The Open Checklist Interactive Language (OCIL) defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions. Although the OCIL specification was developed for use with IT security checklists, the uses of OCIL are by no means confined to IT security. Other possible use cases include research surveys, academic course exams, and instructional walkthroughs.
In IT security, organizations work with security policies that detail the information that needs to be secured and the security requirements that must be met to ensure the information is protected accordingly. To verify compliance with security requirements, Federal agencies have already implemented security technologies that support the Security Content Automation Protocol (SCAP). OCIL is considered an emerging specification, so it is not currently included in SCAP. However, OCIL can still be used in conjunction with SCAP specifications such as XCCDF to help handle cases where lower-level checking languages such as OVAL are unable to automate a particular check. In short, OCIL provides a standardized approach to express and evaluate non-automated (i.e., manual) security checks.
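To make the question-and-interpretation model concrete, the following added example (not part of the OCIL specification or of any NIST tool) evaluates a manual check from recorded yes/no answers. The document is a constructed sample; its element names and namespace follow the OCIL 2.0 schema as understood here and should be checked against the XSD. The way results are combined is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://scap.nist.gov/schema/ocil/2.0"}  # OCIL 2.0 namespace (assumed)
P = "ocil:org.example:"  # constructed ID prefix

# Constructed sample, trimmed to what evaluate() reads (not schema-valid as is).
SAMPLE = f"""<ocil xmlns="{NS['o']}">
 <questionnaires>
  <questionnaire id="{P}questionnaire:1">
   <actions operation="AND">
    <test_action_ref>{P}testaction:1</test_action_ref>
    <test_action_ref>{P}testaction:2</test_action_ref>
   </actions>
  </questionnaire>
 </questionnaires>
 <test_actions>
  <boolean_question_test_action id="{P}testaction:1" question_ref="{P}question:1">
   <when_true><result>PASS</result></when_true>
   <when_false><result>FAIL</result></when_false>
  </boolean_question_test_action>
  <boolean_question_test_action id="{P}testaction:2" question_ref="{P}question:2">
   <when_true><result>FAIL</result></when_true>
   <when_false><result>PASS</result></when_false>
  </boolean_question_test_action>
 </test_actions>
 <questions>
  <boolean_question id="{P}question:1">
   <question_text>Is the server room door kept locked?</question_text></boolean_question>
  <boolean_question id="{P}question:2">
   <question_text>Are visitors ever left unescorted?</question_text></boolean_question>
 </questions>
</ocil>"""

def evaluate(xml_text, answers):
    """Map questionnaire id -> PASS/FAIL/NOT_TESTED from {question_id: bool}."""
    root = ET.fromstring(xml_text)
    path = "o:test_actions/o:boolean_question_test_action"
    acts = {a.get("id"): a for a in root.iterfind(path, NS)}
    out = {}
    for qn in root.iterfind("o:questionnaires/o:questionnaire", NS):
        group, res = qn.find("o:actions", NS), []
        for ref in group.iterfind("o:test_action_ref", NS):
            act = acts[ref.text.strip()]
            ans = answers.get(act.get("question_ref"))  # None = not yet answered
            branch = "o:when_true" if ans else "o:when_false"
            result = act.findtext(branch + "/o:result", namespaces=NS)
            res.append("NOT_TESTED" if ans is None else result)
        # Simplified combination (assumption): not OCIL's full result table.
        hit = (any if group.get("operation", "AND") == "OR" else all)(r == "PASS" for r in res)
        out[qn.get("id")] = "NOT_TESTED" if "NOT_TESTED" in res else "PASS" if hit else "FAIL"
    return out
```

The second test action shows why the interpretation lives in the document rather than in the answer: a "yes" to an unescorted-visitor question is a failure, so the questionnaire passes only when the first answer is true and the second is false.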
OCIL provides the conceptual framework for representing non-automatable questions. The following list defines the features supported by OCIL:
The OCIL Discussion List is available for developers interested in OCIL. Please subscribe to this list through the SCAP Community page.
Specification:
XML Schema Files:
OCIL 2.0 Schema (XSD 1.0)
XML Schema Files:
OCIL Schema (XSD 1.0)
Sample Files:
Documentation:
OCIL Schema Element Dictionary
The OCIL Interpreter is a standalone Java GUI implementation that demonstrates how an interactive schema document can be evaluated. It guides the end user through completing questionnaires (one question at a time) and through viewing and computing results.
Download:
Security and Privacy: configuration management, patch management, security automation, security measurement, vulnerability management