Not Tested
Content consumers SHALL apply the mapping illustrated in Table 23 when deriving <xccdf:check> results from OVAL Definition processing. The corresponding result value SHALL be recorded based on the @class attribute of the OVAL Definition and the @negate attribute of the <xccdf:check> element where applicable. ~Table 23: Deriving XCCDF Check Results from OVAL Definition Results~OVAL Definition Result~XCCDF Check Result~(@negate is set to "false")~XCCDF Check Result~(@negate is set to "true")~~error~error~error~~unknown~unknown~unknown~~not applicable~notapplicable~notapplicable~~not evaluated~notchecked~notchecked~~Definition Class~Definition Result~~compliance~true~~vulnerability~false~~inventory~true~~patch~false~~~pass~fail~~Definition Class~Definition Result~~compliance~False~~vulnerability~true~~inventory~false~~patch~true~~~fail~pass~~
If the <xccdf:result> value for a <xccdf:rule-result> is 'error', 'unknown', 'notapplicable', or 'notchecked', then the result of at least one OVAL definition referenced by that rule SHALL be 'error', 'unknown', 'not applicable', or 'not evaluated', respectively. If the <xccdf:result> value is 'fail' then the result of at least one of the OVAL definitions referenced SHALL match the fail category as defined in the SCAP table. If the <xccdf:result> value is 'pass' then the result of all of the OVAL definitions referenced SHALL match the pass category as defined in the SCAP table.
Not Tested
If the <xccdf:result> value for a <xccdf:rule-result> is 'error', 'unknown', 'notapplicable', or 'notchecked', then the result of at least one OVAL definition referenced by that rule SHALL be 'error', 'unknown', 'not applicable', or 'not evaluated', respectively. If the <xccdf:result> value is 'fail' then the result of at least one of the OVAL definitions referenced SHALL match the fail category as defined in the SCAP table. If the <xccdf:result> value is 'pass' then the result of all of the OVAL definitions referenced SHALL match the pass category as defined in the SCAP table.
The @class attribute of an OVAL definition used in a check cannot be found. scapval may not be able to properly verify OVAL result to XCCDF result mapping. If you have the source content containing the OVAL definition, try the -sourceds option to include it.
Not Tested
The @class attribute of an OVAL definition used in a check cannot be found. scapval may not be able to properly verify OVAL result to XCCDF result mapping. If you have the source content containing the OVAL definition, try the -sourceds option to include it.
If the <xccdf:result> value for a <xccdf:rule-result> is 'notapplicable' and OVAL definitions apply, then the OVAL definition referenced by that rule is expected to be 'not applicable' or 'not evaluated'.
Not Tested
If the <xccdf:result> value for a <xccdf:rule-result> is 'notapplicable' and OVAL definitions apply, then the OVAL definition referenced by that rule is expected to be 'not applicable' or 'not evaluated'.
If OVAL results component contain multiple instances of the same OVAL definition, SCAPVal cannot verify the mappings between OVAL results to XCCDF results.
Not Tested
If OVAL results component contain multiple instances of the same OVAL definition, SCAPVal cannot verify the mappings between OVAL results to XCCDF results.
If <xccdf:check-content-ref> @name is not present, the <xccdf:Rule> referenced should also contain no @name reference and should not contain @multi-check="true".
Not Tested
If <xccdf:check-content-ref> @name is not present, the <xccdf:Rule> referenced should also contain no @name reference and should not contain @multi-check="true".
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~The @start-time and @end-time attributes SHALL be provided to indicate when the scan started and completed, respectively.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-133-1 | The @start-time and @end-time attributes SHALL be provided to indicate when the scan started and completed, respectively. | Not Tested |
The @start-time and @end-time attributes SHALL be provided to indicate when the scan started and completed, respectively.
Not Tested
The @start-time and @end-time attributes SHALL be provided to indicate when the scan started and completed, respectively.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~The @test-system attribute SHALL be provided, and it SHALL be a CPE name value indicating the product that was responsible for generating the results.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-134-1 | The @test-system attribute SHALL be provided with a CPE Name value indicating the product that evaluated the checklist. | Not Tested |
The @test-system attribute SHALL be provided with a CPE Name value indicating the product that evaluated the checklist.
Not Tested
The @test-system attribute SHALL be provided with a CPE Name value indicating the product that evaluated the checklist.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~Each IP address(es) associated with the <xccdf:target> SHALL be enumerated using the <xccdf:target-address> element.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-136-1 | The <xccdf:target> and <xccdf:target-address> elements SHALL be provided. | Not Tested |
| RES-136-2 | The <xccdf:target-address> SHALL contain an IP address | Not Tested |
The <xccdf:target> and <xccdf:target-address> elements SHALL be provided.
Not Tested
The <xccdf:target> and <xccdf:target-address> elements SHALL be provided.
The <xccdf:target-address> SHALL contain an IP address
Not Tested
The <xccdf:target-address> SHALL contain an IP address
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~Where applicable to the target system, each of the <xccdf:fact> elements in Table 22 SHALL be provided. Previous versions of SCAP required additional facts; these have been incorporated into the use of the Asset Identification specification, as discussed in Section 4.4.2.~~Table 22: XCCDF Fact Descriptions~XCCDF Fact~Description of Use~~urn:scap:fact:asset:identifier:ein~Equipment identification number or other inventory tag number~~urn:scap:fact:asset:identifier:guid~Globally unique identifier for the asset, if assigned~~urn:scap:fact:asset:environmental_information:owning_organization~Organization that tracks the asset on its inventory~~urn:scap:fact:asset:environmental_information:current_region~Geographic region where the asset is located~~urn:scap:fact:asset:environmental_information:administration_unit~Name of the organization that does system administration for the asset~~
Where applicable to the target system, each of the <xccdf:fact> elements in Table 22 SHALL be provided. Previous versions of SCAP required additional facts; these have been incorporated into the use of the Asset Identification specification, as discussed in Section 4.4.2.~~Table 22: XCCDF Fact Descriptions~XCCDF Fact~Description of Use~~urn:scap:fact:asset:identifier:ein~Equipment identification number or other inventory tag number~~urn:scap:fact:asset:identifier:guid~Globally unique identifier for the asset, if assigned~~urn:scap:fact:asset:environmental_information:owning_organization~Organization that tracks the asset on its inventory~~urn:scap:fact:asset:environmental_information:current_region~Geographic region where the asset is located~~urn:scap:fact:asset:environmental_information:administration_unit~Name of the organization that does system administration for the asset
Not Tested
Where applicable to the target system, each of the <xccdf:fact> elements in Table 22 SHALL be provided. Previous versions of SCAP required additional facts; these have been incorporated into the use of the Asset Identification specification, as discussed in Section 4.4.2.~~Table 22: XCCDF Fact Descriptions~XCCDF Fact~Description of Use~~urn:scap:fact:asset:identifier:ein~Equipment identification number or other inventory tag number~~urn:scap:fact:asset:identifier:guid~Globally unique identifier for the asset, if assigned~~urn:scap:fact:asset:environmental_information:owning_organization~Organization that tracks the asset on its inventory~~urn:scap:fact:asset:environmental_information:current_region~Geographic region where the asset is located~~urn:scap:fact:asset:environmental_information:administration_unit~Name of the organization that does system administration for the asset
Not Tested
If the <xccdf:ident> element is included, for tracking purposes it is important that produced XCCDF results have specific meanings. If an <xccdf:ident> element is present and it identifies a CVE, CCE, or CPE entry, then an <xccdf:rule-result> of "pass" SHALL indicate that the check content evaluated within the rule complied with one of the following:~For a CVE entry, the target platform satisfies all the conditions of the XCCDF rule and is unaffected by the vulnerability or exposure referenced by the CVE.~For a CCE entry, the target platform complies with the configuration setting guidance expressed in the XCCDF rule.~For a CPE entry, the target platform was identified on the system.~It is important that these interpretations of <xccdf:ident> elements be preserved. For example, consider two policy recommendations. One is that a particular piece of software be installed, and the second that another piece of software not be installed. Both rules for these policy recommendations could use the same CPE entry in their <xccdf:ident> elements. However, because the interpretation of a CPE entry is that a "pass" result indicates software was installed, the second policy recommendation's rule would violate this. This can be corrected by using the @con:negate attribute, a Boolean attribute that inverts the rule result. The second rule could check for the software being installed and then negate that result, thus giving a result consistent in meaning with the first rule. For rules that cannot have their interpretations preserved through the use of the @con:negate attribute, an alternative is to have a CCE entry corresponding to the recommendation. Rules that do not use <xccdf:ident> elements have no such restrictions.
If the <xccdf:ident> element is included, for tracking purposes it is important that produced XCCDF results have specific meanings. If an <xccdf:ident> element is present and it identifies a CVE, CCE, or CPE entry, then an <xccdf:rule-result> of "pass" SHALL indicate that the check content evaluated within the rule complied with one of the following:~For a CVE entry, the target platform satisfies all the conditions of the XCCDF rule and is unaffected by the vulnerability or exposure referenced by the CVE.~For a CCE entry, the target platform complies with the configuration setting guidance expressed in the XCCDF rule.~For a CPE entry, the target platform was identified on the system.~It is important that these interpretations of <xccdf:ident> elements be preserved. For example, consider two policy recommendations. One is that a particular piece of software be installed, and the second that another piece of software not be installed. Both rules for these policy recommendations could use the same CPE entry in their <xccdf:ident> elements. However, because the interpretation of a CPE entry is that a "pass" result indicates software was installed, the second policy recommendation's rule would violate this. This can be corrected by using the @con:negate attribute, a Boolean attribute that inverts the rule result. The second rule could check for the software being installed and then negate that result, thus giving a result consistent in meaning with the first rule. For rules that cannot have their interpretations preserved through the use of the @con:negate attribute, an alternative is to have a CCE entry corresponding to the recommendation. Rules that do not use <xccdf:ident> elements have no such restrictions.
Not Tested
If the <xccdf:ident> element is included, for tracking purposes it is important that produced XCCDF results have specific meanings. If an <xccdf:ident> element is present and it identifies a CVE, CCE, or CPE entry, then an <xccdf:rule-result> of "pass" SHALL indicate that the check content evaluated within the rule complied with one of the following:~For a CVE entry, the target platform satisfies all the conditions of the XCCDF rule and is unaffected by the vulnerability or exposure referenced by the CVE.~For a CCE entry, the target platform complies with the configuration setting guidance expressed in the XCCDF rule.~For a CPE entry, the target platform was identified on the system.~It is important that these interpretations of <xccdf:ident> elements be preserved. For example, consider two policy recommendations. One is that a particular piece of software be installed, and the second that another piece of software not be installed. Both rules for these policy recommendations could use the same CPE entry in their <xccdf:ident> elements. However, because the interpretation of a CPE entry is that a "pass" result indicates software was installed, the second policy recommendation's rule would violate this. This can be corrected by using the @con:negate attribute, a Boolean attribute that inverts the rule result. The second rule could check for the software being installed and then negate that result, thus giving a result consistent in meaning with the first rule. For rules that cannot have their interpretations preserved through the use of the @con:negate attribute, an alternative is to have a CCE entry corresponding to the recommendation. Rules that do not use <xccdf:ident> elements have no such restrictions.
Not Tested
data results SHALL be expressed as Single Machine Without System Characteristics, Single Machine With System Characteristics, or Single Machine With Thin Results
The <oval-res:directives> element SHALL be:<definition_true content="full" reported="true"/>~<definition_false content="full" reported="true"/>~<definition_unknown content="full" reported="true"/>~<definition_error content="full" reported="true"/>~<definition_not_evaluated content="full" reported="true"/>~<definition_not_applicable content="full" reported="true"/> or <definition_true reported="true"/>~<definition_false reported="true"/>~<definition_unknown reported="true"/>~<definition_error reported="true"/>~<definition_not_evaluated reported="true"/>~<definition_not_applicable reported="true"/> or <definition_true content="thin" reported="true"/>~<definition_false content="thin" reported="true"/>~<definition_unknown content="thin" reported="true"/>~<definition_error content="thin" reported="true"/>~<definition_not_evaluated content="thin" reported="true"/>~<definition_not_applicable content="thin" reported="true"/>
Not Tested
The <oval-res:directives> element SHALL be:<definition_true content="full" reported="true"/>~<definition_false content="full" reported="true"/>~<definition_unknown content="full" reported="true"/>~<definition_error content="full" reported="true"/>~<definition_not_evaluated content="full" reported="true"/>~<definition_not_applicable content="full" reported="true"/> or <definition_true reported="true"/>~<definition_false reported="true"/>~<definition_unknown reported="true"/>~<definition_error reported="true"/>~<definition_not_evaluated reported="true"/>~<definition_not_applicable reported="true"/> or <definition_true content="thin" reported="true"/>~<definition_false content="thin" reported="true"/>~<definition_unknown content="thin" reported="true"/>~<definition_error content="thin" reported="true"/>~<definition_not_evaluated content="thin" reported="true"/>~<definition_not_applicable content="thin" reported="true"/>
Not Tested
Single Machine Without System Characteristics – A single result file that includes the results of all OVAL Definitions evaluated and "full" results types as described in the <oval-res:ContentEnumeration> element, without system characteristics. ~For this format, the values for the <oval-res:directives> element SHALL be:~<oval-res:directives include_source_definitions="false">~ <oval-res:definition_true content="full" reported="true"/>~ <oval-res:definition_false content="full" reported="true"/>~ <oval-res:definition_unknown content="full" reported="true"/>~ <oval-res:definition_error content="full" reported="true"/>~ <oval-res:definition_not_evaluated content="full" reported="true"/>~ <oval-res:definition_not_applicable content="full" reported="true"/>~</oval-res:directives>~~When creating the OVAL System Characteristics as defined by the <oval-sc:oval_system_characteristics> element, the <oval-sc:collected_objects> and <oval-sc:system_data> elements SHALL NOT be provided.
When creating the OVAL System Characteristics as defined by the <oval-sc:oval_system_characteristics> element, the <oval-sc:collected_objects> and <oval-sc:system_data> elements SHALL NOT be provided. There is nothing to check. If the described elements are provided it is considered Single Machine With System Characteristics and that's being checked with the RES-181-1 schematron assert.
Not Tested
When creating the OVAL System Characteristics as defined by the <oval-sc:oval_system_characteristics> element, the <oval-sc:collected_objects> and <oval-sc:system_data> elements SHALL NOT be provided. There is nothing to check. If the described elements are provided it is considered Single Machine With System Characteristics and that's being checked with the RES-181-1 schematron assert.
Not Tested
Single Machine With System Characteristics – A single result file that includes the results of all OVAL Definitions evaluated and "full" results types as described in the <oval-res:ContentEnumeration> element and the System Characteristics of the target evaluated.~For this format, the values for the <oval-res:directives> element SHALL be:~~<oval-res:directives include_source_definitions="false">~ <oval-res:definition_true content="full" reported="true"/>~ <oval-res:definition_false content="full" reported="true"/>~ <oval-res:definition_unknown content="full" reported="true"/>~ <oval-res:definition_error content="full" reported="true"/>~ <oval-res:definition_not_evaluated content="full" reported="true"/>~ <oval-res:definition_not_applicable content="full" reported="true"/> ~</oval-res:directives>~~When creating the OVAL System Characteristics as defined by the <oval-sc:oval_system_characteristics> element, the <oval-sc:collected_objects> and <oval-sc:system_data> elements SHALL be provided.
Error if oval-res directives definitions have @content='full' or @content is not provided and oval-res:oval_system_characteristics does not have both oval-res:collected_objects and oval-res:system_data. In that case it is Single Machine Without System Characteristics.
Not Tested
Error if oval-res directives definitions have @content='full' or @content is not provided and oval-res:oval_system_characteristics does not have both oval-res:collected_objects and oval-res:system_data. In that case it is Single Machine Without System Characteristics.
Not Tested
Single Machine With Thin Results – A single result file that includes the results of all OVAL Definitions evaluated and "thin" results types as described in the OVAL Results schema. A value of "thin" means only the minimal amount of information will be provided.~For this format, the values for the <oval-res:directives> element SHALL be:~<oval-res:directives include_source_definitions="false">~ <oval-res:definition_true content="thin" reported="true"/>~ <oval-res:definition_false content="thin" reported="true"/>~ <oval-res:definition_unknown content="thin" reported="true"/>~ <oval-res:definition_error content="thin" reported="true"/>~ <oval-res:definition_not_evaluated content="thin" reported="true"/>~ <oval-res:definition_not_applicable content="thin" reported="true"/>
For this format, the values for the <oval-res:directives> element SHALL be:~<oval-res:directives include_source_definitions="false">~ <oval-res:definition_true content="thin" reported="true"/>~ <oval-res:definition_false content="thin" reported="true"/>~ <oval-res:definition_unknown content="thin" reported="true"/>~ <oval-res:definition_error content="thin" reported="true"/>~ <oval-res:definition_not_evaluated content="thin" reported="true"/>~ <oval-res:definition_not_applicable content="thin" reported="true"/> There is nothing to check. Either the content for each element is all "full" or all "thin", this check is being handled with the RES-179-1 schematron assert.
Not Tested
For this format, the values for the <oval-res:directives> element SHALL be:~<oval-res:directives include_source_definitions="false">~ <oval-res:definition_true content="thin" reported="true"/>~ <oval-res:definition_false content="thin" reported="true"/>~ <oval-res:definition_unknown content="thin" reported="true"/>~ <oval-res:definition_error content="thin" reported="true"/>~ <oval-res:definition_not_evaluated content="thin" reported="true"/>~ <oval-res:definition_not_applicable content="thin" reported="true"/> There is nothing to check. Either the content for each element is all "full" or all "thin", this check is being handled with the RES-179-1 schematron assert.
Not Tested
The following requirements and recommendations pertain to content consumers generating OCIL result data stream components.~An SCAP OCIL result data stream component SHALL include the results of every <ocil:questionnaire>, <ocil:question_test_action>, and <ocil:question> element used to generate the reported results.
The following requirements and recommendations pertain to content consumers generating OCIL result data stream components.~An SCAP OCIL result data stream component SHALL include the results of every <ocil:questionnaire>, <ocil:question_test_action>, and <ocil:question> element used to generate the reported results.
Not Tested
The following requirements and recommendations pertain to content consumers generating OCIL result data stream components.~An SCAP OCIL result data stream component SHALL include the results of every <ocil:questionnaire>, <ocil:question_test_action>, and <ocil:question> element used to generate the reported results.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~When the <xccdf:TestResult> is the root XCCDF element, then it will include an <xccdf:benchmark> element [XCCDF:6.6.2]. ~The <xccdf:benchmark> element SHALL have an @id attribute specified. The @id attribute SHALL match the value of the <xccdf:Benchmark> element's @id attribute that was processed. ~The <xccdf:benchmark> element SHALL have an @href attribute specified. The @href attribute SHALL hold the URI referencing the XCCDF component (either local to the data stream collection or remote) that was processed. The URI SHALL be in the form specified for the @href attribute in Table 8.
The <xccdf:benchmark> element SHALL have an @id attribute specified.
Not Tested
The <xccdf:benchmark> element SHALL have an @id attribute specified.
The <xccdf:benchmark> element SHALL have an @href attribute specified. The @href attribute SHALL hold the URI to the XCCDF component (either local to the data stream collection or remote) that was processed. The URI SHALL be in the form specified for the @href attribute in Table 8. When referencing a local component, the URI SHALL be in the form ‘#’ + componentId (e.g. “#component1”). When referencing external content, the URI SHALL be in the form of scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]
Not Tested
The <xccdf:benchmark> element SHALL have an @href attribute specified. The @href attribute SHALL hold the URI to the XCCDF component (either local to the data stream collection or remote) that was processed. The URI SHALL be in the form specified for the @href attribute in Table 8. When referencing a local component, the URI SHALL be in the form ‘#’ + componentId (e.g. “#component1”). When referencing external content, the URI SHALL be in the form of scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]
Not Tested
When evaluating an <xccdf:Rule> element that references an OVAL Definition, the <xccdf:rule-result> element SHALL be used to capture the result of this evaluation. This result SHALL be determined by evaluating the referenced OVAL Definition on a target host. The result value of an individual <xccdf:check> SHALL be mapped from the OVAL Definition result produced during evaluation.
When evaluating an <xccdf:Rule> element that references an OVAL Definition, the <xccdf:rule-result> element SHALL be used to capture the result of this evaluation. This result SHALL be determined by evaluating the referenced OVAL Definition on a target host. The result value of an individual <xccdf:check> SHALL be mapped from the OVAL Definition result produced during evaluation.
Not Tested
When evaluating an <xccdf:Rule> element that references an OVAL Definition, the <xccdf:rule-result> element SHALL be used to capture the result of this evaluation. This result SHALL be determined by evaluating the referenced OVAL Definition on a target host. The result value of an individual <xccdf:check> SHALL be mapped from the OVAL Definition result produced during evaluation.
