This table provides a matrix of SCAP content requirements is provided implemented in the SCAP Content Validation tool v1.1. The matrix indicates which requirements are checked by SCAP Content Validation tool. The section numbers in the matrix refer to SP 800-126 Rev 1 which is available here .
GENERAL |
|||||||
|---|---|---|---|---|---|---|---|
| Requirement ID | 800-126 Section | 800-126 Statement | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category | |
| 2 | 3.2.1 | The following general restrictions apply to SCAP XCCDF content:~The <xccdf:Benchmark> element SHALL have an @xml:lang attribute.~~If an @xml:lang attribute is omitted within the content model, the @xml:lang attribute of the nearest ancestor element that has the attribute defined SHALL be consulted. Possible ancestor elements are <xccdf:Value>, <xccdf:Group>, <xccdf:Rule>, and <xccdf:Benchmark>. | @xml:lang attribute SHALL be provided on <xccdf:Benchmark> elements. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 3 | 3.2.3 | The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The REQUIRED @id attribute SHALL be used to uniquely identify all revisions of a benchmark. Multiple revisions of a single benchmark SHOULD have identical identifiers, so that someone who reviews the revisions can readily identify them as multiple versions of a single benchmark. | The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The REQUIRED @id attribute SHALL be used to uniquely identify all revisions of a benchmark. Multiple revisions of a single benchmark SHOULD have identical identifiers, so that someone who reviews the revisions can readily identify them as multiple versions of a single benchmark. | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 4 | 3.2.3 | The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The @style attribute SHALL have the value “SCAP_1.1”. | The style attribute of the <xccdf:Benchmark> element SHALL contain the value "SCAP_1.1". | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 5 | 3.2.3 | The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The <xccdf:status> element SHALL indicate the current status of the benchmark document. The associated text value SHALL be “draft” for documents released in public draft state and “accepted” for documents that have been officially released by an organization. The @date attribute SHALL be populated with the date of the status change. Additional <xccdf:status> elements MAY be included to indicate historic status transitions. | The <xccdf:status> element SHALL have value 'draft' or 'accepted' | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| The "date" attribute of the <xccdf:status> element SHALL be populated with the date of the last status change. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 6 | 3.2.3 | The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The <xccdf:version> element SHALL uniquely identify the particular revision of the benchmark. Also, these revisions SHOULD have version values that indicate the revision sequence, so that the history of changes from the original benchmark can be determined. The @time attribute of the <xccdf:version> element SHOULD be used for a timestamp of when the benchmark was defined. The @update attribute of the <xccdf:version> element SHOULD be used for a URI that specifies where updates to the benchmark can be obtained. | The <xccdf:version> SHALL be provided on the <xccdf:Benchmark> element. | SCHEMA | ERROR | SOURCE_CONTENT | |
| The @time attribute should be provided on the <xccdf:version> element. | SCHEMATRON | WARNING | SOURCE_CONTENT | ||||
| The @update attribute should be provided on the <xccdf:version> element. | SCHEMATRON | WARNING | SOURCE_CONTENT | ||||
| 8 | 3.2.3 | The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The <xccdf:metadata> element SHALL be provided and SHALL, at minimum, contain the Dublin Core terms from Table 3. Additional Dublin Core terms SHALL follow the required terms within the element sequence.~Table 3. Use of Dublin Core Terms in XCCDF Metadata~Dublin Core Term~Description of Use~~<dc:creator>~The person, organization, and/or service that created the XCCDF XML instance~~<dc:publisher>~The person, organization, and/or service that published the XCCDF XML instance~~<dc:contributor>~The person, organization, and/or service that contributed to the creation of the XCCDF XML instance~~<dc:source>~An identifier that indicates the organizational context of the <xccdf:Benchmark> element’s @id attribute. An organizationally specific URI SHOULD be used.~~ | xccdf:Benchmark/xccdf:metadata SHALL contain, at minimum, one of each of the Dublin Core terms <dc:creator>, <dc:publisher>, <dc:contributor>, <dc:source> | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| The <xccdf:metadata> element SHALL be provided in the <xccdf:Benchmark> element. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| xccdf:metadata/dc:source SHOULD contain a URI as defined in RFC 2396 | SCHEMATRON | WARNING | SOURCE_CONTENT | ||||
| 9 | 3.2.1 | The following metadata requirements and conventions apply to the <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule> elements:~One or more instances of the <xccdf:title> element SHALL be provided. Each instance MUST contain a text value that indicates the purpose of the containing element and MAY include the OPTIONAL @xml:lang attribute. If more than one <xccdf:title> element is provided, the @xml:lang attribute SHALL be provided. | For all XCCDF Benchmark, Profile, Value, Group, and Rule, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| For all XCCDF Benchmark, Profile, Value, Group, and Rule, if more than one <xccdf:title> exists, then every <xccdf:title> must have a @xml:lang. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 10 | 3.2.1 | The following metadata requirements and conventions apply to the <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule> elements:~One or more instances of the <xccdf:description> element SHALL be provided. Each instance MUST contain text values that represent the purpose of the containing element and MAY include the OPTIONAL @xml:lang attribute. If more than one <xccdf:description> element is provided, the @xml:lang attribute SHALL be provided. | For each <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule> element, a <xccdf:description> SHALL be provided. If more than one <xccdf:description> element is specified for any <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, or <xccdf:Rule> element, then the @xml:lang attribute SHALL be specified for all of the sibling <xccdf:description> elements. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 14 | 3.2.2 | For all SCAP content, the applicability of <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Group>, and <xccdf:Rule> elements to specific IT platforms MAY be specified using one or more <xccdf:platform> @idref attributes. Each instance of the @idref attribute SHALL reference either a CPE Name or the @id attribute of a <cpe-lang:platform-specification/cpe-lang:platform> element. | If one or more <xccdf:platform> elements are specified for any <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Group>, or <xccdf:Rule> element, then the @idref attribute for each <xccdf:platform> element must contain a CPE name or reference a <cpe-lang:platform> element in the XCCDF component. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 15 | 3.2.2 | CPE Names used within an XCCDF document SHALL match the names of existing Official CPE Dictionary entries where names for the desired platform exist. The matching algorithm from [CPE] to be used SHALL be CPE_Name_Match for a single CPE Name and CPE_Language_Match for a compound CPE Name. If multiple matches are found within the dictionary (e.g., deprecated and current CPE Names), the most current CPE Name SHOULD be used. | The <xccdf:platform> element of the <xccdf:Benchmark> element that contains a CPE SHOULD reference a non-deprecated CPE name in the Official CPE Dictionary. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| The <xccdf:platform> element of the <xccdf:Benchmark> element that contains a CPE SHALL contain a reference to a CPE name in the Official CPE Dictionary if such a name exists for the indicated platform. Issue a warning if the CPE name specified in <xccdf:platform> does not match a CPE name in the Official CPE Dictionary. | SCHEMATRON | WARNING | SOURCE_CONTENT | ||||
| 25 | 3.2.5 | The following requirements and recommendations apply to the use of the <xccdf:check> and <xccdf:complex-check> elements:~The <xccdf:check-content> element SHALL NOT be used to embed check content directly into XCCDF content. | A XCCDF document SHALL NOT contain an <xccdf:check-content> element | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 31 | 3.2.5 | If multiple <xccdf:check-content-ref> elements occur within an <xccdf:check> element, the <xccdf:check-content-ref> elements are evaluated in the order they appear. The first resolvable <xccdf:check-content-ref> element is used to determine the <xccdf:Rule> status. For each <xccdf:check-content-ref> element, an implementation attempts to retrieve the document referenced by the element’s @href attribute. If not resolvable, the next available <xccdf:check-content-ref> element is evaluated. If none of the <xccdf:check-content-ref> elements are resolvable, then the result of the rule evaluation is the XCCDF “unchecked” status and processing of the <xccdf:Rule> ends. The @href attribute MAY map a remote URL to a local copy of the file in cases where remote access is not available, allowed, or practical. | All rules in SCAP XCCDF documents that have embedded OVAL definitions are considered to be in error. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 32 | 3.2.5.1 | References from SCAP compliant XCCDF to OVAL Definitions SHALL use the form:~<check-content-ref href="OVAL_Source_URI" [name="OVAL_Definition_Id"]/> | References from SCAP compliant XCCDF to OVAL Definitions SHALL use the form:~<check-content-ref href="OVAL_Source_URI" [name=”OVAL_Definition_Id"]/>, and the OVAL definition SHALL be resolvable in the current SCAP data stream. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 38 | 3.2.5.2 | The type and value binding of the specified XCCDF Value is constrained to match that lexical representation of the indicated OVAL Variable Data Type. Table 4 summarizes the constraints regarding data type usage. Additional information regarding OVAL and XCCDF data types can be found in the OVAL Common Schema documentation and the XCCDF specification [XCCDF].~Table 4. XCCDF-OVAL Data Export Matching Constraints~OVAL Data Type~Matching XCCDF Data Type~~int~number~~float~number~~boolean~boolean~~string, evr_string, version, ios_version, fileset_revision, binary~string~~ | Values of XCCDF datatype 'number', when bound to OVAL variables, the OVAL variables must be of the following OVAL types: int, float | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| Values of XCCDF datatype 'boolean', when bound to OVAL variables, the OVAL variables must be the following OVAL type: boolean | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| Values of XCCDF datatype 'string', when bound to OVAL variables, the OVAL variables must be of the following OVAL types: string, evr_string, version, ios_version, fileset_revision, binary | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 39 | 4.7 | Regarding the definition and use of <xccdf:Profile> elements:~When using a profile during the processing of XCCDF content, the test results SHALL embed an <xccdf:profile> element that contains the name of the utilized profile. | If a profile is selected, that profile SHALL be included in the @idref of an <xccdf:profile> element inside the <xccdf:TestResult> element. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 40 | 4.7 | Regarding the definition and use of <xccdf:Profile> elements:~Reported rule results SHALL include all selected rules within the specified Profile. | For all of the <xccdf:Profile> elements referenced in <xccdf:TestResults>, all <xccdf:Rule> elements referenced from those profiles SHALL have a corresponding <xccdf:rule-result> | SCHEMATRON | ERROR | RESULT_CONTENT | |
