Security products and checklist authors assemble content from SCAP data repositories to create viable SCAP-expressed security guidance. A security configuration checklist that documents desired security configuration settings, installed patches, and other system security elements using a standardized SCAP format is known as an SCAP-expressed checklist.
Such a checklist would use XCCDF to describe the checklist, CCE to identify security configuration settings to be addressed or assessed, and CPE to identify platforms for which the checklist is valid.
The use of CCE and CPE entries within XCCDF checklists is an example of an SCAP convention—a requirement for valid SCAP usage.
These conventions are considered part of the definition of SCAP 1.1. Organizations producing SCAP content should adhere to these conventions to ensure the highest degree of interoperability. NIST provides an SCAP Content Validation Tool that organizations can use to help validate the correctness of their SCAP content.
The tool checks that SCAP content is well-formed, all cross references are valid, and required values are appropriately set.
- An OVAL vulnerability definition. This definition SHALL be contained in an OVAL Vulnerability component, which holds the definitions of the vulnerability checks used by the checklist. The OVAL Vulnerability component SHALL have at least one OVAL definition of class vulnerability, MAY have one or more additional OVAL definitions of classes vulnerability and/or inventory, and SHALL NOT have any other classes of OVAL definitions. An XCCDF Benchmark's rules MAY reference one or more OVAL vulnerability definitions in an OVAL Vulnerability component.
- An OCIL questionnaire. This questionnaire SHALL be contained in an OCIL Questionnaire component, which holds the questionnaires that collect information that OVAL is not being used to collect, such as giving a system administrator step-by-step directions for manually examining a system for a vulnerability that cannot be detected with OVAL, and then collecting information on the results of that manual examination. An XCCDF Benchmark's rules MAY reference one or more OCIL questionnaires in an OCIL Questionnaire component.
- An OVAL Patch component. The OVAL Patch component holds definitions for patch compliance checks. These checks may be needed if an organization includes patch verification in its vulnerability scanning activities. The OVAL Patch component SHALL have at least one OVAL definition of class patch, MAY have one or more additional OVAL definitions of classes compliance and/or inventory, and SHALL NOT have any other classes of OVAL definitions. An XCCDF Benchmark MAY reference an OVAL Patch component through a patches up-to-date rule in a manner consistent with Section 188.8.131.52.
- CPE Dictionary: specifies the products or platforms of interest.
- CPE Inventory: contains the technical procedures for determining whether or not a specific target asset has a product or platform of interest. The CPE Inventory component SHALL have one or more OVAL definitions of class inventory and SHALL NOT have any other classes of OVAL definitions.
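The component conventions above (which OVAL definition classes a Vulnerability, Patch, or CPE Inventory component may hold) and the cross-reference check mentioned for the NIST validation tool are mechanical enough to script. The following is an added example written for this page; it is not NIST's SCAP Content Validation Tool and does not validate against the XCCDF or OVAL schemas. It parses the real oval-definitions-5 and XCCDF 1.1 namespaces, but every definition id, file name, rule id, and the CPE name are constructed for the example.

```python
"""Added example (not NIST's SCAP Content Validation Tool): checks the
OVAL component class conventions and XCCDF check-content-ref resolution.
All ids, hrefs, and the CPE name below are constructed for the example."""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Per component: the class that SHALL appear at least once, and the set of
# classes that MAY appear. Any other class violates the convention.
COMPONENT_RULES = {
    "vulnerability": ("vulnerability", {"vulnerability", "inventory"}),
    "patch": ("patch", {"patch", "compliance", "inventory"}),
    "cpe-inventory": ("inventory", {"inventory"}),
}

def oval_classes(oval_xml):
    """Map each OVAL definition id to its class attribute."""
    root = ET.fromstring(oval_xml)
    return {d.get("id"): d.get("class")
            for d in root.iter(f"{{{OVAL_NS}}}definition")}

def check_component(kind, oval_xml):
    """Return the convention violations for one OVAL component."""
    required, allowed = COMPONENT_RULES[kind]
    classes = oval_classes(oval_xml)
    problems = []
    if required not in classes.values():
        problems.append(f"{kind}: no definition of class '{required}'")
    for def_id, cls in classes.items():
        if cls not in allowed:
            problems.append(f"{kind}: {def_id} has disallowed class '{cls}'")
    return problems

def check_xccdf(xccdf_xml, components):
    """Check that the Benchmark names a CPE platform and that every Rule's
    check-content-ref resolves to a definition in the referenced component."""
    root = ET.fromstring(xccdf_xml)
    problems = []
    platforms = [p.get("idref", "") for p in root.iter(f"{{{XCCDF_NS}}}platform")]
    if not any(p.startswith("cpe:/") for p in platforms):
        problems.append("benchmark: no CPE platform identifier")
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        for ref in rule.iter(f"{{{XCCDF_NS}}}check-content-ref"):
            href, name = ref.get("href"), ref.get("name")
            defs = oval_classes(components[href]) if href in components else {}
            if name not in defs:
                problems.append(f"{rule.get('id')}: {href}#{name} does not resolve")
    return problems

def oval_doc(*defs):
    """Build a minimal OVAL definitions document from (id, class) pairs."""
    body = "".join(f'<definition id="{i}" version="1" class="{c}"/>' for i, c in defs)
    return f'<oval_definitions xmlns="{OVAL_NS}"><definitions>{body}</definitions></oval_definitions>'

# Constructed sample content (ids and file names are hypothetical).
VULN_OVAL = oval_doc(("oval:ex:def:1", "vulnerability"), ("oval:ex:def:2", "inventory"))
BAD_VULN_OVAL = oval_doc(("oval:ex:def:1", "vulnerability"), ("oval:ex:def:3", "compliance"))
PATCH_OVAL = oval_doc(("oval:ex:def:10", "patch"))
CPE_OVAL = oval_doc(("oval:ex:def:20", "inventory"))
XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <platform idref="cpe:/o:example:os:1.0"/>
  <Rule id="vuln-rule">
    <check system="{OVAL_NS}">
      <check-content-ref href="vuln-oval.xml" name="oval:ex:def:1"/>
    </check>
  </Rule>
  <Rule id="patches-up-to-date">
    <check system="{OVAL_NS}">
      <check-content-ref href="patch-oval.xml" name="oval:ex:def:99"/>
    </check>
  </Rule>
</Benchmark>"""
COMPONENTS = {"vuln-oval.xml": VULN_OVAL, "patch-oval.xml": PATCH_OVAL}

def run_all():
    """Run every check over the constructed content and return the findings."""
    findings = []
    findings += check_component("vulnerability", VULN_OVAL)      # clean
    findings += check_component("vulnerability", BAD_VULN_OVAL)  # compliance class not allowed
    findings += check_component("patch", PATCH_OVAL)             # clean
    findings += check_component("cpe-inventory", CPE_OVAL)       # clean
    findings += check_xccdf(XCCDF, COMPONENTS)                   # def:99 does not resolve
    return findings

if __name__ == "__main__":
    for finding in run_all():
        print("FAIL:", finding)
```

Two findings come back from the constructed content: the Vulnerability component that smuggles in a compliance-class definition, and the patches-up-to-date rule whose check-content-ref names a definition that does not exist in the Patch component. The second is exactly the dangling cross reference a scanner would otherwise silently skip or report as an error at scan time, which is why the convention check belongs in the content pipeline rather than on the target host.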