This table provides a matrix of SCAP content requirements is provided implemented in the SCAP Content Validation tool v1.1. The matrix indicates which requirements are checked by SCAP Content Validation tool. The section numbers in the matrix refer to SP 800-126 which is available here .
GENERAL |
|||||||
|---|---|---|---|---|---|---|---|
| Requirement ID | 800-126 Section | 800-126 Statement | Note | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category |
| 1 | An SCAP Benchmark document validates against the XCCDF schema (http://nvd.nist.gov/scap/xccdf/docs/xccdf-1.1.4.xsd) and conforms to all relevant content requirements as outlined in the XCCDF Specification [QUI08]. | 4.1 | For all SCAP XCCDF documents a validating parse must be run with no errors prior to performing any other processing is performed. | SCHEMA | ERROR | SOURCE_CONTENT | |
| 2 | In cases where localized text is used, US English is the default language. If a @lang attribute is omitted, the @lang attribute of the nearest ancestor <xccdf:Benchmark>, <xccdf:Value>, <xccdf:Group> and <xccdf:Rule> element should be consulted. If this value is omitted, then a value of lang="en-US" SHALL be used by default. | 4.1 | For all XCCDF documents, if a value other than "en-US" is specified, a warning will be generated because not all SCAP-compliant tools can necessarily process information in other languages/encodings. Clearer guidance on this issue is expected in 800-126 v1.1. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 3 | The REQUIRED @id attribute SHALL be used to uniquely identify all revisions of a benchmark globally. | 4.1.1 | SCHEMA | ERROR | SKIPPED | ||
| 4 | The @style attribute, if provided, SHALL have the value "SCAP_1.0". If not provided, its value SHALL be assumed to be "SCAP_1.0". | 4.1.1 | For all a) XCCDF documents whose @style attribute is specified whose value is anything by SCAP_1.0 flag as a error; and b) XCCDF documents whose @style attribute is not specified, process as if SCAP_1.0 was specified. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 5 | The <xccdf:status> element indicates the current status of the benchmark document. The associated text value MUST be "draft" for documents released in public draft state and "accepted" for documents that have been officially released by an organization. It is RECOMMENDED that the date attribute be populated with the date of the status change. Additional <xccdf:status> elements MAY be included to indicate historic status transitions. | 4.1.1 | For all a) XCCDF documents whose <xccdf:status> element is anything but draft or accepted shall be considered to be in error; and b) XCCDF documents whose <xccdf:status> elements date attribute that is missing or not populated will generate a warning. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| For all a) XCCDF documents whose <xccdf:status> element is anything but draft or accepted shall be considered to be in error; and b) XCCDF documents whose <xccdf:status> elements date attribute that is missing or not populated will generate a warning. | SCHEMATRON | WARNING | SOURCE_CONTENT | ||||
| 6 | The <xccdf:version> element SHALL uniquely identify the particular revision of the benchmark. | 4.1.1 | For al XCCDF documents that do not have the <xccdf:version> element flag as an error. | SCHEMA | ERROR | SOURCE_CONTENT | |
| 8 | The <xccdf:metadata> element MAY be provided. It is RECOMMENDED that this element contains the following Dublin Core terms: <dc:creator>, <dc:publisher> and <dc:contributor>. | 4.1.1 | For all a)XCCDF documents that do not contain the <xccdf:metadata> element, flag as a warning; and b) XCCDF documents that do contain the <xccdf:metadata> element and whose contents are not consistent with the Dublin Core terms flag as a warning. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| For all a)XCCDF documents that do not contain the <xccdf:metadata> element, flag as a warning; and b) XCCDF documents that do contain the <xccdf:metadata> element and whose contents are not consistent with the Dublin Core terms flag as a warning. | SCHEMATRON | WARNING | SOURCE_CONTENT | ||||
| 9 | One or more instances of the <xccdf:title> element SHALL be provided. Each instance MUST contain text values that indicate the purpose of the benchmark delimited by an OPTIONAL language attribute. If more than one <xccdf:title> element is provided then the language attribute SHALL be provided. An <xccdf:title> element SHALL be provided that represents an "en-US" title. | 4.1.1 | For all XCCDF documents, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| For all XCCDF documents, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| For all XCCDF documents, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 10 | One or more instances of the <xccdf:description> element SHALL be provided. Each instance MUST contain text values that represent the purpose and intended audience of the benchmark delimited by an OPTIONAL language attribute. If more than one <xccdf:description> element is provided then the language attribute SHALL be provided. An <xccdf:description> element SHALL be provided that represents an "en-US" description. | 4.1.1 | For all XCCDF documents, check for the existence of <xccdf:description>; if not found, the content shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| For all XCCDF documents, check for the existence of <xccdf:description>; if not found, the content shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| For all XCCDF documents, check for the existence of <xccdf:description>; if not found, the content shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 12 | The following metadata elements SHALL be included in an SCAP XCCDF document: <xccdf:version> - an indicator of a particular revision of the benchmark. | 4.1.1 | For all XCCDF documents, check for the existence of <xccdf:version>; if not found, the content shall be considered to be in error. | SCHEMA | ERROR | SOURCE_CONTENT | |
