See also local files:
- US MITRE STIX - a standardized language to represent structured cyber threat information
- US MITRE TAXII - the main transport mechanism for cyber threat information represented as STIX
NIST and CISA
Government and regulation
Information and threat exchange
The term 'SCAP Security Guide (SSG)' is an umbrella term to refer to a security policy written in a form of SCAP documents.
'SCAP content' typically refers to documents in the XCCDF, OVAL and Source DataStream formats.
SCAP content is published in repositories
- US NIST SCAP project - Wikipedia
- US NIST SCAP project - Security Content Automation Protocol, covering:
- Asset Identification
- Asset Reporting Format (ARF)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Applicability Language
- Name Matching
- Open Vulnerability Assessment Language (OVAL)
- Open Checklist Interactive Language (OCIL)
- Trust Model for Security Automation Data (TMSAD)
- Extensible Configuration Checklist Description Format (XCCDF)
- Software Identification (SWID)
- Emerging Specifications
- Emerging Specification Listing
- Asset Summary Reporting (ASR)
- US NIST NCP - National Checklist Program - the U.S. government repository of publicly available security checklists that provide detailed low level guidance on setting the security configuration of operating systems and applications
XCCDF - to describe security checklists
Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents.
An XCCDF document represents a structured collection of security configuration rules for some set of target systems.
The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring.
The specification also defines a data model and format for storing results of benchmark compliance testing.
The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance.
XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser.
XCCDF uses OVAL as its default configuration checking technology.
OVAL - for making logical assertions about the state of a system
Open Vulnerability and Assessment Language (OVAL): to assess and report upon the machine state of computer systems
CPE - Common Platform Enumeration
CPE serves to identify IT platforms and systems using unequivocally defined names. CPE also includes a method for checking names against a system, and a description format for binding text and tests to a name.
Use: vulnerability CVE-2009-1234 applies to "cpe:/a:vend:prod:8.0", which can be refined into a unique identifier for a specific product "cpe:/a:vend:prod:8.0:-:win"
- NIST CPE specification
- CPE encompasses:
- Two prescribed name formats
- An authoritative dictionary of vetted, approved names
- Algorithms for comparing names
- A language for describing complex platforms
Other components of SCAP
- DataStream is a format that packs other SCAP components into a single file.
- The Asset Reporting Format (ARF) consolidates multiple result files (OVAL results and XCCDF results). It is also often called Result DataStream.
- Common Vulnerabilities and Exposures (CVE) is a reference dictionary for publicly known security vulnerabilities and exposures. CVE provides standardized names (identifiers) of vulnerabilities.
- Common Weakness Enumeration (CWE) is a community-developed list of software weaknesses. CWE leads its effort to describe in detail known security weaknesses and flaws.
Refer also to LTK Open-SCAP info.
Project creates security policy content for various platforms -- Red Hat Enterprise Linux, Fedora, Ubuntu, Debian, SUSE Linux Enterprise Server (SLES),... -- as well as products -- Firefox, Chromium, JRE, ... in all the commonly used formats (SCAP, Ansible, bash fix files).
This project started in 2011 as a collaboration between government agencies and commercial operating system vendors. The original name was SCAP Security Guide. The original scope was to create SCAP datastreams. Over time, it grew into the biggest open-source beyond-SCAP content project. The next few years saw the introduction of not just government-specific security profiles but also commercial, such as PCI-DSS.
Later, the industry starts moving towards different security content formats, such as Ansible, Puppet, and Chef InSpec. The community reacted by evolving the tooling and helped transform SSG into a more general-purpose security content project. This change happened over time in 2017 and 2018. In September 2018, the name of the project was changed to avoid confusion.
The future will be format-agnostic. That's why an abstraction is used instead of XCCDF for the input format.
CERTs - see also ENISA
CERTs - large scale
CERTs - country-level
TOR and I2P
Anonymous - Telecomix
Fighting botnets etc
Virus and vulnerabilities