Computer Security Resource Center

Computer Security Resource Center

This is an archive
(replace .gov by .rip)
    Projects Security Content Automation Protocol SCAP Specifications Open Checklist Interactive Language (OCIL)

Security Content Automation Protocol SCAP

Element Dictionary

- OCIL Schema -
Element Dictionary

  • Schema: OCIL
  • Version: 1.0
  • Release Date: December 29, 2008

VERSION 1.0

The Open Checklist Interactive Language (OCIL) is a language to express a set of questions to be presented to a user and procedures to interpret responses to these questions for the purpose of developing security checklists. Although its intended domain of use is IT security, its generic nature allows for other applications. For instance, it could be used for authoring research surveys, academic course exams, and instructional walkthroughs.

This document was originally developed by David Waltermire (The Center for Internet Security) and has been revised by The MITRE Corp with input from the security benchmark community. It is intended for developers and assumes familiarity with XML.

< ocil >

The ocil element is the root XML element of an OCIL document. It contains information about one or more questionnaires. It may also contain results elements to store prior responses.

Attributes:
- scope   inter:ScopeType   (optional -- default='FULL')
Child Elements Type MinOccurs MaxOccurs
generator inter:GeneratorType 1 1
document inter:DocumentType 0 1
inter:questionnaire [ extends ] inter:CompoundTestActionType 1 unbounded
inter:test_action inter:ItemBaseType 1 unbounded
inter:question inter:QuestionType 1 unbounded
inter:choice_group n/a 0 unbounded
inter:results n/a 0 1

 

 

< questionnaire >

A questionnaire represents specific question or set of questions that evaluate to a single result. A questionnaire may contain multiple test_actions. test_actions may be nested and aggregated thru some acceptable operation to produce the result of a check.

Attributes:
- id   inter:QuestionnaireIDPattern   (required)
- priority   inter:PriorityType   (optional -- default='LOW')
- child_only   xsd:boolean   (optional -- default='false')

 

 

< question >

Type: inter:QuestionType

A question elements contains information one question that needs to be answered by a user. It can be a boolean_question, choice_question, numeric_question, or string_question depending on the set of acceptable answers.

 

 

< boolean_question >

Substitution Group: inter:question

A boolean_question is a type of question with valid responses of either {TRUE, FALSE} or {YES, NO}.

Attributes:
- default_answer   xsd:boolean   (optional)
- model   inter:BooleanQuestionModelType   (optional -- default='MODEL_YES_NO')

 

 

< choice_question >

Substitution Group: inter:question

A choice_question is a type of question element with one or more acceptable answers specified by the author. The user will select one of these specified answers as their response. Acceptable answers are specified either explicitly using the choice element or implicitly using the choice_group_ref element to reference a choice_group element. Choices are presented in the order in which they are provided. All the choices in a choice_group are inserted in the order in which they appear within the choice_group.

Attributes:
- default_answer_ref   inter:ChoiceIDPattern   (optional)

 

 

< numeric_question >

Substitution Group: inter:question

A numeric_question is a type of question_element that requires a numeric answer. Acceptable values may be positive or negative and may include decimals.

Attributes:
- default_answer   xsd:decimal   (optional)

 

 

< string_question >

Substitution Group: inter:question

A string_question is a type of question element that requires a string answer.

Attributes:
- default_answer   xsd:string   (optional)

 

 

< test_action >

Type: inter:ItemBaseType

This is a common base element for the question_test_action element.

 

 

< question_test_action >

Substitution Group: inter:test_action

Type: inter:QuestionTestActionType

The question_test_action element contains a reference to a single question along with a set of handlers that indicate how processing should proceed based on the answer provided by the user. This element is abstract and is implemented in a document as a boolean_test_action, choice_test_action, numeric_test_action, or string_test_action. The type of question_test_action must match the type of question referenced. (E.g. a boolean_test_action MUST reference a boolean_question, etc..)

 

 

< boolean_question_test_action >

Substitution Group: inter:question_test_action

A boolean_question_test_action element references a boolean_question and includes handlers for TRUE (YES) or FALSE (NO) responses.

