National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)

XCCDF - The Extensible Configuration Checklist Description Format

XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.

XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser.

Development of the XCCDF specification is being led by NSA, with contributions from other agencies and organizations. The current public draft of the specification document and related files can be downloaded below. A mailing list for XCCDF developers is available; please subscribe to participate in discussions. A public archive of the XCCDF mailing list is also available.

XCCDF Specification Resources

XCCDF 1.2 Resources

Documents:
XCCDF Specification 1.2 (PDF) - September 2011
XML Schema Files: [what is a schema?]
XCCDF 1.2 Schema (XSD 1.0) - xsd:import statements use absolute URLs
Complete 1.2 Schema Bundle (Zip) - xsd:import statements use relative URLs
ZIP file was updated on Mar 19, 2012
The correct version of cpe-language_2.3.xsd was added
Files were updated on Feb 23, 2012
See the revised specification for details
XML Schematron Files: [what is Schematron?]
XCCDF 1.2 Schematron
XCCDF Validation tool:
Version: 1.2.0.0
Size: 5.61 MB
SHA-256: E812DE3DD3BBBBEC2EC597E4C7969BC9B5F20BB2A4BC7F215EE83649B2DFD332
Data Dictionaries:
XCCDF 1.2 Element Dictionary (Non-normative)
Upgrade Utility:
XSL Utility to Upgrade XCCDF content from 1.1.4 to 1.2 (See the README.txt)
ZIP file was updated on Mar 23, 2012
Bug was corrected in XSL converter
Check Implementations:
Open Checklist Interactive Language (OCIL)
Open Vulnerability and Assessment Language (OVAL)

XCCDF 1.1.4 Resources

Documents:
XCCDF Specification 1.1.4 (PDF) - January 2008
Changes to XCCDF Specification since 1.1.3 (DOC)
XML Schema Files: [what is a schema?]
XCCDF 1.1.4 Schema (XSD 1.0)
Complete 1.1.4 Schema Bundle (Zip)
Reference Implementation
The XCCDF reference implementation was developed at the National Institute of Standards and Technology.
Includes OVALDI and OCIL developed by MITRE
XCCDF Interpreter (Sourceforge Project)
Check Implementations:
Open Checklist Interactive Language (OCIL)
Open Vulnerability and Assessment Language (OVAL)

XCCDF 1.1.3 Resources

Documents:
XCCDF Specification 1.1.3 draft (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.1.3 Schema (XSD 1.0)
Complete 1.1.3 Schema Bundle (Zip)
Samples:
Example XCCDF 1.1.3 Benchmark (XCCDF, raw XML)

XCCDF 1.1.2 Resources

Documents:
XCCDF Specification 1.1.2 (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.1.2 Schema (XSD 1.0)
Complete 1.1.2 Schema Bundle (Zip)

XCCDF 1.1 Resources

Documents:
XCCDF Specification 1.1 (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.1 Schema (XSD 1.0)
XCCDF-P 1.1 Schema (XSD 1.0)
Complete 1.1 Schema Bundle (Zip)
Samples:
Example XCCDF 1.1 Benchmark (XCCDF, raw XML)
[note: sample uses XCCDF-P 1.0 specification which will be subsumed by XCCDF-P 1.1]

XCCDF 1.0 Resources

Documents:
XCCDF Specification 1.0 (PDF)
XML Schema Files: [what is a schema?]
XCCDF 1.0 Schema (XSD 1.0)
CIS Platform Schema (XSD 1.0)
Complete 1.0 Schema Bundle (Zip)
Samples:
Example XCCDF 1.0 Benchmark (XCCDF, raw XML)
Example (Proof-of-Concept) XCCDF->XHTML stylesheet (XSLT)
Stylesheet output samples:
XHTML (pre-transformed)
XML (transform at browser)

Additional Notes:

XCCDF was designed to support integration with multiple underlying configuration checking 'engines'. The expected or default checking technology is MITRE's OVAL(™). More information about OVAL may be found at The MITRE Corporation OVAL web site.

For document and reference metadata, XCCDF uses the Dublin Core Metadata element set. For more information about Dublin Core Metadata, visit the DCMI web site.

Validating an XCCDF document against the XCCDF schema requires several supplementary schema and DTD files. To download all of the required files, select 'Complete Schema Bundle' above.