The XCCDF language is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The language is mostly descriptive and does not contain any commands to perform security scans. However, an XCCDF document can refer to other SCAP components, and as such it can be used to craft a compliance policy that is portable among all the target platforms, with the exception of the related assessment documents (OVAL, OCIL).
The common way to represent a compliance policy is a set of XML files where one of the files is an XCCDF checklist. This XCCDF file usually points to the assessment resources: multiple OVAL, OCIL and Script Check Engine (SCE) files. Furthermore, the file set can contain a CPE dictionary file and an OVAL file defining objects for this dictionary.
Being an XML-based language, XCCDF defines and uses a vast selection of XML elements and attributes. The following list briefly introduces the main XCCDF elements; for more details about XCCDF, consult NIST Interagency Report 7275 Revision 4.
Main XML Elements of the XCCDF Document
<xccdf:Benchmark> — This is the root element that encloses the whole XCCDF document. It may also contain checklist metadata, such as a title, description, list of authors, date of the latest modification, and status of the checklist acceptance.
<xccdf:Rule> — This is a key element that represents a checklist requirement and holds its description. It may contain child elements that define actions verifying or enforcing compliance with the given rule or modify the rule itself.
<xccdf:Value> — This key element is used for expressing properties of other XCCDF elements within the benchmark.
<xccdf:Group> — This element is used to organize an XCCDF document into structures with the same context or requirement domains by gathering the <xccdf:Rule>, <xccdf:Value>, and <xccdf:Group> elements.
<xccdf:Profile> — This element serves for a named tailoring of the XCCDF benchmark. It allows the benchmark to hold several different tailorings. <xccdf:Profile> utilizes several selector elements, such as <xccdf:select> or <xccdf:refine-rule>, to determine which elements are going to be modified and processed while it is in effect.
<xccdf:Tailoring> — This element allows defining the benchmark profiles outside the benchmark, which is sometimes desirable for manual tailoring of the compliance policy.
<xccdf:TestResult> — This element holds the results of a benchmark scan performed on the target system. Each <xccdf:TestResult> should refer to the profile that was used to define the compliance policy for the particular scan, and it should also contain important information about the target system that is relevant for the scan.
<xccdf:rule-result> — This is a child element of <xccdf:TestResult> that is used to hold the result of applying a specific rule from the benchmark to the target system.
<xccdf:fix> — This is a child element of <xccdf:Rule> that serves for remediation of a target system that is not compliant with the given rule. It can contain a command or script that is run on the target system in order to bring the system into compliance with the rule.
<xccdf:check> — This is a child element of <xccdf:Rule> that refers to an external source which defines how to evaluate the given rule.
<xccdf:select> — This is a selector element that is used for including or excluding the chosen rules or groups of rules from the policy.
<xccdf:set-value> — This is a selector element that is used for overwriting the current value of the specified <xccdf:Value> element without modifying any of its other properties.
<xccdf:refine-value> — This is a selector element that is used for specifying constraints of the particular <xccdf:Value> element during policy tailoring.
Example 6.1. An Example of an XCCDF Document
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_com.example.www_benchmark_test">
  <status>incomplete</status>
  <version>0.1</version>
  <Profile id="xccdf_com.example.www_profile_1">
    <title>Profile title is compulsory</title>
    <select idref="xccdf_com.example.www_group_1" selected="true"/>
    <select idref="xccdf_com.example.www_rule_1" selected="true"/>
    <!-- the selector must match one of the <value selector="..."> variants below -->
    <refine-value idref="xccdf_com.example.www_value_1" selector="telnet_service"/>
  </Profile>
  <Group id="xccdf_com.example.www_group_1">
    <Value id="xccdf_com.example.www_value_1">
      <value selector="telnet_service">telnet-server</value>
      <value selector="dhcp_service">dhcpd</value>
      <value selector="ftp_service">tftpd</value>
    </Value>
    <Rule id="xccdf_com.example.www_rule_1">
      <title>The telnet-server Package Shall Not Be Installed</title>
      <rationale>
        Removing the telnet-server package decreases the risk
        of the telnet service’s accidental (or intentional) activation
      </rationale>
      <fix platform="cpe:/o:redhat:enterprise_linux:6" reboot="false"
           disruption="low"
           system="urn:xccdf:fix:script:sh">
        yum -y remove
        <sub idref="xccdf_com.example.www_value_1"/>
      </fix>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-export value-id="xccdf_com.example.www_value_1" export-name="oval:com.example.www:var:1"/>
        <check-content-ref href="examplary.oval.xml" name="oval:com.example.www:def:1"/>
      </check>
      <check system="http://open-scap.org/page/SCE">
        <check-import import-name="stdout"/>
        <check-content-ref href="telnet_server.sh"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
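The tailoring mechanics listed above (a Profile's <select>, <refine-value> and <set-value> acting on Rule and Value elements, and <sub> expansion inside <fix>) as an added Python example; it is not code from the page or from OpenSCAP, and the embedded benchmark, its second profile and all ids are constructed after Example 6.1.

```python
# Added example, not OpenSCAP or Red Hat code: resolve an XCCDF 1.2 Profile into the effective
# policy (apply <select>, <refine-value>, <set-value>) and expand <sub> inside <fix> as a scanner
# would before remediation. The benchmark below is constructed after Example 6.1; ids are hypothetical.
import xml.etree.ElementTree as ET
X = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": X}
BENCHMARK = f"""<Benchmark xmlns="{X}" id="xccdf_com.example.www_benchmark_test">
  <Profile id="xccdf_com.example.www_profile_1"><title>telnet</title>
    <select idref="xccdf_com.example.www_rule_1" selected="true"/>
    <refine-value idref="xccdf_com.example.www_value_1" selector="telnet_service"/>
  </Profile>
  <Profile id="xccdf_com.example.www_profile_2"><title>custom</title>
    <select idref="xccdf_com.example.www_rule_1" selected="false"/>
    <set-value idref="xccdf_com.example.www_value_1">vsftpd</set-value>
  </Profile>
  <Value id="xccdf_com.example.www_value_1">
    <value selector="telnet_service">telnet-server</value>
    <value selector="ftp_service">tftpd</value>
  </Value>
  <Rule id="xccdf_com.example.www_rule_1" selected="true">
    <fix system="urn:xccdf:fix:script:sh">yum -y remove <sub idref="xccdf_com.example.www_value_1"/></fix>
  </Rule>
</Benchmark>"""

def resolve_value(value_el, selector, override):
    """set-value wins outright; else the variant whose selector matches, else the default, else the first."""
    if override is not None:
        return override
    variants = {(v.get("selector") or ""): (v.text or "") for v in value_el.findall("x:value", NS)}
    return variants.get(selector, variants.get("", next(iter(variants.values()), "")))

def resolve_profile(xml_text, profile_id):
    root = ET.fromstring(xml_text)
    prof = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if prof is None:
        raise KeyError(f"no Profile with id {profile_id}")
    selectors = {e.get("idref"): e.get("selector") or "" for e in prof.findall("x:refine-value", NS)}
    overrides = {e.get("idref"): e.text for e in prof.findall("x:set-value", NS)}
    selected = {e.get("idref"): e.get("selected") == "true" for e in prof.findall("x:select", NS)}
    values = {v.get("id"): resolve_value(v, selectors.get(v.get("id"), ""), overrides.get(v.get("id")))
              for v in root.iter(f"{{{X}}}Value")}
    rules = {}
    for rule in root.iter(f"{{{X}}}Rule"):
        rid, fix = rule.get("id"), rule.find("x:fix", NS)
        # The Rule's own selected attribute (default true) applies unless the Profile overrides it.
        is_sel = selected.get(rid, rule.get("selected", "true") == "true")
        script = None if fix is None else (fix.text or "") + "".join(
            values.get(s.get("idref"), "") + (s.tail or "") for s in fix.findall("x:sub", NS))
        rules[rid] = {"selected": is_sel, "fix": script}
    return {"values": values, "rules": rules}
```

Resolving profile_1 yields the remediation command yum -y remove telnet-server, while profile_2 deselects the rule and swaps in its own package name through set-value.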