| 13 | One or more instances of the <xccdf:reference> element MAY be included. These elements SHALL provide a cross reference to additional information, preferably including a URL, to obtain additional information regarding the benchmark. | 4.1.1 | For all XCCDF documents, check for the existence of <xccdf:reference>; if not found, the content shall be considered to be in error. If reference does not contain a URL, flag as a warning and continue processing. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| For all XCCDF documents, check for the existence of <xccdf:reference>; if not found, the content shall be considered to be in error. If reference does not contain a URL, flag as a warning and continue processing. | SCHEMATRON | WARNING | SOURCE_CONTENT | ||||
| 14 | For all SCAP content, the applicability of XCCDF <xccdf:Benchmark> elements to specific IT platforms SHALL be specified using Common Platform Enumeration (CPE) Names. | 4.1.2 | All SCAP XCCDF documents used for vulnerability assessment whose <xccdf:Benchmark> element does not contains at least one CPE reference shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 15 | CPE Names used within an XCCDF benchmark, SHALL match the names of existing Official CPE Dictionary entries where possible. If multiple matches are found within the dictionary (e.g., deprecated and current CPE Names), the most current CPE Name SHOULD be used. | 4.1.2 | For all a) XCCDF documents, verify the existence of a valid CPE, and if not found, the content shall be considered to be in error; b) XCCDF documents, if any CPEs other than the one located above are specified, and if not, the content shall be considered to be in error; and c)XCCDF documents if the CPE name referenced is deprecated, flag as an warning indicating that the more current CPE name should be used. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| For all a) XCCDF documents, verify the existence of a valid CPE, and if not found, the content shall be considered to be in error; b) XCCDF documents, if any CPEs other than the one located above are specified, and if not, the content shall be considered to be in error; and c)XCCDF documents if the CPE name referenced is deprecated, flag as an warning indicating that the more current CPE name should be used. | SCHEMATRON | WARNING | SOURCE_CONTENT | ||||
| For all a) XCCDF documents, verify the existence of a valid CPE, and if not found, the content shall be considered to be in error; b) XCCDF documents, if any CPEs other than the one located above are specified, and if not, the content shall be considered to be in error; and c)XCCDF documents if the CPE name referenced is deprecated, flag as an warning indicating that the more current CPE name should be used. | SCHEMATRON | WARNING | SOURCE_CONTENT | ||||
| 16 | Use of CPEs bound to <xccdf:Profile>, <xccdf:Group>, and <xccdf:Rule> elements SHALL NOT be allowed. | 4.1.2 | For all a) Rules in all XCCDF documents that contain CPE bindings shall be considered to be in error; b) Profiles in all XCCDF documents that contain CPE bindings shall be considered to be in error; and c) Groups in all XCCDF documents that contain CPE bindings shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| For all a) Rules in all XCCDF documents that contain CPE bindings shall be considered to be in error; b) Profiles in all XCCDF documents that contain CPE bindings shall be considered to be in error; and c) Groups in all XCCDF documents that contain CPE bindings shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 17 | When defining the @id attribute it is important to take into consideration the long-term use of the Rule. As most Rule identifiers are generated by humans today, there is a tendency to encode meaning in the identifier. This can create contradictions within the @id attribute relative to the containing document or policy as content is re-used and re-purposed. It is RECOMMENDED that information is omitted in the identifier that references: the target platform, assessed values, and/or security guide context. | 4.1.3 | DISCUSSION: Is there some pattern that we can look for based on CPE, Title, or other meta data that we could trigger off of? | NOT_CHECKED | WARNING | STYLE | |
| 18 | The @weight attribute SHALL be provided on <xccdf:Rule> elements. The value for this element SHALL be defined as "10.0" as a place__holder for Common Configuration Scoring System (CCSS) scores to indicate the highest possible weight. Once the CCSS is adopted into a future version of SCAP and CCSS scores are available, these values will be replaced with appropriate CCSS scores. | 4.1.3 | All a)rules in all XCCDF documents that do not have a @weight attribute shall be considered in error; and b) rules in all XCCDF documents whose @weight attribute value is anything but "10.0" shall be considered in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 19 | Each OVAL inventory class definition referenced from the dictionary stream SHOULD be specified in the required CPE inventory stream. | 4.1.4 | Flag as errors all OVAL definitions referenced in the CPE dictionary that do not have corresponding entries in the CPE inventory stream. | SCHEMATRON | ERROR | SKIPPED | |
| 24 | The <xccdf:complex-check> element SHALL NOT be used. | 4.1.6 | Any XCCDF documents containing the <xccdf:complex-check> element shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 25 | The <xccdf:check-content> element SHALL NOT be used to embed check content directly into XCCDF content. | 4.1.6 | Any XCCDF document containing the <xccdf:check-content> to embed check content shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 27 | If multiple <xccdf:check-content-ref> elements are provided, then processing SHALL: 1. Evaluate each <xccdf:check-content-ref> element in the order that it appears in the <xccdf:check> element. The first resolvable <xccdf:check-content-ref> element SHALL be used to determine the <xccdf:Rule> status. 2. For each <xccdf:check-content-ref> element, a tool will attempt to retrieve the document referenced by the @href attribute. If not resolvable, the next available <xccdf:check-content-ref> element SHALL be evaluated. If none of the <xccdf:check-content-ref> elements are resolvable, then the result of the rule evaluation SHALL be the XCCDF "error" status and processing of the <xccdf:Rule> SHALL end. Please note that it is acceptable to map a remote URL to a local copy of the file in cases where remote access is not available, not allowed or not practical. 3. Once a resolvable <xccdf:check-content-ref> element is found, then check system processing SHALL proceed. | 4.1.6 | SCAP TOOL REQUIREMENTS | NOT_CHECKED | ERROR | TOOL | |