Not Tested
If the <xccdf:Rule> element under evaluation has an <xccdf:check-content-ref> element with the @name attribute omitted and an <xccdf:check> element with its @multi-check attribute set to "true", then the result of each evaluated OVAL Definition SHALL be recorded as a separate <xccdf:rule-result> element.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-258-1 | This requirement was not tested but the user should check their content for adherence. | Not Tested |
This requirement was not tested but the user should check their content for adherence.
Not Tested
This requirement was not tested but the user should check their content for adherence.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~~The <xccdf:rule-result> elements report the result of the application of each selected rule [XCCDF:6.6.2].~The <xccdf:check/xccdf:check-content-ref> element SHALL record the reference to the checking system specific result component report ID and check name within the result file using the @href and @name attributes, respectively.
Every <xccdf:rule-result> other than 'notapplicable', 'notchecked', or 'notselected' must have a <xccdf:check>/<xccdf:check-content-ref> that has attributes @href and @name. One exception is when the referenced <xccdf:Rule> contains @multi-check=false(the default) and has no @name.
Not Tested
Every <xccdf:rule-result> other than 'notapplicable', 'notchecked', or 'notselected' must have a <xccdf:check>/<xccdf:check-content-ref> that has attributes @href and @name. One exception is when the referenced <xccdf:Rule> contains @multi-check=false(the default) and has no @name.
Not Tested
In this case the <xccdf:rule-result/xccdf:check-content-ref> element SHALL identify the specific check result of each evaluated OVAL Definition using the @href and @name attributes as described in Section 4.5, item 8.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-271-1 | In this case the <xccdf:rule-result/xccdf:check-content-ref> element SHALL identify the specific check result of each evaluated OVAL Definition using the @href and @name attributes as described in Section 4.5, item 8. | Not Tested |
In this case the <xccdf:rule-result/xccdf:check-content-ref> element SHALL identify the specific check result of each evaluated OVAL Definition using the @href and @name attributes as described in Section 4.5, item 8.
Not Tested
In this case the <xccdf:rule-result/xccdf:check-content-ref> element SHALL identify the specific check result of each evaluated OVAL Definition using the @href and @name attributes as described in Section 4.5, item 8.
Not Tested
The target asset SHALL be represented in the ARF report using the <ai:assets> part of ARF. The <ai:asset> element populated about a target asset SHOULD include the fields specified in Table 20, where applicable
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-299-1 | The target asset SHALL be represented in the ARF report using the <ai:assets> part of ARF. The <ai:asset> element populated about a target asset SHOULD include the fields specified in Table 20, where applicable | Not Tested |
The target asset SHALL be represented in the ARF report using the <ai:assets> part of ARF. The <ai:asset> element populated about a target asset SHOULD include the fields specified in Table 20, where applicable
Not Tested
The target asset SHALL be represented in the ARF report using the <ai:assets> part of ARF. The <ai:asset> element populated about a target asset SHOULD include the fields specified in Table 20, where applicable
Not Tested
The source data stream collection that was used to generate the results against the target SHOULD be included in the ARF report as an <arf:report-request>. If the source data stream collection is included in the ARF report and an <xccdf:Tailoring> component was used during processing, the tailoring component SHALL be included as well.
The source data stream collection that was used to generate the results against the target SHOULD be included in the ARF report as an <arf:report-request>.
Not Tested
The source data stream collection that was used to generate the results against the target SHOULD be included in the ARF report as an <arf:report-request>.
If the source data stream collection is included in the ARF report and an <xccdf:Tailoring> component was used during processing, the tailoring component SHALL be included as well.
Not Tested
If the source data stream collection is included in the ARF report and an <xccdf:Tailoring> component was used during processing, the tailoring component SHALL be included as well.
The source data stream collection SHOULD be included in the ARF report as an <arf:report-request>. The user should run SCAPVal using the -sourceds argument to specify the source data stream collection that was used to generate the results.
Not Tested
The source data stream collection SHOULD be included in the ARF report as an <arf:report-request>. The user should run SCAPVal using the -sourceds argument to specify the source data stream collection that was used to generate the results.
Not Tested
Table 21 outlines the relationships that SHALL be specified in the ARF report if the stated condition is satisfied.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-301-1 | Table 21 outlines the relationships that SHALL be specified in the ARF report if the stated condition is satisfied. | Not Tested |
Table 21 outlines the relationships that SHALL be specified in the ARF report if the stated condition is satisfied.
Not Tested
Table 21 outlines the relationships that SHALL be specified in the ARF report if the stated condition is satisfied.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~An <xccdf:target-id-ref> SHALL be specified with a @system attribute of "http://scap.nist.gov/schema/asset-identification/1.1", an @href attribute value of "", and a @name attribute value of the ID of the <ai:asset> element in the ARF that this <xccdf:TestResult> is about.
An <xccdf:target-id-ref> SHALL be specified with a @system attribute of "http://scap.nist.gov/schema/asset-identification/1.1", an @href attribute value of "", and a @name attribute value of the ID of the <ai:asset> element in the ARF that this <xccdf:TestResult> is about.
Not Tested
An <xccdf:target-id-ref> SHALL be specified with a @system attribute of "http://scap.nist.gov/schema/asset-identification/1.1", an @href attribute value of "", and a @name attribute value of the ID of the <ai:asset> element in the ARF that this <xccdf:TestResult> is about.
Not Tested
When specifying OVAL system characteristics, a reference SHOULD be made to the target asset in the ARF report collection. Specifically, the <oval-sc:oval_system_characteristics>/<oval-sc:system_info> SHOULD be populated with a <con:asset-identification> element. That element SHALL be populated with a single <arf:object-ref> element that points to the <ai:asset> element in the ARF report collection pertaining to the OVAL result. See [ARF] for details on populating the <arf:object-ref> element.
When specifying OVAL system characteristics, a reference SHOULD be made to the target asset in the ARF report collection. Specifically, the <oval-sc:oval_system_characteristics>/<oval-sc:system_info> SHOULD be populated with a <con:asset-identification> element. That element SHALL be populated with a single <arf:object-ref> element that points to the <ai:asset> element in the ARF report collection pertaining to the OVAL result. See [ARF] for details on populating the <arf:object-ref> element.
Not Tested
When specifying OVAL system characteristics, a reference SHOULD be made to the target asset in the ARF report collection. Specifically, the <oval-sc:oval_system_characteristics>/<oval-sc:system_info> SHOULD be populated with a <con:asset-identification> element. That element SHALL be populated with a single <arf:object-ref> element that points to the <ai:asset> element in the ARF report collection pertaining to the OVAL result. See [ARF] for details on populating the <arf:object-ref> element.
Not Tested
One XML digital signature MAY be included in an <arf:extended-info> element in the ARF report.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-307-1 | One XML digital signature MAY be included in an <arf:extended-info> element in the ARF report. | Not Tested |
One XML digital signature MAY be included in an <arf:extended-info> element in the ARF report.
Not Tested
One XML digital signature MAY be included in an <arf:extended-info> element in the ARF report.
Not Tested
The <dsig:Signature> element SHALL sign the ARF report collection root element.
The overall signature is optional "content consumers MAY digitally sign result content following the guidelines in [TMSAD]" If it's included SCAPVal runs the tmsad-1.0.sch schematron against SCAP content along with XML schema validation.
Not Tested
The overall signature is optional "content consumers MAY digitally sign result content following the guidelines in [TMSAD]" If it's included SCAPVal runs the tmsad-1.0.sch schematron against SCAP content along with XML schema validation.
Not Tested
A <dsig:SignatureProperties> element SHALL be included in the <dsig:Signature> element. At least one <dsig:SignatureProperty> element SHALL be populated with <dt:signature-info> as specified in [TMSAD].
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-311-1 | A <dsig:SignatureProperties> element SHALL be included in the <dsig:Signature> element. At least one <dsig:SignatureProperty> element SHALL be populated with <dt:signature-info> as specified in [TMSAD]. | Not Tested |
A <dsig:SignatureProperties> element SHALL be included in the <dsig:Signature> element. At least one <dsig:SignatureProperty> element SHALL be populated with <dt:signature-info> as specified in [TMSAD].
Not Tested
A <dsig:SignatureProperties> element SHALL be included in the <dsig:Signature> element. At least one <dsig:SignatureProperty> element SHALL be populated with <dt:signature-info> as specified in [TMSAD].
Not Tested
The first <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <arf:asset-report-collection> element. The element SHALL be referenced in the @URI attribute using the empty string convention "".
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-312-1 | The first <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <arf:asset-report-collection> element. The element SHALL be referenced in the @URI attribute using the empty string convention "". | Not Tested |
The first <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <arf:asset-report-collection> element. The element SHALL be referenced in the @URI attribute using the empty string convention "".
Not Tested
The first <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <arf:asset-report-collection> element. The element SHALL be referenced in the @URI attribute using the empty string convention "".
Not Tested
Two XPath Filter 2 transforms SHALL exist on the first <dsig:Reference> element in a <dsig:Signature> element. Both SHALL specify a filter type of "subtract". The first transform SHALL specify the XPath "/arf:asset-report-collection/arf:extended-infos[count(arf:extended-info[dsig:Signature]) = count(*)]". The second transform SHALL specify the XPath "/arf:asset-report-collection/arf:extended-infos/arf:extended-info[dsig:Signature]". In both cases, the namespace prefix "arf" SHALL map to the ARF namespace specified in this document.
Two XPath Filter 2 transforms SHALL exist on the first <dsig:Reference> element in a <dsig:Signature> element. Both SHALL specify a filter type of "subtract". The first transform SHALL specify the XPath "/arf:asset-report-collection/arf:extended-infos[count(arf:extended-info[dsig:Signature]) = count(*)]". The second transform SHALL specify the XPath "/arf:asset-report-collection/arf:extended-infos/arf:extended-info[dsig:Signature]". In both cases, the namespace prefix "arf" SHALL map to the ARF namespace specified in this document.
Not Tested
Two XPath Filter 2 transforms SHALL exist on the first <dsig:Reference> element in a <dsig:Signature> element. Both SHALL specify a filter type of "subtract". The first transform SHALL specify the XPath "/arf:asset-report-collection/arf:extended-infos[count(arf:extended-info[dsig:Signature]) = count(*)]". The second transform SHALL specify the XPath "/arf:asset-report-collection/arf:extended-infos/arf:extended-info[dsig:Signature]". In both cases, the namespace prefix "arf" SHALL map to the ARF namespace specified in this document.
Not Tested
Key information SHOULD be provided on the <dsig:Signature> element.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-315-1 | Key information SHOULD be provided on the <dsig:Signature> element. | Not Tested |
Key information SHOULD be provided on the <dsig:Signature> element.
Not Tested
Key information SHOULD be provided on the <dsig:Signature> element.
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The <arf:extended-info> element containing the original signature SHALL be removed from the resulting document.
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The <arf:extended-info> element containing the original signature SHALL be removed from the resulting document.
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The <arf:extended-info> element containing the original signature SHALL be removed from the resulting document.
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The first <dsig:Reference> element on the new <dsig:Signature> element SHALL reference the <dsig:Object> element containing the original signature. The <dsig:Object> element SHALL be referenced in the @URI attribute using "#" + @Id of the <dsig:Object>
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The first <dsig:Reference> element on the new <dsig:Signature> element SHALL reference the <dsig:Object> element containing the original signature. The <dsig:Object> element SHALL be referenced in the @URI attribute using "#" + @Id of the <dsig:Object>
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The first <dsig:Reference> element on the new <dsig:Signature> element SHALL reference the <dsig:Object> element containing the original signature. The <dsig:Object> element SHALL be referenced in the @URI attribute using "#" + @Id of the <dsig:Object>
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The second <dsig:Reference> element SHALL be to the <dsig:SignatureProperties> element captured in a <dsig:Object> element with the <dsig:Signature> element. The <dsig:SignatureProperties> element SHALL be referenced in the @URI attribute using "#" + @Id of the <dsig:SignatureProperties>
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The second <dsig:Reference> element SHALL be to the <dsig:SignatureProperties> element captured in a <dsig:Object> element with the <dsig:Signature> element. The <dsig:SignatureProperties> element SHALL be referenced in the @URI attribute using "#" + @Id of the <dsig:SignatureProperties>
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The second <dsig:Reference> element SHALL be to the <dsig:SignatureProperties> element captured in a <dsig:Object> element with the <dsig:Signature> element. The <dsig:SignatureProperties> element SHALL be referenced in the @URI attribute using "#" + @Id of the <dsig:SignatureProperties>
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~A <dsig:SignatureProperties> element SHALL be included in the <dsig:Signature> element. At least one <dsig:SignatureProperty> element SHALL be populated with <dt:signature-info> as specified in [TMSAD].
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~A <dsig:SignatureProperties> element SHALL be included in the <dsig:Signature> element. At least one <dsig:SignatureProperty> element SHALL be populated with <dt:signature-info> as specified in [TMSAD].
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~A <dsig:SignatureProperties> element SHALL be included in the <dsig:Signature> element. At least one <dsig:SignatureProperty> element SHALL be populated with <dt:signature-info> as specified in [TMSAD].
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~Key information SHOULD be provided on the <dsig:Signature> element in accordance with [TMSAD].
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~Key information SHOULD be provided on the <dsig:Signature> element in accordance with [TMSAD].
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~Key information SHOULD be provided on the <dsig:Signature> element in accordance with [TMSAD].
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The new <dsig:Signature> element SHALL be placed in a new <arf:extended-info> element in the ARF report collection.
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The new <dsig:Signature> element SHALL be placed in a new <arf:extended-info> element in the ARF report collection.
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The new <dsig:Signature> element SHALL be placed in a new <arf:extended-info> element in the ARF report collection.
Not Tested
When signing a result data stream, the source data stream collection SHOULD be captured in the ARF report being signed.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-323-1 | When signing a result data stream, the source data stream collection SHOULD be captured in the ARF report being signed. | Not Tested |
When signing a result data stream, the source data stream collection SHOULD be captured in the ARF report being signed.
Not Tested
When signing a result data stream, the source data stream collection SHOULD be captured in the ARF report being signed.
Not Tested
An SCAP result data stream SHALL conform to the [ARF] specification.
An SCAP result data stream SHALL conform to the [ARF] specification. SCAPVal performs the Schema validation against SCAP results [ARF] content.
Not Tested
An SCAP result data stream SHALL conform to the [ARF] specification. SCAPVal performs the Schema validation against SCAP results [ARF] content.
An SCAP result data stream SHALL conform to the [ARF] specification. SCAPVal performs the Schematron validation against SCAP results [ARF] content. SCAP schematrons have their own associated IDs and will be used in the results.
Not Tested
An SCAP result data stream SHALL conform to the [ARF] specification. SCAPVal performs the Schematron validation against SCAP results [ARF] content. SCAP schematrons have their own associated IDs and will be used in the results.
Not Tested
In all situations, one or more component results (e.g., XCCDF, check results), the target asset, and/or the SCAP source data stream collection represented as a report request in ARF MAY be represented either as a local component in the ARF or as a remote resource, leveraging the remote resource capability built into ARF.
In all situations, one or more component results (e.g., XCCDF, check results), the target asset, and/or the SCAP source data stream collection represented as a report request in ARF MAY be represented either as a local component in the ARF or as a remote resource, leveraging the remote resource capability built into ARF.
Not Tested
In all situations, one or more component results (e.g., XCCDF, check results), the target asset, and/or the SCAP source data stream collection represented as a report request in ARF MAY be represented either as a local component in the ARF or as a remote resource, leveraging the remote resource capability built into ARF.
Not Tested
It MAY contain additional report objects for other results, such as <oval-var:oval_variables> or extended component results.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-365-1 | It MAY contain additional report objects for other results, such as <oval-var:oval_variables> or extended component results. | Not Tested |
It MAY contain additional report objects for other results, such as <oval-var:oval_variables> or extended component results.
Not Tested
It MAY contain additional report objects for other results, such as <oval-var:oval_variables> or extended component results.
Not Tested
Each component result SHALL be captured as a separate <arf:report> element in the <arf:asset-report-collection> element, and when reporting on XCCDF, OVAL, or OCIL, each component report SHALL use the element specified in Table 19 as its root element.
This requirement was not tested. The user should inspect SCAP results to verify that the ARF report contains a report object for each XCCDF, OVAL, and OCIL component executed when a source data stream is evaluated against a target. Each component result SHALL be captured as a separate <arf:report> element in the <arf:asset-report-collection> element. XCCDF: xccdf:TestResult, OVAL: oval-res:oval_results, OCIL:ocil:ocil
Not Tested
This requirement was not tested. The user should inspect SCAP results to verify that the ARF report contains a report object for each XCCDF, OVAL, and OCIL component executed when a source data stream is evaluated against a target. Each component result SHALL be captured as a separate <arf:report> element in the <arf:asset-report-collection> element. XCCDF: xccdf:TestResult, OVAL: oval-res:oval_results, OCIL:ocil:ocil
Not Tested
Each SCAP result data stream component SHOULD NOT use any deprecated constructs in its associated specification.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-367-1 | Each SCAP result data stream component SHOULD NOT use any deprecated constructs in its associated specification. | Not Tested |
Each SCAP result data stream component SHOULD NOT use any deprecated constructs in its associated specification.
Not Tested
Each SCAP result data stream component SHOULD NOT use any deprecated constructs in its associated specification.
Not Tested
Additional identification information MAY be captured in the <ai:asset> element (asset tag, system GUID, etc.) The guidelines specified in [AI] SHALL be followed when populating the asset identification information.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-369-1 | Additional identification information MAY be captured in the <ai:asset> element (asset tag, system GUID, etc.) The guidelines specified in [AI] SHALL be followed when populating the asset identification information. | Not Tested |
Additional identification information MAY be captured in the <ai:asset> element (asset tag, system GUID, etc.) The guidelines specified in [AI] SHALL be followed when populating the asset identification information.
Not Tested
Additional identification information MAY be captured in the <ai:asset> element (asset tag, system GUID, etc.) The guidelines specified in [AI] SHALL be followed when populating the asset identification information.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~~The <xccdf:rule-result> elements report the result of the application of each selected rule [XCCDF:6.6.2].~The @href attribute SHALL contain "#" + the @id of the <arf:report> containing the check result. This approach provides traceability between XCCDF and check results.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-370-1 | The @href attribute SHALL contain "#" + the @id of the <arf:report> containing the check result. This approach provides traceability between XCCDF and check results. | Not Tested |
| RES-370-2 | Depending on the checking engine used (OVAL or OCIL), the the <arf:report> element should contain the relevant (OVAL or OCIL) content. | Not Tested |
The @href attribute SHALL contain "#" + the @id of the <arf:report> containing the check result. This approach provides traceability between XCCDF and check results.
Not Tested
The @href attribute SHALL contain "#" + the @id of the <arf:report> containing the check result. This approach provides traceability between XCCDF and check results.
Depending on the checking engine used (OVAL or OCIL), the the <arf:report> element should contain the relevant (OVAL or OCIL) content.
Not Tested
Depending on the checking engine used (OVAL or OCIL), the the <arf:report> element should contain the relevant (OVAL or OCIL) content.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~~The <xccdf:rule-result> elements report the result of the application of each selected rule [XCCDF:6.6.2].~Note that if @multi-check is not set to "true" and the <xccdf:rule-result> represents a group of checks, then the @name attribute SHALL be omitted.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-371-1 | Note that if @multi-check is not set to "true" and the <xccdf:rule-result> represents a group of checks, then the @name attribute SHALL be omitted. | Not Tested |
Note that if @multi-check is not set to "true" and the <xccdf:rule-result> represents a group of checks, then the @name attribute SHALL be omitted.
Not Tested
Note that if @multi-check is not set to "true" and the <xccdf:rule-result> represents a group of checks, then the @name attribute SHALL be omitted.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~If a child profile of an <xccdf:Tailoring> element was applied during processing, then the <xccdf:tailoring-file> element SHALL be present and SHALL provide the following information about the <xccdf:Tailoring> element: @href, @id, @version, and @time. The @href attribute SHALL hold the URI to the XCCDF Tailoring component and SHALL comply with the format described above (item 3).
If a child profile of an <xccdf:Tailoring> element was applied during processing, then the <xccdf:tailoring-file> element SHALL be present and SHALL provide the following information about the <xccdf:Tailoring> element: @href, @id, @version, and @time. The @href attribute SHALL hold the URI to the XCCDF Tailoring component and SHALL comply with the format described above (item 3). If <xccdf:tailoring-file> is provided, the XCCDF schema will check for this.
Not Tested
If a child profile of an <xccdf:Tailoring> element was applied during processing, then the <xccdf:tailoring-file> element SHALL be present and SHALL provide the following information about the <xccdf:Tailoring> element: @href, @id, @version, and @time. The @href attribute SHALL hold the URI to the XCCDF Tailoring component and SHALL comply with the format described above (item 3). If <xccdf:tailoring-file> is provided, the XCCDF schema will check for this.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~The <xccdf:Profile> element SHALL be included if a profile was applied during processing. This is also applicable to selected profiles part of <xccdf:Tailoring>.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-389-1 | The <xccdf:Profile> element SHALL be included if a profile was applied during processing. This is also applicable to selected profiles part of <xccdf:Tailoring>. | Not Tested |
The <xccdf:Profile> element SHALL be included if a profile was applied during processing. This is also applicable to selected profiles part of <xccdf:Tailoring>.
