8.2. Defining Compliance Policy
- Languages — This group consists of SCAP languages that define standard vocabularies and conventions for expressing compliance policy.
  - The eXtensible Configuration Checklist Description Format (XCCDF) — A language designed to express, organize, and manage security guidance.
  - Open Vulnerability and Assessment Language (OVAL) — A language developed to make logical assertions about the state of the scanned system.
  - Open Checklist Interactive Language (OCIL) — A language designed to provide a standard way to query users and interpret user responses to the given questions.
  - Asset Identification (AI) — A language developed to provide a data model, methods, and guidance for identifying security assets.
  - Asset Reporting Format (ARF) — A language designed to express the transport format of information about collected security assets and the relationship between assets and security reports.
- Enumerations — This group includes SCAP standards that define a naming format and an official list or dictionary of items from certain security-related areas of interest.
  - Common Configuration Enumeration (CCE) — An enumeration of security-relevant configuration elements for applications and operating systems.
  - Common Platform Enumeration (CPE) — A structured naming scheme used to identify information technology (IT) systems, platforms, and software packages.
  - Common Vulnerabilities and Exposures (CVE) — A reference method to a collection of publicly known software vulnerabilities and exposures.
- Metrics — This group comprises frameworks to identify and evaluate security risks.
  - Common Configuration Scoring System (CCSS) — A metric system to evaluate security-relevant configuration elements and assign them scores in order to help users prioritize appropriate response steps.
  - Common Vulnerability Scoring System (CVSS) — A metric system to evaluate software vulnerabilities and assign them scores in order to help users prioritize their security risks.
- Integrity — An SCAP specification to maintain the integrity of SCAP content and scan results.
  - Trust Model for Security Automation Data (TMSAD) — A set of recommendations explaining the usage of existing specifications to represent signatures, hashes, key information, and identity information in the context of an XML file within a security automation domain.
8.2.1. The XCCDF File Format
Main XML Elements of the XCCDF Document
- <xccdf:Benchmark> — This is the root element that encloses the whole XCCDF document. It may also contain checklist metadata, such as a title, description, list of authors, date of the latest modification, and status of the checklist acceptance.
- <xccdf:Rule> — This is a key element that represents a checklist requirement and holds its description. It may contain child elements that define actions verifying or enforcing compliance with the given rule or modify the rule itself.
- <xccdf:Value> — This key element is used for expressing properties of other XCCDF elements within the benchmark.
- <xccdf:Group> — This element is used to organize an XCCDF document into structures with the same context or requirement domains by gathering the
- <xccdf:Profile> — This element serves for a named tailoring of the XCCDF benchmark. It allows the benchmark to hold several different tailorings. <xccdf:Profile> utilizes several selector elements, such as <xccdf:refine-rule>, to determine which elements are going to be modified and processed while it is in effect.
- <xccdf:Tailoring> — This element allows defining the benchmark profiles outside the benchmark, which is sometimes desirable for manual tailoring of the compliance policy.
- <xccdf:TestResult> — This element serves for keeping the scan results for the given benchmark on the target system. Each <xccdf:TestResult> should refer to the profile that was used to define the compliance policy for the particular scan, and it should also contain important information about the target system that is relevant for the scan.
- <xccdf:rule-result> — This is a child element of <xccdf:TestResult> that is used to hold the result of applying a specific rule from the benchmark to the target system.
- <xccdf:fix> — This is a child element of <xccdf:Rule> that serves for remediation of a target system that is not compliant with the given rule. It can contain a command or script that is run on the target system in order to bring the system into compliance with the rule.
- <xccdf:check> — This is a child element of <xccdf:Rule> that refers to an external source which defines how to evaluate the given rule.
- <xccdf:select> — This is a selector element that is used for including or excluding the chosen rules or groups of rules from the policy.
- <xccdf:set-value> — This is a selector element that is used for overwriting the current value of the specified <xccdf:Value> element without modifying any of its other properties.
- <xccdf:refine-value> — This is a selector element that is used for specifying constraints of the particular <xccdf:Value> element during policy tailoring.
- <xccdf:refine-rule> — This selector element allows overwriting properties of the selected rules.
Example 8.1. An Example of an XCCDF Document
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example.www_benchmark_test">
  <status>incomplete</status>
  <version>0.1</version>
  <Profile id="xccdf_com.example.www_profile_1">
    <title>Profile title is compulsory</title>
    <select idref="xccdf_com.example.www_group_1" selected="true"/>
    <select idref="xccdf_com.example.www_rule_1" selected="true"/>
    <!-- The selector must match a <value selector="..."> below exactly, or the refinement does not resolve. -->
    <refine-value idref="xccdf_com.example.www_value_1" selector="telnet_service"/>
  </Profile>
  <Group id="xccdf_com.example.www_group_1">
    <Value id="xccdf_com.example.www_value_1">
      <value selector="telnet_service">telnet-server</value>
      <value selector="dhcp_service">dhcpd</value>
      <value selector="ftp_service">tftpd</value>
    </Value>
    <Rule id="xccdf_com.example.www_rule_1">
      <title>The telnet-server Package Shall Not Be Installed</title>
      <rationale>
        Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation
      </rationale>
      <!-- Remediation script; <sub> is replaced by the value selected by the active profile. -->
      <fix platform="cpe:/o:redhat:enterprise_linux:6" reboot="false" disruption="low" system="urn:xccdf:fix:script:sh">
        yum -y remove <sub idref="xccdf_com.example.www_value_1"/>
      </fix>
      <!-- OVAL check; the selected value is exported to the OVAL variable named below. -->
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-export value-id="xccdf_com.example.www_value_1" export-name="oval:com.example.www:var:1"/>
        <check-content-ref href="examplary.oval.xml" name="oval:com.example.www:def:1"/>
      </check>
      <!-- Alternative Script Check Engine (SCE) check that reads the script's standard output. -->
      <check system="http://open-scap.org/page/SCE">
        <check-import import-name="stdout"/>
        <check-content-ref href="telnet_server.sh"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
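As an added example that is not part of the original guide or of OpenSCAP, the following Python reader applies the profile tailoring described above to a trimmed, constructed copy of Example 8.1: it honours the profile's <select> and <refine-value> elements, expands the <sub> reference inside the <fix> script, and collects the <check> references. The function names are my own; the fallback to a selector-less default <value> when a refine-value selector matches nothing is an assumption about XCCDF processing, and when no such default exists the reader refuses to continue rather than emitting a fix script with a hole in it.

```python
import xml.etree.ElementTree as ET
X = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace, Clark notation for ElementTree

# Constructed sample: a trimmed copy of the benchmark shown in Example 8.1.
XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example.www_benchmark_test">
 <Profile id="xccdf_com.example.www_profile_1">
  <select idref="xccdf_com.example.www_rule_1" selected="true"/>
  <refine-value idref="xccdf_com.example.www_value_1" selector="telnet_service"/>
 </Profile>
 <Value id="xccdf_com.example.www_value_1">
  <value selector="telnet_service">telnet-server</value>
  <value selector="ftp_service">tftpd</value>
 </Value>
 <Rule id="xccdf_com.example.www_rule_1">
  <fix system="urn:xccdf:fix:script:sh">yum -y remove <sub idref="xccdf_com.example.www_value_1"/></fix>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="examplary.oval.xml" name="oval:com.example.www:def:1"/></check>
 </Rule>
</Benchmark>"""

def resolve_values(root, profile):  # one concrete value per <Value>, per the profile's refine-value selectors
    selectors = {r.get("idref"): r.get("selector") for r in profile.findall(X + "refine-value")}
    resolved = {}
    for val in root.iter(X + "Value"):
        wanted = selectors.get(val.get("id"))
        node = val.find(X + "value[@selector='%s']" % wanted) if wanted else None
        if node is None:  # no match: fall back to the selector-less default value (assumption)
            node = next((v for v in val.findall(X + "value") if not v.get("selector")), None)
        if node is None:
            raise ValueError("no usable value for %s (selector %r)" % (val.get("id"), wanted))
        resolved[val.get("id")] = node.text
    return resolved

def render_fix(fix, values):  # expand <sub idref="..."/> inside a <fix> into the resolved value text
    parts = [fix.text or ""]
    for child in fix:
        parts.append(values[child.get("idref")] if child.tag == X + "sub" else "")
        parts.append(child.tail or "")
    return "".join(parts).strip()

def resolve_profile(xml_text, profile_id):  # rule id -> rendered fix script and check references
    root = ET.fromstring(xml_text)
    profile = root.find(X + "Profile[@id='%s']" % profile_id)
    selected = {s.get("idref") for s in profile.findall(X + "select") if s.get("selected") == "true"}
    values = resolve_values(root, profile)
    out = {}
    for rule in root.iter(X + "Rule"):
        if rule.get("id") in selected:
            fix = rule.find(X + "fix")
            checks = [(c.get("system"), c.find(X + "check-content-ref").get("href")) for c in rule.findall(X + "check")]
            out[rule.get("id")] = {"fix": render_fix(fix, values) if fix is not None else None, "checks": checks}
    return out
```

Changing the refine-value selector to a string that matches no <value> (for instance a space instead of an underscore) makes resolve_profile raise, which is the behaviour a content author wants to see before the fix script ever reaches a target system.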