| If a profile is specified when running a scan, then a <xccdf:profile> SHALL be included under <xccdf:TestResult> with that profile referenced. | SCHEMATRON | ERROR | RESULT_CONTENT | ||||
| 41 | 4.7 | Regarding the definition and use of <xccdf:Profile> elements:~Reported value-settings SHALL include all those values that are exported by the reported rules. The specific settings are those determined by the reported Profile. | For each <xccdf:rule-result>, there SHALL be a <xccdf:set-value> as a sibling of the <xccdf:rule-result> for each <xccdf:check-export> in the original <xccdf:Rule> in the source content corresponding to the <xxcdf:rule-result> | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 42 | 4.7 | The <xccdf:identity> element SHALL identify the security principal used to access rule evaluation on the target(s). | At least one <xccdf:identity> element SHALL be provided. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 43 | 4.7 | The <xccdf:rule-result> elements SHALL report the result of the application of each selected rule against all specified targets.~The @idref attribute of the <xccdf:rule-result> SHALL identify the selected rule. | The @idref of <xccdf:rule-result> SHALL reference a <xccdf:Rule> in the source content. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 44 | 4.7.1 | If the target <xccdf:Rule> identified by the <xccdf:rule-result idref=""> attribute has one or more <ident> elements with the “http://cve.mitre.org” or “CVE” system identifiers, then each <xccdf:ident> element SHALL also appear within the <xccdf:rule-result> element. | If the target <xccdf:Rule> identified by the <xccdf:rule-result idref=""> attribute has one or more <ident> elements with the "http://cve.mitre.org" or "CVE" system identifier, then each <xccdf:ident> element SHALL also appear within the <xccdf:rule-result> element. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 45 | 4.7.2 | If the target <xccdf:Rule> identified by the <xccdf:rule-result> @idref attribute has one or more <xccdf:ident> elements with the “http://cce.mitre.org” or “CCE” system identifiers, then each <xccdf:ident> element SHALL also appear within the <rule-result> element. | If the target <xccdf:Rule> identified by the <xccdf:rule-result> @idref attribute has one or more <xccdf:ident> elements with the "http://cce.mitre.org" or "CCE" system identifier, then each <xccdf:ident> element SHALL also appear within the <rule-result> element. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 51 | 3.3 | While the default version of OVAL used in SCAP 1.1 SHALL be OVAL version 5.8, content authors SHOULD utilize the earliest SCAP-supported version of OVAL (5.3 at minimum) that includes all required tests and is necessary to properly address the content's purpose or use case. | If OVAL content is marked as a particular version, but it validates against an earlier version, it SHOULD be marked as the earlier version. The content validated against OVAL version {0}. | APPLICATION | WARNING | SOURCE_CONTENT | |
| OVAL content marked as a particular version SHALL validate for that particular version as well as the default version of OVAL for this version of SCAP. The content failed validation against OVAL version {0}. | APPLICATION | ERROR | SOURCE_CONTENT | ||||
| 52 | 3.3 | All of the OVAL content MUST contain an <oval:generator> element. The version of any particular document instance SHALL be specified using the <oval:schema_version> content element of the <oval:generator> as in this example: ~ <oval:generator>~ <oval:product_name>The OVAL Repository</oval:product_name>~ <oval:schema_version>5.8</oval:schema_version>~ </oval:generator> | OVAL content SHALL include the <oval:generator> and <oval:schema_version> elements. | SCHEMA | ERROR | SOURCE_CONTENT | |
| 54 | 3.3 | The version of an <oval-var:oval_variables> document SHALL be the same as that of the <oval-def:oval_definitions> document whose external variables are bound by the variables document. | All SCAP OVAL variables content that does not match the <ovalcom:schema_version> of it corresponding OVAL definitions source it shall be considered in error. | NOT_CHECKED | ERROR | SOURCE_CONTENT | |
| 68 | 4.7.3 | SCAP-compliant content SHALL include full status reporting including Error, Unknown, Not Applicable, Not Evaluated, True, and False. | SCAP-compliant content SHALL include full status reporting including Error, Unknown, Not Applicable, Not Evaluated, True, and False. | NOT_CHECKED | NA | RESULT_CONTENT | |
| 69 | 4.8 | An SCAP OVAL result data stream component SHALL include the results of every OVAL Definition used to generate the reported results. | OVAL Definition evaluation results returned MUST be compliant with version 5.8 of the OVAL Results schema regardless of the version of the OVAL Definitions document that was evaluated. | APPLICATION | ERROR | RESULT_CONTENT | |
| The <oval-res:generator>/<oval-com:schema_version> SHALL contain value '5.8'. | SCHEMATRON | ERROR | RESULT_CONTENT | ||||
| 70 | 4.8 | In order to support SCAP instances where OVAL thin content (only the ID of the definition and the results) is preferred, SCAP products SHALL support all valid values for the <oval-res:directives> controlling the expected content of the results file. | In order to support SCAP instances where OVAL thin content (only the ID of the definition and the results) is preferred, SCAP products SHALL support all valid values for the <oval-res:directives> controlling the expected content of the results file. | NOT_CHECKED | NA | RESULT_CONTENT | |
| 71 | 3.5 | The referenced OVAL inventory definition SHALL specify the technical procedure for determining whether or not a specific target asset is an instance of the CPE Name specified by the <cpe_dict:cpe-item> element. This usage is encouraged for a CPE dictionary source data stream component. | The referenced OVAL inventory definition SHALL specify the technical procedure for determining whether or not a specific target asset is an instance of the CPE Name specified by the <cpe_dict:cpe-item> element. This usage is encouraged for a CPE dictionary source data stream component. | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 72 | 3.5 | If a <cpe_dict:cpe-item> contained in a CPE dictionary data stream component references an OVAL “inventory” definition, then that definition SHALL be resolved by an @href attribute referencing a CPE Inventory source data stream component in the same data stream. | For all SCAP <cpe-dict:cpe-item>'s specified the CPE dictionary component of an SCAP datastream that contain a cpe-dict:check element, that cpe-dict:check element SHALL refer to an OVAL inventory definition in the same SCAP data stream | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 73 | 3.5 | the title of the <cpe_dict:cpe-item> SHALL match the title of an affected platform bound to the referenced definition. | The title of the <cpe_dict:cpe-item> SHALL match the title of an affected platform bound to the referenced definition. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 74 | 3.6 | SCAP content referencing a configuration setting SHALL use the official CCE identifier if a CCE entry for a particular configuration setting exists in the Official CCE Dictionary. | All CCE references SHOULD be in the official CCE dictionary. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 110 | 4.1 | Products supporting SCAP 1.1 SHALL process SCAP 1.0 content as described under the SCAP 1.0 version of NIST SP 800-126. | Products supporting SCAP 1.1 SHALL process SCAP 1.0 content as described under the SCAP 1.0 version of NIST SP 800-126. | NOT_CHECKED | NA | TOOL | |
| 111 | 3.2.1 | The following general restrictions apply to SCAP XCCDF content:~The use of the @xml:base attribute SHALL NOT be allowed. This attribute is not compatible with the SCAP data stream model. | @xml:base attribute SHALL NOT be included on any XCCDF element. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 112 | 3.2.2 | Each reference to a CPE Name SHALL be declared in the required CPE dictionary data stream component, and each OVAL inventory class definition referenced from the dictionary data stream component SHALL be specified in the required CPE inventory data stream component. | OVAL inventory class definition referenced from the dictionary stream SHALL be specified in the required CPE inventory stream. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| If an <xccdf:platform> element references a CPE name, that CPE name SHALL be included in the CPE Dictionary stream. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 113 | 3.2.2 | If compound CPE Name statements are necessary, a CPE Language <cpe-lang:platform-specification> element SHALL be defined as a child of the <xccdf:Benchmark> element. | |||||
| 118 | 3.2.5 | The following requirements and recommendations apply to the use of the <xccdf:check> and <xccdf:complex-check> elements:~~Use of XCCDF check systems as specified in the <xccdf:check> element’s @system attribute SHALL be restricted as follows:~~The following check systems are supported by SCAP:~Use of the OVAL check system SHALL be indicated by the http://oval.mitre.org/XMLSchema/oval-definitions-5 system identifier. | |||||
