XCCDF/OVAL Editor Project

For more information on why CIS supports this project, Click Here.

Background

Security configuration checklists, such as the CIS consensus Benchmarks, define recommendations for secure configuration of systems and applications. The Benchmarks focus on brevity and practical instructions over extensive detail to help busy administrators check and remediate their systems quickly and efficiently.

Because benchmarks focus on simple, concise recommendations, they are good candidates for automation. Towards this end, two open XML standards have been adopted by the benchmark community: XCCDF and OVAL. These standards support the expression of benchmark structure and low-level data checking, respectively. However, both of these standards are expressed in large and complicated XML files. Currently, these files must be created and edited by hand, which requires a fair amount of technical expertise. The XCCDF/OVAL Editor Project attempts to address this by creating a tool that will support creation and editing of XCCDF and OVAL files.

The Project

The XCCDF/OVAL Editor Project seeks to create a security checklist editing application that allows authors to view and make edits in an intuitive way, without any need to understand the details of the underlying XML. We hope this will encourage more vendors and application experts to create XCCDF and OVAL content for a wider range of products. This effort, in conjunction with the CIS consensus efforts, will result in a large body of community content available to everyone.

Features of the tool include:

The XCCDF/OVAL Editor Project started in October of 2005 as a joint effort of multiple security vendors, government agencies, contractors, and end users. In early June we completed design development and started implementation.

We are looking for people and organizations who would be interested in supporting the project by contributing time to the development effort. The application we are developing is written in Java, so we have a large need for Java developers. Other useful skills include knowledge of XML, especially validation APIs. OVAL and/or XCCDF expertise would be helpful but is not essential.

The implementation effort is being coordinated by The MITRE Corporation. MITRE will work with potential volunteers to identify application components that best fit with the volunteer's skills and time commitment. MITRE will also work with the implementer to help ensure compatibility of their work with the rest of the tool. Implementers are requested to produce testing modules for their components as well. MITRE will use these modules to ensure future work on the tool does not break previously developed components.

Those interested in volunteering should contact Charles Schmidt of MITRE at cmschmidt@mitre.org, or CIS at feedback@cisecurity.org.

Links:

XCCDF: http://checklists.nist.gov/xccdf.html

OVAL: http://oval.mitre.org