Not Tested
The <xccdf:Profile> element SHALL be included if a profile was applied during processing. This is also applicable to selected profiles part of <xccdf:Tailoring>.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~Regarding the definition and use of <xccdf:Profile> elements, reported <xccdf:set-value> elements SHALL include all those values that are exported by the reported rules. The specific settings are those determined by the reported <xccdf:Profile>.
Regarding the definition and use of <xccdf:Profile> elements, reported <xccdf:set-value> elements SHALL include all those values that are exported by the reported rules. The specific settings are those determined by the reported <xccdf:Profile>.
Not Tested
Regarding the definition and use of <xccdf:Profile> elements, reported <xccdf:set-value> elements SHALL include all those values that are exported by the reported rules. The specific settings are those determined by the reported <xccdf:Profile>.
Not Tested
According to [XCCDF:Table 9;Table 35;Table 39], if the <xccdf:Rule> element under evaluation is selected and its @role attribute is set to "unchecked", then the rule result SHALL be set to "notchecked". If the <xccdf:Rule> element under evaluation is selected and its @role attribute is set to "unscored", then the rule result SHALL be set to "informational".
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-391-1 | If the <xccdf:Rule> element under evaluation is selected and its @role attribute is set to "unchecked", then the rule result SHALL be set to "notchecked". | Not Tested |
| RES-391-2 | If the <xccdf:Rule> element under evaluation is selected and its @role attribute is set to "unscored", then the rule result SHALL be set to "informational". | Not Tested |
If the <xccdf:Rule> element under evaluation is selected and its @role attribute is set to "unchecked", then the rule result SHALL be set to "notchecked".
Not Tested
If the <xccdf:Rule> element under evaluation is selected and its @role attribute is set to "unchecked", then the rule result SHALL be set to "notchecked".
If the <xccdf:Rule> element under evaluation is selected and its @role attribute is set to "unscored", then the rule result SHALL be set to "informational".
Not Tested
If the <xccdf:Rule> element under evaluation is selected and its @role attribute is set to "unscored", then the rule result SHALL be set to "informational".
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~~The <xccdf:rule-result> elements report the result of the application of each selected rule [XCCDF:6.6.2].~The @role, @severity, and @weight attributes of the <xccdf:rule-result> element SHALL be provided to indicate their values used during assessment.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-392-1 | The @role, @severity, and @weight attributes of the <xccdf:rule-result> element SHALL be provided to indicate their values used during assessment. | Not Tested |
The @role, @severity, and @weight attributes of the <xccdf:rule-result> element SHALL be provided to indicate their values used during assessment.
Not Tested
The @role, @severity, and @weight attributes of the <xccdf:rule-result> element SHALL be provided to indicate their values used during assessment.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~~To be considered valid SCAP result content, the <xccdf:TestResult> element SHALL meet the following conditions~The <xccdf:identity> element SHALL identify the security principal used to access rule evaluation on the target(s). This will include the identity name or username used to perform the evaluation.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-42-1 | At least one <xccdf:identity> element SHALL be provided and SHALL contain text to identify the security principal. | Not Tested |
At least one <xccdf:identity> element SHALL be provided and SHALL contain text to identify the security principal.
Not Tested
At least one <xccdf:identity> element SHALL be provided and SHALL contain text to identify the security principal.
Not Tested
If the target <xccdf:Rule> identified by the <xccdf:rule-result> element's @idref attribute has one or more <xccdf:ident> elements with a @system attribute value listed in Section 3.2.4.1, then each <xccdf:ident> element SHALL also appear within the <xccdf:rule-result> element.
If the target <xccdf:Rule> identified by the <xccdf:rule-result idref=""> attribute has one or more <ident> elements with the "http://cve.mitre.org" or "http://cpe.mitre.org" or "http://cpe.mitre.org" system identifier, then each <xccdf:ident> element SHALL also appear within the <xccdf:rule-result> element.
Not Tested
If the target <xccdf:Rule> identified by the <xccdf:rule-result idref=""> attribute has one or more <ident> elements with the "http://cve.mitre.org" or "http://cpe.mitre.org" or "http://cpe.mitre.org" system identifier, then each <xccdf:ident> element SHALL also appear within the <xccdf:rule-result> element.
Not Tested
SCAP-conformant content SHALL include full status reporting, including Error, Unknown, Not Applicable, Not Evaluated, True, and False.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-68-1 | SCAP-conformant content SHALL include full status reporting, including Error, Unknown, Not Applicable, Not Evaluated, True, and False. | Not Tested |
SCAP-conformant content SHALL include full status reporting, including Error, Unknown, Not Applicable, Not Evaluated, True, and False.
Not Tested
SCAP-conformant content SHALL include full status reporting, including Error, Unknown, Not Applicable, Not Evaluated, True, and False.
Not Tested
An SCAP OVAL result data stream component SHALL include the results of every OVAL Definition used to generate the reported results.
| Derived Requirement # | Summary | Result |
|---|---|---|
| RES-69-1 | An SCAP OVAL result data stream component SHALL include the results of every OVAL Definition used to generate the reported results. | Not Tested |
An SCAP OVAL result data stream component SHALL include the results of every OVAL Definition used to generate the reported results.
Not Tested
An SCAP OVAL result data stream component SHALL include the results of every OVAL Definition used to generate the reported results.
Not Tested
In order to support SCAP instances where OVAL thin content (only the ID of the definition and the results) is preferred, SCAP content consumers SHALL support all valid values for the <oval-res:directives> controlling the expected content of the results file.
In order to support SCAP instances where OVAL thin content (only the ID of the definition and the results) is preferred, SCAP products SHALL support all valid values for the <oval-res:directives> controlling the expected content of the results file.
Not Tested
In order to support SCAP instances where OVAL thin content (only the ID of the definition and the results) is preferred, SCAP products SHALL support all valid values for the <oval-res:directives> controlling the expected content of the results file.
Pass
The following requirements and conventions apply to the <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule> elements:~One or more instances of the <xccdf:description> element SHALL be provided. Each instance SHALL contain a text value that describes the purpose of the containing element.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-10-1 | For each <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule> element, a <xccdf:description> SHALL be provided. | Pass |
For each <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule> element, a <xccdf:description> SHALL be provided.
Pass
For each <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule> element, a <xccdf:description> SHALL be provided.
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OVAL checking system~Use of the OVAL checking system SHALL be indicated by setting the <xccdf:check> element's @system attribute to "http://oval.mitre.org/XMLSchema/oval-definitions-5 ".
@system on <xccdf:check> MUST be "http://oval.mitre.org/XMLSchema/oval-definitions-5" or "http://scap.nist.gov/schema/ocil/2"
Pass
@system on <xccdf:check> MUST be "http://oval.mitre.org/XMLSchema/oval-definitions-5" or "http://scap.nist.gov/schema/ocil/2"
@system on <cpe-dict:check> MUST be "http://oval.mitre.org/XMLSchema/oval-definitions-5" or "http://scap.nist.gov/schema/ocil/2"
Pass
@system on <cpe-dict:check> MUST be "http://oval.mitre.org/XMLSchema/oval-definitions-5" or "http://scap.nist.gov/schema/ocil/2"
@system on <cpe-lang:check-fact-ref> MUST be "http://oval.mitre.org/XMLSchema/oval-definitions-5" or "http://scap.nist.gov/schema/ocil/2"
Not Applicable
@system on <cpe-lang:check-fact-ref> MUST be "http://oval.mitre.org/XMLSchema/oval-definitions-5" or "http://scap.nist.gov/schema/ocil/2"
Not Tested
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~Use of the OCIL checking system SHALL be indicated by setting the <xccdf:check> element's @system attribute to "http://scap.nist.gov/schema/ocil/2".
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-119-1 | Use of the OCIL check system SHALL be indicated by setting the <xccdf:check> element's @system attribute to "http://scap.nist.gov/schema/ocil/2. This is already checked with schematron asserts SRC-118 | Not Tested |
Use of the OCIL check system SHALL be indicated by setting the <xccdf:check> element's @system attribute to "http://scap.nist.gov/schema/ocil/2. This is already checked with schematron asserts SRC-118
Not Tested
Use of the OCIL check system SHALL be indicated by setting the <xccdf:check> element's @system attribute to "http://scap.nist.gov/schema/ocil/2. This is already checked with schematron asserts SRC-118
Not Tested
One or more <xccdf:check-export> elements MAY be used to define the binding of <xccdf:Value> elements to OVAL variables. The format of the <xccdf:check-export> element is:~<xccdf:check-export value-id="XCCDF_Value_id" _x000B_ export-name="OVAL_External_Variable_id"/>
One or more <xccdf:check-export> elements MAY be used to define the binding of <xccdf:Value> elements to OVAL variables. The format of the <xccdf:check-export> element is:~<xccdf:check-export value-id="XCCDF_Value_id" _x000B_ export-name="OVAL_External_Variable_id"/>
Not Tested
One or more <xccdf:check-export> elements MAY be used to define the binding of <xccdf:Value> elements to OVAL variables. The format of the <xccdf:check-export> element is:~<xccdf:check-export value-id="XCCDF_Value_id" _x000B_ export-name="OVAL_External_Variable_id"/>
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~XCCDF test results SHALL be documented as the contents of an <xccdf:TestResult> element.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-131-1 | XCCDF test results SHALL be documented as the contents of an <xccdf:TestResult> element. | Not Tested |
XCCDF test results SHALL be documented as the contents of an <xccdf:TestResult> element.
Not Tested
XCCDF test results SHALL be documented as the contents of an <xccdf:TestResult> element.
Not Tested
A <cpe2_dict:cpe-item> element MAY contain one or more <cpe2-dict:check> elements that reference OVAL inventory class definitions using the following format:~<cpe2_dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"~[href="oval_URL"]>oval_inventory_definition_id</cpe2_dict:check>
A <cpe2_dict:cpe-item> element MAY contain one or more <cpe2-dict:check> elements that reference OVAL inventory class definitions using the following format:~<cpe2_dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"~[href="oval_URL"]>oval_inventory_definition_id</cpe2_dict:check>
Not Tested
A <cpe2_dict:cpe-item> element MAY contain one or more <cpe2-dict:check> elements that reference OVAL inventory class definitions using the following format:~<cpe2_dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"~[href="oval_URL"]>oval_inventory_definition_id</cpe2_dict:check>
Pass
Each CPE name [CPE-N] in an <xccdf:platform> or <cpe2:fact-ref> element within an XCCDF document SHALL match at least one CPE entry in a dictionary referenced by the data stream. A match is considered an EQUAL or SUPERSET result when matching the CPE name to a dictionary entry, as defined in the CPE Name Matching specification [CPE-M]. Only non-deprecated names SHOULD be used.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-15-1 | Every <xccdf:platform> or <cpe2:fact-ref> MUST match as EQUAL or SUPERSET to a CPE in a CPE dictionary component of this data stream. | Pass |
Every <xccdf:platform> or <cpe2:fact-ref> MUST match as EQUAL or SUPERSET to a CPE in a CPE dictionary component of this data stream.
Pass
Every <xccdf:platform> or <cpe2:fact-ref> MUST match as EQUAL or SUPERSET to a CPE in a CPE dictionary component of this data stream.
Not Tested
CVE references in SCAP content MAY include both "candidate" and "entry" status identifiers.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-150-1 | CVE references in SCAP content MAY include both "candidate" and "entry" status identifiers. | Not Tested |
CVE references in SCAP content MAY include both "candidate" and "entry" status identifiers.
Not Tested
CVE references in SCAP content MAY include both "candidate" and "entry" status identifiers.
Not Tested
Deprecated CVE identifiers SHALL NOT be used.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-151-1 | Deprecated CVE identifiers SHALL NOT be used. | Not Tested |
Deprecated CVE identifiers SHALL NOT be used.
Not Tested
Deprecated CVE identifiers SHALL NOT be used.
Not Tested
If a CVE identifier exists for a particular vulnerability, the official CVE identifier SHALL be used. If no CVE exists for the software flaw, an alternate identifier MAY be used, but the user SHOULD seek to have a CVE identifier issued for the vulnerability.
If a CVE identifier exists for a particular vulnerability, the official CVE identifier SHALL be used. If no CVE exists for the software flaw, an alternate identifier MAY be used, but the user SHOULD seek to have a CVE identifier issued for the vulnerability.
Not Tested
If a CVE identifier exists for a particular vulnerability, the official CVE identifier SHALL be used. If no CVE exists for the software flaw, an alternate identifier MAY be used, but the user SHOULD seek to have a CVE identifier issued for the vulnerability.
Not Tested
Each SCAP source data stream component SHALL use one of the elements specified in Table 14 as its document element.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-154-1 | Each SCAP source data stream component SHALL use one of the elements specified in Table 12 as its document element. | Not Tested |
Each SCAP source data stream component SHALL use one of the elements specified in Table 12 as its document element.
Not Tested
Each SCAP source data stream component SHALL use one of the elements specified in Table 12 as its document element.
Pass
An OVAL source data stream component MAY be used to represent a series of checks to verify that patches have been installed. Historically, an XCCDF convention has been used to identify such a reference. An XCCDF benchmark MAY include a patches up-to-date rule that SHALL reference an OVAL source data stream component. ~When implementing a patches up-to-date XCCDF rule that checks for patches via numerous OVAL patch class definitions, the following approach SHALL be used:~The source data stream SHALL include the OVAL source data stream component referenced by the patches up-to-date rule, which contains one or more OVAL patch class definitions.
An xccdf:Rule with @id "xccdf_NAMESPACE_rule_security_patches_up_to_date" and @multi-check=true SHALL reference an OVAL component that contains two or more oval definition of class 'patch'. This schematron assert also covers SRC-275-1 If your content contains external references, SCAPVal will attempt to resolve them in -online mode.
Pass
An xccdf:Rule with @id "xccdf_NAMESPACE_rule_security_patches_up_to_date" and @multi-check=true SHALL reference an OVAL component that contains two or more oval definition of class 'patch'. This schematron assert also covers SRC-275-1 If your content contains external references, SCAPVal will attempt to resolve them in -online mode.
Pass
An OVAL source data stream component MAY be used to represent a series of checks to verify that patches have been installed. Historically, an XCCDF convention has been used to identify such a reference. An XCCDF benchmark MAY include a patches up-to-date rule that SHALL reference an OVAL source data stream component. ~When implementing a patches up-to-date XCCDF rule that checks for patches via numerous OVAL patch class definitions, the following approach SHALL be used:~Each <xccdf:check-content-ref> element SHALL omit the @name attribute.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-171-1 | When implementing a patches up-to-date XCCDF rule that checks for patches via numerous OVAL patch class definitions, then each <xccdf:check-content-ref> element SHALL omit the @name attribute. | Pass |
When implementing a patches up-to-date XCCDF rule that checks for patches via numerous OVAL patch class definitions, then each <xccdf:check-content-ref> element SHALL omit the @name attribute.
Pass
When implementing a patches up-to-date XCCDF rule that checks for patches via numerous OVAL patch class definitions, then each <xccdf:check-content-ref> element SHALL omit the @name attribute.
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~At least one <xccdf:check-content-ref> element SHALL be provided for each <xccdf:check>
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-175-1 | At least one <xccdf:check-content-ref> element SHALL be provided in each <xccdf:check> | Pass |
At least one <xccdf:check-content-ref> element SHALL be provided in each <xccdf:check>
Pass
At least one <xccdf:check-content-ref> element SHALL be provided in each <xccdf:check>
Pass
The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The <xccdf:Benchmark> element SHALL have an @xml:lang attribute.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-2-1 | @xml:lang attribute SHALL be provided on <xccdf:Benchmark> elements. | Pass |
@xml:lang attribute SHALL be provided on <xccdf:Benchmark> elements.
Pass
@xml:lang attribute SHALL be provided on <xccdf:Benchmark> elements.
Not Tested
During scoring, current CVSS scores acquired dynamically, such as from a data feed, SHOULD be used in place of the @weight attribute within XCCDF vulnerability-related rules.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-206-1 | During scoring, current CVSS scores acquired dynamically, such as from a data feed, SHOULD be used in place of the @weight attribute within XCCDF vulnerability-related rules. | Not Tested |
During scoring, current CVSS scores acquired dynamically, such as from a data feed, SHOULD be used in place of the @weight attribute within XCCDF vulnerability-related rules.
Not Tested
During scoring, current CVSS scores acquired dynamically, such as from a data feed, SHOULD be used in place of the @weight attribute within XCCDF vulnerability-related rules.
Warning
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For compliance class definitions:~If an OVAL compliance class definition maps to one or more CCE identifiers, the definition SHOULD include <oval-def:reference> elements that reference those identifiers using the following format: ~<oval-def:reference source="http://cce.mitre.org" ref_id="CCE_identifier"/>_x000B__x000B_The source attribute SHALL be defined using either "http://cce.mitre.org" (preferred method) or "CCE".
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-207-1 | OVAL definitions of class 'compliance' should include a reference to a CCE, where applicable. | Warning |
OVAL definitions of class 'compliance' should include a reference to a CCE, where applicable.
Warning
OVAL definitions of class 'compliance' should include a reference to a CCE, where applicable.
| # | Test Result | Message | Context (Line/Column) |
|---|---|---|---|
| 1 | Fail | 'oval-def:definition oval:ssg-rsyslog_nolisten:def:1' | 51 : 93 |
|
|||
| 2 | Fail | 'oval-def:definition oval:ssg-logwatch_configured_splithosts:def:1' | 139 : 107 |
|
|||
| 3 | Fail | 'oval-def:definition oval:ssg-logwatch_configured_hostlimit:def:1' | 152 : 106 |
|
|||
| 4 | Fail | 'oval-def:definition oval:ssg-directory_permissions_var_log_audit:def:1' | 375 : 112 |
|
|||
| 5 | Fail | 'oval-def:definition oval:ssg-auditd_data_retention_space_left:def:1' | 854 : 109 |
|
|||
| 6 | Fail | 'oval-def:definition oval:ssg-auditd_data_disk_full_action:def:1' | 881 : 105 |
|
|||
| 7 | Fail | 'oval-def:definition oval:ssg-auditd_data_disk_error_action:def:1' | 964 : 106 |
|
|||
| 8 | Fail | 'oval-def:definition oval:ssg-accounts_have_homedir_login_defs:def:1' | 1033 : 109 |
|
|||
| 9 | Fail | 'oval-def:definition oval:ssg-file_permissions_home_dirs:def:1' | 1080 : 103 |
|
|||
| 10 | Fail | 'oval-def:definition oval:ssg-root_path_no_dot:def:1' | 1109 : 93 |
|
|||
| Omitting 243 additional results. | |||
Pass
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For compliance class definitions:~Definitions that are directly or indirectly extended SHALL be limited to inventory and compliance classes.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-208-1 | For OVAL definitions of @class 'compliance', only definitions of class 'compliance' or 'inventory' can be extended. | Pass |
For OVAL definitions of @class 'compliance', only definitions of class 'compliance' or 'inventory' can be extended.
Pass
For OVAL definitions of @class 'compliance', only definitions of class 'compliance' or 'inventory' can be extended.
Warning
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For inventory class definitions:~If an OVAL inventory class definition maps to one or more CPE identifiers, the definition SHOULD include <oval-def:reference> elements that reference those identifiers using the following format: _x000B__x000B_<oval-def:reference source="http://cpe.mitre.org" ref_id="CPE_identifier"/>_x000B__x000B_The source attribute SHALL be defined using either "http://cpe.mitre.org" (preferred method) or "CPE".
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-209-1 | OVAL definitions of class 'inventory' should include a reference to a CPE, where applicable. | Warning |
OVAL definitions of class 'inventory' should include a reference to a CPE, where applicable.
Warning
OVAL definitions of class 'inventory' should include a reference to a CPE, where applicable.
| # | Test Result | Message | Context (Line/Column) |
|---|---|---|---|
| 1 | Fail | 'oval-def:definition oval:ssg-installed_OS_is_opensuse:def:1' | 7198 : 100 |
|
|||
| 2 | Fail | 'oval-def:definition oval:ssg-installed_OS_is_part_of_Unix_family:def:1' | 7244 : 111 |
|
|||
| 3 | Fail | 'oval-def:definition oval:ssg-installed_OS_is_ubuntu:def:1' | 7426 : 98 |
|
|||
| 4 | Fail | 'oval-def:definition oval:ssg-installed_OS_is_opensuse:def:1' | 140424 : 100 |
|
|||
| 5 | Fail | 'oval-def:definition oval:ssg-installed_OS_is_part_of_Unix_family:def:1' | 140467 : 111 |
|
|||
| 6 | Fail | 'oval-def:definition oval:ssg-installed_OS_is_ubuntu:def:1' | 140639 : 98 |
|
|||
Pass
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For inventory class definitions:~Definitions that are directly or indirectly extended SHALL be limited to the inventory class.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-210-1 | For OVAL definitions of @class 'inventory', only definitions of class 'inventory' can be extended. | Pass |
For OVAL definitions of @class 'inventory', only definitions of class 'inventory' can be extended.