| 119 | 3.2.5 | The following requirements and recommendations apply to the use of the <xccdf:check> and <xccdf:complex-check> elements:~~Use of XCCDF check systems as specified in the <xccdf:check> element’s @system attribute SHALL be restricted as follows:~~The following check systems are supported by SCAP:~Use of the OCIL check system SHALL be indicated by the http://scap.nist.gov/schema/ocil/2 system identifier. | |||||
| 121 | 3.2.5 | The following requirements and recommendations apply to the use of the <xccdf:check> and <xccdf:complex-check> elements:~~Use of XCCDF check systems as specified in the <xccdf:check> element’s @system attribute SHALL be restricted as follows:~If a check system is used in XCCDF content that is not supported by SCAP, then this content SHALL NOT be considered well-formed with regards to SCAP. | |||||
| 122 | 4.5 | Use of XCCDF check systems as specified in the <xccdf:check> element’s @system attribute SHALL be restricted as follows:~SCAP scanning products SHALL implement the SCAP supported check systems that are required for the SCAP capability or capabilities that the products offer. The SCAP supported check systems are:~OVAL check system. Use of the OVAL check system SHALL be indicated by the http://oval.mitre.org/XMLSchema/oval-definitions-5 system identifier.~OCIL check system. Use of the OCIL check system SHALL be indicated by the http://scap.nist.gov/schema/ocil/2 system identifier. | The @system attribute of the <xccdf:check> element SHALL be 'http://oval.mitre.org/XMLSchema/oval-definitions-5' OR 'http://scap.nist.gov/schema/ocil/2' | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 123 | 4.5 | Use of XCCDF check systems as specified in the <xccdf:check> element’s @system attribute SHALL be restricted as follows:~SCAP scanning tools MAY implement check systems that are not supported by SCAP. | Use of XCCDF check systems as specified in the <xccdf:check> element’s @system attribute SHALL be restricted as follows:~SCAP scanning tools MAY implement non-SCAP check systems that are not supported by SCAP. | NOT_CHECKED | NA | TOOL | |
| 124 | 4.5 | Use of XCCDF check systems as specified in the <xccdf:check> element’s @system attribute SHALL be restricted as follows:~Evaluation of an <xccdf:check> containing a reference to a non-SCAP check system SHALL produce an “unchecked” result if an SCAP scanning product does not implement the check system. | Use of XCCDF check systems as specified in the <xccdf:check> element’s @system attribute SHALL be restricted as follows:~Evaluation of an <xccdf:check> containing a reference to a non-SCAP check system SHALL produce an “unchecked” result if an SCAP scanning product does not implement the check system. | NOT_CHECKED | NA | RESULT_CONTENT | |
| 125 | 3.2.5.2 | One or more <xccdf:check-export> elements MAY be used to define the binding of <xccdf:Value> elements to OVAL variables. The format of the <xccdf:check-export> element is:~<xccdf:check-export value-id="XCCDF_Value_id" _x000B_export-name="OVAL_External_Variable_id"/> | One or more <xccdf:check-export> elements MAY be used to define the binding of <xccdf:Value> elements to OVAL variables. The format of the <xccdf:check-export> element is:~<xccdf:check-export value-id="XCCDF_Value_id" _x000B_export-name="OVAL_External_Variable_id"/> | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 126 | 4.7.3 | SCAP compliant processors that generate XCCDF <xccdf:rule-result> elements SHALL apply the mapping illustrated in Table 7 when deriving <xccdf:Rule> results from OVAL Definition processing. The corresponding <xccdf:rule-result/xccdf:result> value SHALL be recorded based on the @class of the OVAL Definition where applicable.~Table 7. Deriving XCCDF Rule Results from OVAL Definition Results~OVAL Definition Result~XCCDF Rule Result~~error~error~~unknown~unknown~~not applicable~notapplicable~~not evaluated~notchecked~~Definition Class~Definition Result~~compliance~true~~vulnerability~false~~inventory~true~~patch~false~~~pass~~Definition Class~Definition Result~~compliance~false~~vulnerability~true~~inventory~false~~patch~true~~~fail~~ | If the <xccdf:result> value for a <xccdf:rule-result> is 'error', 'unknown', 'notapplicable', or 'notchecked', then the result of at least one OVAL definition referenced by that rule SHALL be 'error', 'unknown', 'not applicable', or 'not evaluated', respectively. If the <xccdf:result> value is 'fail' then the result of at least one of the OVAL definitions referenced SHALL match the fail category as defined in the SCAP table. If the <xccdf:result> value is 'pass' then the result of all of the OVAL definitions referenced SHALL match the pass category as defined in the SCAP table. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 131 | 4.7 | XCCDF test results SHALL be documented as the contents of an <xccdf:TestResult> element that either stands alone as the root of an XML document or is embedded as a child-element of an <xccdf:Benchmark> root element. In the former case, the <xccdf:TestResults> document requires an embedded <xccdf:benchmark> element that identifies the associated benchmark. In the latter case, the associated benchmark is the embedding benchmark; <xccdf:benchmark> elements SHALL be ignored in <xccdf:TestResult> elements that are embedded in their associated benchmark. | If the <xccdf:TestResult> is not embedded in a <xccdf:Benchmark>, then an <xccdf:Benchmark> SHALL be embedded in <xccdf:TestResult> | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 132 | 4.7 | One or more <xccdf:organization> elements SHALL be provided to indicate the organizational units responsible for applying the checklist. | One or more <xccdf:organization> elements SHALL be provided to indicate the organizational units responsible for applying the checklist. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 133 | 4.7 | The @start-time and @end-time attributes SHALL be provided to indicate when the scan started and completed, respectively. | The @start-time and @end-time attributes SHALL be provided to indicate when the scan started and completed, respectively. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 134 | 4.7 | The @test-system attribute SHALL be provided with a CPE Name value indicating the product that evaluated the checklist. | The @test-system attribute SHALL be provided with a CPE Name value indicating the product that evaluated the checklist. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 135 | 4.7 | Regarding the definition and use of <xccdf:Profile> elements:~If no <xccdf:Profile> was selected, then the <xccdf:Profile> SHALL be omitted. | If no profile was selected for a scan, then <xccdf:profile> SHALL be excluded from <xccdf:TestResult> | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 136 | 4.7 | Each IP address associated with the <xccdf:target> SHALL be enumerated using the <xccdf:target-address> element. | The same number of <xccdf:target> and <xccdf:target-address> elements SHALL be provided. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| The <xccdf:target-address> SHALL contain an IP address | SCHEMATRON | ERROR | RESULT_CONTENT | ||||
| 137 | 4.7 | Where applicable to the target system, each of the following <xccdf:fact> elements SHALL be provided:~Table 6. XCCDF Fact Descriptions~XCCDF Fact~Description of Use~~urn:scap:fact:asset:identifier:mac~Ethernet media access control address~~urn:scap:fact:asset:identifier:ipv4~Internet Protocol version 4 address~~urn:scap:fact:asset:identifier:ipv6~Internet Protocol version 6 address~~urn:scap:fact:asset:identifier:host_name~Host name of the asset, if assigned~~urn:scap:fact:asset:identifier:fqdn~Fully qualified domain name~~urn:scap:fact:asset:identifier:ein~Equipment identification number or other inventory tag number~~urn:scap:fact:asset:identifier:guid~Globally unique identifier for the asset, if assigned~~urn:scap:fact:asset:environmental_information:owning_organization~Organization that tracks the asset on its inventory~~urn:scap:fact:asset:environmental_information:current_region~Geographic region where the asset is located~~urn:scap:fact:asset:environmental_information:administration_unit~Name of the organization that does system administration for the asset~~ | Where applicable to the target system, each of the following <xccdf:fact> elements SHALL be provided:~Table 6. XCCDF Fact Descriptions~XCCDF Fact~Description of Use~~urn:scap:fact:asset:identifier:mac~Ethernet media access control address~~urn:scap:fact:asset:identifier:ipv4~Internet Protocol version 4 address~~urn:scap:fact:asset:identifier:ipv6~Internet Protocol version 6 address~~urn:scap:fact:asset:identifier:host_name~Host name of the asset, if assigned~~urn:scap:fact:asset:identifier:fqdn~Fully qualified domain name~~urn:scap:fact:asset:identifier:ein~Equipment identification number or other inventory tag number~~urn:scap:fact:asset:identifier:guid~Globally unique identifier for the asset, if assigned~~urn:scap:fact:asset:environmental_information:owning_organization~Organization that tracks the asset on its inventory~~urn:scap:fact:asset:environmental_information:current_region~Geographic region where the asset is located~~urn:scap:fact:asset:environmental_information:administration_unit~Name of the organization that does system administration for the asset~~ | NOT_CHECKED | NA | RESULT_CONTENT | |
| 138 | 4.7.1 | An <xccdf:rule-result> of “pass” SHALL indicate that the target platform satisfies all the conditions of the XCCDF rule and is unaffected by the vulnerability or exposure referenced by the CVE. | An <xccdf:rule-result> of “pass” SHALL indicate that the target platform satisfies all the conditions of the XCCDF rule and is unaffected by the vulnerability or exposure referenced by the CVE. | NOT_CHECKED | NA | RESULT_CONTENT | |
| 139 | 4.7.2 | An <xccdf:rule-result> of “pass” SHALL indicate that the target platform complies with the configuration setting guidance expressed in the XCCDF rule. | An <xccdf:rule-result> of “pass” SHALL indicate that the target platform complies with the configuration setting guidance expressed in the XCCDF rule. | NOT_CHECKED | NA | RESULT_CONTENT | |
| 141 | 4.8 | In order to be SCAP compliant, an SCAP scanning product SHALL be able to produce all the types of OVAL Results output described below. The specific result output SHALL be configurable within the SCAP product. | In order to be SCAP compliant, an SCAP scanning product SHALL be able to produce both thin and full OVAL Results output as described below. The specific result output SHALL be configurable within the SCAP product. | NOT_CHECKED | NA | TOOL | |