| 28 | XCCDF <xccdf:Rule> elements may be used to define a policy such as requiring compliance with a specific configuration setting, vulnerability assessment, or patch validation. When a configuration setting is represented in this way and has one or more associated CCE Identifiers from the CCE List, an <xccdf:ident> element reference within the <xccdf:Rule> element SHALL be provided | 4.1.5 | All rules in SCAP XCCDF documents that have CCE references not in an <xccdf:ident> element within the <xccdf:Rule> element shall be considered to be in error. | NOT_CHECKED | ERROR | SKIPPED | |
| 29 | The system attribute for the <xccdf:ident> element SHALL be defined using the CCE Version 5 system identifier "http://cce.mitre.org". | 4.1.5 | All rules in SCAP XCCDF documents that have CCE references but do not have the CCE Version 5 system identifier http://cce.mitre.org shall be considered in error | NOT_CHECKED | ERROR | SKIPPED | |
| 31 | Embedded OVAL definitions are not supported by SCAP XCCDF. | 4.1.7 | All rules in SCAP XCCDF documents that have embedded OVAL definitions are considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 32 | OVAL references from SCAP compliant XCCDF SHALL use the form: <check-content-ref href="OVAL_Source_URI" [name="OVAL_Definition_Id"]/> | 4.1.7 | All rules in SCAP XCCDF documents that have OVAL references that are not of the form <check-content-ref href="OVAL_Source_URI" [name="OVAL_Definition_Id"]/> are considered to be in error. In addition, the reference must resolve to an OVAL definition in the data stream. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 33 | When a rule references a specific OVAL definition by designating the OVAL_Definition_ID, an OVAL definitions source SHALL be used to resolve the reference refer to section 4.4. | 4.1.7 | All rules in SCAP XCCDF documents that refer to a specific OVAL definition by using the OVAL-ID that do not use the OVAL definitions source consistent with section 4.4 of 800-126 are considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 34 | It is an SCAP stylistic convention not to specify the optional name attribute when the rule is evaluating the current patch level of the target platform. | 4.1.7 | All rules in SCAP XCCDF documents that are evaluating the current patch level of a target system that contain a name attribute are considered to be a warning. | SCHEMATRON | WARNING | SKIPPED | |
| 35 | If any <xccdf:Rule> references an OVAL patch definition, a patch scan source SHALL be used to resolve the reference. | 4.1.7 | All rules in SCAP XCCDF documents that reference an OVAL patch definition that are not resolvable in a patch scan source are considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 36 | it is recommended that content authors refrain from hard coding assessment values into the OVAL rules themselves, instead using OVAL variables, an OVAL variables file or XCCDF parameter capabilities. | 4.1.8 | Nothing to check, guidance to be provided in the SCAP Content Authoring Guide | NOT_CHECKED | ERROR | STYLE | |
| 37 | When the OVAL definition(s) referenced from a rule require one or more external variable bindings, the rule content SHALL precede the check-content-ref element with a check-export element for each required OVAL binding. | 4.1.8 | All SCAP OVAL definitions referenced by Rules in SCAP XCCDF documents that require one or more external variables bindings whose corresponding rule that does contain check-content-ref and check-export element for each required binding are considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 38 | The type and value binding of the specified XCCDF Value is constrained to match that lexical representation of the indicated OVAL Variable Data Type | 4.1.8 | All values bound to variables in all rules in SCAP XCCDF documents that do not match the lexical representation (as defined in Table 4.1 of SP 800-126) in the corresponding OVAL definition shall be flagged as an error | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| All values bound to variables in all rules in SCAP XCCDF documents that do not match the lexical representation (as defined in Table 4.1 of SP 800-126) in the corresponding OVAL definition shall be flagged as an error | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| All values bound to variables in all rules in SCAP XCCDF documents that do not match the lexical representation (as defined in Table 4.1 of SP 800-126) in the corresponding OVAL definition shall be flagged as an error | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 39 | The test results SHALL embed a <xccdf:Profile> element and that element SHALL identify the non-abstract profile in the associated benchmark whose evaluation results are reported by the test results. | 4.1.8 | All SCAP XCCDF documents that contain test results that do not contain <xccdf:Profile> elements that identifies the non-abstract profile whose evaluation results are reported in the test results shall be considered in error. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 40 | < Reported rule results SHALL include all those rules that are selected by the specified Profile. | 4.1.9 | All SCAPXCCDF documents that contain test results that do not include all of the rules that are selected in the specified profile shall be considered in error. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 41.1 | < Reported value-settings SHALL include all those values that are exported by the reported rules. The specific settings are those determined by the reported Profile. | 4.1.9 | All SCAP XCCDF documents that contain test results whose reported value do not contain all the values exported by the reported rules shall be considered in error. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 42 | The <identity> tag identifies the security principal used to access rule evaluation on the target(s). | 4.1.9 | NOT_CHECKED | ERROR | RESULT_CONTENT | ||
