About compliance score calculation for SCAP assets
CCS uses the XCCDF Default scoring model to calculate the weighted compliance score of each profile that is evaluated against an asset. The Default scoring model, as supported in XCCDF 1.0, lets you calculate a weighted compliance score for every benchmark profile. CCS applies the Default scoring model to all SCAP benchmarks, whether or not the benchmark declares a scoring model explicitly. Every rule in a profile carries a weight, and the weights are used to calculate the weighted compliance score. If a rule is not selected, its weight is left out of the profile's compliance score calculation. Assign weights to the rules deliberately, because an incorrect weight distorts the weighted compliance score that the Default scoring model produces.
CCS defines the following attributes to calculate the compliance scores of the rules:
Count
This attribute is set to either 1 or 0 based on the evaluation result value. The value 1 is set for the result values Pass, Fail, Error, Unknown, and Fixed. The value 0 is set for the result values NotApplicable, NotChecked, NotSelected, and Informational. Only rules with a count of 1 contribute their weight to the score calculation.
The evaluation result values of the SCAP benchmark rules and their contribution to the compliance score calculation are as follows:
Pass
This means that the asset has satisfied all the conditions of the rule. A pass result contributes to the weighted score and maximum possible compliance score.
Fail
This means that the asset did not satisfy the conditions of the rule. A fail result contributes to the maximum possible compliance score but adds nothing to the weighted score that the asset achieves.
Error
This means that CCS has encountered a system error and is not able to complete the evaluation. Hence, the status of the asset's compliance with the rule is uncertain. For example, if CCS runs with insufficient privileges on the asset, then an error can occur. An error result is counted like a fail: it contributes to the maximum possible compliance score but not to the achieved score.
Unknown
This means that CCS has encountered some problem and the result is unknown. For example, CCS was unable to interpret the output of the evaluation. An unknown result is counted like a fail: it contributes to the maximum possible compliance score but not to the achieved score.
Not Applicable
This means that the rule is not applicable for the asset that is evaluated. For example, if a rule is specific to an operating system version to which the asset does not belong, then the evaluation result is not applicable. Such kind of evaluation result values do not contribute to the compliance score.
Not Checked
This means that the rule is not evaluated by CCS. This result value is designed for rules whose role is unchecked and for rules that have no check. Such evaluation result values do not contribute to the benchmark compliance score.
Not Selected
This means that the rule is not selected in the benchmark. Such type of evaluation result values do not contribute to the benchmark compliance score.
Informational
This means that the rule's result is information that an auditor or administrator uses rather than a pass or fail verdict. This result is the default value for rules whose role is unscored, and it is designed for rules that only extract information from the asset. Such evaluation result values do not contribute to the benchmark compliance score.
Fixed
This means that the rule had failed but was then fixed. Such evaluation result values contribute to the compliance score in the same way as the result value Pass.
Score
This attribute is set to 100 or 0 based on the evaluation result value. Of the result values whose count is 1, Pass and Fixed are given a score of 100, and Fail, Error, and Unknown are given a score of 0. No score is set for the result values whose count is 0.
Accumulator
This attribute value is the sum of the weights of the rules or groups whose count is 1. It is the denominator that normalizes the weighted scores of a group or profile; rules and groups with a count of 0 add nothing to it.
CCS calculates the compliance score for the rules based on the weights that you assign to the rules. CCS also lets you compute the scores for the group to which the rule belongs.
The formulas that CCS uses to calculate the compliance score of a rule and of a group against which an asset is evaluated are as follows:
Rule
compliance score of a rule = (score of a rule) * (weight of the rule)
Group
Normalized score of a group = (sum of the compliance scores of the rules or groups under the group) / (sum of the weights of the rules or groups under the group), where only rules and groups whose count is 1 are included in both sums
Compliance score of a group = (Normalized score)* (Weight of the group)
Note: Even when no evaluation data is available for an asset, CCS still assigns that asset a compliance score of zero and includes it in the profile's calculation. This is so that the user is informed of the probable risk that the unavailable asset represents.
The formula that CCS uses to calculate the weighted compliance score of a profile is as follows:
Weighted compliance score of a profile for a single asset
Weighted compliance score of a profile = (sum of the compliance scores of the rules) / (sum of the weights of the rules), where only rules whose count is 1 are included in both sums
Weighted compliance score of a profile for multiple assets
Weighted compliance score of the profile = (sum total of the compliance scores of the profiles evaluated against every asset) / (total number of assets)
Weighted compliance score of a profile using weights of the group in which the rule exists
Weighted compliance score of the profile = (sum of the compliance scores of the rules or groups directly under the profile) / (sum of the weights of the rules or groups directly under the profile). A group's compliance score is its normalized score multiplied by its weight, so a rule's influence on the profile score depends on the weight of the group that contains it, not only on its own weight.
Note: If no weight attribute is set for a rule or group, then the weight is taken as 1. No weight is assigned to a profile.
For example, suppose you evaluate the profile P1 against the assets A1, A2, and A3 and obtain the compliance scores (CS) of P1 for each asset. The weighted compliance score of P1 across the three assets is as follows:
(CS(P1A1) + CS(P1A2) + CS(P1A3)) / 3
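The rule, group, profile, and multi-asset formulas above can be carried through on a small benchmark tree. The following is an added worked example, not CCS code or the XCCDF reference implementation; the rule identifiers, weights, and per-asset result values are constructed sample data, and the choice to treat a rule that is missing from an asset's results as NotChecked is an assumption of this example.

```python
"""Worked example of the XCCDF Default scoring model as described above.
Added illustration only: not CCS code. The benchmark tree, weights and
per-asset results below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Result values with count = 1. Every other value (notapplicable, notchecked,
# notselected, informational) has count = 0 and drops out of the score.
COUNTED = {"pass", "fail", "error", "unknown", "fixed"}
# Counted results that score 100; fail, error and unknown score 0.
SCORED_100 = {"pass", "fixed"}


@dataclass
class Rule:
    id: str
    weight: float = 1.0   # an absent weight attribute means weight 1


@dataclass
class Group:
    id: str
    children: List[Union["Rule", "Group"]]
    weight: float = 1.0   # an absent weight attribute means weight 1


Item = Union[Rule, Group]
Results = Dict[str, str]   # rule id -> evaluation result value for one asset


def rule_score(rule: Rule, results: Results) -> Tuple[float, int]:
    """Score (0 or 100) and count (0 or 1) of one rule for one asset.
    Assumption of this example: a rule absent from the results is notchecked."""
    result = results.get(rule.id, "notchecked")
    if result not in COUNTED:
        return 0.0, 0
    return (100.0 if result in SCORED_100 else 0.0), 1


def item_score(item: Item, results: Results) -> Tuple[float, int]:
    """Normalized score (0-100) and count of a rule or group.
    Group score = sum(child score * child weight) / sum(child weight),
    taken over counted children only."""
    if isinstance(item, Rule):
        return rule_score(item, results)
    weighted_scores = 0.0   # sum of (score * weight) of counted children
    accumulator = 0.0       # sum of weights of counted children
    for child in item.children:
        score, count = item_score(child, results)
        if count == 0:
            continue        # not selected / not applicable: no weight either
        weighted_scores += score * child.weight
        accumulator += child.weight
    if accumulator == 0:
        return 0.0, 0       # nothing counted below: the group is not counted
    return weighted_scores / accumulator, 1


def profile_score(items: List[Item], results: Optional[Results]) -> float:
    """Weighted compliance score of a profile for one asset. The items under
    the profile are normalized like a group (a profile has no weight).
    An asset with no data (results is None) scores 0, as the note above says."""
    if results is None:
        return 0.0
    score, _count = item_score(Group("profile", items), results)
    return score


def profile_score_assets(items: List[Item], per_asset: List[Optional[Results]]) -> float:
    """Weighted compliance score of a profile over several assets:
    the mean of the per-asset profile scores."""
    return sum(profile_score(items, r) for r in per_asset) / len(per_asset)


# --- constructed sample benchmark and results (not real CCS data) ---
R1, R2, R3, R4, R5 = Rule("r1", 2), Rule("r2", 2), Rule("r3", 10), Rule("r4"), Rule("r5")
FLAT = [R1, R2, R3, R4, R5]                              # all rules directly under the profile
GROUPED = [Group("g1", [R1, R2, R5], weight=3), R3, R4]  # r1, r2, r5 inside group g1

A1 = {"r1": "pass", "r2": "fail", "r3": "notapplicable", "r4": "fixed", "r5": "error"}
A2 = {"r1": "pass", "r2": "pass", "r3": "notapplicable", "r4": "pass", "r5": "pass"}
A3 = None   # asset could not be evaluated: no data, scored as zero

if __name__ == "__main__":
    print("A1, flat:   ", profile_score(FLAT, A1))     # (200+0+100+0)/(2+2+1+1) = 50.0
    print("A1, grouped:", profile_score(GROUPED, A1))  # g1 = 200/5 = 40; (40*3+100)/(3+1) = 55.0
    print("P1 over A1..A3:", profile_score_assets(FLAT, [A1, A2, A3]))  # (50+100+0)/3 = 50.0
```

Two points the numbers make visible: the NotApplicable rule r3 carries a weight of 10 but changes nothing, because a count of 0 removes both its score and its weight; and moving r1, r2, and r5 into a group with weight 3 changes the profile score from 50 to 55 even though no result and no rule weight changed, which is why the group weights need the same care as the rule weights.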
See About risk score calculation for SCAP assets
See About adjusted base score calculation for SCAP assets