| 148 | 3.5 | Local enumerations are permitted, but if a CPE Name for a product or platform exists in the Official CPE Dictionary, the content SHALL match the product or platform referenced by that official identifier. | CPE items SHOULD exist in the official CPE dictionary. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 149 | 3.5 | For certain names, a <cpe_dict:cpe-item> MAY contain one or more <check> elements that reference OVAL system inventory definitions using the following format:~<cpe_dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"~[href="oval_URL"]>oval_inventory_definition_id</cpe_dict:check> | For certain names, a <cpe_dict:cpe-item> MAY contain one or more <check> elements that reference OVAL system inventory definitions using the following format:~<cpe_dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"~[href="Oval_URL"]>Oval_inventory_definition_id</cpe_dict:check> | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 150 | 3.7 | CVE references in SCAP content MAY include both “candidate” and “entry” status identifiers. | CVE references in SCAP content MAY include both “candidate” and “entry” status identifiers. | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 151 | 3.7 | The use of deprecated CVE identifiers SHALL NOT be allowed. | The use of deprecated CVE identifiers SHALL NOT be allowed. | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 152 | 3.7 | If a CVE identifier exists for a particular vulnerability, the official CVE identifier SHALL be used. | If a CVE identifier exists for a particular vulnerability, the official CVE identifier SHALL be used. | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 154 | 3.1 | An SCAP source data stream is the expression of content for a specific use case using one or more stream components. For its filenames, every SCAP source data stream SHALL use a common locator prefix that is appended to the URL base of the deployed data source. | For each data source in an SCAP feed, the beginning of the resource ID must be the same for all resources in that feed, and the end must match the name conventions documented. For example: (example-winxp-xccdf.xml, example-winxp-oval.xml) is valid, but (sample-xccdf.xml, real-oval.xml) is not valid. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 169 | 3.2.6.4 | An OVAL instance document MAY be used to represent a series of checks to verify that patches have been installed. Historically, an XCCDF convention has been used to identify such a reference. An XCCDF benchmark MAY include a patches up-to-date rule that references an OVAL patch source data stream component. When implementing a patches up-to-date XCCDF rule, the following approach SHALL be used:~The source data stream MUST include an OVAL Patch source data stream component.~ ~The <xccdf:Rule> element that references an OVAL Patch source data stream component SHALL have the @id attribute value of “security_patches_up_to_date”. | If an <xccdf:check-content-ref> references a Patch component, the corresponding rule for that element must have @id "security_patches_up_to_date". | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 170 | 3.2.6.4 | An OVAL instance document MAY be used to represent a series of checks to verify that patches have been installed. Historically, an XCCDF convention has been used to identify such a reference. An XCCDF benchmark MAY include a patches up-to-date rule that references an OVAL patch source data stream component. When implementing a patches up-to-date XCCDF rule, the following approach SHALL be used:~A single <xccdf:check> element SHALL be provided for the <xccdf:Rule> with a @system attribute value of “http://oval.mitre.org/XMLSchema/oval-definitions-5”. | If a <xccdf:Rule> @id has a value of 'security_patches_up_to_date', then that rule SHALL have one, and only one, <xccdf:check> element, and that element SHALL have a @system attribute of 'http://oval.mitre.org/XMLSchema/oval-definitions-5' | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 171 | 3.2.6.4 | An OVAL instance document MAY be used to represent a series of checks to verify that patches have been installed. Historically, an XCCDF convention has been used to identify such a reference. An XCCDF benchmark MAY include a patches up-to-date rule that references an OVAL patch source data stream component. When implementing a patches up-to-date XCCDF rule, the following approach SHALL be used:~Each <xccdf:check-content-ref> element SHALL have an @href attribute referencing a valid SCAP <oval-def:oval_definitions> document instance with the @name attribute omitted. | If a <xccdf:check-content-ref> references a Patch component, the @name SHALL be omitted from the <xccdf:check-content-ref> | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 172 | 4.3 | If an <xccdf:Profile> element is not provided or selected, then profile processing SHALL be skipped and standard XCCDF benchmark processing rules SHALL apply. | If an <xccdf:Profile> element is not provided or selected, then profile processing SHALL be skipped and standard XCCDF benchmark processing rules SHALL apply. | NOT_CHECKED | NA | TOOL | |
| 174 | 3.2.3 | The following requirements and recommendations apply to the <xccdf:Benchmark> element:~One or more instances of the <xccdf:notice> element MAY be provided indicating clarifications, suggestions, or warnings regarding the use of the benchmark, including but not limited to terms of use, legal notices, or copyright statements. | The following requirements and recommendations apply to the <xccdf:Benchmark> element:~One or more instances of the <xccdf:notice> element MAY be provided indicating clarifications, suggestions, or warnings regarding the use of the benchmark, including but not limited to terms of use, legal notices, or copyright statements.~~If used, the @href attribute SHALL be an absolute URL, NOT a relative URL. | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 175 | 3.2.5 | The following requirements and recommendations apply to the use of the <xccdf:check> and <xccdf:complex-check> elements:~At least one <xccdf:check-content-ref> element MUST be provided for each <xccdf:check> . | At least one <xccdf:check-content-ref> element MUST be provided in each <xccdf:check> | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 177 | 4.6 | For its filenames, every SCAP result data stream SHALL use two common locator prefixes that are appended to the URL base of the deployed result file. | For each data source in an SCAP result feed, the beginning of the resource ID must be the same for all resources in that feed, and the end must match the name conventions documented. For example: (example-winxp-xccdf-res.xml, example-winxp-oval-res.xml) is valid, but (sample-xccdf-res.xml, real-oval-res.xml) is not valid. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 178 | 4.6 | The first locator prefix (a string followed by a hyphen) SHALL be associated with a specific result data stream. The first locator prefix SHALL be consistent between multiple evaluations of the same source content. The second locator prefix (a string followed by a hyphen) MAY be used to differentiate among similar result data streams | The notation ‘xxxx-’ designates a locator prefix that SHALL be associated with a specific result data stream. The notation ‘-yyy-‘ designates a locator prefix that MAY be used to differentiate among similar result data streams | NOT_CHECKED | NA | RESULT_CONTENT | |
| 179 | 4.8 | data results SHALL be expressed as Single Machine Without System Characteristics, Single Machine With System Characteristics, or Single Machine With Thin Results | The <oval-res:directives> element SHALL be:<definition_true content="full" reported="true"/>~<definition_false content="full" reported="true"/>~<definition_unknown content="full" reported="true"/>~<definition_error content="full" reported="true"/>~<definition_not_evaluated content="full" reported="true"/>~<definition_not_applicable content="full" reported="true"/> or <definition_true reported="true"/>~<definition_false reported="true"/>~<definition_unknown reported="true"/>~<definition_error reported="true"/>~<definition_not_evaluated reported="true"/>~<definition_not_applicable reported="true"/> or <definition_true content="thin" reported="true"/>~<definition_false content="thin" reported="true"/>~<definition_unknown content="thin" reported="true"/>~<definition_error content="thin" reported="true"/>~<definition_not_evaluated content="thin" reported="true"/>~<definition_not_applicable content="thin" reported="true"/> | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 180 | 4.8 | Single Machine Without System Characteristics – A single result file that includes all OVAL definitions evaluated and “full” results types as described in the ContentEnumeration element of the OVAL Results schema, without system characteristics. ~For this format, the values for the <oval-res:directives> element SHALL be:~<oval-res:definition_true content="full" reported="true"/>~<oval-res:definition_false content="full" reported="true"/>~<oval-res:definition_unknown content="full" reported="true"/>~<oval-res:definition_error content="full" reported="true"/>~<oval-res:definition_not_evaluated content="full" reported="true"/>~<oval-res:definition_not_applicable content="full" reported="true"/> | |||||
| 181 | 4.8 | Single Machine With System Characteristics – A single result file that includes all OVAL definitions evaluated and “full” results types as described in the ContentEnumeration element of the OVAL Results schema and the System Characteristics of the target evaluated.~For this format, the values for the <oval-res:directives> element SHALL be:~<oval-res:definition_true content="full" reported="true"/>~<oval-res:definition_false content="full" reported="true"/>~<oval-res:definition_unknown content="full" reported="true"/>~<oval-res:definition_error content="full" reported="true"/>~<oval-res:definition_not_evaluated content="full" reported="true"/>~<oval-res:definition_not_applicable content="full" reported="true"/> ~~When creating the OVAL System Characteristics as defined by the <oval-sc:oval_system_characteristics> element, the <oval-sc:collected_objects> and <oval-sc:system_data> elements SHALL be provided. | Issue warning if oval-res directives definitions have @content='full' or @content is not provided and oval-res:oval_system_characteristics does not have both oval-res:collected_objects and oval-res:system_data. In that case it is Single Machine Without System Characteristics. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 182 | 4.8 | Single Machine With Thin Results – A single result file that includes all OVAL definitions evaluated and “thin” results types as described in the OVAL Results schema. A value of “thin” means only the minimal amount of information will be provided.~For this format, the values for the <oval-res:directives> element SHALL be:~<oval-res:definition_true content="thin" reported="true"/>~<oval-res:definition_false content="thin" reported="true"/>~<oval-res:definition_unknown content="thin" reported="true"/>~<oval-res:definition_error content="thin" reported="true"/>~<oval-res:definition_not_evaluated content="thin" reported="true"/>~<oval-res:definition_not_applicable content="thin" reported="true"/> | |||||