| 43 | < The <rule-result> elements SHALL report the result of the application of each selected rule against all specified targets. The rule_idref attribute of the <xccdf:rule-result> SHALL identify the selected rule and each <xccdf:instance> elements SHALL identify the corresponding <xccdf:target> element. | 4.1.9 | All SCAP XCCDF documents that contain <rule-result> elements that do not contain the rule_idref attribute that identify the selected rule and each <xccdf:instance> elements that identify the corresponding <xccdf: target> element shall be consider to be in error. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 44 | If the target XCCDF <xccdf:Rule> identified by the <rule-result> rule-idref attribute has one or more <ident> elements with the "http://cve.mitre.org" system identifier, then each <xccdf:ident> element SHOULD also appear within the <xccdf:rule-result> element. | 4.1.10 | All SCAP XCCDF documents that contain <rule-result> elements (whose corresponding <xccdf:Rule> element has at least one idref attribute having <ident> elements containing http://cve.mitre.org system identifier) that do not contain corresponding <xccdf:ident> withint the <xccdf:rule-result> shall be considered in error. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 45 | If the target XCCDF <xccdf:Rule> identified by the <xccdf:rule-result> rule-idref attribute has one or more <xccdf:ident> elements with the "http://cce.mitre.org" system identifier, then each <xccdf:ident> element SHOULD also appear within the <rule-result> element | Results are not validated | NOT_CHECKED | ERROR | RESULT_CONTENT | ||
| 46 | Users of multiple OVAL definition classes should exercise caution to ensure that the appropriate rules produce the desired results. | 4.1.11 | Nothing to Check Consider addressing in SCAP Content Authoring Guide | NOT_CHECKED | ERROR | STYLE | |
| 47 | OVAL SCAP content SHALL comply with <ovaldef:oval_definitions> document A specification of OVAL definitions, tests, objects, states and variables. This document may optionally be used as a component of an SCAP data source. | 4.2 | All SCAP OVAL documents that contain OVAL definitions shall pass a validating parse against the appropriate version of the OVAL definitions schema. | SCHEMA | ERROR | SOURCE_CONTENT | |
| 48 | OVAL SCAP content SHALL comply with <ovalvar:oval_variables> document A specification of OVAL external variable bindings. This document may optionally be used as a component of an SCAP data source. | 4.2 | All SCAP OVAL documents that contain OVAL external variable binding shall pass a validating parse against the appropriate version of the OVAL variable schema | NOT_CHECKED | ERROR | SOURCE_CONTENT | |
| 49 | OVAL SCAP content SHALL comply with <ovalsys:oval_system_characteristics> document A specification of target system characteristics, that is, the specification of OVAL object values queried from a target system | 4.2 | All SCAP OVAL documents that contain OVAL systems characteristics shall pass a validating parse against the appropriate version of the OVAL systems characteristics schema | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 50 | OVAL SCAP content SHALL comply with <ovalres:oval_results> document The evaluation results of specified definitions and tests, as well as a copy of the OVAL system characteristics from which the results can be derived. | 4.2 | All SCAP OVAL documents that contain OVAL results shall pass a validating parse against the appropriate version of the OVAL results schema. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 51 | OVAL SCAP content SHALL validate against OVAL schema bundle version 5.3 or 5.4. In support of OVAL upward compatibility, content that validates against schema with a bundle version of 5.3 SHALL validate against a version 5.4 bundle schema | 4.2.1 | All SCAP OVAL asserted to be OVAL 5.3 that fails a validation parse using OVAL 5.4 shall be considered to be in error. | SCHEMA | ERROR | SOURCE_CONTENT | |
| 52 | All of the OVAL SCAP document types require <ovalcom:generator> content. The bundle version of any particular document instance SHALL be specified using the <ovalcom:schema_version> content element of the <ovalcom:generator> | 4.2.1 | All SCAP OVAL content that does not make use of the <ovalcom:generator>, <ovalcom:schema_version>, conventions specified in section 4.2.1 of SP 800-126 shall be considered to be in error. | SCHEMA | ERROR | SOURCE_CONTENT | |
| 53 | The bundle version of an <ovaldef:oval_definitions> document SHOULD be chosen as 5.3 if the content validates against the 5.3 schema bundle. | 4.2.1 | The OVAL content version is OVAL 5.4, but the content validates against OVAL 5.3 schema. Following the least version principle content creators should use the lowest version of OVAL possible. | APPLICATION | WARNING | SOURCE_CONTENT | |
| 54 | The bundle version of an <ovalvar:oval_variables> document SHALL be the same as that of the <ovaldef:oval_definitions> document whose external variables are bound by the variables document. | 4.2.1 | All SCAP OVAL variables content that does not match the <ovalcom:schema_version> of it corresponding OVAL definitions source it shall be considered in error. | NOT_CHECKED | ERROR | SOURCE_CONTENT | |
| 55 | If an <ovalsys:oval_system_characteristics> or <ovalres:oval_results> document is generated as a consequence of the application of a <ovaldef:oval_definitions> document, then the bundle version of the generated document SHALL be the same as that of the <ovaldef:oval_definitions> document | 4.2.1 | All SCAP OVAL systems characteristics data that does not match the <ovalcom:schema_version> of it corresponding OVAL definitions source it shall be considered in error. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 56 | The <ovaldef:metadata> element of an <ovaldef:definition> optionally identifies platforms affected by including <ovaldef:affected> elements. One or more of these elements SHALL be present whenever the class of the <ovaldef:definition> is "vulnerability", "compliance", "patch", or "inventory". | 4.2.2 | All SCAP OVAL definitions of type: vulnerability, compliance, patch, or inventory that do not contain the <ovaldef: metadata> element containing the <ovaldef:affected> elements shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 57 | <ovaldef:affected> elements MAY be used when the definition class is "miscellaneous". | 4.2.2 | NOT_CHECKED | ERROR | STYLE | ||
