April 11, 2012

Introduction to XCCDF

XCCDF (The Extensible Configuration Checklist Description Format) is a specification language based on XML for description of security configuration checklists and other similar documents. XCCDF is one of the languages of Security Content Automation Protocol (SCAP) and an important instrument for specialists engaged in automation of information security processes. This language, for instance, is used to describe configuration requirements for the USA federal agencies’ and their contractors’ workstations (FDCC/USGCB program).

This article considers the way of describing security configuration checklists in the XCCDF language in terms of USGCB content for RedHat Enterprise Linux.

An XCCDF document consists of one or several XCCDF rules. A rule is a high level representation of a technical system check. For example: ‘Minimum user password length should be 12 characters.’ Let’s consider this rule in the XCCDF language:

<Rule id="usgcb-rhel5desktop-rule-2.3.1.7.a" selected="false" weight="10.0"
prohibitChanges="false" abstract="false" hidden="false" role="full" severity="unknown">
  <status date="2010-07-01">accepted</status>
  <version update="1"/>
  <title override="0">CCE-4154-1:Set password minimum length</title>
  <description xml:lang="en-US" override="0">The password minimum length should be set
  appropriately</description>
  <ident system="cce.mitre.org">CCE-4154-1</ident>
  <check system="oval.mitre.org/XMLSchema/oval-definitions-5" selector="">
    <check-export value-id="usgcb-rhel5desktop-var-2.3.1.7.a" 
    export-name="oval:gov.nist.usgcb.rhel:var:20071"/>
    <check-content-ref href="usgcb-rhel5desktop-oval.xml" 
    name="oval:gov.nist.usgcb.rhel:def:20071"/>
  </check>
</Rule>

The XCCDF rule does not directly describe how to check the system. Instead, it contains a reference to other XML documents (for instance, OVAL definitions) which in their turn contain actual instructions on this check. The OVAL language has been in detail considered in our article ‘OVAL®, Or ‘Myth about an Ideal Scanner’ (available in Russian only).

The XCCDF rule in this example refers to OVAL definition with ID oval:gov.nist.usgcb.rhel:def:20071. Required value of the verified parameter is transferred via variables. The value of XCCDF variable usgcb-rhel5desktop-var-2.3.1.7.a is transferred to the external OVAL variable oval:gov.nist.usgcb.rhel:var:20071 (transferred value is 12). See the way of this XCCDF variable initialization below.

There is ‘ССЕ-4154-1’ substring (check number under the Common Configuration Enumeration, CCE) in the title of the XCCDF rule. This enumeration allows keeping a unified register of issues relating to systems configuration.

Parameter weight characterizes the importance of the XCCDF rule; its default value is 1. Weights are used to calculate final metrics identifying system compliance with the standard requirements.

The method of ХCCDF rules enumeration should be noted (in this case the rule number is 2.3.1.7.a). XCCDF rules enumeration replicates clauses enumeration of the standard document. Furthermore, correspondence between the standard document and its XCCDF representation is achieved by the XCCDF rules grouping. XCCDF groups may contain one or several rules or groups.

A group containing the rule usgcb-rhel5desktop-var-2.3.1.7.a will be as follows:
<Group id="usgcb-rhel5desktop-group-2.3.1.7" hidden="false" prohibitChanges="false"
abstract="false" selected="true" weight="1.0">
  <title xml:lang="en-US" override="0">Set Password Expiration Parameters</title>
  <description xml:lang="en-US" override="0"> Edit the file /etc/login.defs to specify
  password expiration settings for new accounts.
  …
  </description>
  <Value id="usgcb-rhel5desktop-var-2.3.1.7.a" type="string" operator="equals" 
  prohibitChanges="false" abstract="false" hidden="false" interactive="0">
    <title xml:lang="en-US" override="0">minimum password length</title>
    <description xml:lang="en-US" override="0">Minimum number of characters in 
    password</description>
    <warning override="0" category="general">This will only check new 
    passwords</warning>
    <value selector="">14</value>
    <value selector="6">6</value>
    <!-- NIST 800-53 requires 1 in a million using brute force which translates to six 
    numbers -->
    <value selector="8">8</value>
    <value selector="10">10</value>
    <value selector="12">12</value>
    <value selector="14">14</value>
  </Value>
  <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.a" selected="false" weight="10.0" 
  prohibitChanges="false" abstract="false" hidden="false" role="full" severity="unknown">
    <status date="2010-07-01">accepted</status>
    <version update="1"/>
    <title override="0">CCE-4154-1:Set password minimum length</title>
    <description xml:lang="en-US" override="0">The password minimum length should be 
    set appropriately</description>
    <ident system="cce.mitre.org">CCE-4154-1</ident>
    <check system="oval.mitre.org/XMLSchema/oval-definitions-5" selector="">
      <check-export value-id="usgcb-rhel5desktop-var-2.3.1.7.a"
      export-name="oval:gov.nist.usgcb.rhel:var:20071"/>
      <check-content-ref href="usgcb-rhel5desktop-oval.xml" 
      name="oval:gov.nist.usgcb.rhel:def:20071"/>
    </check>
  </Rule>
  <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.b" selected="false" weight="10.0" 
  prohibitChanges="false" abstract="false" hidden="false" role="full" severity="unknown">
  …
  </Rule>
  <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.c" selected="false" weight="10.0" 
  prohibitChanges="false"
  ...
  </Rule>
  <Rule id="usgcb-rhel5desktop-rule-2.3.1.7.d" selected="false" weight="10.0" 
  prohibitChanges="false" 
  ...
  </Rule>
</Group>

In this example we should note how the XCCDF rules are grouped and how the values of the XCCDF variables are initialized. The usgcb-rhel5desktop-group-2.3.1.7 group besides already considered rule usgcb-rhel5desktop-rule-2.3.1.7.a contains the rules usgcb-rhel5desktop-rule-2.3.1.7.b, usgcb-rhel5desktop-rule-2.3.1.7.c, and usgcb-rhel5desktop-rule-2.3.1.7.d. Exact variable value is selected depending on the selector value associated with the variable.

The rules of an XCCDF document may be organized in profiles. Profiles may be used to describe several policies within one XCCDF document. A profile contains a list of rules applicable to this standard, and values of selectors that are necessary to verify compliance of the system state with the standard requirements.

A profile for the rule usgcb-rhel5desktop-var-2.3.1.7.a will be as follows:

<Profile id="united_states_government_configuration_baseline" abstract="false"
prohibitChanges="false">
  <title xml:lang="en-US" override="0">United States Government Configuration
  Baseline 1.0.5.0title>
  <description xml:lang="en-US" override="0">This profile represents guidance
  outlined in United States Government Configuration Baseline for desktop 
  systems with Redhat Enterprise Linux 5 installed.

<description>  …
  <select idref="usgcb-rhel5desktop-rule-2.3.1.7.a" selected="true"/>
  <refine-value idref="usgcb-rhel5desktop-var-2.3.1.7.a" selector="12"/>
  …
< Profile>
Thus, the rule 2.3.1.7.a with selector 12 must be checked in the profile united_states_government_configuration_baseline. The general structure of an XCCDF document is represented in fig. 1.


Figure 1. XCCDF Document Structure

Thus an XCCDF document represents a structured set of security configuration rules for a set of target systems.

You can find detailed information on the XCCDF structure in XCCDF and SCAP specifications.

1 comment:

  1. This comment has been removed by a blog administrator.

    ReplyDelete