| 193 | 3.2.5.1 | When present, the @name attribute SHALL refer to a specific OVAL Definition in the designated source data stream component. | |||||
| 194 | 3.2.5.1 | The @href attribute SHALL reference an OVAL source data stream component. | |||||
| 200 | 3.2.2 | Within a given <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Group>, or <xccdf:Rule> context, if no <xccdf:platform> element is defined, the <xccdf:platform> of its nearest ancestor that has an <xccdf:platform> element defined SHALL be inherited. If none of its ancestors have an <xccdf:platform> element defined, the <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Group>, or <xccdf:Rule> SHALL be considered to apply to any product. | Within a given <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Group>, or <xccdf:Rule> context, if no <xccdf:platform> element is defined, the <xccdf:platform> of its nearest ancestor that has an <xccdf:platform> element defined SHALL be inherited. If none of its ancestors have an <xccdf:platform> element defined, the <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Group>, or <xccdf:Rule> SHALL be considered to apply to all applicable targets. | NOT_CHECKED | NA | TOOL | |
| 202 | 4.8 | Each SCAP OVAL result data stream component SHALL use the <oval-res:oval_results> element as the document element. Each OVAL result data stream component SHALL validate against version 5.8 of the OVAL Results schema regardless of the version of the OVAL Definitions document that was evaluated. | Each SCAP OVAL result data stream component SHALL use the <oval-res:oval_results> element as the document element. Each OVAL result data stream component SHALL validate against version 5.8 of the OVAL Results schema regardless of the version of the OVAL Definitions document that was evaluated. | APPLICATION | ERROR | SOURCE_CONTENT | |
| 203 | 3.1 | Every SCAP source data stream component SHALL have a filename comprised of the locator prefix (including a trailing hyphen) followed by the appropriate component suffix, as listed in Table 2.~~Table 2. SCAP Source Data Stream Conventions~Component~Component Suffix~Document Element~~XCCDF Benchmark~xccdf.xml~<xccdf:Benchmark>~~OVAL Compliance~oval.xml~<oval-def:oval_definitions>~~OVAL Patch~patches.xml~<oval-def:oval_definitions>~~OVAL Vulnerability~oval.xml~<oval-def:oval_definitions>~~OCIL Questionnaire~ocil.xml~<ocil:ocil>~~CPE Dictionary~cpe-dictionary.xml~<cpe-dict:cpe-list>~~CPE Inventory~cpe-oval.xml~<oval-def:oval_definitions>~~ | The table in section 3.1 must be followed. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| The table in section 3.1 must be followed. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| The table in section 3.1 must be followed. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 204 | 3.1 | Each SCAP source data stream component SHALL validate against the corresponding schema and, if applicable, associated Schematron stylesheet. | Each SCAP source data stream component SHALL validate against the corresponding schema. | SCHEMA | ERROR | SOURCE_CONTENT | |
| 205 | 3.2.2 | The @id attribute for each <cpe-lang:platform> element declared in this manner MAY be referenced within an <xccdf:platform> element with a corresponding @idref attribute. Complex platforms MAY be referenced this way within <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Group>, and <xccdf:Rule> elements. | |||||
| 206 | 3.2.6.5 | Current CVSS scores acquired dynamically, such as from a data feed, SHOULD be used in place of static CVSS scores in the @weight attribute within XCCDF vulnerability-related rules. | Current CVSS scores acquired dynamically, such as from a data feed, SHOULD be used in place of static CVSS scores in the @weight attribute within XCCDF vulnerability-related rules. | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 207 | 3.3 | The following requirements apply to particular classes of OVAL definitions:~~For compliance class definitions:~If an OVAL compliance class definition maps to one or more CCE identifiers, the definition SHOULD include <oval-def:reference> elements that reference those identifiers using the following format: ~<oval-def:reference source="http://cce.mitre.org" ref_id="CCE_identifier"/>_x000B__x000B_The source attribute SHALL be defined using either “CCE” or “http://cce.mitre.org” (preferred method). | OVAL definitions of class 'compliance' should include a reference to a CCE, where applicable. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 208 | 3.3 | The following requirements apply to particular classes of OVAL definitions:~~For compliance class definitions:~Definitions that are directly or indirectly extended SHALL be limited to inventory and compliance classes. | For OVAL definitions of @class 'compliance', only definitions of class 'compliance' or 'inventory' can be extended. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 209 | 3.3 | The following requirements apply to particular classes of OVAL definitions:~~For inventory class definitions:~If an OVAL inventory class definition maps to one or more CPE identifiers, the definition SHOULD include <oval-def:reference> elements that reference those identifiers using the following format: _x000B__x000B_<oval-def:reference source="http://cpe.mitre.org" ref_id="CPE_identifier"/>_x000B__x000B_The source attribute SHALL be defined using either “CPE” or “http://cpe.mitre.org” (preferred method). | OVAL definitions of class 'inventory' should include a reference to a CPE, where applicable. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 210 | 3.3 | The following requirements apply to particular classes of OVAL definitions:~~For inventory class definitions:~Definitions that are directly or indirectly extended SHALL be limited to the inventory class. | For OVAL definitions of @class 'inventory', only definitions of class 'inventory' can be extended. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 211 | 3.3 | The following requirements apply to particular classes of OVAL definitions:~~For patch class definitions:~If an OVAL patch class definition maps to one or more CVE identifiers, the definition MAY include <oval-def:reference> elements that reference those identifiers using the following format:_x000B__x000B_<oval-def:reference source="http://cve.mitre.org" ref_id="CVE_identifier"/>_x000B__x000B_The source attribute SHALL be defined using either “CVE” or “http://cve.mitre.org” (preferred method). | Issue a warning if an OVAL patch class does not reference a CVE. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 212 | 3.3 | The following requirements apply to particular classes of OVAL definitions:~~For patch class definitions:~If an OVAL patch class definition is associated with a source specific identifier (for example, Knowledge Base numbers for Microsoft patches), these identifiers SHOULD be included in <oval-def:reference> elements contained by the definition. For example:_x000B__x000B_<oval-def:reference source="www.microsoft.com/Patch" ref_id="KB912919"/> | |||||
| 213 | 3.3 | The following requirements apply to particular classes of OVAL definitions:~~For patch class definitions:~Definitions that are directly or indirectly extended SHALL be limited to inventory and patch classes. | For OVAL definitions of @class 'patch', only definitions of class 'patch' or 'inventory' can be extended. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 214 | 3.3 | The following requirements apply to particular classes of OVAL definitions:~~For vulnerability class definitions:~If an OVAL vulnerability class definition maps to one or more CVE identifiers, the definition SHOULD include <oval-def:reference> elements that reference those identifiers using the following format:_x000B__x000B_<oval-def:reference source="http://cve.mitre.org" ref_id="CVE_identifier"/>_x000B__x000B_The source attribute SHALL be defined using either “CVE” or “http://cve.mitre.org” (preferred method). | OVAL definitions of class 'vulnerability' should include a reference to a CVE, where applicable. | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 215 | 3.3 | The following requirements apply to particular classes of OVAL definitions:~~For vulnerability class definitions:~Definitions that are directly or indirectly extended SHALL be limited to inventory and vulnerability classes. | For OVAL definitions of @class 'vulnerability', only definitions of class 'inventory' or 'vulnerability' can be extended. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 216 | 4.1 | Products supporting OVAL SHALL support OVAL Definition documents written against OVAL versions 5.3, 5.4, 5.5, 5.6, 5.7, and 5.8. | OVAL documents must be written in one of the following versions: 5.3, 5.4, 5.5, 5.6, 5.7, 5.8 | APPLICATION | ERROR | TOOL | |
| 217 | 4.1 | Within the OVAL Language, constructs may be deprecated. Deprecated constructs MUST be handled properly during OVAL Definition evaluation. | |||||
| 218 | 4.2 | An SCAP implementation that can import SCAP content SHALL be capable of validating the content against the appropriate schemas and Schematron stylesheets, detecting and reporting errors, and failing gracefully if there are errors. | An SCAP implementation that can import SCAP content SHALL be capable of validating the content against the appropriate schemas and schematron rules, detecting and reporting errors, and failing gracefully if there are errors. | NOT_CHECKED | NA | TOOL | |