| 58 | If more than one <ovaldef:affected> elements is included in definition metadata, then the family attribute of each of the <ovaldef:affected> elements SHALL be bound to the same value | 4.2.2 | All SCAP OVAL definitions of type vulnerability, compliance, patch, miscellaneous or inventory that have more than one <ovaldef:affected> element and whose family attribute do not bind to the same value shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 59 | If the family association of an OVAL definition is undefined, any definitions extended by that definition SHALL also have undefined family associations. If the family association of an OVAL definition is specified, then any definitions extended by that definition SHALL be the same as that of the extending definition or SHALL have an undefined family association. | 4.2.2 | All SCAP OVAL extended definitions (of SCAP OVAL definitions whose family association is undefined) that do not have undefined associations as well are considered to be in error. All SCAP OVAL extended definitions (of SCAP OVAL definitions whose family association are specified) that do not have the same association or an undefined associations are considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 60 | An OVAL definitions family association also determines the kinds of tests that it can reference as <ovaldef:criterion>. Table 4 3 maps the family associations to the test subschemas allowed for the family. | For all OVAL definitions that have family associations that fall outside the associations defined in Table 4.3 of NIST SP800_126 shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||
| For all OVAL definitions that have family associations that fall outside the associations defined in Table 4.3 of NIST SP800_126 shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| For all OVAL definitions that have family associations that fall outside the associations defined in Table 4.3 of NIST SP800_126 shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| For all OVAL definitions that have family associations that fall outside the associations defined in Table 4.3 of NIST SP800_126 shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| For all OVAL definitions that have family associations that fall outside the associations defined in Table 4.3 of NIST SP800_126 shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 61 | An OVAL compliance component SHALL specify at least one definition of class "compliance." An OVAL compliance component may also include definitions of class "inventory" that are extended (transitive) by the "compliance" class definitions. | 4.2.3 | All SCAP content to be used for the SCAP configuration use case must have at least one OVAL definition of class compliance and no definitions of class patch or vulnerability, inventory classes are permitted when extended from the compliance definition. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| All SCAP content to be used for the SCAP configuration use case must have at least one OVAL definition of class compliance and no definitions of class patch or vulnerability, inventory classes are permitted when extended from the compliance definition. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| All SCAP content to be used for the SCAP configuration use case must have at least one OVAL definition of class compliance and no definitions of class patch or vulnerability, inventory classes are permitted when extended from the compliance definition. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 62 | If an OVAL "compliance" class definition maps to one or more CCE identifiers, the definition SHOULD include <ovaldef:reference> elements that reference those identifiers using the following format: <ovaldef:reference source="CCE" ref_id="CCE_identifier"/> | 4.2.3 | All SCAP OVAL compliance class definitions that maps to one or more CCE identifiers that do NOT include <ovaldef:reference> elements that reference those identifiers using the following format: <ovaldef:reference source="CCE" ref_id="CCE_identifier"/> are considered to be in error. | NOT_CHECKED | ERROR | SKIPPED | |
| 63 | An OVAL vulnerability component SHALL specify at least one definition of class "vulnerability" or "patch". An OVAL vulnerability component may also include definitions of class "inventory" or "compliance" that are extended (transitive) by the "vulnerability" class definitions. | 4.2.4 | OVAL Vulnerability components must contain one definition of class "vulnerability" or "patch". It may additional definitions of class "compliance" or "inventory" but those definitions must each be extended by at least one definition of class "vulnerability" or "patch" in the same component. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| OVAL Vulnerability components must contain one definition of class "vulnerability" or "patch". It may additional definitions of class "compliance" or "inventory" but those definitions must each be extended by at least one definition of class "vulnerability" or "patch" in the same component. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 64 | "If an OVAL "patch" or "vulnerability" class definition maps to one or more CVE identifiers, the definition SHOULD include <ovaldef:reference> elements that reference those identifiers using the following format: <ovaldef:reference source="CVE" ref_id="CVE_identifier"/> | 4.2.4 | All SCAP OVAL vulnerability class or patch class definitions that maps to one or more CVE identifiers that do NOT include <ovaldef:reference> elemens that reference those identifiers using the following format: <ovaldef:reference source="CVE" ref_id="CVE_identifier"/> are considered to be in error. | NOT_CHECKED | ERROR | SKIPPED | |
