Secure Configuration Evaluation, Remediation, and Reporting Tool (SCERRT)

US 20180091558A1
Filed: 08/09/2017
Published: 03/29/2018
Est. Priority Date: 08/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer system for developing, configuring, and using a secure configuration evaluation, remediation, and reporting system which can be exported to a plurality of target computer systems, the computer systems comprising:

a configuration baseline developer system and a user or operator system;

wherein said configuration baseline developer system comprises;

a first processor, the first processor being a hardware component of a computer system;

a first user input device, the first user input device being in communication with the processor;

a first graphical user interface (GUI) display, the first graphical user interface being in communication with the processor; and

a first memory, the first memory being in communication with the first processor and storing a first plurality of non-transitory machine readable instructions executed by the first processor comprising;

a vulnerability scanning system that searches one or more user selected or designated operating system (OS) or application files for one or more STIG file elements comprising one or more certified patch files, data lists, or configuration settings and generates a matching list of OS or application files, settings or data which match the one or more STIG file elements and a non-matching list of OS or application files, settings, or data which do not match the one or more STIG file elements;

a first program generator that generates a first program comprising a machine interpreted script that comprises instructions to update or replace the user selected or designated OS or application file or files referenced in the non-matching list with the one or more STIG file elements comprising one or more of the certified patch files, data lists, or configuration settings;

a second program generator that generates a second program by translating the first program into machine readable instructions that the one or more target machines will execute and saving the second program; and

a third program generator that generates a third program by encrypting the second program into an encrypted file and saving the third program;

wherein the user or operator system comprises;

a second processor, the second processor being a hardware component of a computer system;

a second user input device, the second user input device being in communication with the processor;

a second graphical user interface (GUI) display, the second graphical user interface being in communication with the processor; and

a memory, the memory being in communication with the processor and storing a plurality of non-transitory machine readable instructions executed by the processor comprising;

a fourth program comprising machine instructions that unencrypt and read the third program and its list of STIG elements that might be installed on the one or more target machines and generates a first user interface on the second display that includes a picklist that enables selection of one, some, or all of the STIG elements that the third program includes as well as adding one or more additional STIG elements;

wherein the fourth program;

enables a user to selectively modify the STIG elements by adding to or removing one or more of the STIG elements from the third program;

encrypts and selectively saves a modified form of the third program as a sixth program if one or more of the STIG elements from the third program are removed or added to;

generates a fifth program, wherein the fifth program comprises a host system capable of securely executing the sixth program on one or more target machines;

includes a user execution operation section that enables the user to selectively execute the fifth and sixth programs on the selected one or more target machines.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments and related methods are provided that can include or operate a variety of modular systems such as, a group of user interfaces and software modules which receive inputs from the user interfaces to perform Secure Configuration Evaluation, Remediation, and Reporting Tool tasks. Exemplary modules can include a scan or current state module to populate and/or identify a current state configuration as well as collecting available information on available vulnerability patches or system updates, a software, update, and/or patch configuration selection module that generates a “picklist” user interface for all available software, patches or updates or optionally patches or updates that meet one or more search criteria associated with a baseline data, a data store with install files for all selected or available software, patches or updates selected with the picklist user interface, an installer export package system to generate install packages, and an access/use verification system.

Citations

10 Claims

1. A computer system for developing, configuring, and using a secure configuration evaluation, remediation, and reporting system which can be exported to a plurality of target computer systems, the computer systems comprising:
- a configuration baseline developer system and a user or operator system;
  
  wherein said configuration baseline developer system comprises;
  
  a first processor, the first processor being a hardware component of a computer system;
  
  a first user input device, the first user input device being in communication with the processor;
  
  a first graphical user interface (GUI) display, the first graphical user interface being in communication with the processor; and
  
  a first memory, the first memory being in communication with the first processor and storing a first plurality of non-transitory machine readable instructions executed by the first processor comprising;
  
  a vulnerability scanning system that searches one or more user selected or designated operating system (OS) or application files for one or more STIG file elements comprising one or more certified patch files, data lists, or configuration settings and generates a matching list of OS or application files, settings or data which match the one or more STIG file elements and a non-matching list of OS or application files, settings, or data which do not match the one or more STIG file elements;
  
  a first program generator that generates a first program comprising a machine interpreted script that comprises instructions to update or replace the user selected or designated OS or application file or files referenced in the non-matching list with the one or more STIG file elements comprising one or more of the certified patch files, data lists, or configuration settings;
  
