XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.
XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser.
Development of the XCCDF specification is being led by NIST, with contributions from other agencies and organizations. The XCCDF specification document and related files for various revisions can be downloaded below. A mailing list for XCCDF developers is available, please subscribe to participate in discussions. A publicly available archive of the XCCDF mailing list is also available.
Documents:
NISTIR 7275 Rev. 4 (PDF) - September 2011
XML Schema Files: [what is a schema?]
XCCDF 1.2 Schema (XSD 1.0) - xsd:import statements use absolute URLs
Complete 1.2 Schema Bundle (Zip) - xsd:import statements use relative URLs
* | ZIP file was updated on Mar 19, 2012 |
The correct version of cpe-language_2.3.xsd was added |
* | Files were updated on Feb 23, 2012 |
See the revised specification for details |
XML Schematron Files: [what is Schematron?]
XCCDF Validation tool:
Version: 1.2.0.0
Size: 5.61 MB
SHA-256: E812DE3DD3BBBBEC2EC597E4C7969BC9B5F20BB2A4BC7F215EE83649B2DFD332
Data Dictionaries:
XCCDF 1.2 Element Dictionary (Non-normative)
Upgrade Utility:
XSL Utility to Upgrade XCCDF content from 1.1.4 to 1.2 (See the README.txt)
* | ZIP file was updated on Mar 23, 2012 |
Bug was corrected in XSL converter |
Check Implementations:
Open Checklist Interactive Language (OCIL)
Open Vulnerability and Assessment Language (OVAL)
NISTIR 7275 Rev. 3 (PDF) - January 2008
Changes to XCCDF Specification since 1.1.3 (DOC)
XML Schema Files: [what is a schema?]
XCCDF 1.1.4 Schema (XSD 1.0)
Complete 1.1.4 Schema Bundle (Zip)
Reference Implementation
The XCCDF reference implementation was developed at the National Institute of Standards and Technology.
Includes OVALDI and OCIL developed by MITRE
XCCDF Interpreter (Sourceforge Project)
Check Implementations:
Open Checklist Interactive Language (OCIL)
Open Vulnerability and Assessment Language (OVAL)
Documents:
XCCDF Specification 1.1.3 draft (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.1.3 Schema (XSD 1.0)
Complete 1.1.3 Schema Bundle (Zip)
Samples:
Example XCCDF 1.1.3 Benchmark (XCCDF, raw XML)
Documents:
XCCDF Specification 1.1.2 (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.1.2 Schema (XSD 1.0)
Complete 1.1.2 Schema Bundle (Zip)
Documents:
XCCDF Specification 1.1 (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.1 Schema (XSD 1.0)
XCCDF-P 1.1 Schema (XSD 1.0)
Complete 1.1 Schema Bundle (Zip)
Samples:
Example XCCDF 1.1 Benchmark (XCCDF, raw XML) [note: sample uses XCCDF-P 1.0 specification which will be subsumed by XCCDF-P 1.1]
Documents:
XCCDF Specification 1.0 (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.0 Schema (XSD 1.0)
CIS Platform Schema (XSD 1.0)
Complete 1.0 Schema Bundle (Zip)
Samples:
Example XCCDF 1.0 Benchmark (XCCDF, raw XML)
Example (Proof-of-Concept) XCCDF->XHTML stylesheet(XSLT)
Stylesheet output samples:
XHTML (pre-transformed)
XML (transform at browser)
XCCDF was designed to support integration with multiple underlying configuration checking 'engines'. The expected or default checking technology is MITRE's OVAL(™). More information about OVAL maybe found at The MITRE Corporation OVAL web site.
For document and reference metadata, XCCDF uses the Dublin Core Metadata element set. For more information about Dublin Core Metadata, visit the DCMI web site.
Validating an XCCDF document against the XCCDF schema requires several supplementary schema and DTD files. To download all of the required files, select 'Complete Schema Bundle' above.
Security and Privacy: configuration management, patch management, security automation, security measurement, vulnerability management