
Introduction to XCCDF

The Extensible Configuration Checklist Description Format (XCCDF) is an XML-based specification language for describing security configuration checklists and similar documents. XCCDF is one of the Security Content Automation Protocol (SCAP) languages and an important tool for anyone automating information security processes. For example, it is the language in which the mandatory configuration requirements for workstations of US federal agencies and their contractors (the FDCC/USGCB program) are expressed. In this article we look at how XCCDF security checklists are described, using the USGCB content for Red Hat Enterprise Linux as an example.

An XCCDF document consists of one or more XCCDF rules. A rule is a high-level description of a technical check of the system, for example: "The minimum length of a user password must be 12 characters." Here is this rule in XCCDF:

<Rule id="usgcb-rhel5desktop-rule-2.3.1.7.a" selected="false" weight="10.0"
      prohibitChanges="false" abstract="false" hidden="false" role="full" severity="unknown">
  <status date="2010-07-01">accepted</status>
  <version update="1"/>
  <title override="0">CCE-4154-1: Set password minimum length</title>
  <description xml:lang="en-US" override="0">The password minimum length should be set
    appropriately</description>
  <ident system="cce.mitre.org">CCE-4154-1</ident>
  <check system="oval.mitre.org/XMLSchema/oval-definitions-5" selector="">
    <check-export value-id="usgcb-rhel5desktop-var-2.3.1.7.a"
                  export-name="oval:gov.nist.usgcb.rhel:var:20071"/>
    <check-content-ref href="usgcb-rhel5desktop-oval.xml"
                       name="oval:gov.nist.usgcb.rhel:def:20071"/>
  </check>
</Rule>

An XCCDF rule does not itself describe how the check is performed. Instead, it references other XML documents (for example, OVAL definitions), which in turn contain the actual instructions for performing the check. We covered the OVAL language in more detail in the article "OVAL, or the myth of the ideal scanner".

In this example, the XCCDF rule refers to the OVAL definition oval:gov.nist.usgcb.rhel:def:20071. The required value of the parameter being checked is passed through variables: the value of the XCCDF variable usgcb-rhel5desktop-var-2.3.1.7.a is exported to the external OVAL variable oval:gov.nist.usgcb.rhel:var:20071 (the value passed is 12). How this XCCDF variable is initialized is shown below.

The title of the XCCDF rule contains the substring CCE-4154-1, the check's identifier in the Common Configuration Enumeration (CCE). This numbering makes it possible to maintain a single registry of system configuration issues.

The weight attribute expresses the importance of the XCCDF rule; its default value is 1. Weights are used when calculating the final score that measures how well the system's state complies with the standard's requirements.

It is worth noting how XCCDF rules are numbered (in our case, 2.3.1.7.a): the numbering of XCCDF rules mirrors the numbering of the items in the "paper" standard. The correspondence between the paper standard and its XCCDF representation is also maintained by grouping the XCCDF rules. XCCDF groups can contain one or more rules or groups.

The group that includes the usgcb-rhel5desktop-var-2.3.1.7.a rule is:

<Group id="usgcb-rhel5desktop-group-2.3.1.7" hidden="false" prohibitChanges="false"
       abstract="false" selected="true" weight="1.0">
  <title xml:lang="en-US" override="0">Set Password Expiration Parameters</title>
  <description xml:lang="en-US" override="0">Edit the file /etc/login.defs to specify
    password expiration settings for new accounts.
    ...
  </description>
  <Value id="usgcb-rhel5desktop-var-2.3.1.7.a" type="string" operator="equals"
         prohibitChanges="false" abstract="false" hidden="false" interactive="0">
    <title xml:lang="en-US" override="0">minimum password length</title>
    <description xml:lang="en-US" override="0">Minimum number of characters in
      password</description>
    <warning override="0" category="general">This will only check new
      passwords</warning>
    <value selector="">14</value>
    <value selector="6">6</value>
    <!-- NIST 800-53 requires 1 in a million using brute force which translates to six
         numbers -->
    <value selector="8">8</value>
    <value selector="10">10</value>
    <value selector="12">12</value>
    <value selector="14">14</value>
  </Value>
  <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.a" selected="false" weight="10.0"
        prohibitChanges="false" abstract="false" hidden="false" role="full" severity="unknown">
    <status date="2010-07-01">accepted</status>
    <version update="1"/>
    <title override="0">CCE-4154-1: Set password minimum length</title>
    <description xml:lang="en-US" override="0">The password minimum length should be
      set appropriately</description>
    <ident system="cce.mitre.org">CCE-4154-1</ident>
    <check system="oval.mitre.org/XMLSchema/oval-definitions-5" selector="">
      <check-export value-id="usgcb-rhel5desktop-var-2.3.1.7.a"
                    export-name="oval:gov.nist.usgcb.rhel:var:20071"/>
      <check-content-ref href="usgcb-rhel5desktop-oval.xml"
                         name="oval:gov.nist.usgcb.rhel:def:20071"/>
    </check>
  </Rule>
  <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.b" selected="false" weight="10.0"
        prohibitChanges="false" abstract="false" hidden="false" role="full" severity="unknown">
    ...
  </Rule>
  <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.c" selected="false" weight="10.0"
        prohibitChanges="false"
    ...
  </Rule>
  <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.d" selected="false" weight="10.0"
        prohibitChanges="false"
    ...
  </Rule>
</Group>

In this example, note how the XCCDF rules are grouped and how the values of the XCCDF variables are initialized. The usgcb-rhel5desktop-group-2.3.1.7 group, in addition to the usgcb-rhel5desktop-rule-2.3.1.7.a rule already reviewed, also includes the rules usgcb-rhel5desktop-rule-2.3.1.7.b, usgcb-rhel5desktop-rule-2.3.1.7.c and usgcb-rhel5desktop-rule-2.3.1.7.d. The specific value of a variable is chosen according to the selector associated with the variable.

The rules of an XCCDF document can be organized into profiles. Profiles make it possible to describe several policies within a single XCCDF document. A profile contains the list of rules applicable to a given standard, together with the selector values needed to determine whether the system's state complies with the standard's requirements.

The profile for the usgcb-rhel5desktop-var-2.3.1.7.a rule is:

<Profile id="united_states_government_configuration_baseline" abstract="false"
         prohibitChanges="false">
  <title xml:lang="en-US" override="0">United States Government Configuration
    Baseline 1.0.5.0</title>
  <description xml:lang="en-US" override="0">This profile represents guidance
    outlined in United States Government Configuration Baseline for desktop
    systems with Redhat Enterprise Linux 5 installed.</description>
  ...
  <select idref="usgcb-rhel5desktop-rule-2.3.1.7.a" selected="true"/>
  <refine-value idref="usgcb-rhel5desktop-var-2.3.1.7.a" selector="12"/>
  ...
</Profile>

Thus, in the profile "united_states_government_configuration_baseline", rule 2.3.1.7.a must be applied with the selector "12".
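As an added example (not from the article or the USGCB content), the following Python script resolves the profile just described against the group and value listings above: it applies the profile's select and refine-value elements and reports, for each selected rule, which concrete value is exported to which OVAL variable. The XCCDF fragment is constructed from the listings and omits the XML namespace that real content carries.

```python
import xml.etree.ElementTree as ET

# Constructed XCCDF fragment modelled on the USGCB RHEL 5 listings above.
# Namespaces are omitted, as in the article's excerpts; real content uses them.
XCCDF = """
<Benchmark>
  <Profile id="united_states_government_configuration_baseline">
    <select idref="usgcb-rhel5desktop-rule-2.3.1.7.a" selected="true"/>
    <refine-value idref="usgcb-rhel5desktop-var-2.3.1.7.a" selector="12"/>
  </Profile>
  <Group id="usgcb-rhel5desktop-group-2.3.1.7" selected="true" weight="1.0">
    <Value id="usgcb-rhel5desktop-var-2.3.1.7.a" type="string" operator="equals">
      <value selector="">14</value>
      <value selector="6">6</value>
      <value selector="12">12</value>
    </Value>
    <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.a" selected="false" weight="10.0">
      <check system="oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-export value-id="usgcb-rhel5desktop-var-2.3.1.7.a"
                      export-name="oval:gov.nist.usgcb.rhel:var:20071"/>
        <check-content-ref href="usgcb-rhel5desktop-oval.xml"
                           name="oval:gov.nist.usgcb.rhel:def:20071"/>
      </check>
    </Rule>
    <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.b" selected="false" weight="10.0"/>
  </Group>
</Benchmark>
"""

def pick_value(value_elem, selector):
    """Choose the <value> whose selector matches; fall back to the default
    (empty selector) when the profile names a selector the Value lacks."""
    candidates = {v.get("selector", ""): v.text.strip() for v in value_elem.findall("value")}
    return candidates.get(selector, candidates[""])

def resolve_profile(xml_text, profile_id):
    """Return {rule_id: {oval_variable: exported_value}} for the rules the
    profile selects, i.e. what a scanner would hand to the OVAL checks."""
    root = ET.fromstring(xml_text)
    profile = root.find(f"./Profile[@id='{profile_id}']")
    selected = {s.get("idref") for s in profile.findall("select") if s.get("selected") == "true"}
    selectors = {r.get("idref"): r.get("selector", "") for r in profile.findall("refine-value")}
    values = {v.get("id"): v for v in root.iter("Value")}
    resolved = {}
    for rule in root.iter("Rule"):
        rid = rule.get("id")
        if rid in selected:  # the profile's <select> overrides the Rule's own selected="false"
            resolved[rid] = {exp.get("export-name"):
                             pick_value(values[exp.get("value-id")],
                                        selectors.get(exp.get("value-id"), ""))
                             for exp in rule.iter("check-export")}
    return resolved
```

Rule 2.3.1.7.b is not selected by the profile and so never reaches the result, even though it sits in the same group as the selected rule.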

The general structure of an XCCDF document is shown in Figure 1.


Figure 1. Structure of the XCCDF document

So an XCCDF document is a structured set of security configuration rules for a set of target systems.

Full details of the XCCDF structure are contained in the XCCDF specification and the SCAP specification.

Source: https://habr.com/ru/post/141869/

