Part of Digital Bond’s Bandolier project involves converting the Nessus security audit files into XCCDF and OVAL for use in other security tools. I had the opportunity this week to attend a class put on by MITRE that covers the standards and applications available for developing security benchmarks. It was very informative for helping distill the alphabet soup of acronyms and understanding how the different efforts relate. I left with a bunch of ideas for control system security. Some highlights for now…
XCCDF is an XML language for writing security checklists and benchmarks. It does not itself check configuration; it only defines the policy. It does, however, have the ability to link to lower-level standards (such as OVAL) to perform the compliance checks. XCCDF is also designed to produce human-readable documentation.
The Recommendation Tracker is an open source application that can generate XCCDF documents. Don’t be fooled by its innocuous name; it is a powerful collaborative tool. If you are tasked with managing security policy or security content of any kind, you should consider it even if you don’t intend to link to automated compliance checks. It has the ability to track rules, rationale, how-to information, and cross-references, among other things.
OVAL is the lower-level automated checking language that actually has the intelligence to know how and where to access the security configuration data. It can be linked with XCCDF rules, but it’s not the only checking language that can. Working on Bandolier, we’ve discovered that not all checks can be automated. There are some other emerging standards that address these cases where automation is not possible. OCIL is a framework for presenting questions to a user and interpreting responses. OCRL is a language that simply gathers information and presents it in a standard format. It could, for example, report a list of all the running services or all the user accounts in a particular security group. The user could then make a determination about the information in the report. Both OCIL and OCRL can be linked to XCCDF definitions and have XML structure and syntax similar to OVAL.
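As an added illustration of the split described above (policy in XCCDF, checking delegated to OVAL, and OCIL-backed rules left for a human), here is a small Python walk-through that is not code from this post or from the Bandolier project. It parses a constructed XCCDF 1.1 benchmark plus a constructed OVAL results document; the rule ids, definition ids and file names are made up.

```python
import xml.etree.ElementTree as ET

# Namespaces used by XCCDF 1.1 benchmarks, OVAL 5 content/results and OCIL 2.
XCCDF = "http://checklists.nist.gov/xccdf/1.1"
OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_RES = "http://oval.mitre.org/XMLSchema/oval-results-5"
OCIL = "http://scap.nist.gov/schema/ocil/2"

# Constructed benchmark: one rule checked by OVAL, one by an OCIL questionnaire.
BENCHMARK = f"""<Benchmark xmlns="{XCCDF}" id="example-benchmark">
  <Group id="services">
    <Rule id="rule-telnet-disabled" selected="true" severity="high">
      <title>Telnet service must be disabled</title>
      <check system="{OVAL_DEF}">
        <check-content-ref href="oval.xml" name="oval:org.example:def:1"/>
      </check>
    </Rule>
    <Rule id="rule-password-policy" selected="true" severity="medium">
      <title>Site password policy is documented</title>
      <check system="{OCIL}">
        <check-content-ref href="ocil.xml" name="ocil:org.example:questionnaire:1"/>
      </check>
    </Rule>
  </Group>
</Benchmark>"""

# Constructed OVAL results, shaped like what an OVAL interpreter reports.
OVAL_RESULTS = f"""<oval_results xmlns="{OVAL_RES}">
  <results><system><definitions>
    <definition definition_id="oval:org.example:def:1" result="false" version="1"/>
  </definitions></system></results>
</oval_results>"""


def load_oval_results(xml_text):
    """Map each OVAL definition id to the result string the interpreter reported."""
    root = ET.fromstring(xml_text)
    return {d.get("definition_id"): d.get("result") for d in root.iter(f"{{{OVAL_RES}}}definition")}


def evaluate_benchmark(benchmark_xml, oval_results):
    """Resolve every selected XCCDF Rule's check into an XCCDF result value."""
    outcome = {}
    for rule in ET.fromstring(benchmark_xml).iter(f"{{{XCCDF}}}Rule"):
        if rule.get("selected", "true") != "true":
            continue
        check = rule.find(f"{{{XCCDF}}}check")
        ref = check.find(f"{{{XCCDF}}}check-content-ref") if check is not None else None
        if check is not None and ref is not None and check.get("system") == OVAL_DEF:
            oval = oval_results.get(ref.get("name"))  # OVAL true/false -> pass/fail
            outcome[rule.get("id")] = {"true": "pass", "false": "fail"}.get(oval, "unknown")
        else:
            outcome[rule.get("id")] = "notchecked"  # OCIL or no check: needs a human
    return outcome
```

Because the OVAL interpreter reported the telnet definition as false, the first rule fails, while the OCIL-backed rule is left as notchecked until someone answers the questionnaire.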
The Benchmark Editor is a tool for creating and editing OVAL and XCCDF documents. It organizes all the elements in a tree structure that makes it easy to reuse content and manage complex relationships. I haven’t had the chance to deep-dive into this one yet, but I’m guessing we will be using it a lot to help with the Bandolier audit file conversions.
We’re just scratching the surface for now — there’s SCAP, CVE, CPE, CCE, WIT, and XCAT that play into this mix of security standards and tools in some form or fashion. We’ll get to all that. There are two primary angles I hope to cover in future related posts: 1.) How does all this relate to Bandolier? 2.) Outside of Bandolier, how can we leverage these standards to help with other control system security efforts?