Extensible Configuration Checklist Description Format
Element Dictionary
- Schema: XCCDF Language
- Version: 1.2
- Release Date: 2011-07-26
This schema defines the Extensible Configuration Checklist Description Format (XCCDF), a data format for defining security benchmarks and checklists, and for recording the results of applying such benchmarks. For more information, consult the specification document, NIST Interagency Report 7275 Revision 4, "Specification for the Extensible Configuration Checklist Description Format Version 1.2". This schema was developed by Neal Ziring, with ideas and assistance from David Waltermire. The following helpful individuals also contributed ideas to the definition of this schema: David Proulx, Andrew Buttner, Ryan Wilson, Matthew Kerr, and Stephen Quinn. Ian Crawford found numerous discrepancies between this schema and the spec document. Peter Mell and his colleagues also made many suggestions.
This document is for informational purposes only and is not normative. If discrepancies are found between this document and the XCCDF specification, the XCCDF specification always takes priority.
Index
Benchmark
Group
Item
model
Profile
Rule
status
Tailoring
TestResult
Value
benchmarkIdType
benchmarkReferenceType
ccOperatorEnumType
checkContentRefType
checkContentType
checkExportType
checkImportType
checkType
complexCheckType
complexValueType
CPE2idrefType
dc-statusType
factType
fixStrategyEnumType
fixTextType
fixType
groupIdType
groupType
htmlTextType
htmlTextWithSubType
identityType
identType
idrefListType
idrefType
instanceFixType
instanceResultType
interfaceHintType
itemType
messageType
metadataType
msgSevEnumType
noticeType
overrideableCPE2idrefType
overrideType
paramType
plainTextType
profileIdType
profileNoteType
profileRefineRuleType
profileRefineValueType
profileSelectType
profileSetComplexValueType
profileSetValueType
profileType
ratingEnumType
referenceType
resultEnumType
roleEnumType
ruleIdType
ruleResultType
ruleType
scoreType
selChoicesType
selComplexValueType
selectableItemType
selNumType
selStringType
severityEnumType
signatureType
statusType
subType
subUseEnumType
tailoringBenchmarkReferenceType
tailoringIdType
tailoringReferenceType
tailoringType
tailoringVersionType
targetFactsType
targetIdRefType
testresultIdType
testResultType
textType
textWithSubType
uriRefType
valueIdType
valueOperatorType
valueType
valueTypeType
versionType
warningCategoryEnumType
warningType
weightType
< Benchmark >
This is the root element of the XCCDF document; it must appear exactly once. It encloses the entire benchmark, and contains both descriptive information and structural information. Note that the order of <xccdf:Group> and <xccdf:Rule> child elements may matter for the appearance of a generated document. <xccdf:Group> and <xccdf:Rule> children may be freely intermingled, but they must appear after any <xccdf:Value> children. All the other children must appear in the order shown.
Attributes Type Comments
id benchmarkIdType (required) Unique <xccdf:Benchmark> identifier.
Id xsd:ID (optional) An identifier used for referencing elements included in an XML signature.
resolved xsd:boolean (optional -- default='false') True if <xccdf:Benchmark> has already undergone the resolution process.
style xsd:string (optional) Name of an <xccdf:Benchmark> authoring style or set of conventions or constraints to which this <xccdf:Benchmark> conforms (e.g., “SCAP 1.2”).
style-href xsd:anyURI (optional) URL of a supplementary stylesheet or schema extension that can be used to verify conformance to the named style.
xml:lang n/a (optional)
Child Elements Type MinOccurs MaxOccurs
status n/a 1 unbounded Status of the <xccdf:Benchmark> indicating its level of maturity or consensus. If more than one <xccdf:status> element appears, the element's @date attribute should be included.
dc-status dc-statusType 0 unbounded Holds additional status information using the Dublin Core format.
title textType 0 unbounded Title of the <xccdf:Benchmark>; an <xccdf:Benchmark> should have an <xccdf:title>.
description htmlTextWithSubType 0 unbounded Text that describes the <xccdf:Benchmark>; an <xccdf:Benchmark> should have an <xccdf:description>.
notice noticeType 0 unbounded Legal notices (licensing information, terms of use, etc.), copyright statements, warnings, and other advisory notices about this <xccdf:Benchmark> and its use.
front-matter htmlTextWithSubType 0 unbounded Introductory matter for the beginning of the <xccdf:Benchmark> document; intended for use during Document Generation.
rear-matter htmlTextWithSubType 0 unbounded Concluding material for the end of the <xccdf:Benchmark> document; intended for use during Document Generation.
reference referenceType 0 unbounded Supporting references for the <xccdf:Benchmark> document.
plain-text plainTextType 0 unbounded Definitions for reusable text blocks, each with a unique identifier.
platform-specification n/a 0 1 A list of identifiers for complex platform definitions, written in CPE applicability language format. Authors may define complex platforms within this element, and then use their locally unique identifiers anywhere in the <xccdf:Benchmark> element in place of a CPE name.
platform CPE2idrefType 0 unbounded Applicable platforms for this <xccdf:Benchmark>. Authors should use the element to identify the systems or products to which the <xccdf:Benchmark> applies.
version versionType 1 1 Version number of the <xccdf:Benchmark>.
metadata metadataType 0 unbounded XML metadata for the <xccdf:Benchmark>. Metadata allows many additional pieces of information, including authorship, publisher, support, and other similar details, to be embedded in an <xccdf:Benchmark>.
model n/a 0 unbounded URIs of suggested scoring models to be used when computing a score for this <xccdf:Benchmark>. A suggested list of scoring models and their URIs is provided in the XCCDF specification.
Profile n/a 0 unbounded <xccdf:Profile> elements that reference and customize sets of items in the <xccdf:Benchmark>.
Value n/a 0 unbounded Parameter <xccdf:Value> elements that support <xccdf:Rule> elements and descriptions in the <xccdf:Benchmark>.
Group n/a 0 see schema <xccdf:Group> elements that comprise the <xccdf:Benchmark>; each may contain additional <xccdf:Value>, <xccdf:Rule>, and other <xccdf:Group> elements.
Rule n/a 0 see schema <xccdf:Rule> elements that comprise the <xccdf:Benchmark>.
TestResult n/a 0 unbounded <xccdf:Benchmark> test result records (one per <xccdf:Benchmark> run).
signature signatureType 0 1 A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Benchmark>.
< Group >
An item that can hold other items. It allows an author to collect related items into a common structure and provide descriptive text and references about them.
groupType
< Item >
An item is a named constituent of an <xccdf:Benchmark>. There are three types of items: <xccdf:Group>, <xccdf:Rule> and <xccdf:Value>. The <xccdf:Item> element type imposes constraints shared by all <xccdf:Group>, <xccdf:Rule> and <xccdf:Value> elements. The itemType is abstract, so the element <xccdf:Item> can never appear in a valid XCCDF document.
itemType
< model >
A suggested scoring model for an <xccdf:Benchmark>, also encapsulating any parameters needed by the model. Every model is designated with a URI, which appears here as the system attribute. See the XCCDF specification for a list of standard scoring models and their associated URIs. Vendors may define their own scoring models and provide additional URIs to designate them. Some models may need additional parameters; to support such a model, zero or more <xccdf:param> elements may appear as children of the <xccdf:model> element.
Attributes Type Comments
system xsd:anyURI (required) A URI designating a scoring model.
Child Elements Type MinOccurs MaxOccurs
param paramType 0 unbounded Parameters provided as input to the designated scoring model.
< Profile >
The <xccdf:Profile> element is a named tailoring for an <xccdf:Benchmark>. While an <xccdf:Benchmark> can be tailored in place by setting properties of various elements, <xccdf:Profile> elements allow one <xccdf:Benchmark> document to hold several independent tailorings.
profileType
< Rule >
The <xccdf:Rule> element contains the description for a single item of guidance or constraint. <xccdf:Rule> elements form the basis for testing a target platform for compliance with an <xccdf:Benchmark>, for scoring, and for conveying descriptive prose, identifiers, references, and remediation information.
ruleType
< status >
The acceptance status of an element with an optional date attribute, which signifies the date of the status change. If an element does not have its own <xccdf:status> element, its status is that of its parent element. If there is more than one <xccdf:status> for a single element, then every instance of the <xccdf:status> element must have a @date attribute, and the <xccdf:status> element with the latest date is considered the current status.
Attributes Type Comments
date xsd:date (optional) The date the parent element achieved the indicated status.
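The status rule above (latest @date wins; an element without its own <xccdf:status> takes its parent's) can be resolved mechanically. The following is an added example, not part of the schema documentation; the sample benchmark, its ids and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import date

NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample document (not taken from a real benchmark).
SAMPLE = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_demo">
  <status date="2010-03-01">draft</status>
  <status date="2011-07-26">accepted</status>
  <version>1.0</version>
  <Group id="xccdf_org.example_group_accounts">
    <Rule id="xccdf_org.example_rule_pw-length"/>
    <Rule id="xccdf_org.example_rule_old-telnet">
      <status>deprecated</status>
    </Rule>
    <Rule id="xccdf_org.example_rule_ambiguous">
      <status date="2011-01-01">interim</status>
      <status>accepted</status>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_xsd_date(text):
    # xsd:date may carry a timezone suffix ("2011-07-26Z"); only the
    # calendar date is compared in this example.
    return date.fromisoformat(text.strip()[:10])


def own_status(elem):
    """Return (status, date or None) from elem's own <status> children, or None."""
    statuses = elem.findall(NS + "status")
    if not statuses:
        return None
    if len(statuses) == 1:
        only = statuses[0]
        when = only.get("date")
        return (only.text or "").strip(), (parse_xsd_date(when) if when else None)
    # More than one <status>: every instance must carry @date.
    if any(s.get("date") is None for s in statuses):
        raise ValueError(
            f"{elem.get('id')}: multiple <status> elements require @date on each")
    latest = max(statuses, key=lambda s: parse_xsd_date(s.get("date")))
    return (latest.text or "").strip(), parse_xsd_date(latest.get("date"))


def effective_status(root, item_id):
    """Resolve the current status of the element whose @id is item_id.

    Walks up to the parent when the element has no <status> of its own.
    Returns a dict naming the status, its date and the element it came from,
    or None when no ancestor declares a status.
    """
    parent = {child: p for p in root.iter() for child in p}
    elem = next((e for e in root.iter() if e.get("id") == item_id), None)
    if elem is None:
        raise KeyError(item_id)
    while elem is not None:
        found = own_status(elem)
        if found is not None:
            return {"status": found[0], "date": found[1], "from": elem.get("id")}
        elem = parent.get(elem)
    return None
```

A rule that silently inherits "accepted" from the benchmark and a rule with an undated second status are both worth flagging when reviewing third-party content.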
< Tailoring >
The <xccdf:Tailoring> element holds one or more <xccdf:Profile> elements. These <xccdf:Profile> elements record additional tailoring activities that apply to a given <xccdf:Benchmark>. <xccdf:Tailoring> elements are separate from <xccdf:Benchmark> documents, but each <xccdf:Tailoring> element is associated with a specific <xccdf:Benchmark> document. By defining these tailoring actions separately from the <xccdf:Benchmark> document to which they apply, these actions can be recorded without affecting the integrity of the source itself.
tailoringType
< TestResult >
The <xccdf:TestResult> element encapsulates the results of a single application of an <xccdf:Benchmark> to a single target platform. The <xccdf:TestResult> element normally appears as the child of the <xccdf:Benchmark> element, although it may also appear as the top-level element of an XCCDF results document. XCCDF is not intended to be a database format for detailed results; the <xccdf:TestResult> element offers a way to store the results of individual tests in modest detail, with the ability to reference lower-level testing data.
testResultType
< Value >
The <xccdf:Value> element is a named parameter that can be substituted into properties of other elements within the <xccdf:Benchmark>, including the interior of structured check specifications and fix scripts.
valueType
-- benchmarkIdType --
The format required for the @id property of <xccdf:Benchmark> elements. xccdf_N_benchmark_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string.
xccdf_[^_]+_benchmark_.+
== benchmarkReferenceType ==
Type for a reference to the <xccdf:Benchmark> document.
Attributes Type Comments
href xsd:anyURI (required) The URI of the <xccdf:Benchmark> document.
id xsd:NCName (optional) The value of that <xccdf:Benchmark> element's @id attribute.
-- ccOperatorEnumType --
The type for the allowed @operator names for the <xccdf:complex-check> operator attribute. Only AND and OR operators are supported. (The <xccdf:complex-check> has a separate mechanism for negation.)
Value Description
OR The logical OR of the component terms
AND The logical AND of the component terms
== checkContentRefType ==
Data type for the <xccdf:check-content-ref> element, which points to the code for a detached check in another file. This element has no body, just a couple of attributes: @href and @name. The @name is optional; if it does not appear, the reference is to the entire document.
Attributes Type Comments
href xsd:anyURI (required) Identifies the referenced document containing checking instructions.
name xsd:string (optional) Identifies a particular part or element of the referenced check document.
== checkContentType ==
Data type for the <xccdf:check-content> element. The body of this element holds the actual code of a check, in the language or system specified by the <xccdf:check> element’s @system attribute. The body of this element may be any XML, but cannot contain any XCCDF elements. XCCDF tools do not process its content directly but instead pass the content directly to checking engines.
Child Elements Type MinOccurs MaxOccurs
xsd:any ##other -- skip 0 see schema
== checkExportType ==
Data type for the <xccdf:check-export> element, which specifies a mapping from an <xccdf:Value> element to a checking system variable (i.e., external name or id for use by the checking system). This supports export of tailoring <xccdf:Value> elements from the XCCDF processing environment to the checking system. The interface between the XCCDF benchmark consumer and the checking system should support, at a minimum, passing the <xccdf:value> property of the <xccdf:Value> element, but may also support passing the <xccdf:Value> element's @type and @operator properties.
Attributes Type Comments
export-name xsd:string (required) An identifier indicating some structure in the checking system into which the identified <xccdf:Value> element's properties will be mapped.
value-id xsd:NCName (required) The id of the <xccdf:Value> element to export.
== checkImportType ==
Data type for the <xccdf:check-import> element, which specifies a value that the <xccdf:Benchmark> author wishes to retrieve from the checking system during testing of a target system. The @import-name attribute identifies some structure in the checking system that is then retrieved. The mapping from the values of this attribute to specific checking system structures is beyond the scope of the XCCDF specification. When the <xccdf:check-import> element appears in the context of an <xccdf:Rule>, then it should be empty and any content must be ignored. When the <xccdf:check-import> element appears in the context of an <xccdf:rule-result>, then its body holds the imported value.
Attributes Type Comments
import-name xsd:string (required) An identifier indicating some structure in the checking system to be collected.
import-xpath xsd:string (optional) An XPath that is used to select specific values or structures from the imported structure. This allows further refinement of the collected data if the imported value takes the form of XML structures.
Child Elements Type MinOccurs MaxOccurs
xsd:any ##any -- skip 0 1
== checkType ==
Data type for the <xccdf:check> element. The <xccdf:check> element identifies instructions for tests to determine compliance with the <xccdf:Rule> as well as parameters controlling the reporting of those test results. The <xccdf:check> element must have at least one child element.
Attributes Type Comments
id xsd:NCName (optional) Unique identifier for this element. Optional, but must be globally unique if present.
multi-check xsd:boolean (optional -- default='false') Applicable in cases where multiple checks are executed to determine compliance with a single <xccdf:Rule>. This situation can arise when an <xccdf:check> includes an <xccdf:check-content-ref> element that does not include a @name attribute. The default behavior of a nameless <xccdf:check-content-ref> is to execute all checks in the referenced check content location and AND their results together into a single <xccdf:rule-result> using the AND truth table below. This corresponds to a @multi-check attribute value of “false”. If, however, the @multi-check attribute is set to "true" and a nameless <xccdf:check-content-ref> is used, the <xccdf:Rule> produces a separate <xccdf:rule-result> for each check.
negate xsd:boolean (optional -- default='false') If set to true, the final result of the <xccdf:check> is negated according to the truth table given below.
selector xsd:string (optional -- default='') This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of the <xccdf:Rule>. If no selector values are specified for a given <xccdf:Rule> by <xccdf:Profile> elements or manual tailoring, all <xccdf:check> elements with non-empty @selector attributes are ignored. If an <xccdf:Rule> has multiple <xccdf:check> elements with the same @selector attribute, each must employ a different checking system, as identified by the @system attribute of the <xccdf:check> element.
system xsd:anyURI (required) The URI for a checking system. If the checking system uses XML namespaces, then the system attribute for the system should be its namespace.
xml:base n/a (optional)
Child Elements Type MinOccurs MaxOccurs
check-import checkImportType 0 unbounded Identifies a value to be retrieved from the checking system during testing of a target system. This element's body must be empty within an <xccdf:check>. After the associated check results have been collected, the result structure returned by the checking engine is processed to collect the named information. This information is then recorded in the check-import element in the corresponding <xccdf:rule-result>.
check-export checkExportType 0 unbounded A mapping from an <xccdf:Value> element to a checking system variable (i.e., external name or id for use by the checking system). This supports export of tailoring values from the XCCDF processing environment to the checking system.
check-content-ref checkContentRefType 0 unbounded Points to code for a detached check in another location that uses the language or system specified by the <xccdf:check> element’s @system attribute. If multiple <xccdf:check-content-ref> elements appear, they represent alternative locations from which a benchmark consumer may obtain the check content. Benchmark consumers should process the alternatives in the order in which they appear in the XML. The first <xccdf:check-content-ref> from which content can be successfully retrieved should be used.
check-content checkContentType 0 1 Holds the actual code of a check, in the language or system specified by the <xccdf:check> element’s @system attribute. If both <xccdf:check-content-ref> and <xccdf:check-content> elements appear in a single <xccdf:check> element, benchmark consumers should use the <xccdf:check-content> element only if none of the references can be resolved to provide content.
The two axes represent a pairwise combination of results. Order of evaluation will not matter. Possible results are abbreviated as follows: P = Pass, F = Fail, U = Unknown, E = Error, N = Not Applicable, K = Not Checked, S = Not Selected, I = Informational.
AND               || P | F | U | E | N | K | S | I ||
------------------||-------------------------------||
Pass (P)          || P | F | U | E | P | P | P | P ||
Fail (F)          || F | F | F | F | F | F | F | F ||
Unknown (U)       || U | F | U | U | U | U | U | U ||
Error (E)         || E | F | U | E | E | E | E | E ||
Notapplicable (N) || P | F | U | E | N | N | N | N ||
Notchecked (K)    || P | F | U | E | N | K | K | K ||
Notselected (S)   || P | F | U | E | N | K | S | S ||
Informational (I) || P | F | U | E | N | K | S | I ||
-----------------------------------------------------

NOT || P | F | U | E | N | K | S | I ||
----||-------------------------------||
    || F | P | U | E | N | K | S | I ||
---------------------------------------
== complexCheckType ==
The type for an element that contains a boolean combination of <xccdf:check> elements. This element can have only <xccdf:complex-check> and <xccdf:check> elements as children. Child elements may appear in any order but at least one child element must be present. It has two attributes, @operator and @negate, which dictate how <xccdf:check> or <xccdf:complex-check> child elements are to be combined. Truth tables for these operations appear below.
Attributes Type Comments
negate xsd:boolean (optional -- default='0') If true, negate the final result of this <xccdf:complex-check> after the child elements are combined using the identified operator.
operator ccOperatorEnumType (required) Indicates whether the child <xccdf:check> and/or <xccdf:complex-check> elements of this <xccdf:complex-check> should be combined using an AND or OR operation.
Child Elements Type MinOccurs MaxOccurs
check checkType 1 see schema Instructions for a single test.
complex-check complexCheckType 1 see schema A child <xccdf:complex-check>, allowing another level of logic in combining component checks.
The two axes represent a pairwise combination of results. Order of evaluation will not matter. Possible results are abbreviated as follows: P = Pass, F = Fail, U = Unknown, E = Error, N = Not Applicable, K = Not Checked, S = Not Selected, I = Informational.
AND               || P | F | U | E | N | K | S | I ||
------------------||-------------------------------||
Pass (P)          || P | F | U | E | P | P | P | P ||
Fail (F)          || F | F | F | F | F | F | F | F ||
Unknown (U)       || U | F | U | U | U | U | U | U ||
Error (E)         || E | F | U | E | E | E | E | E ||
Notapplicable (N) || P | F | U | E | N | N | N | N ||
Notchecked (K)    || P | F | U | E | N | K | K | K ||
Notselected (S)   || P | F | U | E | N | K | S | S ||
Informational (I) || P | F | U | E | N | K | S | I ||
-----------------------------------------------------

OR                || P | F | U | E | N | K | S | I ||
------------------||-------------------------------||
Pass (P)          || P | P | P | P | P | P | P | P ||
Fail (F)          || P | F | U | E | F | F | F | F ||
Unknown (U)       || P | U | U | U | U | U | U | U ||
Error (E)         || P | E | U | E | E | E | E | E ||
Notapplicable (N) || P | F | U | E | N | N | N | N ||
Notchecked (K)    || P | F | U | E | N | K | K | K ||
Notselected (S)   || P | F | U | E | N | K | S | S ||
Informational (I) || P | F | U | E | N | K | S | I ||
-----------------------------------------------------

NOT || P | F | U | E | N | K | S | I ||
----||-------------------------------||
    || F | P | U | E | N | K | S | I ||
---------------------------------------
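The AND, OR and NOT tables above are enough to evaluate a nested <xccdf:complex-check>. The following is an added example, not part of the schema documentation: the sample XML, the check ids, the "urn:example:engine" system URI and the idea of receiving leaf results as a dict keyed by <xccdf:check> @id are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from functools import reduce

NS = "{http://checklists.nist.gov/xccdf/1.2}"
COLS = "PFUENKSI"  # column order used by the truth tables above

# Rows transcribed from the AND / OR / NOT tables above, one string per row.
AND = dict(zip(COLS, ["PFUEPPPP", "FFFFFFFF", "UFUUUUUU", "EFUEEEEE",
                      "PFUENNNN", "PFUENKKK", "PFUENKSS", "PFUENKSI"]))
OR = dict(zip(COLS, ["PPPPPPPP", "PFUEFFFF", "PUUUUUUU", "PEUEEEEE",
                     "PFUENNNN", "PFUENKKK", "PFUENKSS", "PFUENKSI"]))
NOT = dict(zip(COLS, "FPUENKSI"))

# Constructed sample: OR( pkg-absent, NOT( AND( svc-enabled, port-open ) ) ).
SAMPLE = """\
<complex-check xmlns="http://checklists.nist.gov/xccdf/1.2" operator="OR">
  <check id="pkg-absent" system="urn:example:engine">
    <check-content-ref href="checks.xml" name="pkg-absent"/>
  </check>
  <complex-check operator="AND" negate="true">
    <check id="svc-enabled" system="urn:example:engine">
      <check-content-ref href="checks.xml" name="svc-enabled"/>
    </check>
    <check id="port-open" system="urn:example:engine">
      <check-content-ref href="checks.xml" name="port-open"/>
    </check>
  </complex-check>
</complex-check>
"""


def xsd_bool(text):
    """xsd:boolean accepts 'true'/'1' and 'false'/'0'."""
    if text in ("true", "1"):
        return True
    if text in ("false", "0"):
        return False
    raise ValueError(f"not an xsd:boolean: {text!r}")


def combine(operator, a, b):
    """Look up one cell: row a, column b of the AND or OR table."""
    table = {"AND": AND, "OR": OR}[operator]
    return table[a][COLS.index(b)]


def evaluate(node, leaf_results):
    """Evaluate a <check> or <complex-check> element to a result letter.

    leaf_results maps <check> @id to the letter reported by the checking
    engine (hypothetical interface for this example).
    """
    if node.tag == NS + "check":
        result = leaf_results[node.get("id")]
    elif node.tag == NS + "complex-check":
        operator = node.get("operator")
        if operator not in ("AND", "OR"):
            raise ValueError("only AND and OR operators are supported")
        children = [c for c in node
                    if c.tag in (NS + "check", NS + "complex-check")]
        if not children:
            raise ValueError("complex-check needs at least one child")
        result = reduce(lambda a, b: combine(operator, a, b),
                        (evaluate(c, leaf_results) for c in children))
    else:
        raise ValueError(f"unexpected element {node.tag}")
    # @negate is applied last, after the children have been combined.
    return NOT[result] if xsd_bool(node.get("negate", "false")) else result


def evaluate_sample(leaf_results):
    return evaluate(ET.fromstring(SAMPLE), leaf_results)


def tables_are_order_independent():
    """True if AND and OR are commutative and associative over all results."""
    for op in ("AND", "OR"):
        for a in COLS:
            for b in COLS:
                if combine(op, a, b) != combine(op, b, a):
                    return False
                for c in COLS:
                    left = combine(op, combine(op, a, b), c)
                    if left != combine(op, a, combine(op, b, c)):
                        return False
    return True
```

Negation only swaps Pass and Fail: an Error or Unknown inside a negated <xccdf:complex-check> stays Error or Unknown, so a failing engine cannot be turned into a pass by @negate.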
== complexValueType ==
Data type that supports values that are lists of simple types. Each element in the list is represented by an instance of the <xccdf:item> child element. If there are no <xccdf:item> child elements then this represents an empty list.
Child Elements Type MinOccurs MaxOccurs
item xsd:string 0 unbounded A single item in the list of values.
== CPE2idrefType ==
Data type for <xccdf:platform> elements that do not need @override attributes. (I.e., <xccdf:platform> elements that are in structures that cannot be extended, such as <xccdf:TestResult> and <xccdf:Benchmark> elements.) This is used to identify the applicable target platform for its respective parent elements.
Attributes Type Comments
idref xsd:string (required) Should be a CPE 2.3 Applicability Language identifier using the Formatted String binding or the value of a <cpe:platform-specification> element's @id attribute, the latter acting as a reference to some expression defined using the CPE schema in the <xccdf:Benchmark> element's <cpe:platform-specification> element. The @idref may be a CPE Applicability Language identifier using the URI binding, although this is less preferred.
== dc-statusType ==
Data type element for the <xccdf:dc-status> element, which holds status information about its parent element using the Dublin Core format, expressed as elements of the DCMI Simple DC Element specification.
Child Elements Type MinOccurs MaxOccurs
xsd:any http://purl.org/dc/elements/1.1/ -- strict 1 unbounded
== factType ==
Data type for an <xccdf:fact> element, which holds information about a target system: a name-value pair with a type. The content of the element is the value, and the @name attribute indicates the name. The @name is in the form of a URI that indicates the nature of the fact. A table of defined fact URIs appears in section 6.6.3 of the XCCDF specification. Additional URIs may be defined by authors to indicate additional kinds of facts.
Attributes Type Comments
name xsd:anyURI (required) A URI that indicates the name of the fact.
type valueTypeType (optional -- default='boolean') The data type of the fact value.
Simple Content xsd:string
-- fixStrategyEnumType --
Allowed @strategy keyword values for an <xccdf:Rule> element's <xccdf:fix> or <xccdf:fixtext> elements. The values indicate the method or approach for fixing non-compliance with a particular <xccdf:Rule>.
Value Description
unknown Strategy not defined (default)
configure Adjust target configuration/settings
combination Combination of two or more approaches
disable Turn off or uninstall a target component
enable Turn on or install a target component
patch Apply a patch, hotfix, update, etc.
policy Remediation requires out-of-band adjustments to policies or procedures
restrict Adjust permissions, access rights, filters, or other access restrictions
update Install, upgrade or update the system
== fixTextType ==
Data type for the <xccdf:fixtext> element, which contains data that describes how to bring a target system into compliance with an <xccdf:Rule>. Each <xccdf:fixtext> element may be associated with one or more <xccdf:fix> elements through the @fixref attribute. The body holds explanatory text about the fix procedures.
Extends: htmlTextWithSubType
Attributes Type Comments
complexity ratingEnumType (optional -- default='unknown') The estimated complexity or difficulty of applying the fix to the target.
disruption ratingEnumType (optional -- default='unknown') An estimate of the potential for disruption or operational degradation that the application of this fix will impose on the target.
fixref xsd:NCName (optional) A reference to the @id of an <xccdf:fix> element.
reboot xsd:boolean (optional -- default='0') True if a reboot is known to be required and false otherwise.
strategy fixStrategyEnumType (optional -- default='unknown') The method or approach for making the described fix.
== fixType ==
Data type for the <xccdf:fix> element. The body of this element contains a command string, script, or other system modification statement that, if executed on the target system, can bring it into full, or at least better, compliance with this <xccdf:Rule>.
Attributes Type Comments
complexity ratingEnumType (optional -- default='unknown') The estimated complexity or difficulty of applying the fix to the target.
disruption ratingEnumType (optional -- default='unknown') An estimate of the potential for disruption or operational degradation that the application of this fix will impose on the target.
id xsd:NCName (optional) A local identifier for the element. It is optional for the @id to be unique; multiple <xccdf:fix> elements may have the same @id but different values for their other attributes. It is used primarily to allow <xccdf:fixtext> elements to be associated with one or more <xccdf:fix> elements
platform xsd:anyURI (optional) In case different fix scripts or procedures are required for different target platform types (e.g., different patches for Windows Vista and Windows 7), this attribute allows a CPE name or CPE applicability language expression to be associated with an <xccdf:fix> element. This should appear on an <xccdf:fix> when the content applies to only one platform out of several to which the <xccdf:Rule> could apply.
reboot xsd:boolean (optional -- default='0') True if a reboot is known to be required and false otherwise.
strategy fixStrategyEnumType (optional -- default='unknown') The method or approach for making the described fix.
system xsd:anyURI (optional) A URI that identifies the scheme, language, engine, or process for which the fix contents are written. Table 17 in the XCCDF specification defines several general-purpose URNs that may be used for this, and tool vendors and system providers may define and use target-specific URNs.
Child Elements Type MinOccurs MaxOccurs
sub subType 0 see schema Specifies an <xccdf:Value> or <xccdf:plain-text> element to be used for text substitution.
instance instanceFixType 0 see schema Designates a spot where the name of the instance should be substituted into the fix template to generate the final fix data. If the @context attribute is omitted, the value of the @context defaults to “undefined”.
-- groupIdType --
The format required for the @id property of <xccdf:Group> elements. xccdf_N_group_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string.
xccdf_[^_]+_group_.+
== groupType ==
Data type for the <xccdf:Group> element. A <xccdf:Group> element contains descriptive information about a portion of an <xccdf:Benchmark>, as well as <xccdf:Rule>, <xccdf:Value>, and/or other <xccdf:Group> elements
Extends: selectableItemType
Attributes Type Comments
id groupIdType (required) Unique element identifier; used by other elements to refer to this element.
Child Elements Type MinOccurs MaxOccurs
Value n/a 0 unbounded <xccdf:Value> elements that belong to this <xccdf:Group>.
Group n/a 0 see schema Sub-<xccdf:Groups> under this <xccdf:Group>.
Rule n/a 0 see schema <xccdf:Rule> elements that belong to this <xccdf:Group>.
signature signatureType 0 1 A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Group>.
== htmlTextType ==
The type for a string with optional XHTML elements and an @xml:lang attribute.
Attributes Type Comments
override xsd:boolean (optional -- default='0') Used to manage inheritance.
xml:lang n/a (optional)
Child Elements Type MinOccurs MaxOccurs
xsd:any http://www.w3.org/1999/xhtml -- skip 0 unbounded
== htmlTextWithSubType ==
The type for a string with optional XHTML elements, and an @xml:lang attribute.
Attributes Type Comments
override xsd:boolean (optional -- default='0') Used to manage inheritance.
xml:lang n/a (optional)
Child Elements Type MinOccurs MaxOccurs
sub subType 0 see schema Specifies an <xccdf:Value> or <xccdf:plain-text> element to be used for text substitution.
xsd:any http://www.w3.org/1999/xhtml -- skip 0 see schema
== identityType ==
Type for an <xccdf:identity> element in an <xccdf:TestResult>. It contains information about the system identity or user employed during application of the <xccdf:Benchmark>. If used, shall specify the name of the authenticated identity.
Attributes Type Comments
authenticated xsd:boolean (required) Whether the identity was authenticated with the target system during the application of the <xccdf:Benchmark>.
privileged xsd:boolean (required) Whether the identity was granted administrative or other special privileges beyond those of a normal user.
Simple Content xsd:string
== identType ==
Data type for the <xccdf:ident> element, a globally meaningful identifier for an <xccdf:Rule>. The body of <xccdf:ident> element is the name or identifier of a security configuration issue or vulnerability that the <xccdf:Rule> addresses. It has an associated URI that denotes the organization or naming scheme that assigned the name. By setting an <xccdf:ident> element on an <xccdf:Rule>, the <xccdf:Benchmark> author effectively declares that the <xccdf:Rule> instantiates, implements, or remediates the issue for which the name was assigned.
Attributes Type Comments
system xsd:anyURI (required) Denotes the organization or naming scheme that assigned the identifier.
Simple Content xsd:string
== idrefListType ==
Data type for elements that contain a list of references to other XCCDF elements.
Attributes Type Comments
idref xsd:NMTOKENS (required) A space-separated list of id values from other XCCDF elements.
== idrefType ==
Data type for elements that contain a reference to another XCCDF element
Attributes Type Comments
idref xsd:NCName (required) The id value of another XCCDF element.
== instanceFixType ==
Type for an <xccdf:instance> element which may appear in an <xccdf:fix> element. The <xccdf:instance> element inside an <xccdf:fix> element designates a spot where the name of the instance should be substituted into the fix template to generate the final fix data.
Attributes Type Comments context xsd:string (optional -- default='undefined') Describes the scope or significance of the instance content. The context attribute is intended to be informative and does not affect basic processing.
== instanceResultType ==
Type for an <xccdf:instance> element in an <xccdf:rule-result>. The content is a string, but the element may also have two attributes: @context and @parentContext. Both attributes are intended to provide hints as to the nature of the substituted content. The body of this type records the details of the target system instance for multiply instantiated <xccdf:Rule> elements.
Attributes Type Comments context xsd:string (optional -- default='undefined') Describes the scope or significance of the instance content.
parentContext xsd:string (optional) Used to express nested structure in instance context structures.
Simple Content xsd:string
-- interfaceHintType --
Allowed interface hint values. <xccdf:Value> elements may contain a hint or recommendation to a benchmark consumer or producer about how the user might select or adjust the <xccdf:Value>. This type enumerates the possible values of this hint.
Value Description
choice Multiple choice
textline Multiple lines of text
text Single line of text
date Date
datetime Date and time
== itemType ==
This abstract itemType represents the basic data shared by all <xccdf:Group>, <xccdf:Rule> and <xccdf:Value> elements. All elements in an itemType are optional, although each element that builds on the itemType may add its own elements, some of which will be required for that element.
Attributes Type Comments abstract xsd:boolean (optional -- default='false') If true, then this item is abstract and exists only to be extended. The use of this attribute for <xccdf:Group> elements is deprecated and should be avoided.
cluster-id xsd:NCName (optional) An identifier to be used as a means to identify (refer to) related items. It designates membership in a cluster of items, which are used for controlling items via <xccdf:Profile> elements. All the items with the same cluster identifier belong to the same cluster. A selector in an <xccdf:Profile> may refer to a cluster, thus making it easier for authors to create and maintain <xccdf:Profile> elements in a complex <xccdf:Benchmark>.
extends xsd:NCName (optional) The identifier of an item on which to base this item. If present, it must have a value equal to the @id attribute of another item. The use of this attribute for <xccdf:Group> elements is deprecated and should be avoided.
hidden xsd:boolean (optional -- default='false') Whether this item should be excluded from any generated documents; it may still be used during assessments.
Id xsd:ID (optional) An identifier used for referencing elements included in an XML signature
prohibitChanges xsd:boolean (optional -- default='false') Whether benchmark producers should prohibit changes to this item during tailoring. An author should use this when they do not want to allow end users to change the item.
xml:base n/a (optional)
xml:lang n/a (optional)
Child Elements Type MinOccurs MaxOccurs status n/a 0 unbounded Status of the item and date at which it attained that status. <xccdf:Benchmark> authors may use this element to record the maturity or consensus level for elements in the <xccdf:Benchmark>. If an item does not have an explicit <xccdf:status> given, then its status is that of its parent.
dc-status dc-statusType 0 unbounded Holds additional status information using the Dublin Core format.
version versionType 0 1 Version information about this item.
title textWithSubType 0 unbounded Title of the item. Every item should have an <xccdf:title>, because this helps people understand the purpose of the item.
description htmlTextWithSubType 0 unbounded Text that describes the item.
warning warningType 0 unbounded A note or caveat about the item intended to convey important cautionary information for the <xccdf:Benchmark> user (e.g., “Complying with this rule will cause the system to reject all IP packets”). If multiple <xccdf:warning> elements appear, benchmark consumers should concatenate them for generating reports or documents. Benchmark consumers may present this information in a special manner in generated documents.
question textType 0 unbounded Interrogative text to present to the user during tailoring. It may also be included into a generated document. For <xccdf:Rule> and <xccdf:Group> elements, the <xccdf:question> text should be a simple binary (yes/no) question because it is supporting the selection aspect of tailoring. For <xccdf:Value> elements, the <xccdf:question> should solicit the user to provide a specific value. Tools may also display constraints on values and any defaults as specified by the other <xccdf:Value> properties.
reference referenceType 0 unbounded References where the user can learn more about the subject of this item.
metadata metadataType 0 unbounded XML metadata associated with this item, such as sources, special information, or other details.
== messageType ==
Type for a message generated by the checking engine or XCCDF tool during <xccdf:Benchmark> testing. The message is contained in string format in the body of the element.
Attributes Type Comments severity msgSevEnumType (required) Denotes the seriousness of the message.
Simple Content xsd:string
== metadataType ==
Data type that supports inclusion of metadata about a document or element. This is particularly useful for facilitating the discovery and retrieval of XCCDF checklists from public repositories. When used, the contents of the <xccdf:metadata> element are expressed in XML. The <xccdf:Benchmark> element's metadata should contain information formatted using the Dublin Core Metadata Initiative (DCMI) Simple DC Element specification, as described in [DCES] and [DCXML]. Benchmark consumers should be prepared to process Dublin Core metadata in the <xccdf:metadata> element. Other metadata schemes, including ad-hoc elements, are also allowed, both in the <xccdf:Benchmark> and in other elements.
Child Elements Type MinOccurs MaxOccurs xsd:any ##other -- lax 1 unbounded
-- msgSevEnumType --
Allowed values to indicate the severity of messages from the checking engine. These values don't affect scoring themselves but are present merely to convey diagnostic information from the checking engine. Benchmark consumers may choose to log these messages or display them to the user.
Value Description
error Denotes a serious problem identified; test did not run.
warning Denotes a possible issue; test may not have run.
info Denotes important information about the tests.
== noticeType ==
Data type for an <xccdf:notice> element. <xccdf:notice> elements are used to include legal notices (licensing information, terms of use, etc.), copyright statements, warnings, and other advisory notices about this <xccdf:Benchmark> and its use. This information may be expressed using XHTML or may be a simple text expression. Each <xccdf:notice> element must have a unique identifier.
Attributes Type Comments id xsd:NCName (optional) The unique identifier for this <xccdf:notice>.
xml:base n/a (optional)
xml:lang n/a (optional)
Child Elements Type MinOccurs MaxOccurs xsd:any http://www.w3.org/1999/xhtml -- skip 0 unbounded
== overrideableCPE2idrefType ==
Data type for <xccdf:platform> elements that need @override attributes. (I.e., <xccdf:platform> elements that are in structures that can be extended, such as Items and <xccdf:Profile> elements.) This is used to identify the applicable target platform for its respective parent elements.
Extends: CPE2idrefType
Attributes Type Comments override xsd:boolean (optional -- default='0') Used to manage inheritance.
== overrideType ==
Type for an <xccdf:override> element in an <xccdf:rule-result>. This element is used to record manual modification or annotation of a particular <xccdf:rule-result>. All attributes and child elements are required. It will not always be the case that the <xccdf:new-result> value will differ from the <xccdf:old-result> value. They might match if an authority wished to make a remark on the result without changing it. If <xccdf:new-result> and <xccdf:old-result> differ, the <xccdf:result> element of the enclosing <xccdf:rule-result> must match the <xccdf:new-result> value.
Attributes Type Comments authority xsd:string (required) Name or other identification for the human principal authorizing the override.
time xsd:dateTime (required) When the override was applied.
Child Elements Type MinOccurs MaxOccurs old-result resultEnumType 1 1 The <xccdf:rule-result> status before this override.
new-result resultEnumType 1 1 The new, override <xccdf:rule-result> status.
remark textType 1 1 Rationale or explanation text for why or how the override was applied.
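The override rules above can be checked mechanically over a results file. The following is an added example, not part of the schema or the specification: it flags overrides with missing or empty required parts, checks that <xccdf:result> matches <xccdf:new-result> when the two results differ, and lists every override that changed a result so a reviewer can see who authorized it. The sample TestResult is constructed, and treating the override with the latest @time as the one in force is an assumption.

```python
"""Audit <xccdf:override> elements in an XCCDF 1.2 TestResult (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

X = "{http://checklists.nist.gov/xccdf/1.2}"
# The nine values of resultEnumType.
RESULTS = {"pass", "fail", "error", "unknown", "notapplicable",
           "notchecked", "notselected", "informational", "fixed"}

# Constructed sample: ids, names, dates and remarks are invented for illustration.
SAMPLE = """\
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_demo" end-time="2024-05-01T12:00:00Z">
  <rule-result idref="xccdf_org.example_rule_ssh-root-login">
    <result>pass</result>
    <override authority="A. Auditor" time="2024-05-02T09:00:00Z">
      <old-result>fail</old-result>
      <new-result>pass</new-result>
      <remark>Compensating control documented.</remark>
    </override>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_password-length">
    <result>fail</result>
    <override authority="B. Reviewer" time="2024-05-02T10:00:00Z">
      <old-result>fail</old-result>
      <new-result>notapplicable</new-result>
      <remark>Host uses smart cards only.</remark>
    </override>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_audit-enabled">
    <result>fail</result>
    <override authority="" time="2024-05-02T11:00:00Z">
      <old-result>fail</old-result>
      <new-result>fail</new-result>
    </override>
  </rule-result>
</TestResult>
"""


def _text(parent, tag):
    """Stripped text of a child element, or '' when the child is absent."""
    node = parent.find(X + tag)
    return (node.text or "").strip() if node is not None else ""


def _when(stamp):
    """Parse xsd:dateTime; values without a zone are assumed to be UTC (assumption)."""
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_overrides(xml_text):
    """Return (errors, changed): rule violations and overrides that changed a result."""
    errors, changed = [], []
    for rr in ET.fromstring(xml_text).iter(X + "rule-result"):
        rule, result, usable = rr.get("idref"), _text(rr, "result"), []
        for ov in rr.findall(X + "override"):
            fields = {"@authority": (ov.get("authority") or "").strip(),
                      "@time": (ov.get("time") or "").strip(),
                      "old-result": _text(ov, "old-result"),
                      "new-result": _text(ov, "new-result"),
                      "remark": _text(ov, "remark")}
            # All attributes and child elements of an override are required.
            empty = [name for name, value in fields.items() if not value]
            if empty:
                errors.append((rule, "missing or empty: " + ", ".join(empty)))
                continue
            old, new = fields["old-result"], fields["new-result"]
            if not {old, new} <= RESULTS:
                errors.append((rule, f"not a resultEnumType value: {old!r} -> {new!r}"))
                continue
            try:
                when = _when(fields["@time"])
            except ValueError:
                errors.append((rule, f"unparseable @time {fields['@time']!r}"))
                continue
            usable.append((when, old, new))
            if old != new:
                changed.append({"rule": rule, "old": old, "new": new,
                                "authority": fields["@authority"],
                                "time": fields["@time"], "remark": fields["remark"]})
        if usable:
            # Assumption: with several overrides, the one with the latest @time is in force.
            _, old, new = max(usable, key=lambda item: item[0])
            if old != new and result != new:
                errors.append((rule, f"result {result!r} does not match new-result {new!r}"))
    return errors, changed


if __name__ == "__main__":
    found, edits = audit_overrides(SAMPLE)
    for rule, problem in found:
        print("ERROR ", rule, problem)
    for e in edits:
        print("CHANGE", e["rule"], e["old"], "->", e["new"], "by", e["authority"])
```

An override that moves a result from fail to pass is valid XCCDF, which is why the function returns the changed results separately from the errors: they are review items, not schema violations.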
== paramType ==
Type for a parameter used in the <xccdf:model> element, which records scoring model information. The contents of this type represent a name-value pair, where the name is recorded in the @name attribute and the value appears in the element body. <xccdf:param> elements with equal values for the @name attribute may not appear as children of the same <xccdf:model> element.
Attributes Type Comments name xsd:NCName (required) The name associated with the contained value.
Simple Content xsd:string
== plainTextType ==
The data type for an <xccdf:plain-text> element, which is a reusable text block for reference by the <xccdf:sub> element. This allows text to be defined once and then reused multiple times. Each <xccdf:plain-text> element must have a unique id.
Attributes Type Comments id xsd:NCName (required) The unique identifier for this <xccdf:plain-text> element.
Simple Content xsd:string
-- profileIdType --
The format required for the @id property of <xccdf:Profile> elements. xccdf_N_profile_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string.
xccdf_[^_]+_profile_.+
== profileNoteType ==
Type for an <xccdf:profile-note> within an <xccdf:Rule>. This element contains text that describes special aspects of an <xccdf:Rule> relative to one or more <xccdf:Profile> elements. This allows an author to document things within <xccdf:Rule> elements that are specific to a given <xccdf:Profile>. This information might then be displayed to a reader based on the selection of a particular <xccdf:Profile>. The body text may include XHTML mark-up as well as <xccdf:sub> elements.
Attributes Type Comments tag xsd:NCName (required) The identifier of this note.
xml:lang n/a (optional)
Child Elements Type MinOccurs MaxOccurs sub subType 0 see schema Specifies an <xccdf:Value> or <xccdf:plain-text> element to be used for text substitution
xsd:any http://www.w3.org/1999/xhtml -- skip 0 see schema
== profileRefineRuleType ==
Type for the <xccdf:refine-rule> element in an <xccdf:Profile>. A <xccdf:refine-rule> element allows the author to select <xccdf:check> statements and override the @weight, @severity, and @role of an <xccdf:Rule>, <xccdf:Group>, or cluster of <xccdf:Rule> and <xccdf:Group> elements. Despite the name, this selector does apply for <xccdf:Group> elements and for clusters that include <xccdf:Group> elements, but it only affects their @weight attribute.
Attributes Type Comments idref xsd:NCName (required) The @id value of an <xccdf:Rule> or <xccdf:Group>, or the @cluster-id value of one or more <xccdf:Rule> or <xccdf:Group> elements.
role roleEnumType (optional) The new value for the identified <xccdf:Rule> element's @role property.
selector xsd:string (optional) Holds a selector value corresponding to the value of a @selector property in an <xccdf:Rule> element's <xccdf:check> element. If the selector specified does not match any of the @selector attributes specified on any of the <xccdf:check> children of an <xccdf:Rule>, then the <xccdf:check> child element without a @selector attribute is used. If there is no child without a @selector attribute, then that Rule would have no effective <xccdf:check> element.
severity severityEnumType (optional) The new value for the identified <xccdf:Rule> element's @severity property.
weight weightType (optional) The new value for the identified element's @weight property.
Child Elements Type MinOccurs MaxOccurs remark textType 0 unbounded Explanatory material or other prose.
== profileRefineValueType ==
Type for the <xccdf:refine-value> element in an <xccdf:Profile>. This element designates the <xccdf:Value> constraints to be applied during tailoring for an <xccdf:Value> element or the <xccdf:Value> members of a cluster.
Attributes Type Comments idref xsd:NCName (required) The @id value of an <xccdf:Value> or the @cluster-id value of one or more <xccdf:Value> elements
operator valueOperatorType (optional) The new value for the identified <xccdf:Value> element's @operator property.
selector xsd:string (optional) Holds a selector value corresponding to the value of a @selector property in an <xccdf:Value> element's child properties. Properties with a matching @selector are considered active and all other properties are inactive. This may mean that, after selector application, some classes of <xccdf:Value> properties will be completely inactive because none of those properties had a matching @selector. The only exception is the <xccdf:value> and <xccdf:complex-value> properties of an <xccdf:Value> element - if there is no <xccdf:value> or <xccdf:complex-value> property with a matching @selector value then the <xccdf:value>/<xccdf:complex-value> property with an empty or absent @selector attribute becomes active. If there is no such <xccdf:value> or <xccdf:complex-value>, then the first <xccdf:value> or <xccdf:complex-value> listed in the XML becomes active. This reflects the fact that all <xccdf:Value> elements require an active value property at all times.
Child Elements Type MinOccurs MaxOccurs remark textType 0 unbounded Explanatory material or other prose.
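The @selector rules of <xccdf:refine-rule> and <xccdf:refine-value> described above fall back silently: a selector that matches nothing leaves an <xccdf:Rule> on its default check or with no check at all, and moves an <xccdf:Value> to its default or first-listed value. The following added example (not code from the schema or specification) resolves both kinds of selector for one Profile and reports every refinement that did not match. The benchmark is constructed, the function names are hypothetical, and @extends inheritance between Profiles is not resolved.

```python
"""Resolve XCCDF 1.2 profile selectors and flag silent fallbacks (added example)."""
import xml.etree.ElementTree as ET

X = "{http://checklists.nist.gov/xccdf/1.2}"
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample: every id, selector and href below is invented for illustration.
BENCHMARK = f"""\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.example_profile_server">
    <title>Server</title>
    <refine-value idref="xccdf_org.example_value_min-length" selector="high"/>
    <refine-value idref="xccdf_org.example_value_lockout" selector="hihg"/>
    <refine-rule idref="xccdf_org.example_rule_password-length" selector="strict"/>
    <refine-rule idref="xccdf_org.example_rule_banner" selector="strict"/>
    <refine-rule idref="xccdf_org.example_rule_ssh-root" selector="strcit"/>
  </Profile>
  <Value id="xccdf_org.example_value_min-length">
    <value>8</value>
    <value selector="high">14</value>
  </Value>
  <Value id="xccdf_org.example_value_lockout">
    <value selector="low">10</value>
    <value selector="high">3</value>
  </Value>
  <Rule id="xccdf_org.example_rule_password-length">
    <check system="{OVAL}"><check-content-ref href="basic.xml"/></check>
    <check system="{OVAL}" selector="strict"><check-content-ref href="strict.xml"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_banner">
    <check system="{OVAL}"><check-content-ref href="banner.xml"/></check>
  </Rule>
  <Rule id="xccdf_org.example_rule_ssh-root">
    <check system="{OVAL}" selector="basic"><check-content-ref href="basic.xml"/></check>
    <check system="{OVAL}" selector="strict"><check-content-ref href="strict.xml"/></check>
  </Rule>
</Benchmark>
"""


def _sel(node):
    """An absent and an empty @selector are both treated as 'no selector'."""
    return node.get("selector") or ""


def effective_checks(rule, selector):
    """(how, checks) for a Rule: matching checks, else the default check, else none."""
    checks = rule.findall(X + "check")
    matched = [c for c in checks if selector and _sel(c) == selector]
    if matched:
        return "matched", matched
    default = [c for c in checks if _sel(c) == ""]
    return ("default", default) if default else ("none", [])


def effective_value(value, selector):
    """(how, element) for a Value: match, else default, else the first one listed."""
    vals = [c for c in value if c.tag in (X + "value", X + "complex-value")]
    hit = next((v for v in vals if selector and _sel(v) == selector), None)
    if hit is not None:
        return "matched", hit
    hit = next((v for v in vals if _sel(v) == ""), None)
    if hit is not None:
        return "default", hit
    return ("first-listed", vals[0]) if vals else ("none", None)


def resolve_profile(benchmark_xml, profile_id):
    """Map each refined item id to (kind, how, detail) for one Profile."""
    root = ET.fromstring(benchmark_xml)
    profile = next(p for p in root.iter(X + "Profile") if p.get("id") == profile_id)

    def targets(tag, idref):
        # @idref names an item @id or a @cluster-id shared by several items.
        return [i for i in root.iter(X + tag)
                if idref in (i.get("id"), i.get("cluster-id"))]

    out = {}
    for ref in profile.findall(X + "refine-value"):
        if ref.get("selector") is not None:
            for val in targets("Value", ref.get("idref")):
                how, el = effective_value(val, ref.get("selector"))
                out[val.get("id")] = ("value", how, el.text if el is not None else None)
    for ref in profile.findall(X + "refine-rule"):
        if ref.get("selector") is not None:
            for rule in targets("Rule", ref.get("idref")):
                how, checks = effective_checks(rule, ref.get("selector"))
                out[rule.get("id")] = ("check", how, len(checks))
    return out


def silent_fallbacks(resolved):
    """Refinements whose selector matched nothing; 'none' leaves a Rule with no check."""
    return {item: r for item, r in resolved.items() if r[1] != "matched"}


if __name__ == "__main__":
    resolved = resolve_profile(BENCHMARK, "xccdf_org.example_profile_server")
    for item, (kind, how, detail) in silent_fallbacks(resolved).items():
        print(f"{item}: {kind} selector not matched, outcome={how}, detail={detail}")
```

In the sample, the misspelled selectors leave the lockout Value at its first-listed setting of 10 and the ssh-root Rule with no effective check, neither of which produces a schema error.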
== profileSelectType ==
Type for the <xccdf:select> element in an <xccdf:Profile>. This element designates an <xccdf:Rule>, <xccdf:Group>, or cluster of <xccdf:Rule> and <xccdf:Group> elements and overrides the @selected attribute on the designated items, providing a means for including or excluding <xccdf:Rule> elements from an assessment.
Attributes Type Comments idref xsd:NCName (required) The @id value of an <xccdf:Rule> or <xccdf:Group>, or the @cluster-id value of one or more <xccdf:Rule> or <xccdf:Group> elements.
selected xsd:boolean (required) The new value for the indicated item's @selected property.
Child Elements Type MinOccurs MaxOccurs remark textType 0 unbounded Explanatory material or other prose.
== profileSetComplexValueType ==
Type for the <xccdf:set-complex-value> element in an <xccdf:Profile>. This element supports the direct specification of complex value types such as lists. Zero or more <xccdf:item> elements may appear as children of this element; if no child elements are present, this element represents an empty list. This overrides the <xccdf:value> and <xccdf:complex-value> element(s) of an <xccdf:Value> element.
Extends: complexValueType
Attributes Type Comments idref xsd:NCName (required) The @id value of an <xccdf:Value> or the @cluster-id value of one or more <xccdf:Value> elements
== profileSetValueType ==
Type for the <xccdf:set-value> element in an <xccdf:Profile>. This element supports the direct specification of simple value types such as numbers, strings, and boolean values. This overrides the <xccdf:value> and <xccdf:complex-value> element(s) of an <xccdf:Value> element.
Attributes Type Comments idref xsd:NCName (required) The @id value of an <xccdf:Value> or the @cluster-id value of one or more <xccdf:Value> elements
Simple Content xsd:string
== profileType ==
Data type for the <xccdf:Profile> element, which holds a specific tailoring of the <xccdf:Benchmark>. The main part of an <xccdf:Profile> is the selectors: <xccdf:select>, <xccdf:set-value>, <xccdf:set-complex-value>, <xccdf:refine-rule>, and <xccdf:refine-value>. An <xccdf:Profile> may also be signed with an XML-Signature.
Attributes Type Comments abstract xsd:boolean (optional -- default='false') If true, then this <xccdf:Profile> exists solely to be extended by other <xccdf:Profile> elements.
extends xsd:NCName (optional) The id of an <xccdf:Profile> on which to base this <xccdf:Profile>.
id profileIdType (required) Unique identifier for this <xccdf:Profile>.
Id xsd:ID (optional) An identifier used for referencing elements included in an XML signature.
note-tag xsd:NCName (optional) Tag identifier to specify which <xccdf:profile-note> element from an <xccdf:Rule> should be associated with this <xccdf:Profile>.
prohibitChanges xsd:boolean (optional -- default='false') Whether or not products should prohibit changes to this <xccdf:Profile>.
xml:base n/a (optional)
Child Elements Type MinOccurs MaxOccurs status n/a 0 unbounded Status of the <xccdf:Profile> and date at which it attained that status. Authors may use this element to record the maturity or consensus level of an <xccdf:Profile>. If the <xccdf:status> is not given explicitly, then the <xccdf:Profile> is taken to have the same status as its parent <xccdf:Benchmark>.
dc-status dc-statusType 0 unbounded Holds additional status information using the Dublin Core format.
version versionType 0 1 Version information about this <xccdf:Profile>.
title textWithSubType 1 unbounded Title of the <xccdf:Profile>.
description htmlTextWithSubType 0 unbounded Text that describes the <xccdf:Profile>.
reference referenceType 0 unbounded A reference where the user can learn more about the subject of this <xccdf:Profile>.
platform overrideableCPE2idrefType 0 unbounded A target platform for this <xccdf:Profile>.
select profileSelectType 0 see schema Select or deselect <xccdf:Group> and <xccdf:Rule> elements.
set-complex-value profileSetComplexValueType 0 see schema Set the value of an <xccdf:Value> to a list.
set-value profileSetValueType 0 see schema Set the value of an <xccdf:Value> to a simple data value.
refine-value profileRefineValueType 0 see schema Customize the properties of an <xccdf:Value>.
refine-rule profileRefineRuleType 0 see schema Customize the properties of an <xccdf:Rule> or <xccdf:Group>.
metadata metadataType 0 unbounded Metadata associated with this <xccdf:Profile>.
signature signatureType 0 1 A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Profile>.
-- ratingEnumType --
This type enumerates allowed rating values for the disruption and complexity properties of an <xccdf:Rule> element's <xccdf:fix> or <xccdf:fixtext> elements.
Value Description
unknown Rating unknown or impossible to estimate (default)
low Little or no potential for disruption, very modest complexity
medium Some chance of minor disruption, substantial complexity
high Likely to cause serious disruption, very complex
== referenceType ==
This element provides supplementary descriptive text for an XCCDF element. When used, it has either a simple string value or a value consisting of simple Dublin Core elements. If a bare string appears, then it is taken to be the string content for a Dublin Core title element. Multiple <xccdf:reference> elements may appear; a document generation processing tool may concatenate them, or put them into a reference list, and may choose to number them.
Attributes Type Comments href xsd:anyURI (optional) A URL pointing to the referenced resource.
override xsd:boolean (optional) Used to manage inheritance processing.
Child Elements Type MinOccurs MaxOccurs xsd:any http://purl.org/dc/elements/1.1/ -- lax 0 unbounded
-- resultEnumType --
Allowed result indicators for a test.
Value Description
pass The target system or system component satisfied all the conditions of the <xccdf:Rule>.
fail The target system or system component did not satisfy all the conditions of the <xccdf:Rule>.
error The checking engine could not complete the evaluation; therefore the status of the target’s compliance with the <xccdf:Rule> is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.
unknown The testing tool encountered some problem and the result is unknown. For example, a result of ‘unknown’ might be given if the testing tool was unable to interpret the output of the checking engine (the output has no meaning to the testing tool).
notapplicable The <xccdf:Rule> was not applicable to the target of the test. For example, the <xccdf:Rule> might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.
notchecked The <xccdf:Rule> was not evaluated by the checking engine. This status is designed for <xccdf:Rule> elements that have no check. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.
notselected The <xccdf:Rule> was not selected in the <xccdf:Benchmark>.
informational The <xccdf:Rule> was checked, but the output from the checking engine is simply information for auditors or administrators; it is not a compliance category. This status value is designed for <xccdf:Rule> elements whose main purpose is to extract information from the target rather than test the target.
fixed The <xccdf:Rule> had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).
-- roleEnumType --
Allowed checking and scoring roles for an <xccdf:Rule>.
Value Description
full If the <xccdf:Rule> is selected, then check it and let the result contribute to the score and appear in reports (default).
unscored If the <xccdf:Rule> is selected, then check it and include it in the test report, but give the result a status of informational and do not use the result in score computations.
unchecked Do not check the <xccdf:Rule>; just force the result status to notchecked.
-- ruleIdType --
The format required for the @id property of <xccdf:Rule> elements. xccdf_N_rule_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string.
xccdf_[^_]+_rule_.+
== ruleResultType ==
Type for the <xccdf:rule-result> element within an <xccdf:TestResult>. An <xccdf:rule-result> holds the result of applying an <xccdf:Rule> from the <xccdf:Benchmark> to a target system or component of a target system.
Attributes Type Comments idref xsd:NCName (required) The value of the @id property of an <xccdf:Rule>. This <xccdf:rule-result> reflects the result of applying this <xccdf:Rule> to a target or target component.
role roleEnumType (optional) The value of the @role property of the referenced <xccdf:Rule>.
severity severityEnumType (optional) The value of the @severity property of the referenced <xccdf:Rule>.
time xsd:dateTime (optional) Time when application of this instance of the referenced <xccdf:Rule> was completed.
version xsd:string (optional) The value of the @version property of the referenced <xccdf:Rule>.
weight weightType (optional) The value of the @weight property of the referenced <xccdf:Rule>.
Child Elements Type MinOccurs MaxOccurs result resultEnumType 1 1 Result of applying the referenced <xccdf:Rule> to a target or target component. (E.g., Pass, Fail, etc.)
override overrideType 0 unbounded An XML block explaining how and why an auditor chose to override the result.
ident identType 0 unbounded A long-term globally meaningful identifier for the issue, vulnerability, platform, etc. copied from the referenced <xccdf:Rule>.
metadata metadataType 0 unbounded XML metadata associated with this <xccdf:rule-result>.
message messageType 0 unbounded Diagnostic messages from the checking engine. These elements do not affect scoring; they are present merely to convey diagnostic information from the checking engine.
instance instanceResultType 0 unbounded Name of the target subsystem or component to which this result applies, for a multiply instantiated <xccdf:Rule>. The element is important for an <xccdf:Rule> that applies to components of the target system, especially when a target might have several such components, and where the @multiple attribute of the <xccdf:Rule> is set to true.
fix fixType 0 unbounded Fix script for this target platform, if available (would normally appear only for result values of “fail”). It is assumed to have been ‘instantiated’ by the testing tool and any substitutions or platform selections already made.
check checkType 0 unbounded Encapsulated or referenced results of detailed testing output from the checking engine (if any).
complex-check complexCheckType 0 1 A copy of the <xccdf:Rule> element’s <xccdf:complex-check> element where each component <xccdf:check> element of the <xccdf:complex-check> element holds the encapsulated or referenced results of detailed testing output from the checking engine (if any), as described in the <xccdf:rule-result> <xccdf:check> property.
== ruleType ==
Data type for the <xccdf:Rule> element that represents a specific <xccdf:Benchmark> test.
Extends: selectableItemType
Attributes Type Comments id ruleIdType (required) Unique element identifier used by other elements to refer to this element.
multiple xsd:boolean (optional -- default='false') Applicable in cases where there are multiple instances of a target. For example, an <xccdf:Rule> may provide a recommendation about the configuration of application user accounts, but an application may have many user accounts. Each account would be considered an instance of the broader assessment target of user accounts. If the @multiple attribute is set to true, each instance of the target to which the <xccdf:Rule> can apply should be tested separately and the results should be recorded separately. If @multiple is set to false, the test results of such instances should be combined. If the checking system does not combine these results automatically, the results of each instance should be ANDed together to produce a single result. If the benchmark consumer cannot perform multiple instantiation, or if multiple instantiation of the <xccdf:Rule> is not applicable for the target system, then the benchmark consumer may ignore this attribute.
role roleEnumType (optional -- default='full') The <xccdf:Rule> element’s role in scoring and reporting.
severity severityEnumType (optional -- default='unknown') Severity level code to be used for metrics and tracking.
Child Elements Type MinOccurs MaxOccurs ident identType 0 unbounded A globally meaningful identifier for this <xccdf:Rule>. This may be the name or identifier of a security configuration issue or vulnerability that the <xccdf:Rule> assesses.
impact-metric xsd:string 0 1 The potential impact of failure to conform to the <xccdf:Rule>, expressed as a CVSS 2.0 base vector.
Deprecated As Of Version: 1.2
Reason: The <xccdf:impact-metric> property was found to be of little use in the anticipated XCCDF use-cases.
Comment: While there is no direct replacement for this property, authors seeking to include equivalent information can use an <xccdf:Rule> element's <xccdf:metadata> property to hold this information.
profile-note profileNoteType 0 unbounded Text that describes special aspects of the <xccdf:Rule> related to one or more <xccdf:Profile> elements. This allows an author to document things within <xccdf:Rule> elements that are specific to a given <xccdf:Profile>, and then select the appropriate text based on the selected <xccdf:Profile> and display it to the reader.
fixtext fixTextType 0 unbounded Data that describes how to bring a target system into compliance with this <xccdf:Rule>.
fix fixType 0 unbounded A command string, script, or other system modification statement that, if executed on the target system, can bring it into full, or at least better, compliance with this <xccdf:Rule>.
check checkType 0 unbounded The definition of, or a reference to, the target system check needed to test compliance with this <xccdf:Rule>. Sibling <xccdf:check> elements must have different values for the combination of their @selector and @system attributes, and must have different values for their @id attribute (if any).
complex-check complexCheckType 0 1 A boolean expression composed of operators (and, or, not) and individual checks.
signature signatureType 0 1 A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Rule>.
== scoreType ==
Type for a score value in an <xccdf:TestResult>.
Attributes Type Comments maximum xsd:decimal (optional) The maximum possible score value that could have been achieved under the named scoring system.
system xsd:anyURI (optional) A URI indicating the scoring model used to create this score.
Simple Content xsd:decimal
== selChoicesType ==
The type of the <xccdf:choices> element, which specifies a list of legal or suggested choices for an <xccdf:Value> object.
Attributes Type Comments mustMatch xsd:boolean (optional) True if the listed choices are the only permissible settings for the given <xccdf:Value>. False if choices not specified in this <xccdf:choices> element are acceptable settings for this <xccdf:Value>.
selector xsd:string (optional -- default='') This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of the <xccdf:Rule>. If no selectors are specified for a given <xccdf:Value> by <xccdf:Profile> elements or manual tailoring, an <xccdf:choices> element with an empty or non-existent @selector attribute is activated. If a selector is applied that does not match the @selector attribute of any <xccdf:choices> element, then no <xccdf:choices> element is considered activated.
Child Elements Type MinOccurs MaxOccurs choice xsd:string 1 see schema A single choice holding a simple type. (I.e., number, string, or boolean.)
complex-choice complexValueType 1 see schema A single choice holding a list of simple types.
== selComplexValueType ==
Data type that supports values that are lists of simple types with an associated @selector attribute used in tailoring.
Extends: complexValueType
Attributes Type Comments selector xsd:string (optional -- default='') This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of this property. If no selectors are specified for a given item by <xccdf:Profile> elements or manual tailoring, properties with empty or non-existent @selector attributes are activated. If a selector is applied that does not match the @selector attribute of any of a given type of property, then no <xccdf:choices> element is considered activated. The only exception is the <xccdf:value> and <xccdf:complex-value> properties of an <xccdf:Value> element - if there is no <xccdf:value> or <xccdf:complex-value> property with a matching @selector value then the <xccdf:value>/<xccdf:complex-value> property with an empty or absent @selector attribute becomes active. If there is no such <xccdf:value> or <xccdf:complex-value>, then the first <xccdf:value> or <xccdf:complex-value> listed becomes active. This reflects the fact that all <xccdf:Value> elements require an active value property at all times.
== selectableItemType ==
This abstract item type represents the basic data shared by all <xccdf:Group> and <xccdf:Rule> elements.
Extends: itemType
Attributes Type Comments selected xsd:boolean (optional -- default='true') If true, this <xccdf:Group>/<xccdf:Rule> is selected to be processed as part of the <xccdf:Benchmark> when it is applied to a target system. An unselected <xccdf:Group> does not get processed, and its contents are not processed either (i.e., all descendants of an unselected <xccdf:Group> are implicitly unselected). An unselected <xccdf:Rule> is not checked and does not contribute to scoring.
weight weightType (optional -- default='1.0') The relative scoring weight of this <xccdf:Group>/<xccdf:Rule>, for computing a score, expressed as a non-negative real number. It denotes the importance of an <xccdf:Group>/<xccdf:Rule>. Under some scoring models, scoring is computed independently for each collection of sibling <xccdf:Group> and <xccdf:Rule> elements, then normalized as part of the overall scoring process.
Child Elements Type MinOccurs MaxOccurs
rationale htmlTextWithSubType 0 unbounded Descriptive text giving rationale or motivations for abiding by this <xccdf:Group>/<xccdf:Rule> (i.e., why it is important to the security of the target platform).
platform overrideableCPE2idrefType 0 unbounded Platforms to which this <xccdf:Group>/<xccdf:Rule> applies.
requires idrefListType 0 unbounded The identifiers of other <xccdf:Group> or <xccdf:Rule> elements that must be selected for this <xccdf:Group>/<xccdf:Rule> to be evaluated and scored properly. Each <xccdf:requires> element specifies a list of one or more required items by their identifiers. If at least one of the specified <xccdf:Group> or <xccdf:Rule> elements is selected, the requirement is met.
conflicts idrefType 0 unbounded The identifier of another <xccdf:Group> or <xccdf:Rule> that must be unselected for this <xccdf:Group>/<xccdf:Rule> to be evaluated and scored properly. Each <xccdf:conflicts> element specifies a single conflicting item using its idref attribute. If the specified <xccdf:Group> or <xccdf:Rule> element is not selected, the requirement is met.
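The selection and dependency rules above can be checked mechanically before a benchmark or tailoring is used for an assessment. The following is an added example, not part of the schema or the specification; the benchmark fragment and its identifiers are constructed (and omit the other required <xccdf:Benchmark> children), and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
GROUP, RULE = XCCDF + "Group", XCCDF + "Rule"

# Constructed fragment; identifiers are illustrative only.
SAMPLE_BENCHMARK = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_demo">
  <Group id="xccdf_org.example_group_ssh" selected="false">
    <Rule id="xccdf_org.example_rule_ssh_no_root" selected="true"/>
  </Group>
  <Group id="xccdf_org.example_group_logging">
    <Rule id="xccdf_org.example_rule_auditd_enabled" selected="false"/>
    <Rule id="xccdf_org.example_rule_rsyslog_enabled" selected="false"/>
    <Rule id="xccdf_org.example_rule_log_perms">
      <requires idref="xccdf_org.example_rule_auditd_enabled xccdf_org.example_rule_rsyslog_enabled"/>
    </Rule>
    <Rule id="xccdf_org.example_rule_journald_only">
      <conflicts idref="xccdf_org.example_rule_log_perms"/>
    </Rule>
  </Group>
</Benchmark>
"""


def load_benchmark(xml_text):
    return ET.fromstring(xml_text)


def _flag(el):
    # @selected is xsd:boolean and defaults to 'true'.
    return el.get("selected", "true").strip() in ("true", "1")


def effective_selection(root):
    """Map item id -> selected, treating every descendant of an unselected
    Group as implicitly unselected."""
    selection = {}

    def walk(parent, parent_selected):
        for child in parent:
            if child.tag in (GROUP, RULE):
                selected = parent_selected and _flag(child)
                selection[child.get("id")] = selected
                if child.tag == GROUP:
                    walk(child, selected)

    walk(root, True)
    return selection


def unmet_dependencies(root):
    """List (item id, kind, referenced ids) for selected items whose
    <requires> or <conflicts> condition is not met."""
    selection = effective_selection(root)
    findings = []
    for item in root.iter():
        if item.tag not in (GROUP, RULE) or not selection.get(item.get("id"), False):
            continue
        for req in item.findall(XCCDF + "requires"):
            ids = req.get("idref", "").split()
            # Met if at least one listed item is selected.
            if not any(selection.get(i, False) for i in ids):
                findings.append((item.get("id"), "requires", ids))
        for con in item.findall(XCCDF + "conflicts"):
            # Met only if the single referenced item is not selected.
            if selection.get(con.get("idref"), False):
                findings.append((item.get("id"), "conflicts", [con.get("idref")]))
    return findings
```

Running the check after tailoring shows which selected rules can no longer be evaluated and scored properly, which is easy to miss when a profile unselects a whole group.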
== selNumType ==
This type is for an element that has numeric content and a @selector attribute for use during tailoring.
Attributes Type Comments
selector xsd:string (optional -- default='') This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of this property. If no selectors are specified for a given property by <xccdf:Profile> elements or manual tailoring, properties with empty or non-existent @selector attributes are activated. If a selector is applied that does not match the @selector attribute of any of a given type of property, then no property of that type is considered activated.
Simple Content xsd:decimal
== selStringType ==
This type is for an element that has string content and a @selector attribute for use in tailoring.
Attributes Type Comments
selector xsd:string (optional -- default='') This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of this property. If no selectors are specified for a given property by <xccdf:Profile> elements or manual tailoring, properties with empty or non-existent @selector attributes are activated. If a selector is applied that does not match the @selector attribute of any of a given type of property, then no property of that type is considered activated. The only exception is the <xccdf:value> and <xccdf:complex-value> properties of an <xccdf:Value> element - if there is no <xccdf:value> or <xccdf:complex-value> property with a matching @selector value then the <xccdf:value>/<xccdf:complex-value> property with an empty or absent @selector attribute becomes active. If there is no such <xccdf:value> or <xccdf:complex-value>, then the first <xccdf:value> or <xccdf:complex-value> listed in the XML becomes active. This reflects the fact that all <xccdf:Value> elements require an active value property at all times.
Simple Content xsd:string
-- severityEnumType --
Allowed severity values for the @severity attribute of an <xccdf:Rule>. The value of this attribute provides an indication of the importance of the <xccdf:Rule> element's recommendation. This information is informative only and does not affect scoring.
Value Description
unknown
Severity not defined (default).
info
<xccdf:Rule> is informational and failure does not represent a problem.
low
Not a serious problem.
medium
Fairly serious problem.
high
A grave or critical problem.
== signatureType ==
The type of an <XMLDSig:signature> element, which holds an enveloped digital signature asserting authorship and allowing verification of the integrity of associated data (e.g., its parent element, other documents, portions of other documents).
Child Elements Type MinOccurs MaxOccurs
xsd:any http://www.w3.org/2000/09/xmldsig# -- skip 1 1
-- statusType --
The statusType represents the possible levels of maturity or consensus level for its parent element as recorded by an <xccdf:status> element.
Value Description
accepted
Released as final
deprecated
No longer needed
draft
Released in draft state
incomplete
Under initial development
interim
Revised and in the process of being finalized
== subType ==
The type used for <xccdf:sub> elements. The <xccdf:sub> element identifies replacement content that should appear in place of the <xccdf:sub> element during text substitution. The subType consists of a regular idrefType with an additional @use attribute to dictate the behavior of the <xccdf:sub> element under substitution. When the @idref is to an <xccdf:Value>, the @use attribute indicates whether the <xccdf:Value> element's title or value should replace the <xccdf:sub> element. The @use attribute is ignored when the @idref is to an <xccdf:plain-text> element; the body of the <xccdf:plain-text> element is always used to replace the <xccdf:sub> element.
Extends: idrefType
Attributes Type Comments
use subUseEnumType (optional -- default='value') Dictates the nature of the content inserted under text substitution processing.
-- subUseEnumType --
This holds the possible values of the @use attribute within an <xccdf:sub> element. The @use attribute is only applicable when the subType's @idref attribute holds the value of the @id of an <xccdf:Value> element.
Value Description
value
Replace with the selected <xccdf:value> or <xccdf:complex-value> of an <xccdf:Value>.
title
Replace with the <xccdf:title> of the <xccdf:Value>.
legacy
Use the context-dependent processing of <xccdf:sub> elements outlined in XCCDF 1.1.4.
== tailoringBenchmarkReferenceType ==
Identifies the <xccdf:Benchmark> to which an <xccdf:Tailoring> element applies.
Extends: benchmarkReferenceType
Attributes Type Comments
version xsd:string (optional) Identifies the version of the referenced <xccdf:Benchmark>.
-- tailoringIdType --
The format required for the @id property of <xccdf:Tailoring> elements. xccdf_N_tailoring_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string.
xccdf_[^_]+_tailoring_.+
== tailoringReferenceType ==
Type for the <xccdf:tailoring> element within an <xccdf:TestResult>. This element is used to indicate the identity and location of an <xccdf:Tailoring> file that was used to create the assessment results.
Attributes Type Comments
href xsd:anyURI (required) The URI of the <xccdf:Tailoring> file's location.
id xsd:NCName (required) The <xccdf:Tailoring> element's @id value.
time xsd:dateTime (required) The value of the @time attribute in the <xccdf:Tailoring> element's <xccdf:version> property.
version xsd:string (required) The value of the <xccdf:Tailoring> element's <xccdf:version> property.
== tailoringType ==
Data type for the <xccdf:Tailoring> element. The <xccdf:Tailoring> element allows named tailorings (i.e., <xccdf:Profile> elements) of an <xccdf:Benchmark> to be defined separately from the <xccdf:Benchmark> itself. The <xccdf:Profile> elements in an <xccdf:Tailoring> element can be used in two ways: First, an organization might wish to pre-define a set of tailoring actions to be applied on top of or instead of the tailoring performed by an <xccdf:Benchmark> element's <xccdf:Profile> elements. Second, an <xccdf:Tailoring> element can be used to record manual tailoring actions performed during the course of an assessment.
Attributes Type Comments
id tailoringIdType (required) Unique identifier for this element.
Id xsd:ID (optional) An identifier used for referencing elements included in an XML signature.
Child Elements Type MinOccurs MaxOccurs
benchmark tailoringBenchmarkReferenceType 0 1 Identifies the <xccdf:Benchmark> to which this tailoring applies. A <xccdf:Tailoring> document is only applicable to a single <xccdf:Benchmark>. Note, however, that this is a purely informative field.
status n/a 0 unbounded Status of the tailoring and date at which it attained that status. Authors may use this element to record the maturity or consensus level of an <xccdf:Tailoring> element.
dc-status dc-statusType 0 unbounded Holds additional status information using the Dublin Core format.
version tailoringVersionType 1 1 The version of this <xccdf:Tailoring> element, with a required @time attribute that records when the <xccdf:Tailoring> element was created. This timestamp is necessary because, under some circumstances, a copy of an <xccdf:Tailoring> document might be automatically generated. Without the version and timestamp, tracking of these automatically created <xccdf:Tailoring> documents could become problematic.
metadata metadataType 0 unbounded XML metadata for the <xccdf:Tailoring> element.
Profile n/a 1 unbounded <xccdf:Profile> elements that reference and customize sets of items in an <xccdf:Benchmark>.
signature signatureType 0 1 A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Tailoring>.
== tailoringVersionType ==
Type for version information about an <xccdf:Tailoring> element.
Attributes Type Comments
time xsd:dateTime (required) The time when this version of the <xccdf:Tailoring> document was completed.
Simple Content xsd:string
== targetFactsType ==
Data type for the <xccdf:target-facts> elements in <xccdf:TestResult> elements. A <xccdf:target-facts> element holds a list of named facts about the target system or platform. Each fact is an element of type factType. Each <xccdf:fact> must have a name, but duplicate names are allowed. (For example, if you had a fact about MAC addresses, and the target system had three NICs, then you'd need three instances of the "urn:xccdf:fact:ethernet:MAC" fact.)
Child Elements Type MinOccurs MaxOccurs
fact factType 0 unbounded A named fact about the target system or platform.
== targetIdRefType ==
Type for an <xccdf:target-id-ref> element in an <xccdf:TestResult> element. This element contains references to external structures with identifying information about the target of an assessment.
Attributes Type Comments
href xsd:string (required) Points to the external resource (e.g., a file) that contains the identifying information.
name xsd:string (optional) Identifies a specific structure within the referenced file. If the @name attribute is absent, the reference is to the entire resource indicated in the @href attribute.
system xsd:anyURI (required) Indicates the language in which this identifying information is expressed. If the identifying language uses XML namespaces, then the @system attribute for the language should be its namespace.
-- testresultIdType --
The format required for the @id property of <xccdf:TestResult> elements. xccdf_N_testresult_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string.
xccdf_[^_]+_testresult_.+
== testResultType ==
Data type for the <xccdf:TestResult> element, which holds the results of one application of the <xccdf:Benchmark>. The <xccdf:TestResult> element normally appears as the child of the <xccdf:Benchmark> element, although it may also appear as the top-level element of an XCCDF results document. XCCDF is not intended to be a database format for detailed results; the <xccdf:TestResult> element offers a way to store the results of individual tests in modest detail, with the ability to reference lower-level testing data. Although several of the child elements of this type technically support the @override attribute, the <xccdf:TestResult> element cannot be extended. Therefore, @override has no meaning within an <xccdf:TestResult> element and its children, and should not be used for them.
Attributes Type Comments
end-time xsd:dateTime (required) Time when testing was completed and the results recorded.
id testresultIdType (required) Unique identifier for this element.
Id xsd:ID (optional) An identifier used for referencing elements included in an XML signature.
start-time xsd:dateTime (optional) Time when testing began.
test-system xsd:string (optional) Name of the benchmark consumer program that generated this <xccdf:TestResult> element; should be either a CPE name or a CPE applicability language expression.
version xsd:string (optional) The version number string copied from the <xccdf:Benchmark> used to direct this assessment.
Child Elements Type MinOccurs MaxOccurs
benchmark benchmarkReferenceType 0 1 Reference to the <xccdf:Benchmark> for which the <xccdf:TestResult> records results. This property is required if this <xccdf:TestResult> element is the top-level element and optional otherwise.
tailoring-file tailoringReferenceType 0 1 The tailoring file element contains attributes used to identify an <xccdf:Tailoring> element used to guide the assessment reported on in this <xccdf:TestResult>. The tailoring element is required in an <xccdf:TestResult> if and only if an <xccdf:Tailoring> element guided the assessment recorded in the <xccdf:TestResult> or if the <xccdf:Tailoring> element records manual tailoring actions applied to this assessment.
title textType 0 unbounded Title of the test.
remark textType 0 unbounded A remark about the test, possibly supplied by the person administering the <xccdf:Benchmark> assessment.
organization xsd:string 0 unbounded The name of the organization or other entity responsible for applying this <xccdf:Benchmark> and generating this result. When multiple <xccdf:organization> elements are used to indicate multiple organization names in a hierarchical organization, the highest-level organization should appear first.
identity identityType 0 1 Information about the system identity or user employed during application of the <xccdf:Benchmark>. If used, specifies the name of the authenticated identity.
profile idrefType 0 1 The <xccdf:profile> element holds the value of the @id attribute of the <xccdf:Profile> selected to be used in the assessment reported on by this <xccdf:TestResult>. This <xccdf:Profile> might be from the <xccdf:Benchmark> or from an <xccdf:Tailoring> file, if used. This element should appear if and only if an <xccdf:Profile> was selected to guide the assessment.
target xsd:string 1 unbounded Name or description of the target system whose test results are recorded in the <xccdf:TestResult> element (the system to which an <xccdf:Benchmark> test was applied). Each appearance of the element supplies a name by which the target host or device was identified at the time the test was run. The name may be any string, but applications should include the fully qualified DNS name whenever possible.
target-address xsd:string 0 unbounded Network address of the target system to which an <xccdf:Benchmark> test was applied. Typical forms for the address include IP version 4 (IPv4), IP version 6 (IPv6), and Ethernet media access control (MAC).
target-facts targetFactsType 0 1 A list of named facts about the target system or platform.
target-id-ref targetIdRefType 0 see schema References to external structures with identifying information about the target of this assessment.
xsd:any ##other -- lax 0 see schema Identifying information expressed in other XML formats can be included here.
platform CPE2idrefType 0 unbounded A platform on the target system. There should be one instance of this property for every platform that the target system was found to meet.
set-value profileSetValueType 0 see schema Specific setting for a single <xccdf:Value> element used during the test.
set-complex-value profileSetComplexValueType 0 see schema Specific setting for a single <xccdf:Value> element used during the test when the given value is set to a complex type, such as a list.
rule-result ruleResultType 0 unbounded The result of a single instance of an <xccdf:Rule> application against the target. The <xccdf:TestResult> must include at least one <xccdf:rule-result> record for each <xccdf:Rule> that was selected in the resolved <xccdf:Benchmark>.
score scoreType 1 unbounded An overall score for this <xccdf:Benchmark> test.
metadata metadataType 0 unbounded XML metadata associated with this <xccdf:TestResult>.
signature signatureType 0 1 A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:TestResult>.
== textType ==
Type for a simple text string with an @override attribute for controlling inheritance.
Attributes Type Comments
override xsd:boolean (optional -- default='0') Used to manage inheritance.
xml:lang n/a (optional)
Simple Content xsd:string
== textWithSubType ==
Type for a string with embedded <xccdf:Value> substitutions and an @override attribute to help manage inheritance.
Attributes Type Comments
override xsd:boolean (optional -- default='0') Used to manage inheritance.
xml:lang n/a (optional)
Child Elements Type MinOccurs MaxOccurs
sub subType 0 unbounded Specifies an <xccdf:Value> or <xccdf:plain-text> element to be used for text substitution.
== uriRefType ==
Data type for elements that have no content and a single @uri attribute.
Attributes Type Comments
uri xsd:anyURI (required) A URI.
-- valueIdType --
The format required for the @id property of <xccdf:Value> elements. xccdf_N_value_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string.
xccdf_[^_]+_value_.+
-- valueOperatorType --
This type enumerates allowed values of the @operator property of <xccdf:Value> elements. The specific interpretation of these operators depends on the checking system used.
Value Description
equals
not equal
greater than
less than
greater than or equal
less than or equal
pattern match
== valueType ==
Data type for the <xccdf:Value> element, which is a named parameter that can be substituted into properties of other elements within the <xccdf:Benchmark>, including the interior of structured check specifications and fix scripts.
Extends: itemType
Attributes Type Comments
id valueIdType (required) The unique identifier for this element.
interactive xsd:boolean (optional -- default='0') Whether tailoring for this <xccdf:Value> should be performed during <xccdf:Benchmark> application. The benchmark consumer may ignore the attribute if asking the user is not feasible or not supported.
interfaceHint interfaceHintType (optional) A hint or recommendation to a benchmark consumer or producer about how the user might select or adjust the <xccdf:Value>.
operator valueOperatorType (optional -- default='equals') The operator to be used for comparing this <xccdf:Value> to some part of the test system’s configuration during <xccdf:Rule> checking.
type valueTypeType (optional -- default='string') The data type of the <xccdf:Value>. A tool may choose any convenient form to store an <xccdf:Value> element’s <xccdf:value> element, but the @type attribute conveys how the <xccdf:Value> should be treated for user input validation purposes during tailoring processing. The @type attribute may also be used to give additional guidance to the user or to validate the user’s input. In the case of a list of values, the @type attribute, if present, applies to all elements of the list individually.
Child Elements Type MinOccurs MaxOccurs
value selStringType 1 see schema A simple (number, string, or boolean) value associated with this <xccdf:Value>. At any time an <xccdf:Value> has one active (simple or complex) value. If a selector value has been provided under <xccdf:Profile> selection or tailoring then the active <xccdf:value>/<xccdf:complex-value> is the one with a matching @selector. If there is no provided selector or if the provided selector does not match the @selector attribute of any <xccdf:value> or <xccdf:complex-value>, the active <xccdf:value>/<xccdf:complex-value> is the one with an empty or absent @selector or, failing that, the first <xccdf:value> or <xccdf:complex-value> in the XML. When an <xccdf:Value> is exported or used in text substitution, it is the currently active <xccdf:value> or <xccdf:complex-value> that is actually used. If there are multiple <xccdf:value> and/or <xccdf:complex-value> elements, only one may omit a @selector attribute and no two may have the same @selector value.
complex-value selComplexValueType 1 see schema A complex (list) value associated with this <xccdf:Value>. See the description of the <xccdf:value> property for <xccdf:Rule> elements regarding activation of an <xccdf:complex-value>.
default selStringType 0 see schema The default value displayed to the user as a suggestion by benchmark producers during tailoring of this <xccdf:Value> element. (This is not the default value of an <xccdf:Value>; it is just the default display.) If there are multiple <xccdf:default> and/or <xccdf:complex-default> elements, only one may omit a @selector attribute and no two may have the same @selector value.
complex-default selComplexValueType 0 see schema The default <xccdf:complex-value> displayed to the user as a suggestion by benchmark producers during tailoring of this <xccdf:Value> element. (This is not the default value of an <xccdf:Value>; it is just the default display.) If there are multiple <xccdf:default> and <xccdf:complex-default> elements, only one may omit a @selector attribute and no two may have the same @selector value.
match selStringType 0 unbounded A Perl Compatible Regular Expression that a benchmark producer may apply during tailoring to validate a user’s input for the <xccdf:Value>. It uses implicit anchoring. It applies only when the @type property is “string” or “number” or a list of strings and/or numbers.
lower-bound selNumType 0 unbounded Minimum legal value for this <xccdf:Value>. It is used to constrain value input during tailoring, when the @type property is “number”. Values supplied by the user for tailoring the <xccdf:Benchmark> must be equal to or greater than this number.
upper-bound selNumType 0 unbounded Maximum legal value for this <xccdf:Value>. It is used to constrain value input during tailoring, when the @type is “number”. Values supplied by the user for tailoring the <xccdf:Benchmark> must be less than or equal to this number.
choices selChoicesType 0 unbounded A list of legal or suggested choices (values) for an <xccdf:Value> element, to be used during tailoring and document generation.
source uriRefType 0 unbounded URI indicating where the tool may acquire values, value bounds, or value choices for this <xccdf:Value> element. XCCDF does not attach any meaning to the URI; it may be an arbitrary community or tool-specific value, or a pointer directly to a resource. If several instances of the <xccdf:source> property appear, then they represent alternative means or locations for obtaining the value in descending order of preference (i.e., most preferred first).
signature signatureType 0 1 A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Value>.
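The selector fallback for <xccdf:value>/<xccdf:complex-value> and the tailoring constraints (<xccdf:match>, <xccdf:lower-bound>, <xccdf:upper-bound>) described above can be exercised as follows. This is an added example, not code from the schema or the specification; the sample <xccdf:Value> elements, their identifiers and the function names are constructed, and Python's re module stands in for a PCRE engine.

```python
import re
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample; the id, selectors and numbers are illustrative only.
SAMPLE = """
<Value xmlns="http://checklists.nist.gov/xccdf/1.2"
       id="xccdf_org.example_value_min_password_length" type="number">
  <value>12</value>
  <value selector="high">15</value>
  <match>[0-9]+</match>
  <lower-bound>8</lower-bound>
  <upper-bound>64</upper-bound>
</Value>
"""

# Constructed sample in which every <value> carries a @selector.
NO_UNSELECTORED = """
<Value xmlns="http://checklists.nist.gov/xccdf/1.2"
       id="xccdf_org.example_value_banner_text">
  <value selector="short">Authorized use only</value>
  <value selector="long">Authorized use only. Activity is monitored.</value>
</Value>
"""


def load(xml_text):
    return ET.fromstring(xml_text)


def active_value(value_el, selector=""):
    """Active <value>/<complex-value>: matching @selector, else the one with an
    empty or absent @selector, else the first one listed in the XML."""
    tags = (XCCDF + "value", XCCDF + "complex-value")
    candidates = [c for c in value_el if c.tag in tags]
    for wanted in (selector, ""):
        for c in candidates:
            if c.get("selector", "") == wanted:
                return c
    return candidates[0] if candidates else None


def active_props(value_el, name, selector=""):
    """Other selector-bearing properties get no fallback: only an exact
    @selector match is active ('' matches an empty or absent @selector)."""
    return [c for c in value_el.findall(XCCDF + name)
            if c.get("selector", "") == selector]


def validate_tailored(value_el, user_input, selector=""):
    """Return a list of constraint violations for a user-supplied value."""
    errors = []
    vtype = value_el.get("type", "string")
    if vtype in ("string", "number"):
        for m in active_props(value_el, "match", selector):
            # Implicit anchoring: the whole input must match the pattern.
            if re.fullmatch(m.text, user_input) is None:
                errors.append(f"does not match {m.text}")
    if vtype == "number":
        try:
            number = Decimal(user_input)
        except InvalidOperation:
            return errors + ["not a number"]
        for lb in active_props(value_el, "lower-bound", selector):
            if number < Decimal(lb.text):
                errors.append(f"below lower-bound {lb.text}")
        for ub in active_props(value_el, "upper-bound", selector):
            if number > Decimal(ub.text):
                errors.append(f"above upper-bound {ub.text}")
    return errors
```

With the selector "high", the sample's bounds and pattern carry no matching @selector and so are not activated, which leaves an input of 4 unconstrained; a benchmark that relies on bounds needs them declared for each selector it uses.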
-- valueTypeType --
Allowed data types for <xccdf:Value> elements: string, numeric, and boolean. A tool may choose any convenient form to store an <xccdf:Value> element’s <xccdf:value> element, but the @type conveys how the value should be treated for user input validation purposes during tailoring processing. The @type may also be used to give additional guidance to the user or to validate the user’s input. For example, if an <xccdf:value> element’s @type attribute is “number”, then a tool might choose to reject user tailoring input that is not composed of digits. In the case of a list of values, the @type applies to all elements of the list individually. Note that checking systems may have their own understanding of data types that may not be identical to the typing indicated in XCCDF.
Value Description
number
A numeric value. This may be decimal or integer.
string
Any character data
boolean
True/false
== versionType ==
Type for most <xccdf:version> elements.
Attributes Type Comments
time xsd:dateTime (optional) The time that this version of the associated element was completed.
update xsd:anyURI (optional) A URI indicating a location where updates to the associated element may be obtained.
Simple Content xsd:string
-- warningCategoryEnumType --
Allowed warning category keywords for the <xccdf:warning> element used in <xccdf:Rule> elements.
Value Description
general
Broad or general-purpose warning (default)
functionality
Warning about possible impacts to functionality or operational features
performance
Warning about changes to target system performance or throughput
hardware
Warning about hardware restrictions or possible impacts to hardware
legal
Warning about legal implications
regulatory
Warning about regulatory obligations or compliance implications
management
Warning about impacts to the management or administration of the target system
audit
Warning about impacts to audit or logging
dependency
Warning about dependencies between this element and other parts of the target system, or version dependencies
== warningType ==
Data type for the <xccdf:warning> element under the <xccdf:Rule> element. This element holds a note or caveat about the item intended to convey important cautionary information for the <xccdf:Benchmark> user.
Extends: htmlTextWithSubType
Attributes Type Comments
category warningCategoryEnumType (optional -- default='general') A hint as to the nature of the warning.
-- weightType --
Data type for an <xccdf:Rule> element's weight, a non-negative real number.