Pass
For OVAL definitions of @class 'inventory', only definitions of class 'inventory' can be extended.
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For patch class definitions:~If an OVAL patch class definition maps to one or more CVE identifiers, the definition MAY include <oval-def:reference> elements that reference those identifiers using the following format:_x000B__x000B_<oval-def:reference source="http://cve.mitre.org" ref_id="CVE_identifier"/>_x000B__x000B_This recommendation is weaker than its counterparts for the other class definition types because a CVE identifier is not an identifier for a patch; it is more of an association. For example, one patch could fix multiple vulnerabilities, so it would map to multiple CVE identifiers._x000B__x000B_The source attribute SHALL be defined using either "http://cve.mitre.org" (preferred method) or "CVE".
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-211-1 | OVAL patch class MAY reference a CVE. This requirement changed from "SHOULD" to "MAY" in SCAP Schematron version 1.1 | Not Tested |
OVAL patch class MAY reference a CVE. This requirement changed from "SHOULD" to "MAY" in SCAP Schematron version 1.1
Not Tested
OVAL patch class MAY reference a CVE. This requirement changed from "SHOULD" to "MAY" in SCAP Schematron version 1.1
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For patch class definitions:~If an OVAL patch class definition is associated with a source specific identifier (for example, Knowledge Base numbers for Microsoft patches), these identifiers SHOULD be included in <oval-def:reference> elements contained by the definition. For example:_x000B__x000B_<oval-def:reference source="www.microsoft.com/Patch" ref_id="KB912919"/>
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For patch class definitions:~If an OVAL patch class definition is associated with a source specific identifier (for example, Knowledge Base numbers for Microsoft patches), these identifiers SHOULD be included in <oval-def:reference> elements contained by the definition. For example:_x000B__x000B_<oval-def:reference source="www.microsoft.com/Patch" ref_id="KB912919"/>
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For patch class definitions:~If an OVAL patch class definition is associated with a source specific identifier (for example, Knowledge Base numbers for Microsoft patches), these identifiers SHOULD be included in <oval-def:reference> elements contained by the definition. For example:_x000B__x000B_<oval-def:reference source="www.microsoft.com/Patch" ref_id="KB912919"/>
Pass
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For patch class definitions:~Definitions that are directly or indirectly extended SHALL be limited to inventory and patch classes.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-213-1 | For OVAL definitions of @class 'patch', only definitions of class 'patch' or 'inventory' can be extended. | Pass |
For OVAL definitions of @class 'patch', only definitions of class 'patch' or 'inventory' can be extended.
Pass
For OVAL definitions of @class 'patch', only definitions of class 'patch' or 'inventory' can be extended.
Pass
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For vulnerability class definitions:~If an OVAL vulnerability class definition maps to one or more CVE identifiers, the definition SHOULD include <oval-def:reference> elements that reference those identifiers using the following format:_x000B__x000B_<oval-def:reference source="http://cve.mitre.org" ref_id="CVE_identifier"/>_x000B__x000B_The source attribute SHALL be defined using either "http://cve.mitre.org" (preferred method) or "CVE".
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-214-1 | OVAL definitions of class 'vulnerability' should include a reference to a CVE, where applicable. | Pass |
OVAL definitions of class 'vulnerability' should include a reference to a CVE, where applicable.
Pass
OVAL definitions of class 'vulnerability' should include a reference to a CVE, where applicable.
Pass
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.~"inventory" if it represents a check for the presence of a product of interest on the system.~The following requirements apply to particular classes of OVAL Definitions:~~For vulnerability class definitions:~Definitions that are directly or indirectly extended SHALL be limited to inventory and vulnerability classes.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-215-1 | For OVAL definitions of @class 'vulnerability', only definitions of class 'inventory' or 'vulnerability' can be extended. | Pass |
For OVAL definitions of @class 'vulnerability', only definitions of class 'inventory' or 'vulnerability' can be extended.
Pass
For OVAL definitions of @class 'vulnerability', only definitions of class 'inventory' or 'vulnerability' can be extended.
Pass
Within the SCAP component specifications, certain constructs can be deprecated. SCAP content consumers SHALL support all deprecated constructs, unless specifically noted in the annex, because they are still valid within SCAP 1.3 and supported legacy SCAP versions. This requirement ensures that legacy SCAP content making use of these deprecated constructs continues to be supported.~Content consumers supporting OVAL SHALL support OVAL Definition documents written against all versions of OVAL component specifications listed in the annex.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-216-1 | OVAL documents shall be written in one of the following versions: 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.10.1, 5.11, 5.11.1, 5.11.2 | Pass |
| SRC-216-2 | OVAL platform schema versions shall be approved for SCAP 1.3 (Annex to NIST Special Publication 800-126 Revision 3) | Pass |
OVAL documents shall be written in one of the following versions: 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.10.1, 5.11, 5.11.1, 5.11.2
Pass
OVAL documents shall be written in one of the following versions: 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.10.1, 5.11, 5.11.1, 5.11.2
OVAL platform schema versions shall be approved for SCAP 1.3 (Annex to NIST Special Publication 800-126 Revision 3)
Pass
OVAL platform schema versions shall be approved for SCAP 1.3 (Annex to NIST Special Publication 800-126 Revision 3)
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"compliance" if it represents a check for the system's configuration complying with policy requirements (for example, having the required value for a specific configuration setting).
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-228-1 | Required values for the @class attribute of an OVAL Definition are as follows:~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system. | Not Tested |
Required values for the @class attribute of an OVAL Definition are as follows:~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"vulnerability" if it represents a check for the presence of a particular software flaw vulnerability on a system.
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-229-1 | Required values for the @class attribute of an OVAL Definition are as follows:~"patch" if it represents a check for whether a discrete patch needs to be installed on the system. | Not Tested |
Required values for the @class attribute of an OVAL Definition are as follows:~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"patch" if it represents a check for whether a discrete patch needs to be installed on the system.
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"inventory" if it represents a check for the presence of a product of interest on the system.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-230-1 | Required values for the @class attribute of an OVAL Definition are as follows:~"inventory" if it represents a check for the presence of a product of interest on the system. | Not Tested |
Required values for the @class attribute of an OVAL Definition are as follows:~"inventory" if it represents a check for the presence of a product of interest on the system.
Not Tested
Required values for the @class attribute of an OVAL Definition are as follows:~"inventory" if it represents a check for the presence of a product of interest on the system.
Pass
The SCAP source data stream component that SHALL be included for compliance checking is the XCCDF benchmark, which expresses the checklist. Each rule in the XCCDF benchmark SHALL reference one of the following:~An OVAL compliance definition. This definition SHALL be contained in an OVAL component, which holds definitions of compliance checks used by the checklist. An XCCDF benchmark's rules MAY reference one or more OVAL compliance class definitions in an OVAL component.~An OCIL questionnaire. This questionnaire SHALL be contained in an OCIL component, which holds questionnaires that collect information that OVAL is not being used to collect, such as posing questions to users or harvesting configuration information from an existing database. An XCCDF benchmark's rules MAY reference one or more OCIL questionnaires in an OCIL component.~An OVAL patch definition. This definition SHALL be contained in an OVAL component, which holds definitions for patch compliance checks. These checks may be needed if an organization includes patch verification in its compliance activities. An XCCDF benchmark MAY reference an OVAL patch definition through a patches up-to-date rule in a manner consistent with Section 3.2.4.3.
For this CONFIGURATION @use-case, unable to find at least one <xccdf:Benchmark> element referenced in the <ds:checklists> child elements. Check your <ds:component-ref> @xlink:href values for validity. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Pass
For this CONFIGURATION @use-case, unable to find at least one <xccdf:Benchmark> element referenced in the <ds:checklists> child elements. Check your <ds:component-ref> @xlink:href values for validity. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Each xccdf:Rule shall reference at least one of the follow items: OVAL compliance class, OCIL Questionnaire, OVAL patch class
Pass
Each xccdf:Rule shall reference at least one of the follow items: OVAL compliance class, OCIL Questionnaire, OVAL patch class
Pass
The SCAP source data stream component that SHALL be included for vulnerability scanning is the XCCDF benchmark, which expresses the checklist of the flaws to be checked for. Each rule in the XCCDF benchmark SHALL reference one of the following:~An OVAL vulnerability definition. This definition SHALL be contained in an OVAL component, which holds definitions of vulnerability checks used by the checklist. An XCCDF benchmark's rules MAY reference one or more OVAL vulnerability class definitions in an OVAL component.~An OCIL questionnaire. This questionnaire SHALL be contained in an OCIL component, which holds questionnaires that collect information that OVAL is not being used to collect. An example of OCIL use is to give step-by-step directions for manually examining a system for a vulnerability that cannot be detected with OVAL. In such a case, OCIL is used for capturing information collected using manual examination. An XCCDF benchmark's rules MAY reference one or more OCIL questionnaires in an OCIL component. ~An OVAL patch definition. This definition SHALL be contained in an OVAL component, which holds definitions for patch compliance checks. These checks may be needed if an organization includes patch verification in its vulnerability scanning activities. An XCCDF benchmark MAY reference an OVAL patch definition through a patches up-to-date rule in a manner consistent with Section 3.2.4.3.
For this VULNERABILITY @use-case, unable to find at least one <xccdf:Benchmark> element referenced in the <ds:checklists> child elements. Check your <ds:component-ref> @xlink:href values for validity. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Pass
For this VULNERABILITY @use-case, unable to find at least one <xccdf:Benchmark> element referenced in the <ds:checklists> child elements. Check your <ds:component-ref> @xlink:href values for validity. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Each xccdf:Rule shall reference at least one of the follow components: OVAL vulnerability class, OCIL Questionnaire, OVAL patch class
Pass
Each xccdf:Rule shall reference at least one of the follow components: OVAL vulnerability class, OCIL Questionnaire, OVAL patch class
Pass
The SCAP source data stream component that SHALL be included for inventory scanning is the XCCDF benchmark, which references the inventory checks and captures the results. Each rule in the XCCDF benchmark SHALL reference one of the following:~An OVAL inventory definition. This definition SHALL be contained in an OVAL component, which holds definitions of technical procedures for determining whether or not a specific target asset has software (product, platform, malware, etc.) of interest. An XCCDF benchmark's rules MAY reference one or more OVAL inventory class definitions in an OVAL component. ~An OCIL questionnaire. This questionnaire SHALL be contained in an OCIL component, which holds questionnaires that collect information that OVAL is not being used to collect, such as posing questions to users or harvesting inventory information from an existing database. An XCCDF benchmark's rules MAY reference one or more OCIL questionnaires in an OCIL component.
For this INVENTORY @use-case, unable to find at least one <xccdf:Benchmark> element referenced in the <ds:checklists> child elements. Check your <ds:component-ref> @xlink:href values for validity. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Pass
For this INVENTORY @use-case, unable to find at least one <xccdf:Benchmark> element referenced in the <ds:checklists> child elements. Check your <ds:component-ref> @xlink:href values for validity. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Each xccdf:Rule shall reference at least one OVAL definition in CPE_INVENTORY
Pass
Each xccdf:Rule shall reference at least one OVAL definition in CPE_INVENTORY
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~The <xccdf:check-content> element SHALL NOT be used to embed check content directly into XCCDF content.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-25-1 | A XCCDF document SHALL NOT contain an <xccdf:check-content> element | Pass |
A XCCDF document SHALL NOT contain an <xccdf:check-content> element
Pass
A XCCDF document SHALL NOT contain an <xccdf:check-content> element
Warning
Each <xccdf:Rule> element SHALL include an <xccdf:ident> element containing a CVE, CCE, or CPE identifier reference if an appropriate identifier exists. The meaning of the identifier SHALL be consistent with the recommendation implemented by the <xccdf:Rule> element. If the rule references an OVAL Definition, then <xccdf:ident> element content SHALL match the corresponding CVE, CCE, or CPE identifier found in the associated OVAL Definition(s) if an appropriate identifier exists and if that OVAL Definition is the only input to the rule's final result.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-251-1 | An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | Warning |
| SRC-251-2 | If an XCCDF rule references an OVAL definition, then <xccdf:ident> element content SHALL match the corresponding CVE, CCE, or CPE identifier found in the associated OVAL Definition(s). | Pass |
An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE
Warning
An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE
| # | Test Result | Message | Context (Line/Column) |
|---|---|---|---|
| 1 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost' | 50724 : 121 |
|
|||
| 2 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_rsyslog_nolisten' | 50862 : 115 |
|
|||
| 3 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_package_syslogng_installed' | 50990 : 125 |
|
|||
| 4 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_service_syslogng_enabled' | 51038 : 123 |
|
|||
| 5 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp' | 51121 : 134 |
|
|||
| 6 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp' | 51164 : 134 |
|
|||
| 7 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership' | 51247 : 127 |
|
|||
| 8 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_rsyslog_files_ownership' | 51316 : 122 |
|
|||
| 9 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_rsyslog_files_permissions' | 51385 : 124 |
|
|||
| 10 | Fail | 'xccdf:Rule xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' | 51467 : 119 |
|
|||
| Omitting 1042 additional results. | |||
If an XCCDF rule references an OVAL definition, then <xccdf:ident> element content SHALL match the corresponding CVE, CCE, or CPE identifier found in the associated OVAL Definition(s).
Pass
If an XCCDF rule references an OVAL definition, then <xccdf:ident> element content SHALL match the corresponding CVE, CCE, or CPE identifier found in the associated OVAL Definition(s).
Pass
An <xccdf:ident> element referencing a CVE, CCE, or CPE identifier SHALL be ordered before other <xccdf:ident> elements referencing non-SCAP identifiers. Identifiers from previous revisions of CCE or CPE MAY also be specified following the SCAP identifiers.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-257-1 | An <xccdf:ident> element referencing a CVE, CCE, or CPE identifier (using the @system value specified in the 800-126) SHALL be ordered before other <xccdf:ident> elements referencing non-SCAP identifiers. | Pass |
An <xccdf:ident> element referencing a CVE, CCE, or CPE identifier (using the @system value specified in the 800-126) SHALL be ordered before other <xccdf:ident> elements referencing non-SCAP identifiers.
Pass
An <xccdf:ident> element referencing a CVE, CCE, or CPE identifier (using the @system value specified in the 800-126) SHALL be ordered before other <xccdf:ident> elements referencing non-SCAP identifiers.
Pass
Each XCCDF benchmark SHALL have at least one rule that references either an OVAL compliance class definition in an OVAL component or an OCIL questionnaire in an OCIL component.
Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL compliance class definition in an OVAL component or an OCIL questionnaire in an OCIL Questionnaire component. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Pass
Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL compliance class definition in an OVAL component or an OCIL questionnaire in an OCIL Questionnaire component. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Not Tested
All OVAL components and OCIL components referenced by the XCCDF benchmark SHALL be included in the SCAP source data stream.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-263-1 | All OVAL components and OCIL components referenced by the XCCDF benchmark SHALL be included in the SCAP source data stream. | Not Tested |
All OVAL components and OCIL components referenced by the XCCDF benchmark SHALL be included in the SCAP source data stream.
Not Tested
All OVAL components and OCIL components referenced by the XCCDF benchmark SHALL be included in the SCAP source data stream.
Pass
Each XCCDF benchmark SHALL have at least one rule that references either an OVAL vulnerability class definition in an OVAL component or an OCIL questionnaire in an OCIL component.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-265-1 | Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL vulnerability definition in the an OVAL component or an OCIL questionnaire in the OCIL Questionnaire component. | Pass |
Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL vulnerability definition in the an OVAL component or an OCIL questionnaire in the OCIL Questionnaire component.
Pass
Each XCCDF Benchmark SHALL have at least one rule that references either an OVAL vulnerability definition in the an OVAL component or an OCIL questionnaire in the OCIL Questionnaire component.
Not Tested
All OVAL components and OCIL components referenced by the XCCDF benchmark SHALL be included in the SCAP source data stream.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-266-1 | All OVAL components and OCIL components referenced by the XCCDF benchmark SHALL be included in the SCAP source data stream. | Not Tested |
All OVAL components and OCIL components referenced by the XCCDF benchmark SHALL be included in the SCAP source data stream.
Not Tested
All OVAL components and OCIL components referenced by the XCCDF benchmark SHALL be included in the SCAP source data stream.
Not Tested
Each SCAP source data stream component SHOULD NOT use any constructs that are deprecated in its associated specification.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-267-1 | Each SCAP source data stream component SHOULD NOT use any constructs that are deprecated in its associated specification. | Not Tested |
Each SCAP source data stream component SHOULD NOT use any constructs that are deprecated in its associated specification.
Not Tested
Each SCAP source data stream component SHOULD NOT use any constructs that are deprecated in its associated specification.
Not Tested
An OVAL source data stream component MAY be used to represent a series of checks to verify that patches have been installed. Historically, an XCCDF convention has been used to identify such a reference. An XCCDF benchmark MAY include a patches up-to-date rule that SHALL reference an OVAL source data stream component. ~When implementing a patches up-to-date XCCDF rule that checks for patches via numerous OVAL patch class definitions, the following approach SHALL be used:~The @multi-check attribute of the <xccdf:check> element SHALL be set to "true". This causes a separate <xccdf:rule-result> to be generated for each OVAL Patch Definition. See Section 4.5.2 for more information.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-275-1 | SRC-169-1 covers this check. When the @multi-check attribute of the <xccdf:check> element SHALL is set to "true". This Patches Up-To-Date Rule is considered a multi-check and shall have two or more OVAL Patch definition references. | Not Tested |
SRC-169-1 covers this check. When the @multi-check attribute of the <xccdf:check> element SHALL is set to "true". This Patches Up-To-Date Rule is considered a multi-check and shall have two or more OVAL Patch definition references.
Not Tested
SRC-169-1 covers this check. When the @multi-check attribute of the <xccdf:check> element SHALL is set to "true". This Patches Up-To-Date Rule is considered a multi-check and shall have two or more OVAL Patch definition references.
Pass
Use of the <xccdf:source>, <xccdf:complex-value>, and <xccdf:complex-default> elements within the <xccdf:Value> element SHALL NOT be allowed. Within the <xccdf:choices> element of the <xccdf:Value> element, use of the <xccdf:complex-choice> element SHALL NOT be allowed.
The use of the <xccdf:source>, <xccdf:complex-value>, and <xccdf:complex-default> elements within the <xccdf:Value> element SHALL NOT be allowed. Within the <xccdf:choices> element of the <xccdf:Value> element, the use of the <xccdf:complex-choice> element SHALL NOT be allowed.
Pass
The use of the <xccdf:source>, <xccdf:complex-value>, and <xccdf:complex-default> elements within the <xccdf:Value> element SHALL NOT be allowed. Within the <xccdf:choices> element of the <xccdf:Value> element, the use of the <xccdf:complex-choice> element SHALL NOT be allowed.
Not Tested
This section lists requirements and recommendations for using Common Platform Enumeration (CPE) to express a CPE component of an SCAP source data stream (see Table 14). ~The Official CPE Dictionary data feed MAY be used by SCAP components to reference CPE names. If use of the Official CPE Dictionary is impractical, a subset of the dictionary MAY be used instead. Creating the reduced official dictionary involves first identifying every CPE in <xccdf:platform> and <cpe2:fact-ref> elements contained within referenced <cpe2:platform-specification> elements in every benchmark in the data stream. Then these CPEs SHALL be matched against every entry in the Official CPE Dictionary using the CPE name matching algorithm [CPE-M]. All CPEs matched in the official dictionary with a result of EQUAL or SUPERSET SHALL be included in the reduced official dictionary
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-278-1 | The Official CPE Dictionary data feed MAY be used by SCAP components to reference CPE names. This is optional and currently not checked. | Not Tested |
The Official CPE Dictionary data feed MAY be used by SCAP components to reference CPE names. This is optional and currently not checked.
Not Tested
The Official CPE Dictionary data feed MAY be used by SCAP components to reference CPE names. This is optional and currently not checked.
Not Tested
One or more third-party dictionaries MAY be included in a data stream as well. All such third-party dictionaries SHOULD follow the requirements of the CPE Dictionary specification [CPE-D]. If including an entire third-party dictionary is impractical, a subset of the dictionary MAY be used instead. The reduced dictionary SHALL be created using the same procedure outlined for creating a subset of the official dictionary. ~In all cases, a dictionary component MAY be remote to the data stream collection.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-279-1 | One or more third-party dictionaries MAY be included in a data stream as well. This is optional and currently not checked. | Not Tested |
One or more third-party dictionaries MAY be included in a data stream as well. This is optional and currently not checked.
Not Tested
One or more third-party dictionaries MAY be included in a data stream as well. This is optional and currently not checked.
Not Tested
When creating a subset of the Official CPE Dictionary or a third-party dictionary, a <cpe2_dict:check> element on an entry MAY be added or modified if the existing check does not provide satisfactory content to test the presence of the CPE name.
