Hello All,

One of the tasks being considered by the SCAP v2 XCCDF & Authoring group is making improvements to XCCDF. By “improvements”, I mean incremental changes to the current schema/model that—ideally—would be backwards compatible. This task does not include wholesale changes to the model or switching from XML to another format; those types of changes are being considered as a part of a different task.

As a first step, we are compiling a list of RFEs (requests for enhancement). Please respond to this email to add RFEs of your own! These can be problems to solve, opportunities to realize or any other specific wish list item for XCCDF.

Here are a few that have been mentioned on various mailing lists to get the ball rolling:
- Better support for automation-friendly remediations, for example:
  - A well-specified way to reference external remediations in well-known formats (Chef, Ansible, PowerShell, etc.), including common remediation-relevant metadata for each remediation (e.g. applicability, restart behavior, user input requirements, uninstall steps, etc.)
- Expand Profiles/Tailoring to allow:
  - Customizing the XCCDF metadata (titles, descriptions, etc.)
  - Adding external rules and/or checks
  - Overriding arbitrary OVAL elements and/or values
- A way TBD to describe how multiple benchmarks should be applied to a system composed of devices with different roles (production DB server, web server, etc.). This might be a meta-benchmark or catalog of some sort or a way for benchmarks to reference other benchmarks, mapping them by role, tier, OS, etc.
--
To unsubscribe from this group, send email to scap-dev-author...@list.nist.gov
Visit this group at https://list.nist.gov/scap-dev-authoring
---
To unsubscribe from this group and stop receiving emails from it, send an email to scap-dev-author...@list.nist.gov.
Hi,

here are some “small” annoyances with XCCDF which should be ironed out in a future release of XCCDF:

Mostly rather small stuff … but stuff that would save our organization a lot of time in dealing with externally available XCCDF benchmarks.

Kind regards,
Bernd
--
This information categorizes the list of proposed enhancements to XCCDF compiled by David Ries in his Aug 15 email and supplemented by additional suggestions from the August 16 XCCDF and Content Authoring teleconference. It is noted that all of these represent incremental changes to XCCDF (or to other standards) rather than major revisions.

Standardizing Documentation Capture

This covers efforts to better support human-readable information within SCAP content. The utilization of such mechanisms would help users of SCAP to better render instructions/descriptions to make it easier to understand what the automation checks and how to interpret the results.

These enhancements would primarily be used by Content Developers who were intending to build content for a wide audience, and thus one for which clear context would need to be applied. Content Authors would be less likely to do this as their documentation focus would generally be on functional automation and any description would be more along the lines of code documentation, intended for those who shared a given context and who do not generally need significant power or flexibility in the presentation thereof.

• Support Markdown instead/alongside HTML for human-readable content
• Human-readable check info

Content Management for Authors

This covers efforts to make SCAP content and content elements easier to track within a content management environment. They would make it easier to find specific content, track how that content has changed, and thus better reuse and manage the implications of reuse of content.

These enhancements would primarily be used by Content Developers who focus on development of larger SCAP content corpora that are intended to have a long lifetime. It would allow Content Developers to maintain large bodies of existing content from which they could pull existing elements for reuse, as well as to better manage changes to content elements that impact their content collections.

Content Authors might also benefit from these changes if it allowed them to quickly locate and apply content elements needed to address a specific task.

• Lifetime identifiers
• Identifier format improvements
• Rule-specific History information

Content Execution Control

This covers extensions to mechanisms that allow parties to modify the behaviors of existing content through changes to elements of it or by combining it with other existing content. It makes SCAP content more flexible by allowing parties to modify behavior without altering low level structures of the content.

These enhancements will benefit both Content Developers and Content Authors. Content Developers will benefit because it will allow them to create content bodies that are applicable to more scenarios, making the content more immediately usable by their customers. Content Authors will benefit from these enhancements because it will make it easier to tweak existing content to account for local variations and needs.

• Extension point for applicability information
• Profile-based rule ordering
• Enhanced profile extension (apply profiles to multiple benchmarks)
• Expand Profiles/Tailoring to allow customizing of XCCDF Metadata, adding external checks, overriding arbitrary OVAL elements and values
• Express a system composed of multiple devices with different roles/benchmarks

Remediation

This covers enhancements to move SCAP beyond assessment and enable it to initiate responses to this assessment in an automated manner. Both Content Developers and Content Authors are likely to make use of this feature. Content Authors might be slightly more likely to employ this because they will have an awareness of local needs and nuances that make it safer to invoke automated responses to detected conditions. By contrast, Content Developers might be concerned about automatically changing system configurations due to the potential for unintended consequences. (Even automated application of missing patches, which is a fairly straightforward process, might be considered too risky to write into content when one doesn't know the enterprise's policy for vetting patches prior to application.)

• Better support for automation-friendly remediations
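As an added illustration (not code from this thread, from NIST, or from any SCAP tool), the following Python resolves a constructed XCCDF 1.2 benchmark against a constructed Tailoring profile using only the primitives tailoring offers today: `select`, `refine-value`, `set-value` and `refine-rule`. All ids, values and fix scripts are made up for the example. It makes concrete both the "Expand Profiles/Tailoring" item in David's list and the "Content Execution Control" and "Remediation" buckets above: a site profile can change rule selection, which `Value` variant is exported to the OVAL check, and severity, but it cannot reach titles and descriptions, the check content itself or externally defined rules, which is the gap the RFE describes. It also surfaces the `fix` element's existing `reboot` and `disruption` attributes, the kind of metadata the remediation RFE wants to carry for external formats as well.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed benchmark for illustration only; ids, values and scripts are made up.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Value id="xccdf_example_value_ssh_timeout" type="number">
    <value>600</value>
    <value selector="strict">300</value>
  </Value>
  <Rule id="xccdf_example_rule_ssh_timeout" selected="true" severity="medium">
    <title>Set SSH idle timeout</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-export value-id="xccdf_example_value_ssh_timeout" export-name="oval:example:var:1"/>
      <check-content-ref href="oval.xml" name="oval:example:def:1"/>
    </check>
    <fix system="urn:xccdf:fix:script:sh" reboot="false" disruption="low">echo 'ClientAliveInterval 600' &gt;&gt; /etc/ssh/sshd_config</fix>
  </Rule>
  <Rule id="xccdf_example_rule_telnet_absent" selected="false" severity="high">
    <title>Telnet server must not be installed</title>
    <fix system="urn:xccdf:fix:script:sh" reboot="false" disruption="medium">yum -y remove telnet-server</fix>
  </Rule>
  <Profile id="xccdf_example_profile_base">
    <title>Base</title>
    <select idref="xccdf_example_rule_ssh_timeout" selected="true"/>
  </Profile>
</Benchmark>"""

# Constructed site tailoring: enables a rule, picks a stricter value, raises severity.
TAILORING_XML = """<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_site">
  <benchmark href="demo-benchmark.xml"/>
  <version time="2019-09-01T00:00:00">1</version>
  <Profile id="xccdf_example_profile_site" extends="xccdf_example_profile_base">
    <title>Site profile</title>
    <select idref="xccdf_example_rule_telnet_absent" selected="true"/>
    <refine-value idref="xccdf_example_value_ssh_timeout" selector="strict"/>
    <refine-rule idref="xccdf_example_rule_ssh_timeout" severity="high"/>
  </Profile>
</Tailoring>"""


def _profile_chain(profiles, profile_id):
    """Profiles from the root ancestor down to profile_id, following 'extends'."""
    chain = []
    while profile_id is not None:
        prof = profiles[profile_id]
        chain.append(prof)
        profile_id = prof.get("extends")
    return chain[::-1]


def _effective_value(value_elem, selector, override):
    """set-value wins; else the <value> whose selector matches; else the default."""
    if override is not None:
        return override
    candidates = value_elem.findall("x:value", NS)
    for v in candidates:
        if v.get("selector") == selector:
            return v.text
    for v in candidates:  # fall back to the variant with no selector
        if v.get("selector") is None:
            return v.text
    return None


def resolve(benchmark_xml, tailoring_xml, profile_id):
    """Return {rule_id: {severity, exports, fixes}} for the rules profile_id selects."""
    bench, tail = ET.fromstring(benchmark_xml), ET.fromstring(tailoring_xml)
    profiles = {p.get("id"): p
                for p in bench.findall("x:Profile", NS) + tail.findall("x:Profile", NS)}
    rules = {r.get("id"): r for r in bench.findall("x:Rule", NS)}
    values = {v.get("id"): v for v in bench.findall("x:Value", NS)}

    # Defaults come from the Rule elements; profiles then layer on top, child last.
    selected = {rid: r.get("selected", "false") == "true" for rid, r in rules.items()}
    severity = {rid: r.get("severity", "unknown") for rid, r in rules.items()}
    selector, override = {}, {}
    for prof in _profile_chain(profiles, profile_id):
        for el in prof.findall("x:select", NS):
            selected[el.get("idref")] = el.get("selected") == "true"
        for el in prof.findall("x:refine-value", NS):
            selector[el.get("idref")] = el.get("selector")
        for el in prof.findall("x:set-value", NS):
            override[el.get("idref")] = el.text
        for el in prof.findall("x:refine-rule", NS):
            if el.get("severity"):
                severity[el.get("idref")] = el.get("severity")

    result = {}
    for rid, rule in rules.items():
        if not selected[rid]:
            continue
        exports = {ce.get("export-name"): _effective_value(values[ce.get("value-id")],
                                                           selector.get(ce.get("value-id")),
                                                           override.get(ce.get("value-id")))
                   for ce in rule.findall("x:check/x:check-export", NS)}
        fixes = [{"system": f.get("system"), "reboot": f.get("reboot") == "true",
                  "disruption": f.get("disruption"), "script": (f.text or "").strip()}
                 for f in rule.findall("x:fix", NS)]
        # Titles, descriptions and the OVAL definition body are untouched by any
        # profile element: that is the limitation the tailoring RFE is about.
        result[rid] = {"severity": severity[rid], "exports": exports, "fixes": fixes}
    return result


if __name__ == "__main__":
    for rid, info in resolve(BENCHMARK_XML, TAILORING_XML, "xccdf_example_profile_site").items():
        print(rid, info["severity"], info["exports"], [f["reboot"] for f in info["fixes"]])
```

Resolving the base profile yields one rule (the SSH timeout, medium, exporting 600); resolving the site profile yields both rules, with the SSH rule now high and exporting 300. Nothing in either profile can rename a rule or swap in a different check, which is why the RFE asks for those extension points.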
On Aug 29, 2019, at 5:49 PM, Charles Schmidt <schmidt....@gmail.com> wrote:

Hi all,

Per my action item from the last call, I've taken a stab at organizing the incremental improvements identified in David's compilation. I felt that they fell into four distinct buckets. Comments are welcome.

Charles
<XCCDF - Incremental Improvements for XCCDF.pptx>