  a second program generator that generates a second program by translating the first program into machine readable instructions that the one or more target machines will execute and saving the second program; and
  
  a third program generator that generates a third program by encrypting the second program into an encrypted file and saving the third program;
  
  wherein the user or operator system comprises;
  
  a second processor, the second processor being a hardware component of a computer system;
  
  a second user input device, the second user input device being in communication with the processor;
  
  a second graphical user interface (GUI) display, the second graphical user interface being in communication with the processor; and
  
  a memory, the memory being in communication with the processor and storing a plurality of non-transitory machine readable instructions executed by the processor comprising;
  
  a fourth program comprising machine instructions that unencrypt and read the third program and its list of STIG elements that might be installed on the one or more target machines and generates a first user interface on the second display that includes a picklist that enables selection of one, some, or all of the STIG elements that the third program includes as well as adding one or more additional STIG elements;
  
  wherein the fourth program;
  
  enables a user to selectively modify the STIG elements by adding to or removing one or more of the STIG elements from the third program;
  
  encrypts and selectively saves a modified form of the third program as a sixth program if one or more of the STIG elements from the third program are removed or added to;
  
  generates a fifth program, wherein the fifth program comprises a host system capable of securely executing the sixth program on one or more target machines;
  
  includes a user execution operation section that enables the user to selectively execute the fifth and sixth programs on the selected one or more target machines.
- View Dependent Claims (3, 4, 6, 7, 8, 9)
- - 3. A method of operating a secure configuration evaluation, remediation, and reporting system comprising as in claim 8, wherein the user securely transfers the third program from the baseline developer system to the user or operator system.
  - 4. A method of operating a secure configuration evaluation, remediation, and reporting system comprising as in claim 8, wherein the user securely transfers the fifth and sixth programs to the selected one or more target machine.
  - 6. A secure configuration evaluation, remediation, and reporting system as in claim 1, wherein the first vulnerability scanner selectively searches one or more user selected or designated operating system (OS) or application files for one or more STIG file elements comprising one or more certified patch files, data lists, or configuration settings and generates a matching list of OS or application files, settings or data which match the one or more STIG file elements and a non-matching list of OS or application files, settings, or data which do not match the one or more STIG file elements.
  - 7. A secure configuration evaluation, remediation, and reporting system as in claim 1, wherein the update script generator generates a machine interpreted script that comprises instructions to update or replace the user selected or designated OS or application file or files referenced in the non-matching list with the one or more STIG file elements comprising one or more of the certified patch files, data lists, or configuration settings.
  - 8. A secure configuration evaluation, remediation, and reporting system as in claim 1, wherein the configuration baseline developer system securely transfers the encrypted target machine update file is securely transferred to the second non-transitory computer readable storage medium.
  - 9. A secure configuration evaluation, remediation, and reporting system as in claim 1, wherein the target machine update control system securely transfers the modified encrypted target machine update file and another vulnerability scanner to the one or more target machines.

2. A method of operating a secure configuration evaluation, remediation, and reporting system comprising:
- using a baseline developer system to generate a first, a second, and a third program;
  
  exporting the third program to a user or operator system, which comprises a fourth program capable of decrypting the third program;
  
  using the user or operator system to decrypt and edit the third program and generate a fifth and sixth program; and
  
  remotely operating the fifth and sixth programs on one or more of a plurality of target machines;
  
  wherein the baseline developer system comprises;
  
  a vulnerability scanning system that searches one or more user selected or designated operating system (OS) or application files for one or more STIG file elements comprising one or more certified patch files, data lists, or configuration settings and generates a matching list of OS or application files, settings or data which match the one or more STIG file elements and a non-matching list of OS or application files, settings, or data which do not match the one or more STIG file elements;
  
  a first program generator that generates the first program comprising a machine interpreted script that comprises instructions to update or replace the user selected or designated OS or application file or files referenced in the non-matching list with the one or more STIG file elements comprising one or more of the certified patch files, data lists, or configuration settings;
  
  a second program generator that generates the second program by translating the first program into machine readable instructions that the one or more target machines will execute and saving the second program; and
  
  the third program generator that generates a third program by encrypting the second program into an encrypted file and saving the third program;
  
  wherein the user or operator system comprises;
  
  a fourth program comprising machine instructions that unencrypt and read the third program and its list of STIG elements that might be installed on the one or more target machines and generates a first user interface on the second display that includes a picklist that enables selection of one, some, or all of the STIG elements that the third program includes as well as adding one or more additional STIG elements;
  
  wherein the fourth program;
  
  enables a user to selectively modify the STIG elements by adding to or removing one or more of the STIG elements from the third program;
  
  encrypts and selectively saves a modified form of the third program as a sixth program if one or more of the STIG elements from the third program are removed or added to;
  
  generates a fifth program, wherein the fifth program comprises a host system capable of securely executing the sixth program on one or more target machines;
  
  includes a user execution operation section that enables the user to selectively execute the fifth and sixth programs on the selected one or more target machines.