| 65 | An OVAL vulnerability component SHALL specify at least one definition of class "patch". An OVAL patch component may also include definitions of class "inventory" that are extended (transitive) by the "patch" class definitions. | 4.2.5 | All SCAP OVAL content that does not contain at least one definition class of patch and at least one definition of class compliance, vulnerability, misc., or (inventory that is NOT extended (transitive) by the patch class definition) are considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| All SCAP OVAL content that does not contain at least one definition class of patch and at least one definition of class compliance, vulnerability, misc., or (inventory that is NOT extended (transitive) by the patch class definition) are considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 66 | If an OVAL "patch" class definition is associated with a source specific identifier (for example KB numbers for Microsoft patches) these identifiers SHOULD be included in <reference> elements contained by the definition. | 4.2.5 | All SCAP OVAL patch class definitions that are NOT associated with source specific identifiers that are not contained in the <reference> element of the definition shall generate a warning. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 67 | An OVAL Inventory component is an <oval-def:oval_definitions> document that specifies only inventory class definitions for verifying CPE match conditions | 4.2.6 | All SCAP OVAL content that contains at least one definition class of inventory and at least on definition of class vulnerability, compliance, patch, or misc. are considered to be in error | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 68 | SCAP-compliant OVAL result content includes full status reporting including Error, Unknown, Not Applicable, Not Evaluated, True, and False. | 4.2.7 | SCAP TOOL REQUIREMENT | NOT_CHECKED | ERROR | TOOL | |
| 69 | Results returned SHALL be compliant with the OVAL results schema | 4.2.7 | RESULTS | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 70 | SCAP content SHALL support all valid values for the ContentEnumeration directives controlling the expected content of the results file | 4.2.7 | RESULTS | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 71 | The referenced OVAL inventory definition specifies the technical procedure for determining whether or not a specific target asset is an instance of the CPE Name specified by the <cpe_dict:cpe-item> element. This usage is encouraged for CPE dictionary components of SCAP expressed data streams. | 4.3 | All SCAP CPE entries that are inconsistent with the CPE specification 2.2 and the conventions set forth in 800-126 section 4.3 shall be marked with a warning. | NOT_CHECKED | ERROR | SKIPPED | |
| 72 | If a <cpe-dict:cpe-item> contained in a CPE dictionary component of an SCAP data stream references an OVAL "inventory" definition, then that definition SHALL be resolved by a CPE Inventory component in the same data stream | 4.3 | For all SCAP <cpe-dict:cpe-item>s specified the CPE dictionary component of an SCAP datastream that contain a cpe-dict:check element, that cpe-dict:check element SHALL refer to an OVAL inventory definition in the same SCAP data stream | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 73 | the title of the <cpe-dict:cpe-item> SHALL match the title of an affected platform bound to the referenced definition | 4.3 | All SCAP <cpe-dict:cpe-item> titles that do NOT match the title of the affected platform definition shall be considered in error. | SCHEMATRON | ERROR | SKIPPED | |
| 74 | if a CCE entry is referenced that matches a CCE identifier that exists in the Official CCE Dictionary, the tool SHALL use that official CCE. | 4.4 | Generate a warning for all CCE references that are not in the Official CCE dictionary. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 77 | If a CVSS Base Metric is provided, it SHALL reflect the current Base score as reflected in the official source. | 4.6 | All SCAP CVSS Base Metrics that do not reflect the current base score as reflected in the current source shall be considered to be in error. | NOT_CHECKED | ERROR | SKIPPED | |
| A1 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | Working off-line, unable to download latest CCE and CPE dictionaries. | APPLICATION | WARNING | SOURCE_CONTENT | |
| A2 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | Version not found in OVAL file, unable to apply OVAL schematron rules. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A3 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | A file that is required for the SCAP validation use case could not be located. Please ensure that the file is named in accordance with the NIST SP 800-126 and that the file is not contained within a sub folder. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A4 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | Skipping unrecognized file in SCAP bundle. | APPLICATION | WARNING | SOURCE_CONTENT | |
| A5 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | SCAP use case not found in combined data stream. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A6 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | SCAP version not found in combined data stream. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A7 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | XCCDF document contains a reference to an unrecognized file type. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A8 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | Working off-line, unable to resolve remote reference in XCCDF document. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A9 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | Remote reference in XCCDF document could not be located. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A10 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | Combined SCAP data stream failed schema validation. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A11 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | Unrecognized schema reference. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A12 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | In certain instances, a newer XML schema may be substituted for an older one for schema validation. | APPLICATION | WARNING | SOURCE_CONTENT | |
| A13 | OVAL version 5.3 and 5.4 is supported in SCAP 1.0 | N/A | The version of OVAL SHALL be 5.3 or 5.4 | APPLICATION | ERROR | SOURCE_CONTENT | |
| A14 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | Content failed validation against MITRE OVAL schematron validation. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A15 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | Unused OVAL definitions exist | APPLICATION | WARNING | SOURCE_CONTENT | |