Child Elements Type MinOccurs MaxOccurs
when_true inter:ResultChoiceType 1 1
when_false inter:ResultChoiceType 1 1

 

 

< choice_question_test_action >

Substitution Group: inter:question_test_action

A choice_question_test_action element references a choice_question and includes handlers for the various choices set out in the choice_question.

Child Elements Type MinOccurs MaxOccurs
inter:when_choice [ extends ] inter:ResultChoiceType 1 unbounded

 

 

< numeric_question_test_action >

Substitution Group: inter:question_test_action

A numeric_question_test_action element references a numeric_question and includes handlers that indicate actions to perform based on whether the user's response matches a particular value or falls within a particular range.

 

 

< string_question_test_action >

Substitution Group: inter:question_test_action

A string_question_test_action element references a string_question and includes handlers that indicate actions to perform based on whether the user's response matches a given regular expression.

Child Elements Type MinOccurs MaxOccurs
inter:when_pattern [ extends ] inter:ResultChoiceType 1 unbounded

 

 

< results >

The results element stores information about the results of processing the questionnaires, test_actions, and questions in a document.

Attributes:
- start_time   xsd:dateTime   (optional)
- end_time   xsd:dateTime   (optional)
Child Elements Type MinOccurs MaxOccurs
title inter:TextType 0 1
target xsd:string 0 unbounded
target_address xsd:string 0 unbounded
questionnaire_result n/a 0 unbounded
inter:question_result inter:QuestionResultType 0 unbounded
test_action_result n/a 0 unbounded

 

 

< question_result >

Type: inter:QuestionResultType

A question_result element contains result information associated with a specific question. The specific type of question_result (boolean_question_result, choice_question_result, etc.) depends on the type of the associated question (boolean_question, choice_question, etc.)

 

 

< boolean_question_result >

Substitution Group: inter:question_result

A boolean_question_result element contains a reference to a boolean_question, the user's response, and whether the question was successfully posed.

Child Elements Type MinOccurs MaxOccurs
answer xsd:boolean 1 1

 

 

< choice_question_result >

Substitution Group: inter:question_result

A choice_question_result element contains a reference to a choice_question, the user's response, and whether the question was successfully posed.

Child Elements Type MinOccurs MaxOccurs
answer n/a 1 1

 

 

< numeric_question_result >

Substitution Group: inter:question_result

A numeric_question_result element contains a reference to a numeric_question, the result provided by the user, and whether the question was successfully posed.

Child Elements Type MinOccurs MaxOccurs
answer xsd:decimal 1 1

 

 

< string_question_result >

Substitution Group: inter:question_result

A string_question_result element contains a reference to a string_question, the string provided by the user in response, and whether the question was successfully posed.

Child Elements Type MinOccurs MaxOccurs
answer xsd:string 1 1

 

-- ScopeType --

 

Value Description
FULL

The FULL value indicates that all questions must be asked regardless of whether or not it they are all needed to produce a result for a questionnaire.

SHORT

The SHORT value indicates that once a result value can be computed for a questionnaire, then it is safe to stop asking questions.

 

-- BooleanQuestionModelType --

 

Provides the acceptable models (i.e. set of acceptable responses) for a boolean_question.

Value Description
MODEL_YES_NO

MODEL_YES_NO represents a response set of {YES, NO}.

MODEL_TRUE_FALSE

MODEL_TRUE_FALSE represents a response set of {TRUE, FALSE}.

 

-- OperatorType --

 

Value Description
AND

The AND operator produces a true result if every argument is true. If one or more arguments are false, the result of the AND is false. See the truth table provided in the ResultType type for a complete list of how the various result types are combined by an AND operation.

OR

The OR operator produces a true result if one or more arguments is true. If every argument is false, the result of the OR is false. See the truth table provided in the ResultType type for a complete list of how the various result types are combined by an AND operation.

 

 

== CompoundTestActionType ==

The CompoundTestActionType type describes the structures used to combine multiple test_action elements into a single result.

 

 

== GeneratorType ==

The GeneratorType type defines an element that is used to hold information about when a particular OCIL document was generated, what version of the schema was used, what tool was used to generate the document, and what version of the tool was used.

Additional generator information is also allowed although it is not part of the official OCIL language. Individual organizations can place generator information that they feel are important.

