How Checklists Are Distributed
Before DCS scans an Agent computer, ensure that the SCAP checklists are present on that Agent computer. The following process explains how checklists are distributed automatically to the Agent computers and the related actions:
- When DCS is installed on the Domain Manager, the CA Client Automation installer copies the bundled FDCC checklists to the ITCM_installpath\SCAP_Checklists directory on the Domain Manager. If you have custom or updated checklists, manually copy them to a new directory under the SCAP_Checklists directory.
- The DSM Engine runs the Default SCAP Checklist Processing Job, which performs the following tasks:
  - Monitors the SCAP_Checklists directory on the Domain Manager for new or updated checklists.
  - Packages the new or updated checklists in compressed archive files, digitally signs them to prevent data tampering, and saves them under the \Documents and Settings\All Users\Application Data\CA\scap_checklists directory.
  - Updates the MDB with the new and updated checklists.
  - Creates or updates the inventory detection modules for the new or updated checklists, respectively.
- The DSM Engines run the Engine collect task to push the compressed archive files of the new or updated checklists to the Scalability Servers.
- The Agent runs the hardware inventory collect task that is configured to scan the checklists, pulls the required compressed archive files of the new or updated checklists from the Scalability Server, and stores them on the Agent computer.
- The Agent verifies the signature on the compressed archive files. If the Agent is unable to verify the signature, a log entry is added to the TRC_AMAGENT*.log file. If the signature verification failed because the DSM basic host identity certificate changed, redistribute the checklist files.
To distribute the checklist files to Scalability Servers, set the Distribute SCAP checklists to Scalability Servers configuration policy to True. You can find this policy under Configuration Policy, Default Computer Policy, DSM, Manager, Engines in the DSM Explorer tree.
Basic Host Identity Certificate for Signing the Compressed Checklists
The digital signature of the compressed checklist files is created using the DSM basic host identity certificate, also referred to as dsmcommon. The generated signature is sent with the compressed checklist file to the Scalability Server, from where the Asset Management Agent retrieves the checklist files when running a DCS scan. The Agent verifies the signature on the compressed checklist files and, if the verification succeeds, proceeds with the scan.
Redistribute the Checklists When the Certificate Changes
If the basic host identity certificate changes after the checklist has been signed and distributed, the signature verification on the Agent fails and the configured DCS inventory module does not run. To resolve this issue, change the version of the checklist so that it is redistributed, with a newly generated signature, to the Scalability Server and the CA Asset Management Agent computer.
To redistribute the checklists when the certificate changes
- Open the checklist_xccdf.xml file on the Domain Manager and locate the <version> tag.
- Change the version number to enable the redistribution of the checklist. Specify an earlier version number to reduce the chance of a version number conflict when a new checklist is released.
- Save the XCCDF file.
- Open the DSM Explorer and run the Default SCAP Checklist Processing Job so that the modified checklist is compressed and signed. The checklist is now ready for redistribution to the Scalability Server.
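The version change in the procedure above, as an added Python example that is not part of CA Client Automation or of this documentation. It assumes the checklist is a plain XCCDF file whose root <Benchmark> element carries the <version> element, and the file name checklist_xccdf.xml is a placeholder for your own checklist file.

```python
import xml.etree.ElementTree as ET


def set_benchmark_version(xccdf_text, new_version):
    """Return (old_version, updated_xml) after rewriting the Benchmark-level <version>.

    Only the direct child of <Benchmark> is changed. <Rule> elements may carry their own
    <version> and are left alone: that per-rule version is not what drives redistribution.
    """
    root = ET.fromstring(xccdf_text)
    if root.tag.startswith("{"):  # keep the default XCCDF namespace prefix-free on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for child in root:
        if child.tag.rsplit("}", 1)[-1] == "version":
            old_version, child.text = child.text, new_version
            return old_version, ET.tostring(root, encoding="unicode")
    raise ValueError("no <version> element directly under <Benchmark>")


def bump_checklist_file(path, new_version):
    """Rewrite the checklist file in place and return the version it had before."""
    with open(path, encoding="utf-8") as f:
        old_version, updated = set_benchmark_version(f.read(), new_version)
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
    return old_version


# Constructed sample (not a real FDCC checklist): a Benchmark version plus one Rule
# that has its own <version>, to show that only the Benchmark-level value is touched.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <version>1.2.0</version>
  <Rule id="sample-rule"><version>3</version></Rule>
</Benchmark>"""
```

After the file is saved, the Default SCAP Checklist Processing Job in DSM Explorer still has to be run, as described in the last step, to compress and re-sign the checklist.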
How DCS Works
DCS is implemented as a CA Asset Management inventory detection module. You can configure this inventory detection module as part of a hardware inventory collect task. The following process explains how the scanner works and which actions you must perform:
- CA Client Automation automatically creates inventory detection modules for all the checklists that are placed under the ITCM_Installpath\SCAP_Checklists folder.
- Configure one or more hardware inventory collect tasks to schedule the scan and collect the results from the FDCC inventory detection modules. You can create a new collect task or modify an existing one to schedule the scan.
- When the collect task runs on the Agent computer, the scanner starts the scan based on the checklists available on the Agent computer. Each checklist has an SCAP data stream. An SCAP data stream consists of the following files:
  - An eXtensible Configuration Checklist Description Format (XCCDF) file that defines a set of rules
  - One or more Open Vulnerability and Assessment Language (OVAL) files that specify how to verify compliance with the rules that are defined in the XCCDF file
  - (Optional) A Common Platform Enumeration (CPE) dictionary file that specifies how to verify whether the target computer has the required operating environment or applications. For example, if the checklist is for Windows XP, the CPE dictionary file specifies how to verify whether the target computer runs Windows XP.
- The scanner parses the rules in the XCCDF file and invokes an OVAL interpreter to evaluate the OVAL definitions that are referenced in the SCAP data stream.
- The interpreter produces OVAL result files that contain the evaluation result for each OVAL definition.
- The scanner then reads the result files, determines the outcome of the compliance verification for each rule in the checklist, and produces the following files:
  - An XCCDF-compliant test result file in XML format
  - An Asset Management inventory file
  All the result files are stored in a subdirectory under the working directory of the Asset Management Agent.
- The information in the inventory file is stored in the management database (MDB), and the results of the scan are displayed in the DSM Explorer and the Web Console. You can create queries and reports that are based on this inventory information.
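To make the parsing and result steps above concrete, here is an added Python example (not CA Client Automation code) that does in miniature what the scanner does: it reads the OVAL check reference of each XCCDF rule, reads the OVAL results file the interpreter would produce, and derives a pass/fail outcome per rule. The sample XCCDF and OVAL results are constructed for this example; the rule and definition ids are made up.

```python
import xml.etree.ElementTree as ET

# Check system identifier XCCDF uses to say "this rule is verified by an OVAL definition".
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

def _local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 streams are handled the same way."""
    return tag.rsplit("}", 1)[-1]

def oval_references(xccdf_text):
    """Map each Rule id to the (OVAL file href, OVAL definition id) its check references."""
    refs = {}
    for rule in ET.fromstring(xccdf_text).iter():
        if _local(rule.tag) != "Rule":
            continue
        for check in rule:
            if _local(check.tag) == "check" and check.get("system") == OVAL_SYSTEM:
                for ref in check:
                    if _local(ref.tag) == "check-content-ref":
                        refs[rule.get("id")] = (ref.get("href"), ref.get("name"))
    return refs

def oval_results(results_text):
    """Read the interpreter's OVAL results file into {definition_id: 'true' | 'false' | ...}."""
    return {d.get("definition_id"): d.get("result")
            for d in ET.fromstring(results_text).iter()
            if _local(d.tag) == "definition" and d.get("definition_id")}

def rule_outcomes(xccdf_text, results_text):
    """A rule passes only if its referenced definition evaluated true; a missing result is unknown."""
    results = oval_results(results_text)
    verdict = {"true": "pass", "false": "fail"}
    return {rule_id: verdict.get(results.get(def_id), "unknown")
            for rule_id, (_href, def_id) in oval_references(xccdf_text).items()}

# Constructed sample data stream pieces (not a real FDCC checklist); all ids are made up.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Rule id="min-password-length"><check system="%s">
    <check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/></check></Rule>
  <Rule id="screensaver-lock"><check system="%s">
    <check-content-ref href="sample-oval.xml" name="oval:sample:def:2"/></check></Rule>
  <Rule id="no-oval-result"><check system="%s">
    <check-content-ref href="sample-oval.xml" name="oval:sample:def:9"/></check></Rule>
</Benchmark>""" % (OVAL_SYSTEM, OVAL_SYSTEM, OVAL_SYSTEM)
SAMPLE_OVAL_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results><system><definitions>
    <definition definition_id="oval:sample:def:1" version="1" result="true"/>
    <definition definition_id="oval:sample:def:2" version="1" result="false"/>
  </definitions></system></results>
</oval_results>"""
```

Calling rule_outcomes(SAMPLE_XCCDF, SAMPLE_OVAL_RESULTS) yields pass, fail and unknown for the three rules; the third rule shows what happens when a referenced definition has no result.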
Collection of Result Files from the Agent Computer
The scanner stores the XCCDF and OVAL result files on the Agent computer by default. You can configure the FDCC inventory detection modules to collect the result files from the Agent computer to the Scalability Server. When the Engine next runs the collect task, the result files are collected from the Scalability Server and stored on the Domain Manager. Storing the result files on the Domain Manager lets you manage them centrally and retrieve them quickly when required.
The result files are signed with a digital signature to prevent data tampering between the Agent and the Manager. If the Manager is unable to verify the signature, an event is raised and logged in the default event log.