| A16 | This is an additional, common-sense check. | N/A | CCE number is expected, but missing as a reference | APPLICATION | WARNING | SOURCE_CONTENT | |
| A17 | This is an additional, common-sense check. | N/A | CCE number is in an invalid format or the check-digit does not match. It should be of format CCE-XXXX-X or CCE-XXXXX-X where each X is a digit, and the final X is a check-digit. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A18 | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | N/A | A file that is required for the SCAP results validation could not be located. Please ensure that the file is named in accordance with the NIST SP 800-126 and that the file is not contained within a sub folder. | APPLICATION | ERROR | RESULT_CONTENT | |
CONFIGURATION |
|||||||
| Requirement ID | 800-126 Section | 800-126 Statement | Note | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category |
| 20 | XCCDF <xccdf:Rule> elements MAY be used to define a policy requiring compliance with a specific configuration setting. When a configuration setting having one or more associated CCE Identifiers from the CCE List is expressed as an XCCDF rule, an <xccdf:ident> element reference SHALL be provided within the <Rule> element. The <xccdf:ident> element provides a globally unique identifier for a specific configuration setting. | 4.1.4 | For all XCCDF rules (except those referencing an OVAL patch component) used for Configuration Verification that do not have CCE identifiers expressed using the <xccdf:ident> element shall be considered to be a warning. If no CCE exists for rule, suggest CCE be requested from MITRE. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 21 | The <xccdf:ident> element syntax SHALL be used as follows: 1. The system attribute for the <xccdf:ident> element SHALL be defined using the CCE Version 5 system identifier "http://cce.mitre.org". 2. The CCE Identifier SHALL be used for the <xccdf:ident> element content. | 4.1.5 | For all XCCDF rules used for Configuration Verification that use the <xccdf:ident> element and refer to a CCE, at least one xccdf:ident element must reference a CCE version 5 | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 80 | SCAP Configuration Verification Data Sources | 5.1 | Validate that the data sources asserted represent an SCAP Configuration verification are consistent with the specification in Table 5.1 of NIST Sp 800-126. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 81 | Each rule specified in the XCCDF benchmark SHALL include a CCE reference if such exists | 5.1 | For every rule selected in every XCCDF document used in SCAP configuration verification that does not have a valid CCE reference flag a warning. If no CCE exists for rule, suggest CCE be requested from MITRE. | NOT_CHECKED | WARNING | SKIPPED | |
| 82 | If CCE references are specified in an XCCDF benchmark rule, then those references SHALL be matched by CCE references in the referenced OVAL definition(s). | 5.1 | For every rule selected in every XCCDF document used in SCAP configuration verification whose CCE reference does not match the CCE reference in the corresponding OVAL definition, flag an error, continue processing, mark content as not valid. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 86 | The referenced 800-53 controls are represented by <xccdf:Group> elements. Note that ID of a control group is the control identifier specified in Appendix F of Special Publication 800-53. | No Check Required | NOT_CHECKED | ERROR | SKIPPED | ||
| 87 | Each <xccdf:Rule> SHALL be associated with one or more 800-53 controls by asserting the ID of the each associated control in a <xccdf:requires> element comprised by the rule. | Each <xccdf:Rule> SHALL be associated with one or more 800-53 controls by asserting the ID of the each associated control in a <xccdf:requires> element comprised by the rule. | SCHEMATRON | ERROR | SKIPPED | ||
| 88 | If this convention is followed for any of the rules in the benchmark it SHOULD be applied to all rules with 800-53 mappings | No Check Required | NOT_CHECKED | ERROR | SKIPPED | ||
| 89 | XCCDF configuration verification scanning processes SHALL generate XCCDF Results and OVAL Results expressed in compliance with the XCCDF and OVAL Results schema | 5.1 | SCAP TOOL REQUIREMENT | NOT_CHECKED | ERROR | TOOL | |
| 90 | The XCCDF Results document SHALL include a result for each rule that was applied by the scan. | 5.1 | For every SCAP XCCDF document used for configuration verification that contains SCAP XCCDF results every rule selected with no corresponding result in the result section shall be consider to be in error | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 91 | The OVAL Results document SHALL include the results of every definition application used to generate the reported rule results. | 5.1 | All SCAP OVAL results that do not include results for every definition evaluated to generate the reported result shall be considered to be in error. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 92 | If a rule in the benchmark references a specific OVAL definition, the definition SHALL be a compliance class definition. | 5.1 | All rules in SCAP XCCDF documents used for configuration verification that contain references to specific OVAL definitions that are not of the compliance class shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 93 | The XCCDF benchmark MAY also include a "patches up-to-date" rule that references an OVAL patch component stream. If such is the case, the OVAL patch component SHALL be included in the OVAL compliance data source. | 5.1 | All SCAP XCCDF documents used for configuration verification that contain a "patches-up-to-date" rule that references an SCAP OVAL patch component stream that is NOT included in the SCAP OVAL compliance data source shall be considered in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 94 | The XCCDF benchmark MAY also enumerate one patch per rule. If such is the case, it SHALL reference a specific OVAL definition of class "patch" in the OVAL Patch component stream. | 5.1 | The XCCDF benchmark MAY also enumerate one patch per rule. If such is the case, it SHALL reference a specific OVAL definition of class "patch" in the OVAL Patch component stream. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