Child Elements Type MinOccurs MaxOccurs
product_name xsd:string 0 1
product_version xsd:string 0 1
author n/a 0 unbounded
schema_version xsd:decimal 1 1
timestamp xsd:dateTime 1 1

 

== DocumentType ==

 

This type describes structures used to provide document-level information, including title, descriptions, and notices.

Child Elements Type MinOccurs MaxOccurs
title xsd:string 1 1
description xsd:string 0 unbounded
notice xsd:string 0 unbounded

 

 

== ItemBaseType ==

The ItemBaseType complex type defines structures allowing a set of notes to be included. This type is inherited by many of the elements in the OCIL language.

Child Elements Type MinOccurs MaxOccurs
notes xsd:string 0 unbounded

 

 

== OperationType ==

The OperationType type defines structures that hold a set of test_actions and provide instructions as to how to aggregate their individual results into a single result.

Attributes:
- operation   inter:OperatorType    
- negate   xsd:boolean    
- priority   inter:PriorityType   (optional -- default='LOW')
Child Elements Type MinOccurs MaxOccurs
inter:test_action_ref inter:TestActionRefValuePattern 1 unbounded

 

 

== PatternType ==

The pattern element specifies a regular expression against which a string will be compared.

Attributes:
Simple Content xsd:string

 

 

-- PriorityType --

This type provides the possible priorities of a set of test_actions.

Value Description
HIGH  
MEDIUM  
LOW  

 

 

== QuestionTestActionType ==

The QuestionTestActionType type defines structures that are used to hold handlers for non-standard results (UNKNOWN, NOT_TESTED, NOT_APPLICABLE, and ERROR) received from a referenced question. All children of question_test_action extend this type.

 

 

== QuestionResultType ==

The QuestionResultType complex type defines structures that hold information about a question and the user's response to it.

Attributes:
- question_ref   inter:QuestionIDPattern   (required)
- success   xsd:boolean   (required)

 

 

== QuestionType ==

The QuestionType complex type defines a structure to describe a question and any instructions to help in determining an answer.

 

 

== RangeType ==

This type describes structures to define a range against which a numeric user response is to be compared.

Child Elements Type MinOccurs MaxOccurs
min n/a 0 1
max n/a 0 1

 

 

== ResultChoiceType ==

The ResultChoiceType complex type specifies processing instructions - either produce a result or move on to another test. The ResultChoiceType is extended by all handlers ("when_...") in test_actions.

Child Elements Type MinOccurs MaxOccurs
result inter:ResultType 1 1
inter:test_action_ref inter:TestActionRefValuePattern 1 1

 

 

-- ResultType --

The ResultType simple type defines acceptable result values for questionnaires and test_actions.

Value Description
PASS

A PASS value indicates that the check passed its test.

FAIL

A FAIL value indicates that the check did not pass its test.

UNKNOWN

An UNKNOWN value indicates that the result of a test cannot be determined.

ERROR

An ERROR value indicates that an error occured while processing the check.

Among other causes, this can indicate an unexpected response from the user.

NOT_TESTED

A NOT_TESTED value indicates that the check has not been tested yet.

NOT_APPLICABLE

A NOT_APPLICABLE value indicates that the check is not relevant and can be skipped.

The following table shows how the result is computed if the operator is AND:

Pass Fail Error Unkn Not Tstd N/A
1+ 0 0 0 0 0+ Pass
0+ 1+ 0+ 0+ 0+ 0+ Fail
0+ 0 1+ 0+ 0+ 0+ Error
0+ 0 0 1+ 0+ 0+ Unknown
0+ 0 0 0 1+ 0+ Not Tested
0 0 0 0 0 1+ Not Applicable
0 0 0 0 0 0 Not Tested

The following table shows how the result is computed if the operator is OR:

Pass Fail Error Unkn Not Tstd N/A
1+ 0+ 0+ 0+ 0+ 0+ Pass
0 1+ 0 0 0 0+ Fail
0 0+ 1+ 0+ 0+ 0+ Error
0 0+ 0 1+ 0+ 0+ Unknown
0 0+ 0 0 1+ 0+ Not Tested
0 0 0 0 0 1+ Not Applicable
0 0 0 0 0 0 Not Tested

 

 

 

== TextType ==

The TextType complex type defines an element that holds any information.