When creating a subset of the Official CPE Dictionary or a third-party dictionary, a <cpe2_dict:check> element on an entry MAY be added or modified if the existing check does not provide satisfactory content to test the presence of the CPE name. This is optional and currently not checked.
Not Tested
When creating a subset of the Official CPE Dictionary or a third-party dictionary, a <cpe2_dict:check> element on an entry MAY be added or modified if the existing check does not provide satisfactory content to test the presence of the CPE name. This is optional and currently not checked.
Not Tested
Each signature SHALL be represented as a <dsig:Signature> element and follow the W3C recommendation [DSIG].
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-281-1 | Each signature SHALL be represented as a <dsig:Signature> element and follow the W3C recommendation [DSIG]. | Not Tested |
Each signature SHALL be represented as a <dsig:Signature> element and follow the W3C recommendation [DSIG].
Not Tested
Each signature SHALL be represented as a <dsig:Signature> element and follow the W3C recommendation [DSIG].
Not Applicable
Each <dsig:Signature> element SHALL sign only one data stream
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-282-1 | Each <dsig:Signature> element SHALL sign only one data stream | Not Applicable |
Each <dsig:Signature> element SHALL sign only one data stream
Not Applicable
Each <dsig:Signature> element SHALL sign only one data stream
Not Applicable
A <dsig:Manifest> element SHALL be included within the <dsig:Signature> element as a <dsig:Object> element. The <dsig:Manifest> element SHALL have a <dsig:Reference> element for each local component referenced by the data stream being signed. External components MAY be omitted from the <dsig:Manifest> element. Each <dsig:Reference> element referencing a <ds:component> or <ds:extended-component> element SHALL point to the component being signed by identifying the component in the @URI attribute using "#" + @Id of the component.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-284-1 | A <dsig:Manifest> SHALL be included in the <dsig:Signature> as a <dsig:Object> | Not Applicable |
| SRC-284-2 | The <dsig:Manifest> SHALL have a <dsig:Reference> for each local component referenced by the data stream being signed. | Not Applicable |
A <dsig:Manifest> SHALL be included in the <dsig:Signature> as a <dsig:Object>
Not Applicable
A <dsig:Manifest> SHALL be included in the <dsig:Signature> as a <dsig:Object>
The <dsig:Manifest> SHALL have a <dsig:Reference> for each local component referenced by the data stream being signed.
Not Applicable
The <dsig:Manifest> SHALL have a <dsig:Reference> for each local component referenced by the data stream being signed.
Not Applicable
A <dsig:SignatureProperties> element SHALL be included within the <dsig:Signature> element as a <dsig:Object> element. At least one <dsig:SignatureProperty> element SHALL be populated with <dt:signature-info> as specified in [TMSAD]
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-285-1 | A <dsig:SignatureProperties> SHALL be included in the <dsig:Signature> as a <dsig:Object> with a dsig:SignatureProperty populated with tmsad:signature-info | Not Applicable |
A <dsig:SignatureProperties> SHALL be included in the <dsig:Signature> as a <dsig:Object> with a dsig:SignatureProperty populated with tmsad:signature-info
Not Applicable
A <dsig:SignatureProperties> SHALL be included in the <dsig:Signature> as a <dsig:Object> with a dsig:SignatureProperty populated with tmsad:signature-info
Not Applicable
The first <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <ds:data-stream> element being signed. The <ds:data-stream> element SHALL be referenced in the @URI attribute using "#" + @Id of the <ds:data-stream>
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-286-1 | The first <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <ds:data-stream> element being signed. The <ds:data-stream> element SHALL be referenced in the @URI attribute using "#" + @Id of the <ds:data-stream> | Not Applicable |
The first <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <ds:data-stream> element being signed. The <ds:data-stream> element SHALL be referenced in the @URI attribute using "#" + @Id of the <ds:data-stream>
Not Applicable
The first <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <ds:data-stream> element being signed. The <ds:data-stream> element SHALL be referenced in the @URI attribute using "#" + @Id of the <ds:data-stream>
Not Applicable
The second <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <dsig:SignatureProperties> element captured in a <dsig:Object> element within the <dsig:Signature> element. The <dsig:SignatureProperties> element SHALL be referenced in the @URI attribute using "#" + @Id of the<dsig:SignatureProperties> element.
The second <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <dsig:SignatureProperties> element captured in a <dsig:Object> element within the <dsig:Signature> element. The <dsig:SignatureProperties> element SHALL be referenced in the @URI attribute using "#" + @Id of the<dsig:SignatureProperties> element.
Not Applicable
The second <dsig:Reference> element in a <dsig:Signature> element SHALL be to the <dsig:SignatureProperties> element captured in a <dsig:Object> element within the <dsig:Signature> element. The <dsig:SignatureProperties> element SHALL be referenced in the @URI attribute using "#" + @Id of the<dsig:SignatureProperties> element.
Not Applicable
The third <dsig:Reference> element SHALL be to the <dsig:Manifest> element captured in a <dsig:Object> element with the <dsig:Signature> element. The <dsig:Manifest> element SHALL be referenced in the @URI attribute using "#" + @Id attribute of the <dsig:Manifest>
The third <dsig:Reference> element SHALL be to the <dsig:Manifest> element captured in a <dsig:Object> element with the <dsig:Signature> element. The <dsig:Manifest> element SHALL be referenced in the @URI attribute using "#" + @Id attribute of the <dsig:Manifest>
Not Applicable
The third <dsig:Reference> element SHALL be to the <dsig:Manifest> element captured in a <dsig:Object> element with the <dsig:Signature> element. The <dsig:Manifest> element SHALL be referenced in the @URI attribute using "#" + @Id attribute of the <dsig:Manifest>
Not Tested
<dsig:Reference> elements on the <dsig:Manifest> element SHOULD be in the same order as the <ds:component-ref> elements on the data stream being signed
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-289-1 | <dsig:Reference> elements on the <dsig:Manifest> element SHOULD be in the same order as the <ds:component-ref> elements on the data stream being signed | Not Tested |
<dsig:Reference> elements on the <dsig:Manifest> element SHOULD be in the same order as the <ds:component-ref> elements on the data stream being signed
Not Tested
<dsig:Reference> elements on the <dsig:Manifest> element SHOULD be in the same order as the <ds:component-ref> elements on the data stream being signed
Not Applicable
Cryptographic key information SHOULD be provided in the <dsig:Signature> element through use of the <dsig:KeyInfo> subelement.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-290-1 | Cryptographic key information SHOULD be provided in the <dsig:Signature> element through use of the <dsig:KeyInfo> subelement. | Not Applicable |
Cryptographic key information SHOULD be provided in the <dsig:Signature> element through use of the <dsig:KeyInfo> subelement.
Not Applicable
Cryptographic key information SHOULD be provided in the <dsig:Signature> element through use of the <dsig:KeyInfo> subelement.
Warning
The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The <xccdf:version> element and the @id attribute SHALL be used together to uniquely identify all revisions of a benchmark.~Multiple revisions of a single benchmark SHOULD have the same @id attribute value and different <xccdf:version> element values, so that someone who reviews the revisions can readily identify them as multiple versions of a single benchmark. ~Multiple revisions of a single benchmark SHOULD have <xccdf:version> element values that indicate the revision sequence, so that the history of changes from the original benchmark can be determined. ~The @time attribute of the <xccdf:version> element SHOULD be used for a timestamp of when the benchmark was defined.
Multiple revisions of a single benchmark SHOULD have <xccdf:version> element values that indicate the revision sequence, so that the history of changes from the original benchmark can be determined.
Not Tested
Multiple revisions of a single benchmark SHOULD have <xccdf:version> element values that indicate the revision sequence, so that the history of changes from the original benchmark can be determined.
The @time attribute of the <xccdf:version> element SHOULD be used for a timestamp of when the benchmark was defined.
Warning
The @time attribute of the <xccdf:version> element SHOULD be used for a timestamp of when the benchmark was defined.
| # | Test Result | Message | Context (Line/Column) |
|---|---|---|---|
| 1 | Fail | ' - TEST: exists(xccdf:version/@time)' | 46583 : 119 |
|
|||
The @id and <xccdf:version> together MUST uniquely identify an xccdf:Benchmark in a <scap:data-stream-collection>
Pass
The @id and <xccdf:version> together MUST uniquely identify an xccdf:Benchmark in a <scap:data-stream-collection>
Pass
If the XCCDF benchmark component references any CPE names, then the SCAP source data stream SHALL include a CPE component, which specifies the products or platforms of interest, and SHALL include one or more OVAL inventory class definitions in an OVAL component that contain the technical procedures for determining whether or not a specific target asset has a product or platform of interest.
If an XCCDF referenced from a data stream contains an <xccdf:platform> or <cpe-lang:fact-ref>, then a CPE dictionary component must be reference from the same data stream, and an OVAL component with a definition of class "inventory" must also be referenced.
Pass
If an XCCDF referenced from a data stream contains an <xccdf:platform> or <cpe-lang:fact-ref>, then a CPE dictionary component must be reference from the same data stream, and an OVAL component with a definition of class "inventory" must also be referenced.
Pass
When evaluating an <xccdf:check-content-ref> element within an <xccdf:check> element, its @href attribute either SHALL contain a "#" + @id of a <ds:component-ref> element or SHALL be resolved in the context of the XML Catalog specified as part of the <ds:component-ref> element that is referencing this benchmark. In either case, the @href attribute SHALL ultimately resolve to a <ds:component-ref> element in the data stream referencing the benchmark containing this <xccdf:check-content-ref> element. See Section 3.1.1 for additional information on <ds:component-ref> resolution.
When evaluating an <xccdf:check-content-ref> element within an <xccdf:check> element, its @href attribute either SHALL contain a "#" + @id of a <ds:component-ref> element or SHALL be resolved in the context of the XML Catalog specified as part of the <ds:component-ref> element that is referencing this benchmark. In either case, the @href attribute SHALL ultimately resolve to a <ds:component-ref> element in the data stream referencing the benchmark containing this <xccdf:check-content-ref> element. See Section 3.1.1 for additional information on <ds:component-ref> resolution. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Pass
When evaluating an <xccdf:check-content-ref> element within an <xccdf:check> element, its @href attribute either SHALL contain a "#" + @id of a <ds:component-ref> element or SHALL be resolved in the context of the XML Catalog specified as part of the <ds:component-ref> element that is referencing this benchmark. In either case, the @href attribute SHALL ultimately resolve to a <ds:component-ref> element in the data stream referencing the benchmark containing this <xccdf:check-content-ref> element. See Section 3.1.1 for additional information on <ds:component-ref> resolution. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Not Tested
The second <dsig:Reference> element SHALL be to the <dsig:SignatureProperties> element captured in a <dsig:Object> element with the <dsig:Signature> element. The <dsig:SignatureProperties> element SHALL be referenced in the @URI attribute using "#" + @Id of the <dsig:SignatureProperties>
The second <dsig:Reference> element SHALL be to the <dsig:SignatureProperties> element captured in a <dsig:Object> element with the <dsig:Signature> element. The <dsig:SignatureProperties> element SHALL be referenced in the @URI attribute using "#" + @Id of the <dsig:SignatureProperties>
Not Tested
The second <dsig:Reference> element SHALL be to the <dsig:SignatureProperties> element captured in a <dsig:Object> element with the <dsig:Signature> element. The <dsig:SignatureProperties> element SHALL be referenced in the @URI attribute using "#" + @Id of the <dsig:SignatureProperties>
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The original signature SHALL be captured as a <dsig:Object> element on the new <dsig:Signature>
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The original signature SHALL be captured as a <dsig:Object> element on the new <dsig:Signature>
Not Tested
In situations where it is desirable to countersign a result data stream (e.g., when a content consumer automatically signs a result data stream and then a person also wants to sign the results), the following requirements apply.~The original signature SHALL be captured as a <dsig:Object> element on the new <dsig:Signature>
Pass
The @use-case attribute in the <ds:data-stream> element SHALL be set to "CONFIGURATION".
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-324-1 | The @use-case attribute in the <ds:data-stream> element SHALL be set to "CONFIGURATION", "VULNERABILITY", "INVENTORY" or "OTHER" | Pass |
The @use-case attribute in the <ds:data-stream> element SHALL be set to "CONFIGURATION", "VULNERABILITY", "INVENTORY" or "OTHER"
Pass
The @use-case attribute in the <ds:data-stream> element SHALL be set to "CONFIGURATION", "VULNERABILITY", "INVENTORY" or "OTHER"
Not Tested
The @use-case attribute in the <ds:data-stream> element SHALL be set to "VULNERABILITY".
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-325-1 | The @use-case attribute in the <ds:data-stream> element SHALL be set to "VULNERABILITY". All @use-case attributes are being checked with SRC-324-1 schematron asserts. | Not Tested |
The @use-case attribute in the <ds:data-stream> element SHALL be set to "VULNERABILITY". All @use-case attributes are being checked with SRC-324-1 schematron asserts.
Not Tested
The @use-case attribute in the <ds:data-stream> element SHALL be set to "VULNERABILITY". All @use-case attributes are being checked with SRC-324-1 schematron asserts.
Not Tested
The @use-case attribute in the <ds:data-stream> element SHALL be set to "INVENTORY".
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-327-1 | The @use-case attribute in the <ds:data-stream> element SHALL be set to "INVENTORY". All @use-case attributes are being checked with SRC-324-1 schematron asserts. | Not Tested |
The @use-case attribute in the <ds:data-stream> element SHALL be set to "INVENTORY". All @use-case attributes are being checked with SRC-324-1 schematron asserts.
Not Tested
The @use-case attribute in the <ds:data-stream> element SHALL be set to "INVENTORY". All @use-case attributes are being checked with SRC-324-1 schematron asserts.
Pass
The SCAP source data stream collection SHALL validate against the XML schema representation for the source data stream, as well as all associated Schematron schemas.
The SCAP source data stream collection SHALL validate against the XML schema representation for the source data stream, as well as all Schematron rules associated with that schema. SCAPVal performs the Schema validation against source data streams. Result Schema issues are reported under requirement ID RES-363 Component Schema issues are reported under requirement ID A-10
Pass
The SCAP source data stream collection SHALL validate against the XML schema representation for the source data stream, as well as all Schematron rules associated with that schema. SCAPVal performs the Schema validation against source data streams. Result Schema issues are reported under requirement ID RES-363 Component Schema issues are reported under requirement ID A-10
Pass
If the XCCDF benchmark component references any CPE names, then the SCAP source data stream SHALL include a CPE component, which specifies the products or platforms of interest, and SHALL include one or more OVAL inventory class definitions in an OVAL component that contain the technical procedures for determining whether or not a specific target asset has a product or platform of interest.
If an XCCDF referenced from a data stream contains an <xccdf:platform> or <cpe-lang:fact-ref>, then a CPE dictionary component shall be reference from the same data stream, and an OVAL component with a definition of class "inventory" shall also be referenced.
Pass
If an XCCDF referenced from a data stream contains an <xccdf:platform> or <cpe-lang:fact-ref>, then a CPE dictionary component shall be reference from the same data stream, and an OVAL component with a definition of class "inventory" shall also be referenced.
Pass
If applicable, each component SHALL validate against its associated Schematron schema. For the SCAP source data stream collection, it SHALL validate against the version of the SCAP Schematron rules as specified on the <ds:data-stream-collection> element's @schematron-version attribute, and it SHOULD also validate against the latest Schematron rules.
For the SCAP source data stream collection, it SHALL validate against the version of the SCAP Schematron rules as specified on the <ds:data-stream-collection> element’s @schematron-version attribute. SCAPVal performs the schematron rules validation.
Not Tested
For the SCAP source data stream collection, it SHALL validate against the version of the SCAP Schematron rules as specified on the <ds:data-stream-collection> element’s @schematron-version attribute. SCAPVal performs the schematron rules validation.
SCAP 1.3 source content shall specify schematron-version="1.3"
Pass
SCAP 1.3 source content shall specify schematron-version="1.3"
If applicable, each component SHALL validate against its associated Schematron stylesheet. SCAPVal will run the appropriate schematron against the components.
Pass
If applicable, each component SHALL validate against its associated Schematron stylesheet. SCAPVal will run the appropriate schematron against the components.
| # | Test Result | Message | Context (Line/Column) |
|---|---|---|---|
| 1 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 46627 : 64 |
|
|||
| 2 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 50696 : 50 |
|
|||
| 3 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 50718 : 52 |
|
|||
| 4 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 50812 : 54 |
|
|||
| 5 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 50861 : 52 |
|
|||
| 6 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 50985 : 54 |
|
|||
| 7 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 51033 : 54 |
|
|||
| 8 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 51116 : 54 |
|
|||
| 9 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 51162 : 54 |
|
|||
| 10 | Warning | 'Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5. - TEST: false()' | 51206 : 54 |
|
|||
| Omitting 820 additional results. | |||
Pass
When referencing a CVE, CCE, or CPE identifier, an <xccdf:Rule> element SHALL have a purpose consistent with one of the rows in ~Table 17. Based on the purpose of the <xccdf:Rule> element, the <xccdf:Rule> SHALL define its <xccdf:ident> element's @system attribute using the corresponding value from Table 17. Also, if the <xccdf:Rule> element references an OVAL Definition, it SHALL reference an OVAL Definition of the specified class. ~~Table 17: <xccdf:Rule> and <xccdf:ident> Element Values~Purpose of the <xccdf:Rule>~OVAL Definition Class~Identifier Type~Value for <xccdf:ident> @system attribute~~Check compliance with a configuration setting~compliance~CCE~http://cce.mitre.org~~Perform a software inventory check ~inventory~CPE~http://cpe.mitre.org~~Check for a software flaw vulnerability~vulnerability~CVE~http://cve.mitre.org~~
If an <xccdf:Rule> has an <xccdf:ident> with a CCE and that rule reference an OVAL definition, the definition SHALL have @class 'compliance'.
Pass
If an <xccdf:Rule> has an <xccdf:ident> with a CCE and that rule reference an OVAL definition, the definition SHALL have @class 'compliance'.
If an <xccdf:Rule> has an <xccdf:ident> with a CVE and that rule reference an OVAL definition, the definition SHALL have @class 'vulnerability'.
Pass
If an <xccdf:Rule> has an <xccdf:ident> with a CVE and that rule reference an OVAL definition, the definition SHALL have @class 'vulnerability'.
If an <xccdf:Rule> has an <xccdf:ident> with a CPE and that rule reference an OVAL definition, the definition SHALL have @class 'inventory'.
Pass
If an <xccdf:Rule> has an <xccdf:ident> with a CPE and that rule reference an OVAL definition, the definition SHALL have @class 'inventory'.
Not Tested
Content authors MAY place components in any order.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-332-1 | Content authors MAY place components in any order. | Not Tested |
Content authors MAY place components in any order.
Not Tested
Content authors MAY place components in any order.
Pass
Any single data stream in a data stream collection SHALL NOT reference any component in the collection more than once.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-333-1 | Any single data stream in a data stream collection SHALL NOT reference any component in the collection more than once. | Pass |
Any single data stream in a data stream collection SHALL NOT reference any component in the collection more than once.
Pass
Any single data stream in a data stream collection SHALL NOT reference any component in the collection more than once.
Not Tested
The SCAP components referenced by each <ds:component> and <ds:extended-component> element SHALL validate against the corresponding component schema and its embedded Schematron rules.
The SCAP components referenced by each <ds:component> and <ds:extended-component> element SHALL validate against the corresponding component schema and its embedded Schematron rules. SCAPVal performs the Schematron rules and Schema validation.
Not Tested
The SCAP components referenced by each <ds:component> and <ds:extended-component> element SHALL validate against the corresponding component schema and its embedded Schematron rules. SCAPVal performs the Schematron rules and Schema validation.
Not Tested
The elements listed in Table 15 have special conventions around the format of their identifiers (@id attribute). Authors SHALL follow these conventions because they preserve the global uniqueness of the resulting identifiers. In Table 15, namespace contains a valid reverse-DNS style string (limited to letters, numbers, periods, and the hyphen character) that is associated with the content author. Examples include "com.acme.finance" and "gov.tla". These namespace strings MAY have any number of parts, and SCAP content consumers processing them SHALL treat them as case-insensitive (e.g., com.ABC is considered identical to com.abc). The name in the format conventions SHALL be an NCName-compliant string [XMLS].
The elements listed in Table 15 have special conventions around the format of their identifiers (@id attribute). Authors SHALL follow these conventions because they preserve the global uniqueness of the resulting identifiers. In Table 15, namespace contains a valid reverse-DNS style string (limited to letters, numbers, periods, and the hyphen character) that is associated with the content author. Examples include "com.acme.finance" and "gov.tla". These namespace strings MAY have any number of parts, and SCAP content consumers processing them SHALL treat them as case-insensitive (e.g., com.ABC is considered identical to com.abc). The name in the format conventions SHALL be an NCName-compliant string [XMLS].
