SCAP Devs,
I’m not sure if this list is still active, but I’d like some feedback on the level of interest for putting together requirements for a language that either extends or replaces XCCDF.
For background, we’ve been using XCCDF in the Continuous Monitoring and Risk Scoring (CMRS) system for over a decade now and have derived a lot of value from XCCDF in terms of leveraging the concept that benchmarks can be defined using a benchmark identifier, version, and profile, then each benchmark check has a rule ID and a result that resolves to one of the values in the XCCDF enumerations (pass/fail/fixed/error/notapplicable/notchecked). We have also used XCCDF to encode the checks we need to run to calculate compliance within the system so that each check is included in a benchmark with a target population of devices that is specified using a set of “platform” definitions consisting of a set of logical combinations of software and OS strings in CPE format.
Recently, though, we’ve pushed the limits of what XCCDF is structured to do. Most recently, we set out to use the XCCDF policy XML to encode checks where we need to capture check results per rule, but we also need to roll rule results up to the group level using logical and/or statements, then pass or fail at the benchmark level by completing a logical “or” of the groups so that if any group passes, then the device passes for the group.
The specific use case here is to address the “readiness” concept for endpoint protection products. For example, if a device is protected using either the built-in firewall or a 3rd party firewall, and one or the other meets the criteria of being enabled, and not having any permit any-any connections in its ACL, then the device will “pass” for device firewall.
At an even higher level, we then need to say if the device has pass results for firewall, anti-malware, data loss prevention, and data-at-rest encryption, then it passes for “readiness”. However, we need to retain and expose the full drilldown from the multi-benchmark evaluation, the multi-group evaluation, and the multi-rule evaluation so users can determine what specific things need to be fixed to attain “readiness.”
In our next iteration, we want to be able to look at results that come in pre-calculated from other benchmarks, so if the OS STIG already checks for firewall compliance, we can just re-use its pass/fail results versus having to compute them in the system. Further, we need to run checks against device populations that contain IP ranges or text in their host names, then apply specific text strings versus the standard XCCDF compliance values—but still use the XCCDF value enumeration when we’re evaluating compliance.
My developers have requested we abandon XCCDF for encoding these checks because they don’t like “XCCDF” and would like to use JSON or some other alternative. XCCDF is also limited with respect to the depth of logical nesting it can carry and the value assignments that can be made to the resulting logical results. I would like to have an XML implementation so I can leverage the security properties of XML schema to ease implementation of things like static code analysis and using cross-domain tools to transfer data across different classifications of networks. Ideally, we’d have both JSON and XML implementations and an easy way to transition back and forth.
Given DOD’s and DISA’s commitment to leverage standards when they’re available, I’m wondering if the SCAP community (if that’s a “thing” anymore) would like to try to find a standard way to encode the expanded capabilities in some new XML, JSON, or other encoding methodology so “policies” can be shared among multiple tools instead of having to be re-encoded every time the evaluation needs to be conducted on a new tool or across multiple different tools.
If I don’t hear anything back, we’ll come up with a methodology and tech solution regardless.
Joseph L. Wolfkiel, GS-14
Endpoint SCM Engineering Lead
DISA ID33
Fort Meade DISA Acquisition Bldg Cube A4A58E
Work: (301) 225-8820
Gov Cell: (571) 814-8231
DSN: (312) 375-8820
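The rollup scheme described in the message above (rule results combined with and/or at the group level, an “or” across groups at the benchmark level, an “and” across firewall, anti-malware, DLP and data-at-rest encryption for “readiness”, tool-specific result strings mapped onto the XCCDF enumeration, and the full drilldown retained so a user can see what to fix), as an added example in Python. This is not code from the post, from DISA’s CMRS system, or from any SCAP tool; the tree layout, rule identifiers, the tool-string mapping and the sample device values are constructed assumptions.

```python
# Added example: nested and/or rollup of XCCDF rule results with drilldown.
# Not part of XCCDF, SCAP or CMRS; ids, mappings and sample data are constructed.
from dataclasses import dataclass
from typing import List, Union

# The XCCDF result enumeration named in the post.
PASS, FAIL, FIXED, ERROR, NOTAPPLICABLE, NOTCHECKED = (
    "pass", "fail", "fixed", "error", "notapplicable", "notchecked")

# Assumed mapping from tool-specific strings onto the XCCDF enumeration, so
# non-standard inputs can still be evaluated with the standard values.
TOOL_RESULT_MAP = {
    "compliant": PASS, "non-compliant": FAIL, "remediated": FIXED,
    "n/a": NOTAPPLICABLE, "not run": NOTCHECKED, "scan error": ERROR,
}


def normalize(raw: str) -> str:
    """Map a raw result string to an XCCDF value; unknown strings become 'error'."""
    value = raw.strip().lower()
    if value in (PASS, FAIL, FIXED, ERROR, NOTAPPLICABLE, NOTCHECKED):
        return value
    return TOOL_RESULT_MAP.get(value, ERROR)


def as_bool(result: str):
    """pass/fixed -> True, fail/error -> False, notapplicable/notchecked -> None (neutral)."""
    if result in (PASS, FIXED):
        return True
    if result in (FAIL, ERROR):
        return False
    return None


@dataclass
class Rule:
    id: str
    result: str        # raw string from a checker, or a result reused from another benchmark


@dataclass
class Node:
    id: str
    op: str            # "and" or "or"
    children: List[Union["Node", Rule]]


def evaluate(node):
    """Return (xccdf_result, drilldown) for a rule or a nested and/or node."""
    if isinstance(node, Rule):
        r = normalize(node.result)
        return r, {"id": node.id, "result": r}
    evaluated = [evaluate(c) for c in node.children]
    votes = [as_bool(r) for r, _ in evaluated if as_bool(r) is not None]
    if not votes:                       # every child was neutral
        agg = NOTAPPLICABLE if all(r == NOTAPPLICABLE for r, _ in evaluated) else NOTCHECKED
    elif node.op == "and":
        agg = PASS if all(votes) else FAIL
    elif node.op == "or":
        agg = PASS if any(votes) else FAIL
    else:
        raise ValueError(f"unknown operator {node.op!r} at {node.id}")
    return agg, {"id": node.id, "op": node.op, "result": agg,
                 "children": [d for _, d in evaluated]}


def failed_rules(drill, path=""):
    """List 'path/to/rule' for every leaf that failed or errored, so a user sees what to fix."""
    here = f"{path}/{drill['id']}" if path else drill["id"]
    if "children" not in drill:
        return [here] if as_bool(drill["result"]) is False else []
    return [p for child in drill["children"] for p in failed_rules(child, here)]


def firewall_benchmark(builtin, third_party):
    """The device passes if either firewall is enabled AND has no permit any-any ACL entry."""
    return Node("firewall", "or", [
        Node("builtin-firewall", "and", [
            Rule("builtin-enabled", builtin["enabled"]),
            Rule("builtin-no-any-any", builtin["no_any_any"])]),
        Node("third-party-firewall", "and", [
            Rule("tp-enabled", third_party["enabled"]),
            Rule("tp-no-any-any", third_party["no_any_any"])]),
    ])


def readiness(device):
    """Readiness requires firewall, anti-malware, DLP and data-at-rest encryption to all pass."""
    tree = Node("readiness", "and", [
        firewall_benchmark(device["builtin_fw"], device["third_party_fw"]),
        Rule("anti-malware", device["anti_malware"]),
        Rule("dlp", device["dlp"]),
        Rule("dar-encryption", device["dar"]),
    ])
    return evaluate(tree)


# Constructed sample device: the built-in firewall has an any-any entry, but the
# third-party firewall is clean, so the firewall benchmark still passes; DLP
# reports a tool-specific string that maps to 'fail', which blocks readiness.
SAMPLE_DEVICE = {
    "builtin_fw": {"enabled": "pass", "no_any_any": "fail"},
    "third_party_fw": {"enabled": "pass", "no_any_any": "pass"},
    "anti_malware": "compliant",
    "dlp": "non-compliant",
    "dar": "pass",     # could be reused verbatim from an OS STIG result
}

if __name__ == "__main__":
    result, drill = readiness(SAMPLE_DEVICE)
    print(result, failed_rules(drill))
```

The drilldown dict returned alongside each result is the piece that preserves the multi-benchmark, multi-group and multi-rule view: a consumer can render the whole tree, or call `failed_rules` to list only the leaves that block a pass. Neutral results (notapplicable/notchecked) are excluded from the vote so a group is not failed by a rule that did not apply; a group whose children are all neutral stays neutral instead of silently passing.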