Hello Everyone!
By now hopefully everyone reading this is aware of the upcoming Security Automation Developer Days event to be held in Bedford, MA June 8 - 12. On Wednesday, June 10, I will be leading a discussion of XCCDF. Since version 1.1.4 was released in 2007, the SCAP standards have undergone many significant developments. I would like to use this session to review some of the capabilities of XCCDF that support its current use cases and talk about some additional use cases as brought forward by the community. Current topics include:
* Checker control - As XCCDF is currently structured, it provides input to a checking tool, but does not control that tool's actions: Tools may execute Rules in any order, may arbitrarily select from multiple checking mechanisms in a single Rule, and determine whether complex checks are complete or short-circuit. Requests have been made to have XCCDF provide more direct control in how the document is processed by tools. Possible features include making processing more deterministic as well as more sophisticated control structures to coordinate the activity of checks.
* Enhanced tailoring capabilities - An important use case of XCCDF is the ability for users to tailor existing content. Currently, XCCDF supports a manual process for in-place tailoring. Requests have been made for the ability to tailor an XCCDF document without altering the document itself (not-in-place tailoring) as well as automation of some of the tailoring capabilities (possibly based on initial sets of checks).
* Remediation support - Another use case of XCCDF is to provide a wrapper for remediation actions. Currently, remediation content is provided in a mixed content "fixtext" field. Recent efforts, such as the nascent OVRL (Open Vulnerability Remediation Language), have sought to add more structure to the remediation process. Requests have been made to make XCCDF better support this new standards-based approach to remediation.
Certainly these do not cover all the open XCCDF issues, but they seem to be the primary issues that are at a use-case level. (If you feel that I am neglecting an important issue regarding support of use cases - new, existing, or obsolete - please email me at [hidden email].)
The XCCDF session will be an open forum to discuss these and other issues. The purpose of these discussions will be to create a framework for possible technical solutions and help understand the needs of the community for the next release of XCCDF. The opinions expressed in the session will be captured in a summary document and distributed on the mailing list so people unable to attend can view the discussion and contribute their own voice. The results of this conversation will provide guidance to subsequent, community-based technical discussions.
I hope you will be able to join us for these discussions.
Charles Schmidt
The MITRE Corp.