Not Tested
The elements listed in Table 15 have special conventions around the format of their identifiers (@id attribute). Authors SHALL follow these conventions because they preserve the global uniqueness of the resulting identifiers. In Table 15, namespace contains a valid reverse-DNS style string (limited to letters, numbers, periods, and the hyphen character) that is associated with the content author. Examples include "com.acme.finance" and "gov.tla". These namespace strings MAY have any number of parts, and SCAP content consumers processing them SHALL treat them as case-insensitive (e.g., com.ABC is considered identical to com.abc). The name in the format conventions SHALL be an NCName-compliant string [XMLS].
Pass
XInclude elements SHALL NOT be included in XCCDF content [XINCLUDE].
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-339-1 | XInclude elements SHALL NOT be included in XCCDF content [XINCLUDE]. | Pass |
XInclude elements SHALL NOT be included in XCCDF content [XINCLUDE].
Pass
XInclude elements SHALL NOT be included in XCCDF content [XINCLUDE].
Pass
The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The @update attribute of the <xccdf:version> element SHOULD be used for a URI that specifies where updates to the benchmark can be obtained.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-341-1 | @update on <xccdf:version> SHOULD be specified | Pass |
@update on <xccdf:version> SHOULD be specified
Pass
@update on <xccdf:version> SHOULD be specified
Pass
Use of the <xccdf:set-complex-value> element within the <xccdf:Profile> element SHALL NOT be allowed.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-343-1 | Use of the <xccdf:set-complex-value> element within the <xccdf:Profile> element SHALL NOT be allowed. | Pass |
Use of the <xccdf:set-complex-value> element within the <xccdf:Profile> element SHALL NOT be allowed.
Pass
Use of the <xccdf:set-complex-value> element within the <xccdf:Profile> element SHALL NOT be allowed.
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OVAL checking system~The @href attribute in the <xccdf:check-content-ref> element SHALL reference an OVAL source data stream component using the <ds:component-ref> approach defined above.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-345-1 | <xccdf:check-content-ref> in an OVAL <xccdf:check> SHALL reference an OVAL component. If your content contains external references, SCAPVal will attempt to resolve it in -online mode. | Pass |
<xccdf:check-content-ref> in an OVAL <xccdf:check> SHALL reference an OVAL component. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Pass
<xccdf:check-content-ref> in an OVAL <xccdf:check> SHALL reference an OVAL component. If your content contains external references, SCAPVal will attempt to resolve it in -online mode.
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OVAL checking system~Use of the @name attribute in the <xccdf:check-content-ref> element is OPTIONAL. If present, it SHALL reference an OVAL Definition in the designated OVAL source data stream component, otherwise see Section 4.5.2 for information on use of the @multi-check attribute.
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OVAL checking system~Use of the @name attribute in the <xccdf:check-content-ref> element is OPTIONAL. If present, it SHALL reference an OVAL Definition in the designated OVAL source data stream component, otherwise see Section 4.5.2 for information on use of the @multi-check attribute.
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OVAL checking system~Use of the @name attribute in the <xccdf:check-content-ref> element is OPTIONAL. If present, it SHALL reference an OVAL Definition in the designated OVAL source data stream component, otherwise see Section 4.5.2 for information on use of the @multi-check attribute.
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~The @href attribute in the <xccdf:check-content-ref> element SHALL reference an OCIL source data stream component using the <ds:component-ref> approach defined above.
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~The @href attribute in the <xccdf:check-content-ref> element SHALL reference an OCIL source data stream component using the <ds:component-ref> approach defined above.
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~The @href attribute in the <xccdf:check-content-ref> element SHALL reference an OCIL source data stream component using the <ds:component-ref> approach defined above.
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~Use of the @name attribute in the <xccdf:check-content-ref> element is OPTIONAL. If present, it SHALL reference an OCIL questionnaire in the designated OCIL source data stream component, otherwise see Section 4.5.2 for information on use of the @multi-check attribute.
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~Use of the @name attribute in the <xccdf:check-content-ref> element is OPTIONAL. If present, it SHALL reference an OCIL questionnaire in the designated OCIL source data stream component, otherwise see Section 4.5.2 for information on use of the @multi-check attribute.
Pass
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~Use of the @name attribute in the <xccdf:check-content-ref> element is OPTIONAL. If present, it SHALL reference an OCIL questionnaire in the designated OCIL source data stream component, otherwise see Section 4.5.2 for information on use of the @multi-check attribute.
Not Tested
Checklist authors SHOULD ensure that each CPE name [CPE-N] they specify in an <xccdf:platform> or <cpe2:fact-ref> element within an XCCDF document has a check associated with its CPE name. If a corresponding check does not exist, then it will not be possible to fully detect the presence of the product and determine platform applicability. Because there may be a lag between the time that a new product is available and the Official CPE Dictionary is updated to include a CPE name for that product, third-party dictionaries would need to be used to compensate for the lag.
Checklist authors SHOULD ensure that each CPE name [CPE-N] they specify in an <xccdf:platform> or <cpe2:fact-ref> element within an XCCDF document has a check associated with its CPE name. This optional requirement is not currently checked.
Not Tested
Checklist authors SHOULD ensure that each CPE name [CPE-N] they specify in an <xccdf:platform> or <cpe2:fact-ref> element within an XCCDF document has a check associated with its CPE name. This optional requirement is not currently checked.
Not Tested
One or more XML digital signatures MAY be included as the last elements in the SCAP source data stream collection root element.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-360-1 | One or more XML digital signatures MAY be included as the last elements in the SCAP source data stream collection root element. | Not Tested |
One or more XML digital signatures MAY be included as the last elements in the SCAP source data stream collection root element.
Not Tested
One or more XML digital signatures MAY be included as the last elements in the SCAP source data stream collection root element.
Not Tested
Note that as stated in Table 3 in Section 3.1, each data stream is required to have a @use-case attribute in its <ds:data-stream> element with a value corresponding either to one of the content types defined in this section or to "OTHER", for data streams not corresponding to a defined use case.
Note that as stated in Table 3 in Section 3.1, each data stream is required to have a @use-case attribute in its <ds:data-stream> element with a value corresponding either to one of the content types defined in this section or to "OTHER", for data streams not corresponding to a defined use case.
Not Tested
Note that as stated in Table 3 in Section 3.1, each data stream is required to have a @use-case attribute in its <ds:data-stream> element with a value corresponding either to one of the content types defined in this section or to "OTHER", for data streams not corresponding to a defined use case.
Pass
When implementing a patches up-to-date XCCDF rule that checks for patches via a single OVAL patch class definition, the following approach SHALL be used:~The source data stream SHALL include the OVAL source data stream component referenced by the patches up-to-date rule, which contains one or more OVAL patch class definitions, and MAY contain other class definitions.
An xccdf:Rule with @id "xccdf_NAMESPACE_rule_security_patches_up_to_date" and @multi-check=false the rule MUST reference an OVAL component and a single oval definition of class 'patch'. If your content contains external references, SCAPVal will attempt to resolve them in -online mode.
Pass
An xccdf:Rule with @id "xccdf_NAMESPACE_rule_security_patches_up_to_date" and @multi-check=false the rule MUST reference an OVAL component and a single oval definition of class 'patch'. If your content contains external references, SCAPVal will attempt to resolve them in -online mode.
Pass
When implementing a patches up-to-date XCCDF rule that checks for patches via a single OVAL definition, the following approach SHALL be used:~Each <xccdf:check-content-ref> element SHALL refer to the single OVAL definition performing the patches up-to-date check.
When implementing a patches up-to-date XCCDF rule that checks for patches via a single OVAL definition the xccdf:check-content-ref> element SHALL refer to the single OVAL definition performing the patches up-to-date check.
Pass
When implementing a patches up-to-date XCCDF rule that checks for patches via a single OVAL definition the xccdf:check-content-ref> element SHALL refer to the single OVAL definition performing the patches up-to-date check.
Not Tested
When implementing a patches up-to-date XCCDF rule that checks for patches via a single OVAL definition, the following approach SHALL be used:~The @multi-check attribute of the <xccdf:check> element SHALL be set to "false", which is the default value.
SRC-377-1 covers this check. When the @multi-check attribute of the <xccdf:check> element SHALL is set to "false" (this is the default). This Patches Up-To-Date Rule is not considered a multi-check and must a single OVAL Patch definition references.
Not Tested
SRC-377-1 covers this check. When the @multi-check attribute of the <xccdf:check> element SHALL is set to "false" (this is the default). This Patches Up-To-Date Rule is not considered a multi-check and must a single OVAL Patch definition references.
Not Tested
Since the required CVSS version has been updated in SCAP 1.3 to CVSS v3, CVSS v3 scores SHOULD be used instead of CVSS v2 scores when a v3 score is available.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-381-1 | Since the required CVSS version has been updated in SCAP 1.3 to CVSS v3, CVSS v3 scores SHOULD be used instead of CVSS v2 scores when a v3 score is available. | Not Tested |
Since the required CVSS version has been updated in SCAP 1.3 to CVSS v3, CVSS v3 scores SHOULD be used instead of CVSS v2 scores when a v3 score is available.
Not Tested
Since the required CVSS version has been updated in SCAP 1.3 to CVSS v3, CVSS v3 scores SHOULD be used instead of CVSS v2 scores when a v3 score is available.
Pass
The type and value binding of the specified <xccdf:Value> is constrained to match that lexical representation of the indicated OVAL Variable data type. Table 18 summarizes the constraints regarding data type usage. Additional information regarding OVAL data types can be found in the OVAL Language documentation and the XCCDF specification [XCCDF]. Additional information on OVAL data types may also be added to Section 4 of the SCAP 1.3 annex document, NIST SP 800-126A.~Table 18: XCCDF-OVAL Data Export Matching Constraints~OVAL Variable Data Type~Matching XCCDF Data Type~ ~int~number~~float~number~~boolean~boolean~~string, evr_string, version, ios_version, fileset_revision, binary~string~~
Values of XCCDF datatype 'number', when bound to OVAL variables, the OVAL variables must be of the following OVAL types: int, float
Pass
Values of XCCDF datatype 'number', when bound to OVAL variables, the OVAL variables must be of the following OVAL types: int, float
Values of XCCDF datatype 'boolean', when bound to OVAL variables, the OVAL variables must be the following OVAL type: boolean
Pass
Values of XCCDF datatype 'boolean', when bound to OVAL variables, the OVAL variables must be the following OVAL type: boolean
Values of XCCDF datatype 'string', when bound to OVAL variables, the OVAL variables must be of the following OVAL types: string, evr_string, version, ios_version, fileset_revision, binary
Pass
Values of XCCDF datatype 'string', when bound to OVAL variables, the OVAL variables must be of the following OVAL types: string, evr_string, version, ios_version, fileset_revision, binary
Warning
The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The @style attribute SHOULD have the value "SCAP_1.3".
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-4-1 | The style attribute of the <xccdf:Benchmark> element SHOULD contain the value "SCAP_1.3". | Warning |
The style attribute of the <xccdf:Benchmark> element SHOULD contain the value "SCAP_1.3".
Warning
The style attribute of the <xccdf:Benchmark> element SHOULD contain the value "SCAP_1.3".
| # | Test Result | Message | Context (Line/Column) |
|---|---|---|---|
| 1 | Fail | 'xccdf:Benchmark xccdf_org.ssgproject.content_benchmark_RHEL-8' | 46583 : 119 |
|
|||
Pass
The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The <xccdf:status> element SHALL indicate the current status of the benchmark document. The associated text value SHALL be "draft" for documents released in public draft state and "accepted" for documents that have been officially released by an organization. The @date attribute SHALL be populated with the date of the status change. Additional <xccdf:status> elements MAY be included to indicate historic status transitions.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-5-1 | The <xccdf:status> element SHALL have value 'draft' or 'accepted' | Pass |
| SRC-5-2 | The "date" attribute of the <xccdf:status> element SHALL be populated with the date of the last status change. | Pass |
The <xccdf:status> element SHALL have value 'draft' or 'accepted'
Pass
The <xccdf:status> element SHALL have value 'draft' or 'accepted'
The "date" attribute of the <xccdf:status> element SHALL be populated with the date of the last status change.
Pass
The "date" attribute of the <xccdf:status> element SHALL be populated with the date of the last status change.
Not Tested
The version of any particular OVAL document instance SHALL be specified using the <oval:schema_version> content element of the <oval:generator> element, as in this example: ~ <oval:generator>~ <oval:product_name>The OVAL Repository</oval:product_name>~ <oval:schema_version>5.11</oval:schema_version>~ </oval:generator>
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-52-1 | OVAL content SHALL include the <oval:generator> and <oval:schema_version> elements. | Not Tested |
OVAL content SHALL include the <oval:generator> and <oval:schema_version> elements.
Not Tested
OVAL content SHALL include the <oval:generator> and <oval:schema_version> elements.
Not Tested
If an <oval-var:oval_variables> element is used to carry variable values between an XCCDF processor and an OVAL processor, the <oval:schema_version> of the <oval-var:oval_variables> element SHALL be the same as that of the <oval-def:oval_definitions> element whose external variables are bound by the <oval-var:oval_variables> element.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-54-1 | All SCAP OVAL variables content that does not match the <oval-var:schema_version> of it corresponding OVAL definitions source it shall be considered in error. | Not Tested |
All SCAP OVAL variables content that does not match the <oval-var:schema_version> of it corresponding OVAL definitions source it shall be considered in error.
Not Tested
All SCAP OVAL variables content that does not match the <oval-var:schema_version> of it corresponding OVAL definitions source it shall be considered in error.
Not Tested
The referenced OVAL inventory class definition SHALL specify the technical procedure for determining whether or not a specific target asset is an instance of the CPE name specified by the <cpe2_dict:cpe-item> element. This usage is encouraged for CPE components.
The referenced OVAL inventory class definition SHALL specify the technical procedure for determining whether or not a specific target asset is an instance of the CPE name specified by the <cpe2_dict:cpe-item> element. This usage is encouraged for CPE components.
Not Tested
The referenced OVAL inventory class definition SHALL specify the technical procedure for determining whether or not a specific target asset is an instance of the CPE name specified by the <cpe2_dict:cpe-item> element. This usage is encouraged for CPE components.
Pass
If a <cpe2_dict:cpe-item> element contained in a CPE component references an OVAL inventory class definition, then that definition SHALL be resolved by an @href attribute referencing an OVAL source data stream component in the same data stream.
For all SCAP <cpe-dict:cpe-item>'s specified the CPE dictionary component of an SCAP datastream that contain a cpe-dict:check element, that cpe-dict:check element SHALL refer to an OVAL inventory definition in the same SCAP data stream
Pass
For all SCAP <cpe-dict:cpe-item>'s specified the CPE dictionary component of an SCAP datastream that contain a cpe-dict:check element, that cpe-dict:check element SHALL refer to an OVAL inventory definition in the same SCAP data stream
Pass
SCAP content referencing a configuration setting SHALL use the official CCE identifier if a CCE entry for a particular configuration setting exists in the official CCE list.
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-74-1 | All CCE references SHOULD be in the official CCE dictionary. | Pass |
All CCE references SHOULD be in the official CCE dictionary.
Pass
All CCE references SHOULD be in the official CCE dictionary.
Pass
The following requirements and recommendations apply to the <xccdf:Benchmark> element:~The <xccdf:metadata> element SHALL be provided and SHALL, at minimum, contain the Dublin Core [DCES] terms from Table 16. If provided, additional Dublin Core terms SHALL follow the required terms within the element sequence.~Table 16: Use of Dublin Core Terms in <xccdf:metadata>~Dublin Core Term~Description of Use~~<dc:creator>~The person, organization, and/or service that created the benchmark~~<dc:publisher>~The person, organization, and/or service that published the benchmark~~<dc:contributor>~The person, organization, and/or service that contributed to the creation of the benchmark~~<dc:source>~An identifier that indicates the organizational context of the benchmark's @id attribute. An organizationally specific URI SHOULD be used.~~
| Derived Requirement # | Summary | Result |
|---|---|---|
| SRC-8-1 | xccdf:Benchmark/xccdf:metadata SHALL contain, at minimum, one of each of the Dublin Core terms <dc:creator>, <dc:publisher>, <dc:contributor>, <dc:source> | Pass |
| SRC-8-2 | The <xccdf:metadata> element SHALL be provided in the <xccdf:Benchmark> element. | Pass |
xccdf:Benchmark/xccdf:metadata SHALL contain, at minimum, one of each of the Dublin Core terms <dc:creator>, <dc:publisher>, <dc:contributor>, <dc:source>
Pass
xccdf:Benchmark/xccdf:metadata SHALL contain, at minimum, one of each of the Dublin Core terms <dc:creator>, <dc:publisher>, <dc:contributor>, <dc:source>
The <xccdf:metadata> element SHALL be provided in the <xccdf:Benchmark> element.
Pass
The <xccdf:metadata> element SHALL be provided in the <xccdf:Benchmark> element.
Pass
The following requirements and conventions apply to the <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule> elements:~One or more instances of the <xccdf:title> element SHALL be provided. Each instance SHALL contain a text value that briefly indicates the purpose of the containing element.
For all <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule>, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error.
Pass
For all <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule>, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error.
For all <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule>, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error.
Pass
For all <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule>, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error.
For all <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule>, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error.
Pass
For all <xccdf:Benchmark>, <xccdf:Profile>, <xccdf:Value>, <xccdf:Group>, and <xccdf:Rule>, check for the existence of <xccdf:title>; if not found, the content shall be considered to be in error.
Not Tested
Content consumers supporting SCAP 1.3 SHALL be capable of processing SCAP 1.3 content and the legacy SCAP 1.2 and 1.1 content versions. Content consumers SHALL process SCAP content as defined under the corresponding version of NIST SP 800-126 (for SCAP 1.3, this revision; for SCAP 1.2, revision 2; for SCAP 1.1, revision 1).
Content consumers supporting SCAP 1.3 SHALL be capable of processing SCAP 1.3 content and the legacy SCAP 1.2 and 1.1 content versions. Content consumers SHALL process SCAP content as defined under the corresponding version of NIST SP 800-126 (for SCAP 1.3, this revision; for SCAP 1.2, revision 2; for SCAP 1.1, revision 1).
Not Tested
Content consumers supporting SCAP 1.3 SHALL be capable of processing SCAP 1.3 content and the legacy SCAP 1.2 and 1.1 content versions. Content consumers SHALL process SCAP content as defined under the corresponding version of NIST SP 800-126 (for SCAP 1.3, this revision; for SCAP 1.2, revision 2; for SCAP 1.1, revision 1).
Not Tested
In order to be SCAP conformant, an SCAP content consumer SHALL be able to produce all the types of OVAL Results output described below. The specific result output SHALL be configurable within the SCAP content consumer.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-141-1 | In order to be SCAP conformant, an SCAP content consumer SHALL be able to produce all the types of OVAL Results output described below. The specific result output SHALL be configurable within the SCAP content consumer. | Not Tested |
In order to be SCAP conformant, an SCAP content consumer SHALL be able to produce all the types of OVAL Results output described below. The specific result output SHALL be configurable within the SCAP content consumer.
Not Tested
In order to be SCAP conformant, an SCAP content consumer SHALL be able to produce all the types of OVAL Results output described below. The specific result output SHALL be configurable within the SCAP content consumer.
Not Tested
Each OVAL result data stream component SHALL validate against at least one version of the OVAL Results schema that corresponds to an OVAL component specification version specified in Section 2 of the annex, regardless of the version of the OVAL Definitions document that was evaluated.
The following requirements and recommendations pertain to content consumers generating OVAL result data stream components.~Each OVAL result data stream component SHALL validate against version 5.11.2 of the OVAL Results schema regardless of the version of the OVAL Definitions document that was evaluated. SCAPVal implements this.
Not Tested
The following requirements and recommendations pertain to content consumers generating OVAL result data stream components.~Each OVAL result data stream component SHALL validate against version 5.11.2 of the OVAL Results schema regardless of the version of the OVAL Definitions document that was evaluated. SCAPVal implements this.
Not Tested
Content consumers SHALL be capable of validating SCAP content against the appropriate schemas and Schematron stylesheets, detecting and reporting errors, and failing gracefully if there are errors.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-218-1 | Content consumers SHALL be capable of validating SCAP content against the appropriate schemas and Schematron stylesheets, detecting and reporting errors, and failing gracefully if there are errors. | Not Tested |
Content consumers SHALL be capable of validating SCAP content against the appropriate schemas and Schematron stylesheets, detecting and reporting errors, and failing gracefully if there are errors.
Not Tested
Content consumers SHALL be capable of validating SCAP content against the appropriate schemas and Schematron stylesheets, detecting and reporting errors, and failing gracefully if there are errors.