VULNERABILITY_XCCDF_OVAL |
|||||||
| Requirement ID | 800-126 Section | 800-126 Statement | Note | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category |
| 22 | XCCDF <xccdf:Rule> elements MAY be used to assess security related software flaws. When this assessment is associated with one or more associated CVE Identifiers from the CVE vulnerability feeds, an <xccdf:ident> element reference within the <xccdf:Rule> element SHALL be provided. | 4.1.5 | For all XCCDF rules used for Vulnerability Assessment whose references are not in the rules <xccdf:ident> element shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 23 | The <xccdf:ident> element syntax SHALL be used as follows: 1. The system attribute for the <xccdf:ident> element SHALL be defined using the CVE system identifier "http://cve.mitre.org". 2. The CVE Identifier SHALL be used for the <xccdf:ident> element content. | 4.1.5 | For all XCCDF rules used for Vulnerability Assessment that use the <xccdf:ident> element to reference a CVE, the system attribute must be 'http://cve.mitre.org' | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 95 | SCAP Vulnerability Assessment Data Sources | 5.2.1 | Validate that the data sources asserted represent an SCAP Vulnerability Assessment are consistent with the specification in Table 5.2 of NIST SP 800-126. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 96 | The XCCDF <xccdf:Benchmark> element SHALL contain references to one or more CPEs | 5.2.1 | All SCAP XCCDF documents used for vulnerability assessment whose <xccdf:Benchmark> element does not contains at least one CPE reference shall be considered to be in error. | NOT_CHECKED | ERROR | SKIPPED | |
| 97 | The XCCDF Results document SHALL include a result for each rule that was applied by the scan. | 5.2.1 | All SCAP XCCDF documents used for vulnerability assessment that contains SCAP XCCDF results every rule selected with no corresponding result in the result section shall be consider to be in error. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 98 | Each rule specified in the XCCDF benchmark SHALL include CVE references if such exist | 5.2.1 | All rules in all SCAP XCCDF documents used for vulnerability assessments that do not included CVE references shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 99 | Except in cases where no automated mechanism exists to express a check in OVAL, every rule in the benchmark SHALL reference a specific OVAL "vulnerability", "patch", or "inventory" definition | 5.2.1 | All rules in all SCAP XCCDF documents used for vulnerability assessments that do not contain a reference to an SCAP OVAL definition of class vulnerability, patch or inventory shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 100 | If OVAL Results are generated - They SHALL be expressed in compliance with the OVAL Results schema AND - The OVAL Results document SHALL include the results of every definition application used to generate the reported rule results. | 5.2.1 | All SCAP OVAL results files that do not pass a validation parse shall be considered to be in error. All SCAP OVAL results that do not include results for every definition evaluated to generate the reported result shall be considered to be in error. | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 101 | If CVE references are specified in an XCCDF benchmark rule, then those references SHALL be matched by CVE references in the referenced OVAL definition. | 5.2.1 | For every rule selected in every SCAP XCCDF document used in vulnerability assessment whose CVE reference does not match the CVE reference in the corresponding OVAL definition, is considered to be in error | SCHEMATRON | ERROR | SOURCE_CONTENT | |
VULNERABILITY_OVAL |
|||||||
| Requirement ID | 800-126 Section | 800-126 Statement | Note | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category |
| 102 | A Standalone OVAL Vulnerability Data Stream SHALL include an OVAL Vulnerability XML stream component which defines the applied OVAL vulnerability class definitions. | 5.2.2 | Addressed by SCAP OVAL Validation Parse that is part of the pipe line | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 103 | OVAL definitions SHALL include CVE references, if such exist | 5.2.2 | All SCAP OVAL definitions of class 'vulnerability' or 'patch' in an SCAP OVAL Vulnerability data stream that do not contain CVE references shall be issued a warning. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 104 | OVAL vulnerability data scanning SHALL generate an OVAL Results document that complies with the Oval Results schema | 5.2.2 | SCAP TOOL REQUIREMENT | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 105 | OVAL vulnerability data scanning SHALL generate an OVAL Results document that complies with the Oval Results schema | 5.2.2 | SCAP TOOL REQUIREMENT | NOT_CHECKED | ERROR | RESULT_CONTENT | |
SYSTEM_INVENTORY |
|||||||
| Requirement ID | 800-126 Section | 800-126 Statement | Note | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category |
| 106 | SCAP Inventory Collection Data sources | 5.3 | Validate that the data sources asserted represent an SCAP Vulnerability Assessment are consistent with the specification in Table 5.3 of NIST SP 800-126 | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 107 | The inventory data source SHALL include an OVAL Inventory component that defines the applied OVAL inventory class definitions. | 5.3 | All SCAP OVAL definitions in a SCAP OVAL Inventory data source that are not of class definition inventory shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 108 | OVAL inventory data scanning SHALL generate an OVAL Results document that complies with the OVAL Results schema and includes the results of every OVAL definition used to generate the reported rule results. | 5.3 | Results are not validated | NOT_CHECKED | ERROR | RESULT_CONTENT | |
| 109 | The results document SHALL include a definition result with supporting system-characteristics data for every definition in the Inventory component | 5.3 | Results are not validated | NOT_CHECKED | ERROR | RESULT_CONTENT | |