| 221 | 3.2.6.1 | When referencing a CVE, CCE, or CPE identifier:~~The identifier type SHALL correspond to the OVAL definition class, as follows:~OVAL compliance class definitions reference CCE identifiers. | OVAL definitions of type compliance SHALL NOT reference CVE or CPE. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 222 | 3.2.6.1 | When referencing a CVE, CCE, or CPE identifier:~~The identifier type SHALL correspond to the OVAL definition class, as follows:~OVAL inventory class definitions reference CPE identifiers. | OVAL definitions of type inventory SHALL NOT reference CVE or CCE. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 223 | 3.2.6.1 | When referencing a CVE, CCE, or CPE identifier:~~The identifier type SHALL correspond to the OVAL definition class, as follows:~OVAL patch and vulnerability class definitions reference CVE identifiers. | OVAL definitions of type vulnerability or patch SHALL NOT reference CCE or CPE. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 224 | 3.2.6.1 | When referencing a CVE, CCE, or CPE identifier:~~The system attribute for the <xccdf:ident> element SHALL be defined using one of the following:~The CVE system identifier, either “CVE” or “http://cve.mitre.org” (preferred method) | When xccdf:ident elements references a CVE, the @system attribute SHOULD be 'http://cve.mitre.org' or 'CVE' | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 225 | 3.2.6.1 | When referencing a CVE, CCE, or CPE identifier:~~The system attribute for the <xccdf:ident> element SHALL be defined using one of the following:~The CCE system identifier, either “CCE” or “http://cce.mitre.org” (preferred method) | When xccdf:ident elements references a CCE, the @system attribute SHOULD be 'http://cce.mitre.org' or 'CCE' | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| 226 | 3.2.6.1 | When referencing a CVE, CCE, or CPE identifier:~~The system attribute for the <xccdf:ident> element SHALL be defined using one of the following:~The CPE system identifier, either “CPE” or “http://cpe.mitre.org” (preferred method) | When xccdf:ident elements references a CPE, the @system attribute SHALL be 'http://cpe.mitre.org' or 'CPE' | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 227 | 3.2.6.2 | If an <xccdf:Rule> element references a specific OVAL Definition, then:~The referenced OVAL Definition MUST have its @class attribute defined as “compliance” if it represents a check for the value of a specific configuration setting. | |||||
| 228 | 3.2.6.2 | If an <xccdf:Rule> element references a specific OVAL Definition, then:~The referenced OVAL Definition MUST have its @class attribute defined as “vulnerability” if it represents a check for the presence of a particular software flaw vulnerability. | |||||
| 229 | 3.2.6.2 | If an <xccdf:Rule> element references a specific OVAL Definition, then:~The referenced OVAL Definition MUST have its @class attribute defined as “patch” if it represents a check for the presence of a discrete patch. | |||||
| 230 | 3.2.6.2 | If an <xccdf:Rule> element references a specific OVAL Definition, then:~The referenced OVAL Definition MUST have its @class attribute defined as “inventory” if it represents a check for the presence of a product of interest. | |||||
| 231 | 4.5 | In XCCDF content, if multiple <xccdf:check-content-ref> elements are provided, then the following evaluation method SHALL be performed:~Evaluate each <xccdf:check-content-ref> element in the order that it appears in the <xccdf:check> element. The first resolvable <xccdf:check-content-ref> element SHALL be used to determine the <xccdf:Rule> status. | |||||
| 232 | 4.5 | In XCCDF content, if multiple <xccdf:check-content-ref> elements are provided, then the following evaluation method SHALL be performed:~For each <xccdf:check-content-ref> element, a product will attempt to retrieve the document referenced by the @href attribute. If not resolvable, the next available <xccdf:check-content-ref> element SHALL be evaluated. If none of the <xccdf:check-content-ref> elements are resolvable, then the result of the rule evaluation SHALL be the XCCDF “unchecked” status and processing of the <xccdf:Rule> SHALL end. Please note that it is acceptable to map a remote URL to a local copy of the file in cases where remote access is not available, not allowed, or not practical. | |||||
| 233 | 4.5 | In XCCDF content, if multiple <xccdf:check-content-ref> elements are provided, then the following evaluation method SHALL be performed:~Once a resolvable <xccdf:check-content-ref> element is found, then check system processing SHALL proceed. When evaluating a rule, an <xccdf:rule-result/xccdf:message> with the @severity attribute value of “info” SHALL be generated, indicating the <xccdf:check-content-ref> @href and @name, if provided. | |||||
| 234 | 4.6 | Every SCAP result data stream component SHALL have a filename comprised of the first locator prefix, the second locator prefix, and the appropriate component suffix (as listed in Table 5), in that order. Each component SHALL use the element specified in Table 5 as its document element. ~~~Table 5. SCAP Result Data Stream Naming Conventions~Component~Component Suffix~Document Element~~XCCDF Benchmark~xccdf-res.xml~<xccdf:Benchmark> or <xccdf:TestResults>~~OVAL Compliance~oval-res.xml~<oval-def:oval_definitions>~~OVAL Patch~patches-res.xml~<oval-def:oval_definitions>~~OVAL Vulnerability~oval-res.xml~<oval-def:oval_definitions>~~OCIL Questionnaire~ocil-res.xml~<ocil:ocil>~~CPE Inventory~cpe-oval-res.xml~<oval-def:oval_definitions>~~ | The file naming convention for results should follow table 5 in section 4.6. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 235 | 4.9 | An SCAP OCIL result data stream component SHALL include the results of every OCIL questionnaire, test_action, and question used to generate the reported results. | |||||
| 251 | 3.2.6.1 | Each <xccdf:Rule> element SHALL include an <xccdf:ident> element containing a CVE, CCE, or CPE identifier reference if an appropriate reference exists. If the rule references an OVAL definition, then <xccdf:ident> element content SHALL match the corresponding CVE, CCE, or CPE identifier found in the associated OVAL Definition(s) if an appropriate identifier exists. | An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | SCHEMATRON | WARNING | SOURCE_CONTENT | |
| If an XCCDF rule references an OVAL definition, then <xccdf:ident> element content SHALL match the corresponding CVE, CCE, or CPE identifier found in the associated OVAL Definition(s) | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 252 | 3.2.5.3 | When referencing OCIL questionnaires as checks, XCCDF content SHALL follow all requirements defined in Appendix B of NIST Interagency Report (IR) 7692, Specifications for the Open Checklist Interactive Language (OCIL) Version 2.0 [OCIL]. | When xccdf:check-content-ref refers to an OCIL questionnaire, the @href MUST identify OCIL component, and the @name MUST identify the questionnaire. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| When an XCCDF rule references a specific OCIL Questionnaire, an OCIL Questionnaire source SHALL be available to resolve the reference. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| Every variable required in a referenced OCIL questionnaire by an <xccdf:Rule> SHALL be bound in an <xccdf:check-export>. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| If an XCCDF value of type 'number' is bound to an OCIL variable, the OCIL variable SHALL be of type 'NUMERIC' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| If an XCCDF value of type 'string' or 'boolean' is bound to an OCIL variable, the OCIL variable SHALL be of type 'TEXT' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| The required OCIL version is 2.0 and it SHALL be specified using the <inter:schema_version> inside the <inter:generator> element. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 253 | 4.7 | If the <xccdf:TestResult> is the root XCCDF element, the <xccdf:benchmark> element’s @href attribute SHALL be an absolute URL, NOT a relative URL. | If the <xccdf:TestResult> is the root XCCDF element, the <xccdf:benchmark> element’s @href attribute SHALL be an absolute URL, NOT a relative URL. | NOT_CHECKED | NA | SOURCE_CONTENT | |
| 254 | 4.7 | Each XCCDF result data stream component SHALL comply with the XCCDF Results schema. | Each XCCDF result data stream component SHALL comply with the XCCDF Results schema. | APPLICATION | ERROR | RESULT_CONTENT | |
| 255 | 4.7.3 | When evaluating an <xccdf:Rule> element that references an OVAL Definition, the <xccdf:rule-result> element SHALL be used to capture the result of this evaluation. This result SHALL be determined by evaluating the referenced OVAL Definition on a target host. The <xccdf:result> value recorded SHALL be mapped from the OVAL Definition Result produced during evaluation. | When evaluating an <xccdf:Rule> element that references an OVAL Definition, the <xccdf:rule-result> element SHALL be used to capture the result of this evaluation. This result SHALL be determined by evaluating the referenced OVAL Definition on a target host. The <xccdf:result> value recorded SHALL be mapped from the OVAL Definition Result produced during evaluation. | NOT_CHECKED | NA | RESULT_CONTENT | |
| 257 | 3.2.6.1 | An <xccdf:ident> element referencing a CVE, CCE, or CPE identifier SHALL be ordered before other <xccdf:ident> elements referencing non-SCAP identifiers. Identifiers from previous revisions of CCE or CPE MAY also be specified following the SCAP identifiers. | An <xccdf:ident> element referencing a CVE, CCE, or CPE identifier (using the @system value specified in the 800-126) SHALL be ordered before other <xccdf:ident> elements referencing non-SCAP identifiers. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 258 | 4.7.3 | If the <xccdf:Rule> under evaluation has an <xccdf:check-content-ref> element with the @name attribute omitted, then the result of each evaluated OVAL Definition SHALL be recorded as a separate <xccdf:rule-result>. This will commonly occur for a “security_patches_up_to_date” check, as defined in Section 3.2.6.4. | If the <xccdf:Rule> under evaluation has an <xccdf:check-content-ref> element with the @name attribute omitted, then the result of each OVAL Definition SHALL be evaluated as a separate <xccdf:rule-result>. This will commonly occur for a “security_patches_up_to_date” check, as defined in Section 3.2.6.4. | NOT_CHECKED | NA | RESULT_CONTENT | |
| 259 | 4.7 | The <xccdf:rule-result> elements SHALL report the result of the application of each selected rule against all specified targets.~If an evaluated rule references a check system (e.g., OVAL, OCIL) that the SCAP implementation does not support, the implementation SHALL return a result of “notchecked” for each such rule. | The <xccdf:rule-result> elements SHALL report the result of the application of each selected rule against all specified targets.~If an evaluated rule references a check system (e.g., OVAL, OCIL) that the SCAP implementation does not support, the implementation SHALL return a result of “notchecked” for each such rule. | NOT_CHECKED | NA | RESULT_CONTENT | |