Not Tested
If an XCCDF component has multiple <xccdf:check-content-ref> elements, then check processing SHALL be performed according to [XCCDF:7.2.3.5.1] with the following changes:~For each <xccdf:check-content-ref> element, a content consumer either SHALL attempt to retrieve the document referenced by the <ds:component-ref> element that is referenced directly by the <xccdf:check-content-ref> element's @href attribute, or it SHALL resolve the @href attribute within the context of the XML Catalog specified as part of the <ds:component-ref> element used to reference this benchmark. If not resolvable, the next available <xccdf:check-content-ref> element SHALL be evaluated. If none of the <xccdf:check-content-ref> elements are resolvable, then the result of the rule evaluation SHALL be the XCCDF "notchecked" status and processing of the check SHALL end
If an XCCDF component has multiple <xccdf:check-content-ref> elements, then check processing SHALL be performed according to [XCCDF:7.2.3.5.1] with the following changes:~For each <xccdf:check-content-ref> element, a content consumer either SHALL attempt to retrieve the document referenced by the <ds:component-ref> element that is referenced directly by the <xccdf:check-content-ref> element's @href attribute, or it SHALL resolve the @href attribute within the context of the XML Catalog specified as part of the <ds:component-ref> element used to reference this benchmark. If not resolvable, the next available <xccdf:check-content-ref> element SHALL be evaluated. If none of the <xccdf:check-content-ref> elements are resolvable, then the result of the rule evaluation SHALL be the XCCDF "notchecked" status and processing of the check SHALL end
Not Tested
If an XCCDF component has multiple <xccdf:check-content-ref> elements, then check processing SHALL be performed according to [XCCDF:7.2.3.5.1] with the following changes:~For each <xccdf:check-content-ref> element, a content consumer either SHALL attempt to retrieve the document referenced by the <ds:component-ref> element that is referenced directly by the <xccdf:check-content-ref> element's @href attribute, or it SHALL resolve the @href attribute within the context of the XML Catalog specified as part of the <ds:component-ref> element used to reference this benchmark. If not resolvable, the next available <xccdf:check-content-ref> element SHALL be evaluated. If none of the <xccdf:check-content-ref> elements are resolvable, then the result of the rule evaluation SHALL be the XCCDF "notchecked" status and processing of the check SHALL end
Not Tested
If an XCCDF component has multiple <xccdf:check-content-ref> elements, then check processing SHALL be performed according to [XCCDF:7.2.3.5.1] with the following changes:~Once a resolvable <xccdf:check-content-ref> element is found, then checking system processing SHALL proceed. When evaluating a rule, an <xccdf:rule-result/xccdf:message> with the @severity attribute value of "info" SHALL be generated, indicating the <xccdf:check-content-ref> @href attribute and @name attribute, if provided.
If an XCCDF component has multiple <xccdf:check-content-ref> elements, then check processing SHALL be performed according to [XCCDF:7.2.3.5.1] with the following changes:~Once a resolvable <xccdf:check-content-ref> element is found, then checking system processing SHALL proceed. When evaluating a rule, an <xccdf:rule-result/xccdf:message> with the @severity attribute value of "info" SHALL be generated, indicating the <xccdf:check-content-ref> @href attribute and @name attribute, if provided.
Not Tested
If an XCCDF component has multiple <xccdf:check-content-ref> elements, then check processing SHALL be performed according to [XCCDF:7.2.3.5.1] with the following changes:~Once a resolvable <xccdf:check-content-ref> element is found, then checking system processing SHALL proceed. When evaluating a rule, an <xccdf:rule-result/xccdf:message> with the @severity attribute value of "info" SHALL be generated, indicating the <xccdf:check-content-ref> @href attribute and @name attribute, if provided.
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~Each XCCDF result data stream component SHALL comply with the XCCDF Results schema.
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~Each XCCDF result data stream component SHALL comply with the XCCDF Results schema. SCAPVal validates XCCDF content with the XCCDF schema
Not Tested
The following requirements and recommendations pertain to content consumers generating XCCDF result data stream components.~Each XCCDF result data stream component SHALL comply with the XCCDF Results schema. SCAPVal validates XCCDF content with the XCCDF schema
Not Tested
If no CCE entry exists for the configuration setting of interest, the content author SHOULD seek to have a CCE identifier issued for the configuration setting.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-269-1 | If no CCE entry exists for the configuration setting of interest, the content author SHOULD seek to have a CCE identifier issued for the configuration setting. | Not Tested |
If no CCE entry exists for the configuration setting of interest, the content author SHOULD seek to have a CCE identifier issued for the configuration setting.
Not Tested
If no CCE entry exists for the configuration setting of interest, the content author SHOULD seek to have a CCE identifier issued for the configuration setting.
Not Tested
When processing a patches up-to-date rule, only OVAL patch class definitions SHALL be evaluated; all other classes of definitions (e.g., inventory class definitions) SHALL NOT be evaluated except when they serve, directly or indirectly, as criteria (extended definitions) of patch definitions.
When processing a patches up-to-date rule, only OVAL patch class definitions SHALL be evaluated; all other classes of definitions (e.g., inventory class definitions) SHALL NOT be evaluated except when they serve, directly or indirectly, as criteria (extended definitions) of patch definitions.
Not Tested
When processing a patches up-to-date rule, only OVAL patch class definitions SHALL be evaluated; all other classes of definitions (e.g., inventory class definitions) SHALL NOT be evaluated except when they serve, directly or indirectly, as criteria (extended definitions) of patch definitions.
Not Tested
The <dsig:Signature> element SHALL follow the recommendations in [TMSAD]
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-283-1 | The <dsig:Signature> element SHALL follow the recommendations in [TMSAD] SCAPVal runs the tmsad.1.0.sch schematron against SCAP content along with XML schema validation. | Not Tested |
The <dsig:Signature> element SHALL follow the recommendations in [TMSAD] SCAPVal runs the tmsad.1.0.sch schematron against SCAP content along with XML schema validation.
Not Tested
The <dsig:Signature> element SHALL follow the recommendations in [TMSAD] SCAPVal runs the tmsad.1.0.sch schematron against SCAP content along with XML schema validation.
Not Tested
Content consumers SHOULD validate XML digital signatures if they exist in the content. Validating a signature includes confirming that the signature value is valid, all of the reference hashes in the signature and manifest are correct, and the public key used to verify the signature is from a trusted source. A data stream with a signature that does not validate SHOULD NOT be evaluated by a content consumer.
Content consumers SHOULD validate XML digital signatures if they exist in the content. Validating a signature includes confirming that the signature value is valid, all of the reference hashes in the signature and manifest are correct, and the public key used to verify the signature is from a trusted source. A data stream with a signature that does not validate SHOULD NOT be evaluated by a content consumer.
Not Tested
Content consumers SHOULD validate XML digital signatures if they exist in the content. Validating a signature includes confirming that the signature value is valid, all of the reference hashes in the signature and manifest are correct, and the public key used to verify the signature is from a trusted source. A data stream with a signature that does not validate SHOULD NOT be evaluated by a content consumer.
Not Tested
If more than one <ds:data-stream> element is specified on the <ds:data-stream-collection>, the ID of the <ds:data-stream> to execute SHALL be indicated to the content consumer, and the content consumer SHALL use the specified <ds:data-stream>
If more than one <ds:data-stream> element is specified on the <ds:data-stream-collection>, the ID of the <ds:data-stream> to execute SHALL be indicated to the content consumer, and the content consumer SHALL use the specified <ds:data-stream>
Not Tested
If more than one <ds:data-stream> element is specified on the <ds:data-stream-collection>, the ID of the <ds:data-stream> to execute SHALL be indicated to the content consumer, and the content consumer SHALL use the specified <ds:data-stream>
Not Tested
If more than one <xccdf:Benchmark> is referenced by a <ds:data-stream>, the ID of the <xccdf:Benchmark> to execute SHALL be indicated to the content consumer, and the content consumer SHALL process the indicated <xccdf:Benchmark>
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-294-1 | If more than one <xccdf:Benchmark> is referenced by a <ds:data-stream>, the ID of the <xccdf:Benchmark> to execute SHALL be indicated to the content consumer, and the content consumer SHALL process the indicated <xccdf:Benchmark> | Not Tested |
If more than one <xccdf:Benchmark> is referenced by a <ds:data-stream>, the ID of the <xccdf:Benchmark> to execute SHALL be indicated to the content consumer, and the content consumer SHALL process the indicated <xccdf:Benchmark>
Not Tested
If more than one <xccdf:Benchmark> is referenced by a <ds:data-stream>, the ID of the <xccdf:Benchmark> to execute SHALL be indicated to the content consumer, and the content consumer SHALL process the indicated <xccdf:Benchmark>
Not Tested
CPEs referenced in an <xccdf:platform> element directly or by a <cpe2:fact-ref> contained within a referenced <cpe2:platform-specification> element SHALL be evaluated as follows to determine their presence on a machine:~The CPE SHALL be matched against all CPEs in all of the dictionaries referenced by the <ds:data-stream> element. All CPEs that return an EQUAL or SUPERSET result as defined in CPE Name Matching [CPE-M] SHALL be used in evaluating the <xccdf:platform> or <cpe2:fact-ref>.
CPEs referenced in an <xccdf:platform> element directly or by a <cpe2:fact-ref> contained within a referenced <cpe2:platform-specification> element SHALL be evaluated as follows to determine their presence on a machine:~The CPE SHALL be matched against all CPEs in all of the dictionaries referenced by the <ds:data-stream> element. All CPEs that return an EQUAL or SUPERSET result as defined in CPE Name Matching [CPE-M] SHALL be used in evaluating the <xccdf:platform> or <cpe2:fact-ref>.
Not Tested
CPEs referenced in an <xccdf:platform> element directly or by a <cpe2:fact-ref> contained within a referenced <cpe2:platform-specification> element SHALL be evaluated as follows to determine their presence on a machine:~The CPE SHALL be matched against all CPEs in all of the dictionaries referenced by the <ds:data-stream> element. All CPEs that return an EQUAL or SUPERSET result as defined in CPE Name Matching [CPE-M] SHALL be used in evaluating the <xccdf:platform> or <cpe2:fact-ref>.
Not Tested
CPEs referenced in an <xccdf:platform> element directly or by a <cpe2:fact-ref> contained within a referenced <cpe2:platform-specification> element SHALL be evaluated as follows to determine their presence on a machine:~Either a list of CPEs found on the target asset MUST be known before the scan, or a list SHALL be generated. If a previously known list is used, it MUST be equivalent to a newly generated list. To generate the list, the <cpe2_dict:check> element data associated with the found <cpe2_dict:cpe-item> elements SHALL be evaluated against the target using the referenced OVAL inventory class definition. If a <cpe2_dict:check> returns "pass", then the corresponding CPE SHALL be added to the list of CPEs found on the target.
CPEs referenced in an <xccdf:platform> element directly or by a <cpe2:fact-ref> contained within a referenced <cpe2:platform-specification> element SHALL be evaluated as follows to determine their presence on a machine:~Either a list of CPEs found on the target asset SHALL be known before the scan, or a list SHALL be generated. If a previously known list is used, it SHALL be equivalent to a newly generated list. To generate the list, the <cpe2_dict:check> element data associated with the found <cpe2_dict:cpe-item> elements SHALL be evaluated against the target using the referenced OVAL inventory class definition. If a <cpe2_dict:check> returns "pass", then the corresponding CPE SHALL be added to the list of CPEs found on the target.
Not Tested
CPEs referenced in an <xccdf:platform> element directly or by a <cpe2:fact-ref> contained within a referenced <cpe2:platform-specification> element SHALL be evaluated as follows to determine their presence on a machine:~Either a list of CPEs found on the target asset SHALL be known before the scan, or a list SHALL be generated. If a previously known list is used, it SHALL be equivalent to a newly generated list. To generate the list, the <cpe2_dict:check> element data associated with the found <cpe2_dict:cpe-item> elements SHALL be evaluated against the target using the referenced OVAL inventory class definition. If a <cpe2_dict:check> returns "pass", then the corresponding CPE SHALL be added to the list of CPEs found on the target.
Not Tested
CPEs referenced in an <xccdf:platform> element directly or by a <cpe2:fact-ref> contained within a referenced <cpe2:platform-specification> element SHALL be evaluated as follows to determine their presence on a machine:~The list of CPEs found on the target asset, along with the <xccdf:platform> or <cpe2:platform-specification> SHALL be used as input to the CPE Applicability Language [CPE-L] algorithm to determine the XCCDF Benchmark applicability to the target asset.
CPEs referenced in an <xccdf:platform> element directly or by a <cpe2:fact-ref> contained within a referenced <cpe2:platform-specification> element SHALL be evaluated as follows to determine their presence on a machine:~The list of CPEs found on the target asset, along with the <xccdf:platform> or <cpe2:platform-specification> SHALL be used as input to the CPE Applicability Language [CPE-L] algorithm to determine the XCCDF Benchmark applicability to the target asset.
Not Tested
CPEs referenced in an <xccdf:platform> element directly or by a <cpe2:fact-ref> contained within a referenced <cpe2:platform-specification> element SHALL be evaluated as follows to determine their presence on a machine:~The list of CPEs found on the target asset, along with the <xccdf:platform> or <cpe2:platform-specification> SHALL be used as input to the CPE Applicability Language [CPE-L] algorithm to determine the XCCDF Benchmark applicability to the target asset.
Not Tested
The ARF report SHALL contain a report object for each XCCDF, OVAL, and OCIL component executed when a source data stream is evaluated against a target
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-298-1 | The ARF report SHALL contain a report object for each XCCDF, OVAL, and OCIL component executed when a source data stream is evaluated against a target | Not Tested |
The ARF report SHALL contain a report object for each XCCDF, OVAL, and OCIL component executed when a source data stream is evaluated against a target
Not Tested
The ARF report SHALL contain a report object for each XCCDF, OVAL, and OCIL component executed when a source data stream is evaluated against a target
Not Tested
The signature MUST be represented as a <dsig:Signature> element and MUST follow the W3C recommendation [DSIG].
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-308-1 | The signature MUST be represented as a <dsig:Signature> element and MUST follow the W3C recommendation [DSIG]. SCAPVal runs the tmsad.1.0.sch schematron against SCAP content along with XML schema validation. | Not Tested |
The signature MUST be represented as a <dsig:Signature> element and MUST follow the W3C recommendation [DSIG]. SCAPVal runs the tmsad.1.0.sch schematron against SCAP content along with XML schema validation.
Not Tested
The signature MUST be represented as a <dsig:Signature> element and MUST follow the W3C recommendation [DSIG]. SCAPVal runs the tmsad.1.0.sch schematron against SCAP content along with XML schema validation.
Not Tested
The <dsig:Signature> element SHALL follow the recommendations in [TMSAD]
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-310-1 | The <dsig:Signature> element SHALL follow the recommendations in [TMSAD] SCAPVal runs the tmsad-1.0.sch schematron against SCAP content along with XML schema validation. | Not Tested |
The <dsig:Signature> element SHALL follow the recommendations in [TMSAD] SCAPVal runs the tmsad-1.0.sch schematron against SCAP content along with XML schema validation.
Not Tested
The <dsig:Signature> element SHALL follow the recommendations in [TMSAD] SCAPVal runs the tmsad-1.0.sch schematron against SCAP content along with XML schema validation.
Not Tested
Schematron rules to check well-formed SCAP content. The Schematron schemas for the SCAP specification and its applicable component specifications are located at https://scap.nist.gov/revision/1.3/#schematron. Source content SHOULD pass all Schematron assertions in the Schematron rule files. When creating source content, failed assertions with a "WARNING" or "INFO" flag MAY be disregarded if the assertion discovers an issue in the content that is justifiable and expected based on the needs of the content author. When executing source content, all failed assertions with a "WARNING" or "INFO" flag SHALL be disregarded.
Schematron rules to check well-formed SCAP content. The Schematron schemas for the SCAP specification and its applicable component specifications are located at https://scap.nist.gov/revision/1.3/#schematron. Source content SHOULD pass all Schematron assertions in the Schematron rule files. When creating source content, failed assertions with a "WARNING" or "INFO" flag MAY be disregarded if the assertion discovers an issue in the content that is justifiable and expected based on the needs of the content author. When executing source content, all failed assertions with a "WARNING" or "INFO" flag SHALL be disregarded.
Not Tested
Schematron rules to check well-formed SCAP content. The Schematron schemas for the SCAP specification and its applicable component specifications are located at https://scap.nist.gov/revision/1.3/#schematron. Source content SHOULD pass all Schematron assertions in the Schematron rule files. When creating source content, failed assertions with a "WARNING" or "INFO" flag MAY be disregarded if the assertion discovers an issue in the content that is justifiable and expected based on the needs of the content author. When executing source content, all failed assertions with a "WARNING" or "INFO" flag SHALL be disregarded.
Not Tested
The latest Schematron schema SHOULD be used in place of any earlier versions. If the latest file is unavailable, the version specified on the <ds:data-stream-collection> element's @schematron-version attribute SHALL be used instead.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-336-1 | The latest Schematron schema SHOULD be used in place of any earlier versions. If the latest file is unavailable, the version specified on the <ds:data-stream-collection> element's @schematron-version attribute SHALL be used instead. | Not Tested |
The latest Schematron schema SHOULD be used in place of any earlier versions. If the latest file is unavailable, the version specified on the <ds:data-stream-collection> element's @schematron-version attribute SHALL be used instead.
Not Tested
The latest Schematron schema SHOULD be used in place of any earlier versions. If the latest file is unavailable, the version specified on the <ds:data-stream-collection> element's @schematron-version attribute SHALL be used instead.
Not Tested
Also, for the component specifications, the Schematron schema on the SCAP website SHALL be used in place of any corresponding Schematron schema available elsewhere.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-337-1 | Also, for the component specifications, the Schematron schema on the SCAP website SHALL be used in place of any corresponding Schematron schema available elsewhere. | Not Tested |
Also, for the component specifications, the Schematron schema on the SCAP website SHALL be used in place of any corresponding Schematron schema available elsewhere.
Not Tested
Also, for the component specifications, the Schematron schema on the SCAP website SHALL be used in place of any corresponding Schematron schema available elsewhere.
Not Tested
All remaining OPTIONAL elements in the XCCDF schema MAY be included at the author's discretion unless otherwise noted in this document.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-340-1 | All remaining OPTIONAL elements in the XCCDF schema MAY be included at the author's discretion unless otherwise noted in this document. | Not Tested |
All remaining OPTIONAL elements in the XCCDF schema MAY be included at the author's discretion unless otherwise noted in this document.
Not Tested
All remaining OPTIONAL elements in the XCCDF schema MAY be included at the author's discretion unless otherwise noted in this document.
Not Tested
As stated in the XCCDF specification, the use of an <xccdf:Profile> element is not required.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-342-1 | As stated in the XCCDF specification, the use of an <xccdf:Profile> element is not required. | Not Tested |
As stated in the XCCDF specification, the use of an <xccdf:Profile> element is not required.
Not Tested
As stated in the XCCDF specification, the use of an <xccdf:Profile> element is not required.
Not Tested
See Section 4.5.1 for information on the meaning of a "pass/fail" rule result relating to each of the identifier types in Table 17. All rules that contain CCE, CPE, or CVE entries in their <xccdf:ident> elements SHALL obey these meanings. As a result, such <xccdf:ident> elements SHALL only be included either if the recommendation is identical to these associated meanings or if they have a @con:negate attribute (as described in Section 4.5.1) set to comply with the intended meaning (by default, @con:negate is set to false). In SCAP, an <xccdf:ident> element is not simply a reference to related material – it is a declaration of exact alignment with the described meanings.
See Section 4.5.1 for information on the meaning of a "pass/fail" rule result relating to each of the identifier types in Table 17. All rules that contain CCE, CPE, or CVE entries in their <xccdf:ident> elements SHALL obey these meanings. As a result, such <xccdf:ident> elements SHALL only be included either if the recommendation is identical to these associated meanings or if they have a @con:negate attribute (as described in Section 4.5.1) set to comply with the intended meaning (by default, @con:negate is set to false). In SCAP, an <xccdf:ident> element is not simply a reference to related material – it is a declaration of exact alignment with the described meanings.
Not Tested
See Section 4.5.1 for information on the meaning of a "pass/fail" rule result relating to each of the identifier types in Table 17. All rules that contain CCE, CPE, or CVE entries in their <xccdf:ident> elements SHALL obey these meanings. As a result, such <xccdf:ident> elements SHALL only be included either if the recommendation is identical to these associated meanings or if they have a @con:negate attribute (as described in Section 4.5.1) set to comply with the intended meaning (by default, @con:negate is set to false). In SCAP, an <xccdf:ident> element is not simply a reference to related material – it is a declaration of exact alignment with the described meanings.
Not Tested
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system ~OCIL questionnaires SHOULD NOT be used if OVAL can perform the same check correctly.
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system ~OCIL questionnaires SHOULD NOT be used if OVAL can perform the same check correctly.
Not Tested
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system ~OCIL questionnaires SHOULD NOT be used if OVAL can perform the same check correctly.
Not Tested
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~All requirements in Appendix B of NIST IR 7692, Specifications for the Open Checklist Interactive Language (OCIL) [OCIL] SHALL be followed.
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~All requirements in Appendix B of NIST IR 7692, Specifications for the Open Checklist Interactive Language (OCIL) [OCIL] SHALL be followed. SCAPVal performs the Schematron rules and Schema validation for OCIL.