5. A secure configuration evaluation, remediation, and reporting system comprising:
- a first non-transitory computer readable storage medium adapted to store a plurality of non-transitory machine instructions adapted to be read by a machine processor comprising;
  
  a configuration baseline developer system;
  
  wherein the configuration baseline developer system comprises;
  
  a vulnerability scanner that scans a plurality of developer machine files searching for one or more STIG file elements comprising a plurality of predetermined files, data, or settings then generates a matching or non-matching listan update script generator that generates an update script that includes machine instructions that are read by one or more target machines matching one or more configurations of the configuration baseline developer system to update or replace one or more of a plurality of user selected or designated target machine files, data, or settings files referenced in the non-matching list with the one or more STIG file elements;
  
  a compiler or translator program that translates the update script into target machine readable instructions that the one or more target machines will execute and then outputs a target machine update file; and
  
  an encryption program that encrypts the target machine update script into an encrypted target machine update file and outputs the encrypted target machine update file;
  
  a second non-transitory computer readable storage medium adapted to store a plurality of non-transitory machine instructions adapted to be read by another machine processor comprising;
  
  a picklist user interface system and a target machine update control system;
  
  wherein the picklist user interface system generates a picklist user interface that enables a user to select, deselect, or add to the STIG file elements in the encrypted target machine update file and save as a modified encrypted target machine update file;
  
  wherein the target machine update control system selectively sends the modified encrypted target machine update file and a second vulnerability scanner to one or more of the target machines where the modified encrypted target machine file update will be selectively executed by a respective said target machine'"'"'s processors based on a control message from the target machine update control system.

10. A secure configuration evaluation, remediation, and reporting system comprising:
- a non-transitory computer readable storage medium adapted to store a plurality of non-transitory machine instructions comprising;
  
  a configuration baseline developer system comprising a first, second, third program generator; and
  
  a user or operator system that enables a user to selectively modify and execute outputs from the third program generator on one or more target machines;
  
  wherein the configuration baseline developer system comprises;
  
  a vulnerability scanning system that searches one or more user selected or designated operating system (OS) or application files for one or more STIG file elements comprising one or more certified patch files, data lists, or configuration settings and generates a matching list of OS or application files, settings or data which match the one or more STIG file elements and a non-matching list of OS or application files, settings, or data which do not match the one or more STIG file elements;
  
  wherein the first program generator generates a first program comprising a machine interpreted script that comprises instructions to update or replace the user selected or designated OS or application file or files referenced in the non-matching list with the one or more STIG file elements comprising one or more of the certified patch files, data lists, or configuration settings;
  
  the second program generator generates a second program by translating the first program into machine readable instructions that the one or more target machines will execute and saving the second program; and
  
  the third program generator that generates a third program by encrypting the second program into an encrypted file and saving the third program;
  
  wherein a user or operator system comprises;
  
  a fourth program comprising machine instructions that unencrypts and reads the third program and its list of the STIG file elements that are designated or predetermined as potentially installable on one or a plurality of target machines and generates a first user interface on a display that includes a picklist that enables selection of one, some, or all of the STIG file elements that the third program includes as well as adding one or more additional STIG file elements, wherein the fourth program enables a user to selectively modify the STIG elements by adding to or removing one or more of the STIG file elements from the third program and selectively saving a modified form of the third program as a sixth program if one or more of the STIG file elements from the third program are removed or added to, wherein the fourth program further generates a fifth and sixth program where the sixth program is an encrypted version of the fourth program and the fifth program comprises a host system that executes the sixth program on one or more target machines, wherein the fourth program further comprises a user execution operation section that enables the user to selectively execute the fifth and sixth program on selected one or more target machines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
the united states of america as represented by the secretary of the navy
Original Assignee
the united states of america as represented by the secretary of the navy
Inventors
Daugherty, Bryan, Meinhart, Michael A., Parker, Christopher A., Terrell, William

Granted Patent

US 10,462,186 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Secure Configuration Evaluation, Remediation, and Reporting Tool (SCERRT)

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Secure Configuration Evaluation, Remediation, and Reporting Tool (SCERRT)

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links