 

 

-- QuestionnaireIDPattern --

ID values for questionnaires must match this pattern.

ocil:[A-Za-z0-9_\-\.]+:questionnaire:[1-9][0-9]*

 

 

-- QuestionIDPattern --

ID values for questions must match this pattern. Each ID must be unique within an OCIL document.

ocil:[A-Za-z0-9_\-\.]+:question:[1-9][0-9]*

 

 

-- QuestionTestActionIDPattern --

ID values for test_actions must match this pattern. Each ID must be unique within an OCIL document.

ocil:[A-Za-z0-9_\-\.]+:testaction:[1-9][0-9]*

 

 

-- TestActionRefValuePattern --

A test_action_ref may refer to either a test_action or a questionnaire. This type represents the union of these two ID patterns.

ocil:[A-Za-z0-9_\-\.]+:testaction:[1-9][0-9]*

 

 

-- ChoiceIDPattern --

ID values for choices in choice_questions must match this pattern. Each ID must be unique within an OCIL document.

ocil:[A-Za-z0-9_\-\.]+:choice:[1-9][0-9]*

 

-- ChoiceGroupIDPattern --

 

ID values for choice_group references in choice_questions must match this pattern. Each ID must be unique within an OCIL document.

ocil:[A-Za-z0-9_\-\.]+:choicegroup:[1-9][0-9]*

 

 

< test_action_ref >

The test_action_ref element holds a reference (id) to a test_action or questionnaire.

 

 

< when_choice >

The element when_choice specifies the action to take in a choice_test_action when a particular choice is selected by a user in response to a choice_question.

Child Elements Type MinOccurs MaxOccurs
choice_ref inter:ChoiceIDPattern 1 unbounded

 

 

< choice >

A choice element holds information about one acceptable answer to a choice_question.

 

< choice_group >

 

A choice_group defines a group of choices that may then be reused in multiple choice_question elements. For example, a document may include multiple choice_questions with the options of "Good", "Fair", or "Poor". By defining these choices in a single choice_group, the author would not need to list them out explicitly in every choice_question.

Attributes:
- id   inter:ChoiceGroupIDPattern   (required)
Child Elements Type MinOccurs MaxOccurs
inter:choice n/a 1 unbounded

 

 

< when_equals >

The element when_equals specifies the action to take in a numeric_test_action when a particular value is given by a user in response to a numeric_question.

Child Elements Type MinOccurs MaxOccurs
value xsd:decimal 1 unbounded

 

 

< when_range >

The element when_range specifies the action to take in a numeric_test_action when a value given by a user in response to a numeric_question falls within the indicated range.

Child Elements Type MinOccurs MaxOccurs
range inter:RangeType 1 unbounded

 

< when_pattern >

 

The element when_pattern specifies the action to take in a string_test_action when a string given by a user in response to a string_question matches the given regular expression.

Child Elements Type MinOccurs MaxOccurs
pattern inter:PatternType 1 unbounded

 

 

== ReferenceType ==

The ReferenceType complex type defines structures used to hold information about an external reference given its URI and description.

This structure may be used to reference other standards such as CVE, CCE, or CPE. To do so, the href attribute would give the relevant namespace. For example, the namespace of the current version of CPE is http://cpe.mitre.org/dictionary/2.0 and the body of this element would hold a specific CPE identifier. References to other information (documents, web pages, etc.) are also permitted.

 

 

== StepType ==

The StepType complex type defines structures that describe one step (out of possibly multiple steps) that a user should take in order to respond to a question. The steps would appear as parts of the question's instructions element.

Attributes:
- is_done   xsd:boolean    
- is_required   xsd:boolean    
Child Elements Type MinOccurs MaxOccurs
description inter:TextType 0 1
reference inter:ReferenceType 0 unbounded
inter:step inter:StepType 0 unbounded

 

 

< step >

Type: inter:StepType

The step element describes one step in the procedures a user should undertake in order to answer an encapsulating question.

 

 

< instructions >

The instructions element contains a step by step procedure to guide the user in answering a question.

Child Elements Type MinOccurs MaxOccurs
title inter:TextType 1 1
inter:step inter:StepType 1 unbounded

Contacts

SCAP Inquiries
scap@nist.gov

Created December 07, 2016, Updated August 07, 2020