NIST Interagency Report 7275 Revision 3 Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4 Neal Ziring Stephen D. Quinn
NIST Interagency Report 7275 Specification for the Extensible Revision 3 Configuration Checklist Description Format (XCCDF) Version 1.1.4
Neal Ziring Stephen D. Quinn C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930
January 2008
U.S. Department of Commerce Carlos M. Gutierrez, Secretary National Institute of Standards and Technology James M. Turner, Acting Director SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.1.4
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified ...
NIST Interagency Report 7275
Revision 3
Specification for the
Extensible Configuration
Checklist Description Format
(XCCDF) Version 1.1.4
Neal Ziring
Stephen D. Quinn
NIST Interagency Report 7275 Specification for the Extensible Revision 3
Configuration Checklist
Description Format (XCCDF)
Version 1.1.4
Neal Ziring
Stephen D. Quinn
C O M P U T E R S E C U R I T Y
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
January 2008
U.S. Department of Commerce
Carlos M. Gutierrez, Secretary
National Institute of Standards and Technology
James M. Turner, Acting Director SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.1.4
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in Federal computer systems. This Interagency Report discusses ITL’s
research, guidance, and outreach efforts in computer security and its collaborative activities with industry,
government, and academic organizations.
National Institute of Standards and Technology Interagency Report 7275 Revision 3
132 pages (January 2008)
Certain commercial entities, equipment, or materials may be identified in this
document in order to describe an experimental procedure or concept adequately.
Such identification is not intended to imply reco mmendation or endorsement by the
National Institute of Standards and Technology, nor is it intended to imply that the
entities, materials, or equipment are necessarily the best available for the purpose.
iii SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.1.4
Abstract
This report specifies the data model and Extensible Markup Language (XML) representation for
the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. An
XCCDF document is a structured collection of security configuration rules for some set of target
systems. The XCCDF specification is designed to support information interchange, document
generation, organizational and situational tailoring, automated compliance testing, and
compliance scoring. The specification also defines a data model and format for storing results of
security guidance or checklist compliance testing. The intent of XCCDF is to provide a uniform
foundation for expression of security checklists and other configuration guidance, and thereby
foster more widespread application of good security practices.
Purpose and Scope
The XCCDF standardized XML format enables an automated provisioning of recommendations
for minimum security controls for information systems categorized in accordance with NIST
Special Publication (SP) 800-53, Recommended Security Controls for Federal Information
Systems, and Federal Information Processing Standards (FIPS) 199, Standards for Security
Categorization of Federal Information and Information Systems, to support Federal Information
Security Management Act (FISMA) compliance efforts.
To promote the use, standardization, and sharing of effective security checklists, NIST and the
National Security Agency (NSA) have collaborated with representatives of private industry to
develop the XCCDF specification. The specification is vendor-neutral, flexible, and suited for a
wide variety of checklist applications.
Audience
The primary audience of the XCCDF specification is government and industry security analysts,
and industry security management product developers. NIST and NSA welcome feedback from
these groups on improving the XCCDF specification.
iv SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.1.4
Table of Contents
1. Introduction............................................................................................................................ 1
1.1. Background..................................................................................................................... 2
1.2. Vision for Use................................................................................................................. 2
1.3. Summary of Changes since Version 1.0......................................................................... 3
2. Requirements ......................................................................................................................... 6
2.1. Structure and Tailoring Requirements............................................................................ 8
2.2. Inheritance and Inclusion Requirements 9
2.3. Document and Report Formatting Requirements ........................................................... 9
2.4. Rule Checking Requirements ......................................................................................... 9
2.5. Test Results Requirements............................................................................................ 10
2.6. Metadata and Security Requirements ........................................................................... 11
3. Data Model........................................................................................................................... 12
3.1. Benchmark Structure .................................................................................................... 13
3.2. Object Content Details.................................................................................................. 14
3.3. Processing Models ........................................................................................................ 33
4. XML Representation............................................................................................................ 43
4.1. XML Document General Considerations ..................................................................... 43
4.2. XML Element Dictionary ............................................................................................. 44
4.3. Handling Text and String Content ................................................................................ 77
5. Conclusions.......................................................................................................................... 79
6. Appendix A – XCCDF Schema........................................................................................... 80
7. Appendix B – Sample Benchmark File ............................................................................. 113
8. Appendix C – Pre-Defined URIs ....................................................................................... 120
9. Appendix D – References .................................................................................................. 124
10. Appendix E – Acronym List.............................................................................................. 125
v SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.1.4
Acknowledgements
The authors of this report, Neal Ziring of the National Security Agency (NSA) and Stephen D.
Quinn of the National Institute of Standards and Technology (NIST), would like to acknowledge
the following individuals who contributed to the initial definition and development of the
Extensible Configuration Checklist Description Format (XCCDF): David Proulx, Mike
Michnikov, Andrew Buttner, Todd Wittbold, Adam Compton, George Jones, Chris Calabrese,
John Banghart, Murugiah Souppaya, John Wack, Trent Pitsenbarger, and Robert Stafford. Peter
Mell, Matthew Wojcik, and Karen Scarfone contributed to Revisions 1, 2, and 3 of this report.
David Waltermire was instrumental in supporting the development of XCCDF; he contributed
many important concepts and constructs, performed a great deal of proofreading on this
specification report, and provided critical input based on implementation experience. Ryan
Wilson of Georgia Institute of Technology also made substantial contributions. Thanks also go
to the Defense Information Systems Agency (DISA) Field Security Office (FSO) Vulnerability
Management System (VMS)/Gold Disk team for extensive review and many suggestions.
Trademark Information
Cisco and IOS are registered trademarks of Cisco Systems, Inc. in the USA and other countries.
Windows and Windows XP are registered trademarks of Microsoft Corporation in the USA and
other countries.
Solaris is a registered trademark of Sun Microsystems, Inc.
OVAL and CPE are trademarks of The MITRE Corporation.
All other names are registered trademarks or trademarks of their respective companies.
Warnings
SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY
DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THI