in one model and allows for executing comprehensive analysis queries in order to verify security and risk requirements across the end-to-end network as a single system. Our proposed tool translates XCCDF reports generated from SCAP tools into logical objects that can be further composed to create global logical analysis using more advanced security analytic tools such as ConfigChecker and PROLOG-based tools. This project also shows the value of building on the effort of standard tools to improve the state of the art.
Keywords :
computer network security; configuration management; conformance testing; cryptographic protocols; formal verification; query processing; software tools; ConfigChecker tools; PROLOG-based tools; SCAP tools; XCCDF reports; comprehensive analysis query; desktop configuration; desktop system compliance; global checking; global logical analysis; host configuration compliance checking; network configuration compliance checking; security analytic tools; security configuration; security content automation protocol; vulnerability; Analytical models; Benchmark testing; Engines; Indexes; Measurement; Security; Software
Conference_Title :
Configuration Analytics and Automation (SAFECONFIG), 2011 4th Symposium on
Conference_Location :
Arlington, VA
Print_ISBN :
978-1-4673-0401-6
Electronic_ISBN :
978-1-4673-0400-9
DOI :
10.1109/SafeConfig.2011.6111674