| 260 | 4.7 | The <xccdf:rule-result> elements SHALL report the result of the application of each selected rule against all specified targets.~The <xccdf:check/xccdf:check-content-ref> element SHALL record the reference to the check system specific result file and check name within the result file using the @href and @name attributes, respectively. | Every <xccdf:rule-result> must have a <xccdf:check>/<xccdf:check-content-ref> that has attributes @href and @name | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 267 | 3.1 | Each SCAP source data stream component SHOULD NOT use any constructs that are deprecated in its associated specification. | Each SCAP source data stream component SHOULD NOT use any constructs that are deprecated in its associated specification. | NOT_CHECKED | WARNING | SOURCE_CONTENT | |
| 268 | 3.2.5.1 | Use of the @name attribute is REQUIRED except for the patches up-to-date rule, as defined in Section 3.2.6.4. | If a <xccdf:check-content-ref> does not reference a Patch component, the @name SHALL be provided on the <xccdf:check-content-ref> | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 269 | 3.6 | . If no CCE exists for the configuration setting of interest, the content author SHOULD seek to have a CCE identifier issued for the configuration setting | If no CCE exists for the configuration setting of interest, the content author SHOULD seek to have a CCE identifier issued for the configuration setting. | NOT_CHECKED | NA | TOOL | |
| 270 | 4.5 | When processing a patches-up-to-date rule, only OVAL patch class definitions SHALL be evaluated; all other classes of definitions (e.g., inventory class definitions) SHALL NOT be evaluated. | When processing a patches-up-to-date rule, only OVAL patch class definitions SHALL be evaluated; all other classes of definitions (e.g., inventory class definitions) SHALL NOT be evaluated. | NOT_CHECKED | NA | TOOL | |
| 271 | 4.7.3 | In this case the <xccdf:rule-result/xccdf:check-content-ref> SHALL identify the specific check result of each evaluated OVAL definition using the @href and @name attributes as described in Section 4.7, item 8c. . | Each <xccdf:rule-result/xccdf:check-content-ref> SHALL point to a check-system result using the @href and @name attributes. | SCHEMATRON | ERROR | RESULT_CONTENT | |
| 272 | 4.4 | CPEs referenced in an <xccdf:platform> element directly or by a <cpe-lang:fact-ref> contained within a referenced <cpe-lang:platform-specification> element SHALL be evaluated as follows:~The <cpe_dict:cpe-item> element data SHALL be located from the CPE dictionary data stream component in the same data stream with the @name attribute that is identical to the referenced CPE Name. | The xccdf:platform/@id and cpe-lang:fact-ref/@name must reference a CPE entry in the CPE Dictionary in the source files. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 273 | 4.4 | CPEs referenced in an <xccdf:platform> element directly or by a <cpe-lang:fact-ref> contained within a referenced <cpe-lang:platform-specification> element SHALL be evaluated as follows:~The <cpe_dict:check> element data associated with the identified <cpe_dict:cpe-item> element SHALL be evaluated using the referenced CPE inventory data stream component within the same data stream. | The cpe_dict:cpe-item/cpe_dict:check must reference an inventory OVAL definition in the CPE Inventory in the source data stream. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 274 | 4.4 | CPEs referenced in an <xccdf:platform> element directly or by a <cpe-lang:fact-ref> contained within a referenced <cpe-lang:platform-specification> element SHALL be evaluated as follows:~The result of evaluation SHALL be handled according to Section 4.7.3 of this document, with a result of “pass” indicating that the CPE Name was found on the machine. | CPEs referenced in an <xccdf:platform> element directly or by a <cpe-lang:fact-ref> contained within a referenced <cpe-lang:platform-specification> element SHALL be evaluated as follows:~The result of evaluation SHALL be handled according to Section 4.7.3 of this document, with a result of “pass” indicating that the CPE Name was found on the machine. | NOT_CHECKED | NA | TOOL | |
| A1 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | Working off-line, unable to download latest CCE and CPE dictionaries. | APPLICATION | WARNING | SOURCE_CONTENT | |
| A2 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | Version not found in OVAL file, unable to apply OVAL schematron rules. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A3 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | A file that is required for the SCAP validation use case could not be located. Please ensure that the file is named in accordance with the NIST SP 800-126 and that the file is not contained within a sub folder. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A4 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | Skipping unrecognized file in SCAP bundle. | APPLICATION | WARNING | SOURCE_CONTENT | |
| A5 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | SCAP use case not found in combined data stream. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A6 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | SCAP version not found in combined data stream. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A7 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | XCCDF document contains a reference to an unrecognized file type. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A8 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | Working off-line, unable to resolve remote reference in XCCDF document. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A9 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | Remote reference in XCCDF document could not be located or is too large to download. To override the default maximum size limit for remote references, set the -maxsize parameter | APPLICATION | ERROR | SOURCE_CONTENT | |
| A10 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | XML content failed schema validation. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A11 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | Unrecognized schema reference. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A12 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | In certain instances, a newer XML schema may be substituted for an older one for schema validation. | APPLICATION | WARNING | SOURCE_CONTENT | |
| A14 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | Content failed validation against Schematron. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A15 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | Unused OVAL definitions exist | APPLICATION | WARNING | SOURCE_CONTENT | |
| A16 | N/A | This is an additional, common-sense check. | CCE number is expected, but missing as a reference | APPLICATION | WARNING | SOURCE_CONTENT | |
| A17 | N/A | This is an additional, common-sense check. | CCE number is in an invalid format or the check-digit does not match. It should be of format CCE-XXXX-X or CCE-XXXXX-X where each X is a digit, and the final X is a check-digit. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A18 | N/A | This is an additional, common-sense check. | The attribute @content-type on <scap:check-system-content> must match the content as such: OVAL_COMPLIANCE, OVAL_PATCH, CPE_INVENTORY, OVAL_VULNERABILITY must contain an <oval-def:oval_definitions> element; OCIL_QUESTIONS must contain an <ocil:ocil> element. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A19 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | A file that is required for the SCAP results validation could not be located. Please ensure that the file is named in accordance with the NIST SP 800-126 and that the file is not contained within a sub folder. | APPLICATION | ERROR | RESULT_CONTENT | |
| A20 | N/A | This is an application specific requirement. If content does not pass this check the SCAP Content Validation Tool may fail. | The profile provided on the command-line must exist in the source XCCDF document. | APPLICATION | ERROR | SOURCE_CONTENT | |
| A21 | N/A | This requirement is intended to help the end-user, but it isn't required for content to pass validation. | The OVAL test type is not checked in the NIST SCAP Validation Program. | APPLICATION | INFO | SOURCE_CONTENT | |
CONFIGURATION |
|||||||
| Requirement ID | 800-126 Section | 800-126 Statement | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category | |
| 236 | 5.1 | The SCAP source data stream component that MUST be included for compliance checking is the XCCDF Benchmark, which expresses the checklist. Each rule in the XCCDF Benchmark SHALL reference one of the following | XCCDF Benchmark must be included in the compliance use case. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| Each xccdf:Rule must reference at least one of the follow components: OVAL Compliance, OCIL Questionnaire, OVAL Patches-Up-To-Date | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 237 | 5.1 | An OVAL compliance definition. This definition SHALL be contained in an OVAL Compliance component, which holds the definitions of the compliance checks used by the checklist. The OVAL Compliance component SHALL have at least one OVAL definition of class compliance, MAY have one or more additional OVAL definitions of classes compliance and/or inventory, and SHALL NOT have any other classes of OVAL definitions. An XCCDF Benchmark’s rules MAY reference one or more OVAL compliance definitions in an OVAL Compliance component. | OVAL Compliance component must have at least one OVAL definition of @class 'compliance' | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| OVAL Compliance component SHALL NOT have any OVAL definitons except of @class 'compliance' or 'inventory' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| When an xccdf:Rule references an OVAL Compliance component, it must reference an OVAL compliance definition in that component. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 238 | 5.1 | If the XCCDF Benchmark component references any CPE names, then the SCAP source data stream MUST include the following components, in addition to those already mentioned:~CPE Dictionary: specifies the products or platforms of interest. | If an XCCDF Benchmark references a CPE, then the CPE Dictionary component must be included. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 239 | 5.1 | If the XCCDF Benchmark component references any CPE names, then the SCAP source data stream MUST include the following components, in addition to those already mentioned:~CPE Inventory: contains the technical procedures for determining whether or not a specific target asset has a product or platform of interest. The CPE Inventory component SHALL have one or more OVAL definitions of class inventory and SHALL NOT have any other classes of OVAL definitions. | If an XCCDF Benchmark references a CPE, then the CPE Inventory component must be included. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| In a CPE Inventory component there must be at least one definition of @class 'inventory' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| All OVAL definitions in CPE Inventory component must be of @class 'inventory' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 240 | 5.1 | An OVAL Patch component. The OVAL Patch component holds definitions for patch compliance checks. These checks may be needed if an organization includes patch verification in its compliance activities. The OVAL Patch component SHALL have at least one OVAL definition of class patch, MAY have one or more additional OVAL definitions of classes compliance and/or inventory, and SHALL NOT have any other classes of OVAL definitions. An XCCDF Benchmark MAY reference an OVAL Patch component through a patches up-to-date rule in a manner consistent with Section 3.2.6.4. | In a OVAL Patch component there must be at least one definition of @class 'patch' | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| All OVAL definitions in OVAL Patch component must be of @class 'inventory', 'compliance' or 'patch' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 241 | 5.1 | An OCIL questionnaire. This questionnaire SHALL be contained in an OCIL Questionnaire component, which holds the questionnaires that collect information that OVAL is not being used to collect, such as posing questions to users or harvesting configuration information from an existing database. An XCCDF Benchmark’s rules MAY reference one or more OCIL questionnaires in an OCIL Questionnaire component. | When an xccdf:Rule references an OCIL component, it must reference an OCIL questionnaire in that component. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 262 | 5.1 | Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL compliance definition in the OVAL Compliance component or an OCIL questionnaire in the OCIL Questionnaire component. | Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL compliance definition in the OVAL Compliance component or an OCIL questionnaire in the OCIL Questionnaire component. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 263 | 5.1 | All OVAL Compliance, OCIL Questionnaire, and OVAL Patch components referenced by the XCCDF Benchmark SHALL be included in the SCAP source data stream. | All OVAL Compliance, OCIL Questionnaire, and OVAL Patch components referenced by the XCCDF Benchmark SHALL be included in the SCAP source data stream. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
VULNERABILITY_XCCDF_OVAL |
|||||||
| Requirement ID | 800-126 Section | 800-126 Statement | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category | |
| 242 | 5.2 | The SCAP source data stream component that MUST be included for vulnerability scanning is the XCCDF Benchmark, which expresses the checklist of the flaws to be checked for. Each rule in the XCCDF Benchmark SHALL reference one of the following | XCCDF Benchmark must be included in the vulnerability use case. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| Each xccdf:Rule must reference at least one of the follow components: OVAL Vulnerability, OCIL Questionnaire, OVAL Patches-Up-To-Date | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 243 | 5.2 | An OVAL vulnerability definition. This definition SHALL be contained in an OVAL Vulnerability component, which holds the definitions of the vulnerability checks used by the checklist. The OVAL Vulnerability component SHALL have at least one OVAL definition of class vulnerability, MAY have one or more additional OVAL definitions of classes vulnerability and/or inventory, and SHALL NOT have any other classes of OVAL definitions. An XCCDF Benchmark’s rules MAY reference one or more OVAL vulnerability definitions in an OVAL Vulnerability component. | OVAL Vulnerability component must have at least one OVAL definition of @class 'vulnerability' | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| OVAL Vulnerability component SHALL NOT have any OVAL definitons except of @class 'vulnerability' or 'inventory' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| When an xccdf:Rule references an OVAL Vulnerability component, it must reference an OVAL vulnerability definition in that component. | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 244 | 5.2 | If the XCCDF Benchmark component references any CPE names, then the SCAP source data stream MUST include the following components, in addition to those already mentioned:~CPE Dictionary: specifies the products or platforms of interest. | If an XCCDF Benchmark references a CPE, then the CPE Dictionary component must be included. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 245 | 5.2 | If the XCCDF Benchmark component references any CPE names, then the SCAP source data stream MUST include the following components, in addition to those already mentioned:~CPE Inventory: contains the technical procedures for determining whether or not a specific target asset has a product or platform of interest. The CPE Inventory component SHALL have one or more OVAL definitions of class inventory and SHALL NOT have any other classes of OVAL definitions. | If an XCCDF Benchmark references a CPE, then the CPE Inventory component must be included. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| In a CPE Inventory component there must be at least one definition of @class 'inventory' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| All OVAL definitions in CPE Inventory component must be of @class 'inventory' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 246 | 5.2 | An OVAL Patch component. The OVAL Patch component holds definitions for patch compliance checks. These checks may be needed if an organization includes patch verification in its vulnerability scanning activities. The OVAL Patch component SHALL have at least one OVAL definition of class patch, MAY have one or more additional OVAL definitions of classes compliance and/or inventory, and SHALL NOT have any other classes of OVAL definitions. An XCCDF Benchmark MAY reference an OVAL Patch component through a patches up-to-date rule in a manner consistent with Section 3.2.6.4. | In a OVAL Patch component there must be at least one definition of @class 'patch' | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| All OVAL definitions in OVAL Patch component must be of @class 'inventory', 'compliance' or 'patch' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 247 | 5.2 | An OCIL questionnaire. This questionnaire SHALL be contained in an OCIL Questionnaire component, which holds the questionnaires that collect information that OVAL is not being used to collect, such as giving a system administrator step-by-step directions for manually examining a system for a vulnerability that cannot be detected with OVAL, and then collecting information on the results of that manual examination. An XCCDF Benchmark’s rules MAY reference one or more OCIL questionnaires in an OCIL Questionnaire component. | When an xccdf:Rule references an OCIL component, it must reference an OCIL questionnaire in that component. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 265 | 5.2 | Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL vulnerability definition in the OVAL Vulnerability component or an OCIL questionnaire in the OCIL Questionnaire component. | Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL vulnerability definition in the OVAL Vulnerability component or an OCIL questionnaire in the OCIL Questionnaire component. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| 266 | 5.2 | All OVAL Vulnerability, OCIL Questionnaire, and OVAL Patch components referenced by the XCCDF Benchmark SHALL be included in the SCAP source data stream. | All OVAL Vulnerability, OCIL Questionnaire, and OVAL Patch components referenced by the XCCDF Benchmark SHALL be included in the SCAP source data stream. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
SYSTEM_INVENTORY |
|||||||
| Requirement ID | 800-126 Section | 800-126 Statement | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category | |
| 248 | 5.3 | The SCAP source data stream components that MUST be included for inventory scanning are:~XCCDF Benchmark: references the CPE Inventory and captures the results of the inventory. Each rule in the XCCDF Benchmark SHALL reference an OVAL inventory definition in the CPE Inventory component. | XCCDF Benchmark must be included in the inventory use case. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| Each xccdf:Rule must reference at least one OVAL definition in CPE_INVENTORY | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| 249 | 5.3 | The SCAP source data stream components that MUST be included for inventory scanning are:~CPE Inventory: contains the technical procedures for determining whether or not a specific target asset has a product or platform of interest. The CPE Inventory component SHALL have one or more OVAL definitions of class inventory and SHALL NOT have any other classes of OVAL definitions. | CPE Inventory component is required for the inventory use case. | SCHEMATRON | ERROR | SOURCE_CONTENT | |
| All OVAL definitions in CPE Inventory component must be of @class 'inventory' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
| In a CPE Inventory component there must be at least one definition of @class 'inventory' | SCHEMATRON | ERROR | SOURCE_CONTENT | ||||
OVAL_ONLY |
|||||||
| Requirement ID | 800-126 Section | 800-126 Statement | 800-126 Derived Requirement | Requirement Type | Error Level | Requirement Category | |
| 250 | 5.4 | The only SCAP source data stream component that MUST be included is an OVAL component that maps to the desired definition classes (e.g., compliance class for configuration setting checks, inventory class for asset checks, patch class for patch presence checks, vulnerability class for software flaw vulnerability presence checks). The mapping SHALL correspond to the mappings defined in Section 3.2.6.2. | |||||