Not Tested
The following requirements and recommendations apply to the <xccdf:check> element:~~Content containing the use of checking systems other than the OVAL and OCIL checking systems SHALL NOT be considered well-formed with regards to SCAP.~~OCIL checking system~All requirements in Appendix B of NIST IR 7692, Specifications for the Open Checklist Interactive Language (OCIL) [OCIL] SHALL be followed. SCAPVal performs the Schematron rules and Schema validation for OCIL.
Not Tested
An OVAL source data stream component MAY be used to represent a series of checks to verify that patches have been installed. Historically, an XCCDF convention has been used to identify such a reference. An XCCDF benchmark MAY include a patches up-to-date rule that SHALL reference an OVAL source data stream component. ~When implementing a patches up-to-date XCCDF rule that checks for patches via numerous OVAL patch class definitions, the following approach SHALL be used:~The <xccdf:Rule> element that references an OVAL source data stream component SHALL have the @id attribute value of "xccdf_NAMESPACE_rule_security_patches_up_to_date", where NAMESPACE is the reverse DNS format namespace associated with the content maintainer.
An OVAL source data stream component MAY be used to represent a series of checks to verify that patches have been installed. Historically, an XCCDF convention has been used to identify such a reference. An XCCDF benchmark MAY include a patches up-to-date rule that SHALL reference an OVAL source data stream component. ~When implementing a patches up-to-date XCCDF rule that checks for patches via numerous OVAL patch class definitions, the following approach SHALL be used:~The <xccdf:Rule> element that references an OVAL source data stream component SHALL have the @id attribute value of "xccdf_NAMESPACE_rule_security_patches_up_to_date", where NAMESPACE is the reverse DNS format namespace associated with the content maintainer.
Not Tested
An OVAL source data stream component MAY be used to represent a series of checks to verify that patches have been installed. Historically, an XCCDF convention has been used to identify such a reference. An XCCDF benchmark MAY include a patches up-to-date rule that SHALL reference an OVAL source data stream component. ~When implementing a patches up-to-date XCCDF rule that checks for patches via numerous OVAL patch class definitions, the following approach SHALL be used:~The <xccdf:Rule> element that references an OVAL source data stream component SHALL have the @id attribute value of "xccdf_NAMESPACE_rule_security_patches_up_to_date", where NAMESPACE is the reverse DNS format namespace associated with the content maintainer.
Not Tested
CCSS scores are more stable than CVSS scores, but they still may change over time. Accordingly, during scoring, current CCSS scores acquired dynamically, such as from a data feed, MAY be used in place of the @weight attribute within XCCDF configuration setting-related rules.
CCSS scores are more stable than CVSS scores, but they still may change over time. Accordingly, during scoring, current CCSS scores acquired dynamically, such as from a data feed, MAY be used in place of the @weight attribute within XCCDF configuration setting-related rules.
Not Tested
CCSS scores are more stable than CVSS scores, but they still may change over time. Accordingly, during scoring, current CCSS scores acquired dynamically, such as from a data feed, MAY be used in place of the @weight attribute within XCCDF configuration setting-related rules.
Not Tested
XCCDF group extension SHALL NOT be allowed.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-354-1 | XCCDF group extension SHALL NOT be allowed. SCAPVal does not implement this. | Not Tested |
XCCDF group extension SHALL NOT be allowed. SCAPVal does not implement this.
Not Tested
XCCDF group extension SHALL NOT be allowed. SCAPVal does not implement this.
Not Tested
OCIL content SHOULD be used for checking rules that cannot be fully automated with OVAL.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-356-1 | OCIL content SHOULD be used for checking rules that cannot be fully automated with OVAL. | Not Tested |
OCIL content SHOULD be used for checking rules that cannot be fully automated with OVAL.
Not Tested
OCIL content SHOULD be used for checking rules that cannot be fully automated with OVAL.
Not Tested
If an <ocil:questionnaire> element maps to one or more CCE, CVE, and/or CPE identifiers, it SHOULD include <ocil:reference> elements that reference those identifiers using the corresponding following format:~<ocil:reference href="http://cce.mitre.org">CCE_identifier</ocil:reference>_x000B__x000B_<ocil:reference href="http://cve.mitre.org">CVE_identifier</ocil:reference>_x000B__x000B_<ocil:reference href="http://cpe.mitre.org">CPE_identifier</ocil:reference>
If an <ocil:questionnaire> element maps to one or more CCE, CVE, and/or CPE identifiers, it SHOULD include <ocil:reference> elements that reference those identifiers using the corresponding following format:~<ocil:reference href="http://cce.mitre.org">CCE_identifier</ocil:reference>_x000B__x000B_<ocil:reference href="http://cve.mitre.org">CVE_identifier</ocil:reference>_x000B__x000B_<ocil:reference href="http://cpe.mitre.org">CPE_identifier</ocil:reference>
Not Tested
If an <ocil:questionnaire> element maps to one or more CCE, CVE, and/or CPE identifiers, it SHOULD include <ocil:reference> elements that reference those identifiers using the corresponding following format:~<ocil:reference href="http://cce.mitre.org">CCE_identifier</ocil:reference>_x000B__x000B_<ocil:reference href="http://cve.mitre.org">CVE_identifier</ocil:reference>_x000B__x000B_<ocil:reference href="http://cpe.mitre.org">CPE_identifier</ocil:reference>
Not Tested
As such, content authors MAY digitally sign source content following the guidelines in [TMSAD], along with the following requirements.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-359-1 | As such, content authors MAY digitally sign source content following the guidelines in [TMSAD], along with the following requirements. | Not Tested |
As such, content authors MAY digitally sign source content following the guidelines in [TMSAD], along with the following requirements.
Not Tested
As such, content authors MAY digitally sign source content following the guidelines in [TMSAD], along with the following requirements.
Not Tested
Content consumers that process legacy SCAP content SHALL be capable of outputting results in the current SCAP revision. Additionally, content consumers MAY output results in the same SCAP version as the source content. For producers of results in legacy formats, legacy results MAY also be converted into results based on the current SCAP revision.
Content consumers that process legacy SCAP content SHALL be capable of outputting results in the current SCAP revision. Additionally, content consumers MAY output results in the same SCAP version as the source content. For producers of results in legacy formats, legacy results MAY also be converted into results based on the current SCAP revision.
Not Tested
Content consumers that process legacy SCAP content SHALL be capable of outputting results in the current SCAP revision. Additionally, content consumers MAY output results in the same SCAP version as the source content. For producers of results in legacy formats, legacy results MAY also be converted into results based on the current SCAP revision.
Not Tested
Whenever a <ds:extended-component> that is not recognized by the tool is referenced from a <ds:data-stream>, <ds:component>, or <ds:extended-component> element, the tool SHALL issue a warning.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-362-1 | Whenever a <ds:extended-component> that is not recognized by the tool is referenced from a <ds:data-stream>, <ds:component>, or <ds:extended-component> element, the tool SHALL issue a warning. | Not Tested |
Whenever a <ds:extended-component> that is not recognized by the tool is referenced from a <ds:data-stream>, <ds:component>, or <ds:extended-component> element, the tool SHALL issue a warning.
Not Tested
Whenever a <ds:extended-component> that is not recognized by the tool is referenced from a <ds:data-stream>, <ds:component>, or <ds:extended-component> element, the tool SHALL issue a warning.
Not Tested
Validation of each component SHALL be done in accordance with the portions of this document that define requirements for the component.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-368-1 | Validation of each component SHALL be done in accordance with the portions of this document that define requirements for the component. | Not Tested |
Validation of each component SHALL be done in accordance with the portions of this document that define requirements for the component.
Not Tested
Validation of each component SHALL be done in accordance with the portions of this document that define requirements for the component.
Not Tested
When implementing a patches up-to-date XCCDF rule that checks for patches via a single OVAL definition, the following approach SHALL be used:~The <xccdf:Rule> element that references an OVAL source data stream component SHALL have the @id attribute value of "xccdf_NAMESPACE_rule_security_patches_up_to_date", where NAMESPACE is the reverse DNS format namespace associated with the content maintainer.
Various other schematron rules check for this @id "xccdf_NAMESPACE_rule_security_patches_up_to_date" when evaluating a Patches Up-To-Date Rule. If the id is present, the content is treated as a Patches Up-To-Date Rule or its not. There is nothing to test for this requirement.
Not Tested
Various other schematron rules check for this @id "xccdf_NAMESPACE_rule_security_patches_up_to_date" when evaluating a Patches Up-To-Date Rule. If the id is present, the content is treated as a Patches Up-To-Date Rule or its not. There is nothing to test for this requirement.
Not Tested
The version(s) that is specified using the <oval:schema_version> content element SHALL correspond to the version(s) specified by the @xsi:schemaLocation attribute value for the OVAL schema, if an @xsi:schemaLocation attribute is specified.
The version(s) that is specified using the <oval:schema_version> content element SHALL correspond to the version(s) specified by the @xsi:schemaLocation attribute value for the OVAL schema, if an @xsi:schemaLocation attribute is specified. This is a SCAP tool requirement. SCAPVal properly implements this when validating OVAL content.
Not Tested
The version(s) that is specified using the <oval:schema_version> content element SHALL correspond to the version(s) specified by the @xsi:schemaLocation attribute value for the OVAL schema, if an @xsi:schemaLocation attribute is specified. This is a SCAP tool requirement. SCAPVal properly implements this when validating OVAL content.
Not Tested
A SWID tag installed on a target asset SHALL be identified by an OVAL inventory class definition.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-383-1 | A SWID tag installed on a target asset SHALL be identified by an OVAL inventory class definition. SCAPVAL does not check for SWID tags. | Not Tested |
A SWID tag installed on a target asset SHALL be identified by an OVAL inventory class definition. SCAPVAL does not check for SWID tags.
Not Tested
A SWID tag installed on a target asset SHALL be identified by an OVAL inventory class definition. SCAPVAL does not check for SWID tags.
Not Tested
The definition SHOULD use the <independent-def:xmlfilecontent_object> to search the file system for one or more SWID tags expressed in XML that match a desired XPath expression.
| Derived Requirement # | Summary | Result |
|---|---|---|
| TOOL-384-1 | The definition SHOULD use the <independent-def:xmlfilecontent_object> to search the file system for one or more SWID tags expressed in XML that match a desired XPath expression. SCAPVAL does not check for SWID tags. | Not Tested |
The definition SHOULD use the <independent-def:xmlfilecontent_object> to search the file system for one or more SWID tags expressed in XML that match a desired XPath expression. SCAPVAL does not check for SWID tags.
Not Tested
The definition SHOULD use the <independent-def:xmlfilecontent_object> to search the file system for one or more SWID tags expressed in XML that match a desired XPath expression. SCAPVAL does not check for SWID tags.
Not Tested
If a SWID tag has been installed on the target endpoint for a software product or patch, then one of the following methods SHALL be used to detect the SWID tag on the target asset:~One or more <cpe2-dict:check> elements that reference an OVAL inventory class definition that searches for the presence of a matching SWID tag.
If a SWID tag has been installed on the target endpoint for a software product or patch, then one of the following methods SHALL be used to detect the SWID tag on the target asset:~One or more <cpe2-dict:check> elements that reference an OVAL inventory class definition that searches for the presence of a matching SWID tag. SCAPVAL does not check for SWID tags.
Not Tested
If a SWID tag has been installed on the target endpoint for a software product or patch, then one of the following methods SHALL be used to detect the SWID tag on the target asset:~One or more <cpe2-dict:check> elements that reference an OVAL inventory class definition that searches for the presence of a matching SWID tag. SCAPVAL does not check for SWID tags.
Not Tested
If a SWID tag has been installed on the target endpoint for a software product or patch, then one of the following methods SHALL be used to detect the SWID tag on the target asset:~A <cpe:check-fact-ref> element that references an OVAL inventory class definition that searches for the presence of a matching SWID tag.
If a SWID tag has been installed on the target endpoint for a software product or patch, then one of the following methods SHALL be used to detect the SWID tag on the target asset:~A <cpe:check-fact-ref> element that references an OVAL inventory class definition that searches for the presence of a matching SWID tag. SCAPVAL does not check for SWID tags.
Not Tested
If a SWID tag has been installed on the target endpoint for a software product or patch, then one of the following methods SHALL be used to detect the SWID tag on the target asset:~A <cpe:check-fact-ref> element that references an OVAL inventory class definition that searches for the presence of a matching SWID tag. SCAPVAL does not check for SWID tags.
Not Tested
If a SWID tag has been installed on the target endpoint for a software product or patch, then one of the following methods SHALL be used to detect the SWID tag on the target asset:~An OVAL definition that references another OVAL inventory class definition using the <oval-def:extend_definition> element where the extended definition searches for the presence of a matching SWID tag.
If a SWID tag has been installed on the target endpoint for a software product or patch, then one of the following methods SHALL be used to detect the SWID tag on the target asset:~An OVAL definition that references another OVAL inventory class definition using the <oval-def:extend_definition> element where the extended definition searches for the presence of a matching SWID tag. SCAPVAL does not check for SWID tags.
Not Tested
If a SWID tag has been installed on the target endpoint for a software product or patch, then one of the following methods SHALL be used to detect the SWID tag on the target asset:~An OVAL definition that references another OVAL inventory class definition using the <oval-def:extend_definition> element where the extended definition searches for the presence of a matching SWID tag. SCAPVAL does not check for SWID tags.
Not Tested
The SCAP content must conform to all associated XML schemas. This requirement covers SCAP Component schema validation. SCAP Source Data Stream schema validation is covered under requirement SRC-329-1 SCAP Result Data Stream schema validation is covered under requirement RES-363-1
| Derived Requirement # | Summary | Result |
|---|---|---|
| A-10-1 | XML content failed schema validation. | Not Tested |
XML content failed schema validation.
Not Tested
XML content failed schema validation.
Pass
Check for unused OVAL definitions.
| Derived Requirement # | Summary | Result |
|---|---|---|
| A-15-1 | Unused OVAL definitions exis.t | Pass |
Unused OVAL definitions exis.t
Pass
Unused OVAL definitions exis.t
Pass
CCE number is expected, but missing as a reference.
| Derived Requirement # | Summary | Result |
|---|---|---|
| A-16-1 | CCE number is expected, but missing as a reference | Pass |
CCE number is expected, but missing as a reference
Pass
CCE number is expected, but missing as a reference
Pass
CCE number is in an invalid format or the check-digit does not match. It should be of format CCE-XXXX-X or CCE-XXXXX-X where each X is a digit, and the final X is a check-digit.
| Derived Requirement # | Summary | Result |
|---|---|---|
| A-17-1 | CCE number is in an invalid format or the check-digit does not match. It should be of format CCE-XXXX-X or CCE-XXXXX-X where each X is a digit, and the final X is a check-digit. | Pass |
CCE number is in an invalid format or the check-digit does not match. It should be of format CCE-XXXX-X or CCE-XXXXX-X where each X is a digit, and the final X is a check-digit.
Pass
CCE number is in an invalid format or the check-digit does not match. It should be of format CCE-XXXX-X or CCE-XXXXX-X where each X is a digit, and the final X is a check-digit.
Not Applicable
The attribute @content-type on <scap:check-system-content> must match the content as such: OVAL_COMPLIANCE, OVAL_PATCH, CPE_INVENTORY, OVAL_VULNERABILITY must contain an <oval-def:oval_definitions> element; OCIL_QUESTIONS must contain an <ocil:ocil> element.
The attribute @content-type on <scap:check-system-content> must match the content as such: OVAL_COMPLIANCE, OVAL_PATCH, CPE_INVENTORY, OVAL_VULNERABILITY must contain an <oval-def:oval_definitions> element; OCIL_QUESTIONS must contain an <ocil:ocil> element.
Not Applicable
The attribute @content-type on <scap:check-system-content> must match the content as such: OVAL_COMPLIANCE, OVAL_PATCH, CPE_INVENTORY, OVAL_VULNERABILITY must contain an <oval-def:oval_definitions> element; OCIL_QUESTIONS must contain an <ocil:ocil> element.
Informational
The OVAL test type is not checked in the NIST SCAP Validation Program.
| Derived Requirement # | Summary | Result |
|---|---|---|
| A-21-1 | The OVAL test type is not checked in the NIST SCAP Validation Program. | Informational |
The OVAL test type is not checked in the NIST SCAP Validation Program.
Informational
The OVAL test type is not checked in the NIST SCAP Validation Program.
| # | Test Result | Message | Context (Line/Column) |
|---|---|---|---|
| 1 | Fail | 'OVAL test oval:ssg-test_disable_ctrlaltdel_exists:tst:1' | 11512 : 190 |
|
|||
| 2 | Fail | 'OVAL test oval:ssg-test_verify_all_rpms_user_ownership:tst:1' | 11840 : 207 |
|
|||
| 3 | Fail | 'OVAL test oval:ssg-test_verify_all_rpms_group_ownership:tst:1' | 11843 : 209 |
|
|||
| 4 | Fail | 'OVAL test oval:ssg-test_files_fail_md5_hash:tst:1' | 11846 : 164 |
|
|||
| 5 | Fail | 'OVAL test oval:ssg-test_verify_all_rpms_mode:tst:1' | 11849 : 187 |
|
|||
| 6 | Fail | 'OVAL test oval:ssg-test_crypto_policy_bind_symlink:tst:1' | 11946 : 236 |
|
|||
| 7 | Fail | 'OVAL test oval:ssg-test_crypto_policy_gnutls_symlink:tst:1' | 11950 : 240 |
|
|||
| 8 | Fail | 'OVAL test oval:ssg-test_crypto_policy_java_symlink:tst:1' | 11954 : 236 |
|
|||
| 9 | Fail | 'OVAL test oval:ssg-test_crypto_policy_krb5_symlink:tst:1' | 11958 : 236 |
|
|||
| 10 | Fail | 'OVAL test oval:ssg-test_crypto_policy_libreswan_symlink:tst:1' | 11962 : 246 |
|
|||
| Omitting 42 additional results. | |||
Informational
A custom XPath function is not available.
| Derived Requirement # | Summary | Result |
|---|---|---|
| A-22-1 | A custom XPath function is not available. | Informational |
A custom XPath function is not available.
Informational
A custom XPath function is not available.
Not Tested
The content contains an XML element in a namespace that is not governed by one of the officially supported SCAP specifications.
The content contains an XML element in a namespace that is not governed by one of the officially supported SCAP specifications. This tool will not load external XML schemas, so XML schema validation errors may be produced. The namespace is {0}
Not Tested
The content contains an XML element in a namespace that is not governed by one of the officially supported SCAP specifications. This tool will not load external XML schemas, so XML schema validation errors may be produced. The namespace is {0}
Pass
This requirement for unique xccdf:Profile @id cannot be handled by the XCCDF schema in SCAP source data streams. There is no direct reference to the req in 800-126r2 but this still needs to be checked.
| Derived Requirement # | Summary | Result |
|---|---|---|
| A-25-1 | The @id attribute of all <xccdf:Profile> elements in a SCAP source data stream must be unique. | Pass |
The @id attribute of all <xccdf:Profile> elements in a SCAP source data stream must be unique.
Pass
The @id attribute of all <xccdf:Profile> elements in a SCAP source data stream must be unique.
Explicitly specify all default attributes when creating content that will be signed.
Warning
Some parsers automatically fill in the values of default attributes before signing content, so if default attributes are not provided, signature verification will fail for other parsers that do not automatically fill in the values. If all default attributes are not explicitly defined when digitally signing SCAP content, certain parsers may fail to process the data stream signing correctly. This could lead to processing errors or a failure to recognize the legitimacy of signed content.
| Derived Requirement # | Summary | Result |
|---|---|---|
| A-26-1 | Explicitly provide values for all default attributes instead of assuming the default value. | Warning |
Explicitly provide values for all default attributes instead of assuming the default value.
Warning
Explicitly provide values for all default attributes instead of assuming the default value.
| # | Test Result | Message | Context (Line/Column) |
|---|---|---|---|
| 1 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 50724 : 121 |
|
|||
| 2 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 50862 : 115 |
|
|||
| 3 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 50990 : 125 |
|
|||
| 4 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 51038 : 123 |
|
|||
| 5 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 51121 : 134 |
|
|||
| 6 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 51164 : 134 |
|
|||
| 7 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 51247 : 127 |
|
|||
| 8 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 51316 : 122 |
|
|||
| 9 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 51385 : 124 |
|
|||
| 10 | Fail | ' - TEST: exists(@selected) and exists(@weight) and exists(@role) and exists(@severity)' | 51467 : 119 |
|
|||
| Omitting 1042 additional results. | |||
Check for @href and @id-ref value of <cpe:check-fact-ref> element
Not Applicable
According to section 5.4 "The <cpe:check-fact-ref> Element" of the NIST IR 7698 (CPE Applicability Language), the @href attribute indicates "The location of the check content, such as the OVAL or OCIL document holding the desired check." Within a source data stream, the @href SHALL be resolved in the context of the XML Catalog specified as part of the <ds:component-ref>.
| Derived Requirement # | Summary | Result |
|---|---|---|
| A-27-1 | cpe:check-fact-ref | Not Applicable |
cpe:check-fact-ref
Not Applicable
cpe:check-fact-ref