 

First we need to have a few meetings to talk about known vulnerabilities and how to attack them. Then we can come back, find a vulnerable system, and attack it. The vulnerable system should be virtualized on the Dell PowerEdge 2600 servers, ying and yang.

We should have separate events for varying experience levels so that beginners and experts do not ruin each other's fun. However, experts are more than welcome to help run the beginner's events!

Pre-built exploitable systems
Learning about Vulnerabilities
Automated Vulnerability Analysis

SCAP is the collective name for the set of specifications used for automated vulnerability management. This set of specs is maintained jointly by NIST and the MITRE Corporation. Basically, a SCAP-based tool will accept two inputs: a description of the computer system to be analyzed and a list of security checks you want performed against that system. The SCAP specification to describe a computer system is called OVAL and the specification to list security checks is called XCCDF. Two other specifications, CCE and CPE, support the creation of XCCDF and OVAL XML documents. CPE is an enumeration of platforms, packages, and software components. It is used to define the 'what' in the XCCDF and OVAL documents. For example, each checklist item in an XCCDF document uses CPE to define what is being tested. CCE is an enumeration of software (mis)configurations. CCE does not describe hardware or physical configurations. Finally, the last specification that is part of SCAP 1.0 is the schema for the CVE database, which we have already discussed above. SCAP 1.1 may include a sixth specification, OCIL, to handle non-automated analysis.

The main benefit of SCAP is the XCCDF XML document. It allows systems to be checked consistently against some standard security policy. This is a big deal with government agencies who need to prove compliance before their systems are allowed on the network or to operate.
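To show how an XCCDF checklist item ties the other specifications together, here is an added example (not part of the original wiki page or of any SCAP tool) that parses a small XCCDF 1.1 document and lists, per rule, its CPE platform, CCE identifier and referenced OVAL definition. The benchmark, rule ids, CPE name, CCE number and OVAL id are constructed placeholders.

```python
import xml.etree.ElementTree as ET
# For checklists from untrusted sources, parse with the defusedxml package instead.

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # XCCDF 1.1 namespace
NS = {"x": XCCDF_NS}
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed sample checklist: every id, CPE name and CCE number is a placeholder.
SAMPLE_XCCDF = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <status>draft</status>
  <version>0.1</version>
  <platform idref="cpe:/o:example:example_os:1"/>
  <Rule id="rule-password-min-length" selected="true" severity="medium">
    <title>Minimum password length is set</title>
    <ident system="http://cce.mitre.org">CCE-0000-0</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-manual-review" selected="true" severity="low">
    <title>Server room door is locked</title>
  </Rule>
</Benchmark>
"""

def summarize_rules(xccdf_text):
    """Return one dict per Rule: title, CPE platforms, CCE idents, OVAL refs."""
    root = ET.fromstring(xccdf_text)
    # Platforms declared on the Benchmark apply to rules that declare none.
    default_platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    rules = []
    for rule in root.iter("{%s}Rule" % XCCDF_NS):
        own = [p.get("idref") for p in rule.findall("x:platform", NS)]
        oval = [ref.get("name")
                for chk in rule.findall("x:check", NS) if chk.get("system") == OVAL_SYSTEM
                for ref in chk.findall("x:check-content-ref", NS)]
        cce = [i.text for i in rule.findall("x:ident", NS) if i.get("system") == CCE_SYSTEM]
        rules.append({"id": rule.get("id"),
                      "title": rule.findtext("x:title", default="", namespaces=NS),
                      "platforms": own or default_platforms,
                      "cce": cce, "oval": oval,
                      "automated": bool(oval)})  # no OVAL check: needs manual review
    return rules

if __name__ == "__main__":
    for r in summarize_rules(SAMPLE_XCCDF):
        print(r)
```

The second rule has no OVAL check, so it is reported as not automated; that is the kind of item the paragraph above says OCIL is meant to cover.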

Automated Analysis Tools

Attacking and Defending Vulnerabilities
events/ctp_security.txt · Last modified: 2011/06/01 15:57 by mike.perez
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported