Specification for the Extensible Configuration Checklist ...

Bebag - Neal Ziring , Stephen Quinn

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

132 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Sujets

NIST Interagency Report 7275 Revision 3 Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4 Neal Ziring Stephen D. Quinn NIST Interagency Report 7275 Specification for the Extensible Revision 3 Configuration Checklist Description Format (XCCDF) Version 1.1.4 Neal Ziring Stephen D. Quinn C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 January 2008 U.S. Department of Commerce Carlos M. Gutierrez, Secretary National Institute of Standards and Technology James M. Turner, Acting Director SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.1.4 Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Interagency Report discusses ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Interagency Report 7275 Revision 3 132 pages (January 2008) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply reco mmendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. iii SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.1.4 Abstract This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of security guidance or checklist compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices. Purpose and Scope The XCCDF standardized XML format enables an automated provisioning of recommendations for minimum security controls for information systems categorized in accordance with NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, and Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, to support Federal Information Security Management Act (FISMA) compliance efforts. To promote the use, standardization, and sharing of effective security checklists, NIST and the National Security Agency (NSA) have collaborated with representatives of private industry to develop the XCCDF specification. The specification is vendor-neutral, flexible, and suited for a wide variety of checklist applications. Audience The primary audience of the XCCDF specification is government and industry security analysts, and industry security management product developers. NIST and NSA welcome feedback from these groups on improving the XCCDF specification. iv SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.1.4 Table of Contents 1. Introduction............................................................................................................................ 1 1.1. Background..................................................................................................................... 2 1.2. Vision for Use................................................................................................................. 2 1.3. Summary of Changes since Version 1.0......................................................................... 3 2. Requirements ......................................................................................................................... 6 2.1. Structure and Tailoring Requirements............................................................................ 8 2.2. Inheritance and Inclusion Requirements 9 2.3. Document and Report Formatting Requirements ........................................................... 9 2.4. Rule Checking Requirements ......................................................................................... 9 2.5. Test Results Requirements............................................................................................ 10 2.6. Metadata and Security Requirements ........................................................................... 11 3. Data Model........................................................................................................................... 12 3.1. Benchmark Structure .................................................................................................... 13 3.2. Object Content Details.................................................................................................. 14 3.3. Processing Models ........................................................................................................ 33 4. XML Representation............................................................................................................ 43 4.1. XML Document General Considerations ..................................................................... 43 4.2. XML Element Dictionary ............................................................................................. 44 4.3. Handling Text and String Content ................................................................................ 77 5. Conclusions.......................................................................................................................... 79 6. Appendix A – XCCDF Schema........................................................................................... 80 7. Appendix B – Sample Benchmark File ............................................................................. 113 8. Appendix C – Pre-Defined URIs ....................................................................................... 120 9. Appendix D – References .................................................................................................. 124 10. Appendix E – Acronym List.............................................................................................. 125 v SPECIFICATION FOR THE EXTENSIBLE CONFIGURATION CHECKLIST DESCRIPTION FORMAT (XCCDF) VERSION 1.1.4 Acknowledgements The authors of this report, Neal Ziring of the National Security Agency (NSA) and Stephen D. Quinn of the National Institute of Standards and Technology (NIST), would like to acknowledge the following individuals who contributed to the initial definition and development of the Extensible Configuration Checklist Description Format (XCCDF): David Proulx, Mike Michnikov, Andrew Buttner, Todd Wittbold, Adam Compton, George Jones, Chris Calabrese, John Banghart, Murugiah Souppaya, John Wack, Trent Pitsenbarger, and Robert Stafford. Peter Mell, Matthew Wojcik, and Karen Scarfone contributed to Revisions 1, 2, and 3 of this report. David Waltermire was instrumental in supporting the development of XCCDF; he contributed many important concepts and constructs, performed a great deal of proofreading on this specification report, and provided critical input based on implementation experience. Ryan Wilson of Georgia Institute of Technology also made substantial contributions. Thanks also go to the Defense Information Systems Agency (DISA) Field Security Office (FSO) Vulnerability Management System (VMS)/Gold Disk team for extensive review and many suggestions. Trademark Information Cisco and IOS are registered trademarks of Cisco Systems, Inc. in the USA and other countries. Windows and Windows XP are registered trademarks of Microsoft Corporation in the USA and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. OVAL and CPE are trademarks of The MITRE Corporation. All other names are registered trademarks or trademarks of their respective companies. Warnings SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THI