diff --git a/SCAP/.gitignore b/SCAP/.gitignore
new file mode 100644
index 000000000..f6397cdb1
--- /dev/null
+++ b/SCAP/.gitignore
@@ -0,0 +1 @@
+*.xpr
diff --git a/SCAP/Makefile b/SCAP/Makefile
new file mode 100644
index 000000000..b40cdf534
--- /dev/null
+++ b/SCAP/Makefile
@@ -0,0 +1,65 @@
+XSLT = /usr/local/bin/saxon
+TIDY = /usr/local/bin/tidy
+VAL = java -Djava.protocol.handler.pkgs=sun.net.www.protocol -jar ~/Projects/scapval/scapval-1.3.5.jar
+
+DIR = ../build/All_rules
+
+all: inputs tidy XCCDF datastream report
+
+inputs:
+ # generate the HTML checklist document
+ ../scripts/generate_guidance.py -g ../baselines/all_rules.yaml 2>/dev/null
+ # generate the related OVAL content
+ ../scripts/yaml-to-oval.py ../baselines/all_rules.yaml
+ # outputs end up in ${DIR}
+
+tidy:
+ # de-louse the input HTML
+ # DO NOT use the treacherous -indent option
+ ${TIDY} --show-errors 0 \
+ --output-xml true \
+ --numeric-entities true \
+ --output-encoding utf8 \
+ --input-encoding utf8 \
+ --logical-emphasis true \
+ --drop-proprietary-attributes true \
+ --coerce-endtags true \
+ -output ${DIR}/all_rules.xhtml \
+ ${DIR}/all_rules.html || echo untidy
+
+XCCDF:
+ # generate the XCCDF document from the input
+ $(XSLT) -s:${DIR}/all_rules.xhtml \
+ -xsl:html-to-xccdf.xsl \
+ -o:${DIR}/xccdf.xml \
+ SCAP-version=1.3 \
+ id-namespace=content.mscp.nist.gov \
+ benchmark-id-suffix=macOS_11.0 \
+ OVAL-URI=${DIR}/All_rules.xml \
+ include-CPE=1
+ # the input OVAL document will be copied to a companion of the XCCDF document named 'oval.xml'
+ # a gratuitous OCIL document is provided
+ cp ocil.xml ${DIR}
+ cp macos-cpe-dictionary.xml ${DIR}
+ cp macos-cpe-oval.xml ${DIR}
+
+datastream:
+ # generate the SCAP data stream collection document
+ $(XSLT) -s:${DIR}/xccdf.xml \
+ -xsl:xccdf-to-ds.xsl \
+ -o:${DIR}/datastream.xml \
+ SCAP-version=1.3 \
+ id-namespace=content.mscp.nist.gov \
+ datastream-id-suffix=macOS_11.0 \
+ include-CPE=1
+
+report:
+ # generate an XCCDF report for quality assurance
+ $(XSLT) -s:${DIR}/xccdf.xml \
+ -xsl:xccdf-to-html.xsl \
+ -o:${DIR}/xccdf.html
+
+validate:
+ # validate the datastream using SCAP content validation tool
+ ( cd ${DIR}; ${VAL} -scapversion 1.3 -online -file datastream.xml >scapval-report.txt )
+ # See ${DIR}/validation-report.html for results
diff --git a/SCAP/README.md b/SCAP/README.md
new file mode 100644
index 000000000..758fb9adf
--- /dev/null
+++ b/SCAP/README.md
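Review bot: `all: inputs tidy XCCDF datastream report` relies on the order of that prerequisite list, but the hand-off between the steps (all_rules.html → all_rules.xhtml → xccdf.xml → datastream.xml, all under `${DIR}`) is never declared, so under `make -j` the steps can run in any order and consume a stale or missing file; chain the targets explicitly and declare them `.PHONY`, since none of them names a file it creates. Two recipes also hide the failures that later steps then build on: `2>/dev/null` in `inputs` discards the generator's errors, and `|| echo untidy` in `tidy` (presumably there because tidy exits non-zero on mere warnings) turns any tidy failure, including a missing input file, into success. In `validate`, `( cd ${DIR}; ${VAL} … )` should use `&&` so a failed `cd` does not run the validator in the source directory, and the closing comment points at `validation-report.html` while the redirect writes `scapval-report.txt`; confirm which file scapval actually produces. The hard-coded `~/Projects/scapval/scapval-1.3.5.jar` and `/usr/local/bin/…` paths would be easier to override from the command line as `?=` assignments.
```make
.PHONY: all inputs tidy XCCDF datastream report validate

all: inputs tidy XCCDF datastream report

# … unchanged: inputs recipe …

tidy: inputs
# … unchanged: tidy recipe …

XCCDF: tidy
# … unchanged: XCCDF recipe …

datastream: XCCDF
# … unchanged: datastream recipe …

report: XCCDF
# … unchanged: report recipe …

validate: datastream
# … unchanged: validate recipe …
```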
@@ -0,0 +1,46 @@
+# SCAP Content Generation
+
+Generation of SCAP content uses XSLT to create an XCCDF document with an accompanying OVAL document, bundled into an SCAP data stream collection document.
+
+Steps:
+
+- Generate the "all rules" variant of the checklist in HTML form.
+- Generate the "all rules" variant of the checklist in OVAL form.
+- Generate the XCCDF document using the "all rules" checklist and OVAL as inputs.
+- Generate the SCAP data stream document using the XCCDF and OVAL documents.
+- Generate a report from the XCCDF document to be used for quality checking.
+
+These steps are configured within the Makefile.
+
+## Dependencies
+
+The supplied Makefile relies on the following components:
+- HTML Tidy — [Tidy](http://www.html-tidy.org/) is an HTML/XML syntax checker and reformatter.
+
+- Saxon 10 — [Saxon](https://www.saxonica.com/products/products.xml) is an [XSLT 3.0](https://www.w3.org/TR/xslt-30/) implementation.
+The [HE](https://www.saxonica.com/products/PD10/HE.pdf) variant, which is open source, will suffice for the XSL transformations.
+
+### Optional components
+
+- SCAP Content Validation Tool (SCAPVal) — See
+[SCAP Content Validation Tool](https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3)
+under "Tools".
+Version 1.3.5 or later is required.
+
+## SCAP References
+
+[Security Content Automation Protocol (SCAP) 1.3](https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3 "SCAP 1.3")
+
+That page has links to most of the SCAP-related normative documents.
+
+An SCAP data stream (typically) consists of several XML documents knit together in a containing XML document.
+The component documents are
+- An XCCDF document
+- An OVAL document referenced by the XCCDF document
+- An OCIL document referenced by the XCCDF document
+- A CPE dictionary document referenced by the XCCDF document
+- An OVAL document referenced by the CPE dictionary document
+
+[National Checklist Program for IT Products: Guidelines for Checklist Users and Developers](https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final "National Checklist Program (NCP)")
+
+[National Checklist Program Repository](https://nvd.nist.gov/ncp/repository)
\ No newline at end of file
diff --git a/SCAP/SCAP-1.3.sch b/SCAP/SCAP-1.3.sch
new file mode 100644
index 000000000..dce930cc4
--- /dev/null
+++ b/SCAP/SCAP-1.3.sch
@@ -0,0 +1,78 @@ + + + This Schematron document asserts rules which are either mandatory or recommended by NIST SP 800-126 revision 3 as well as other normative documnents incorporated by + reference + + + + + + + + + + + + + SCAP data stream constraints + + <> must have @schematron-version set to "1.3" (since SCAP 1.3 conmtent must be validated using SCAP 1.3 schemata). + + + <> SHALL have @scap-version set to "1.3". See NIST SP 800-126 Revision 3 §3.1.1 Table 3. + + + + + + + <> missing a <cpe23-item>. See NISTIR 7275 Revision 4 §6.2.5 ¶3. + + + + + + XCCDF constraints + + Warning: < style=""> SHOULD have the value SCAP_1.3. See NIST SP + 800-126 Revision 3 §3.2.2 ¶1 item 4. + + + The element <> SHALL have an @xml:lang attribute. See NIST SP 800-126 Revision 3 §3.2.2 ¶1 item 3. + + + Warning: the @time attribute of the <> element SHOULD be used for a timestamp of when the benchmark was defined. See NIST SP + 800-126 Revision 3 §3.2.2 ¶1 item 1a. + + + Warning: the @update attribute of the <> element SHOULD be used for a URI that specifies where updates to the benchmark can be + obtained. See NIST SP 800-126 Revision 3 §3.2.2 ¶1 item 2. + + + < idref=""> is not a CPE 2.3 formatted string binding. See NISTIR 7275 Revision 4 §6.2.5 + ¶3. + + + + < idref=""> is not a CPE 2.3 formatted string binding. See NISTIR 7275 Revision 4 §6.2.5 + ¶3. + + + + OVAL constraints + + Warning: <></> should be 5.11.2. See NIST SP 800-126A §2.2. + + + diff --git a/SCAP/excise.xsl b/SCAP/excise.xsl new file mode 100644 index 000000000..91b120b05 --- /dev/null +++ b/SCAP/excise.xsl @@ -0,0 +1,17 @@ + + + + + + + + + + + + + + + + + diff --git a/SCAP/html-to-xccdf.xsl b/SCAP/html-to-xccdf.xsl new file mode 100644 index 000000000..4b3020b19 --- /dev/null +++ b/SCAP/html-to-xccdf.xsl 
@@ -0,0 +1,658 @@ + + + + + Created on: Jun 8, 2020 + Author: gapinski + See https://csrc.nist.gov/publications/detail/sp/800-126/rev-3/final 6.2.3§ + + + + + + + "namespace" for identifiers + See NISTIR 7275r4 §6.2.3 for an explanation of this value + + + + + + "namespace" reversed + See NISTIR 7275r4 §6.2.3 for an explanation of this value + + + + + + + Element Identifier suffix ("name") + See NISTIR 7275r4 §6.2.3 for an explanation of this value + + + + + + Created on: Jun 8, 2020 + Author: gapinski + + + + + + + target SCAP version + + + + + + + include CPE stuff + + + + + + + manufacture "all-rule" profile + + + + + + + Gratuitous references to SCAP standards may be included + + + + + + + Indent output document + + + + + + Origin of related OVAL definitions + + + + + + + UTC offset + + + + + + UTC date + + + + + + UTC dateTime + + + + + + Strip numeric prefix from titles + + + + + + + + + + + Created on: Jun 8, 2020 + Author: gapinski + Transform HTML-ized benchmark to XCCDF + + + + + + + + + + + + + New line character + + + + + + Default output mode + + + + + + Create the XCCDF document + + + + + + + + + + + + + + This is an SCAP {$SCAP-version} XCCDF document + + Created {$UTC-datetime} + + using {static-base-uri()} + + with {resolve-uri(base-uri())} as input + + and {resolve-uri($OVAL-URI)} as OVAL input + + The SCAP identifier "namespace" chosen for this XCCDF document is «{$xccdf-namespace}» («{$id-namespace}» reversed) + + + See https://www.w3.org/TR/xml-model/ for an explanation of the following processing instructions + + + + href="https://csrc.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd" + + schematypens="http://www.w3.org/2001/XMLSchema" + + title="XCCDF XML schema" + + + + + href="https://csrc.nist.gov/schema/xccdf/1.2/xccdf_1.2.sch" + + schematypens="http://purl.oclc.org/dsdl/schematron" phase="Benchmark" + + title="XCCDF Schematron schema" + + + + + + + xccdf_{$xccdf-namespace}_benchmark_{$benchmark-id-suffix} + SCAP_{$SCAP-version} + + + + + + draft 
+ + + + + + + + + + + + + + + + + + + + + + <front-matter> + Foreword + + + + + + <rear-matter> + Authors + Please refer to Dublin Core metadata. + Acronyms and Definitions + + + + + + + + + + + Applicable Documents + Please refer to XCCDF Benchmark references (i.e., ones which are children of the <Benchmark> + element). + + + + + https://csrc.nist.gov/publications/detail/nistir/7275/rev-4/final + + Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 + + + National Institute of Standards and Technology + + + + + + + https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3 + + Security Content Automation Protocol + + + National Institute of Standards and Technology + + + + + + https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-2 + + Security Content Automation Protocol + + + National Institute of Standards and Technology + + + + + + + macos-cpe-dictionary.xml + platform-cpe-dictionary + + + macos-cpe-oval.xml + platform-cpe-oval + + + + + cpe:2.3:o:apple:macos:11.0:*:*:*:*:*:*:* + + + + + + + + + {regex-group(2)}T00:00:00Z + + + + + + Cannot make sense of document version {regex-group(0)} + + + + + National Institute of Standards and Technology + + + National Institute of Standards and Technology + + + https://github.com/usnistgov/macos_security/releases/latest + + + {td[1]/p} — {td[2]/p} + + + + + + + + + + + xccdf_{$xccdf-namespace}_profile_{.} + {.} + + This profile selects all rules tagged as {.}. + + + + + xccdf_{$xccdf-namespace}_rule_{$id} + + + + + + + + + + + + xccdf_{$xccdf-namespace}_profile_all + + All + + + This profile includes all checklist rules. 
+ + + + + xccdf_{$xccdf-namespace}_rule_{$id} + + + + + + + + xccdf_{$xccdf-namespace}_group{child::h2/@id} + + + + + + + + + + + + + + + + + + + + + + + xccdf_{$xccdf-namespace}_rule_{$id} + + + + + + + + + + + + + + + + unchecked + + + full + + + unchecked + + + + + + + + + + + + + + + + + + + + +
+ This rule lacks a CCE designation (required for SCAP compliance). + +
+
+
+
+ + + + + + + + + + + + + https://nvd.nist.gov/800-53/Rev4/control/ + + + + + + + + + + + + + NIST SP 800-53r4 + + + + + + + + + + + + + + + + + + + + + + + + + + + + (no OVAL check(s) + + + + + + + + + + + + + + + + + + + AND + + + + + + + + + + + + +
+
+
+
+
+
+ + + Created on: Jun 8, 2020 + Author: gapinski + Transform non-namespaced HTML to namespaced HTML + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Created on: Jun 8, 2020 + Author: gapinski + Transform non-namespaced HTML to namespaced HTML + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Created on: Jun 8, 2020 + Author: gapinski + Transform non-namespaced HTML to namespaced HTML + + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/SCAP/macos-cpe-dictionary.xml b/SCAP/macos-cpe-dictionary.xml new file mode 100644 index 000000000..4133ceae4 --- /dev/null +++ b/SCAP/macos-cpe-dictionary.xml @@ -0,0 +1,22 @@ + + + + + + + + + + macOS Security Compliance Project + 2.3 + 2020-10-15T15:35:10Z + + + Apple macOS 11.0 + + This CPE Name represents macOS 11.0 + + oval:gov.nist.mscp.content.cpe.oval:def:1 + + + diff --git a/SCAP/macos-cpe-oval.xml b/SCAP/macos-cpe-oval.xml new file mode 100644 index 000000000..ed2813467 --- /dev/null +++ b/SCAP/macos-cpe-oval.xml @@ -0,0 +1,54 @@ + + + + macOS Security Compliance Project + 5.11.2 + 2020-10-15T15:35:10Z + + + + + Apple macOS 11.0 is installed + + macOS + + + The operating system installed on the system is Apple macOS Big Sur (11.0). + + + + + + + + + + + + + + + + + + + + + ProductVersion + /System/Library/CoreServices/SystemVersion.plist + 1 + + + + + macos + + + 11.0 + + + diff --git a/SCAP/ocil.xml b/SCAP/ocil.xml new file mode 100644 index 000000000..0ee073fe9 --- /dev/null +++ b/SCAP/ocil.xml @@ -0,0 +1,33 @@ + + + + Manual Labor + 1 + 2.0 + 2020-06-18T17:00:00Z + + + + Obtain a pass or a fail + + ocil:gov.nist.mscp.content:testaction:1 + + + + + + + PASS + + + FAIL + + + + + + Do you wish this checklist item to be considered to have passed? + + + diff --git a/SCAP/xccdf-to-ds.xsl b/SCAP/xccdf-to-ds.xsl new file mode 100644 index 000000000..275cdb112 --- /dev/null +++ b/SCAP/xccdf-to-ds.xsl 
@@ -0,0 +1,365 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + This is an SCAP {$SCAP-version} datastream collection document + + Created {$T} + + using {static-base-uri()} + + with {resolve-uri(base-uri())} as input + + The SCAP identifier "namespace" chosen for this data stream collection is «{$dsc-namespace}» («{$id-namespace}» reversed) + + + + See https://www.w3.org/TR/xml-model/ for an explanation of the following processing instruction + + + href="https://csrc.nist.gov/schema/scap/1.3/scap-source-data-stream_1.3.xsd" + + schematypens="http://www.w3.org/2001/XMLSchema" + + title="SCAP XML schema" + + + + + + See https://www.w3.org/TR/xml-stylesheet/ for an explanation of the following processing instruction + + + type="text/xsl" + + href="" + + title="" + + + + + + + + scap_{$dsc-namespace}_collection_{$datastream-id-suffix} + + + + + + + + + + + + + + + + + + + + + + + scap_{$dsc-namespace}_datastream_{$datastream-id-suffix} + + CONFIGURATION + + + + + + + + + scap_{$dsc-namespace}_cref_{$datastream-id-suffix}_{@href} + + + + # + + + + + + + + + + + + + + #scap_{$dsc-namespace}_cref_{$datastream-id-suffix}_{.} + + + + + + + + + + + + + + + + scap_{$dsc-namespace}_cref_{$datastream-id-suffix}_{tokenize(base-uri(), '/')[last()]} + + + # + + + + + + + + + + + + + # + + + + + + + + + + + + # + + + + + Original intra-XCCDF reference was «{.}» + + + Original intra-XCCDF reference was «{.}» relative to the XCCDF + document + + + + + + + + + + + + + + + + + + # + + + + + + + + + + + + + + + + + + # + + + + + + + + + + + + + This is the content from «{base-uri()}» + + + + + + + + + This is the content from «{resolve-uri(., $base)}» + + + + + + + + + + This is the content from «{resolve-uri(@href, $base)}» + + + + + + + This is the content from «{resolve-uri(., $base)}» + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/SCAP/xccdf-to-html.xsl b/SCAP/xccdf-to-html.xsl new file mode 100644 index 000000000..9f32296c1 --- /dev/null +++ b/SCAP/xccdf-to-html.xsl @@ -0,0 +1,432 @@ + + + + + + + + + + + <!DOCTYPE html> + + + + + <xsl:value-of select="title"/> + + + + + + +

+ +

+

+ This report prepared {$UTC-datetime}. +

+
ID: + + +
+

+ Version: {version}, {version/@time} + + + , updates are available from + + + + + + , updates are available from + + + +

+

+ Status: + + + + ({status/@date}) +

+

+ Description: + +

+

+ There are {count(//Rule)} rules. {count(//Rule[not(descendant::check[@system='http://oval.mitre.org/XMLSchema/oval-definitions-5'])])} lack an OVAL definition. +

+

There are profiles:

+
    + +
  • + + + + + + ({count(select[@selected cast as xs:boolean])} rules) +
    + Title: + + + +
    +
    + +
    + +
    + Extends + + . +
    +
    +
  • +
    +
+

Groups, Rules

+

+ + + Some rules are selected by default (are active unless specifically deselected by a Profile). + + + No rules are selected by default (must be selected in a Profile to be active). + + +

+ + + + + + + + + + + + + + + + + +
GroupProfiles
A indicates the rule is selected in the profile
RuleOVAL
+ +
+

Rule Details

+ + + +
+ + + + + + + + + + + + + ✓ + + + ⬦ + + + + + +
+ +
+ + + +
+ This rule is not scored! +
+
+
+ + + + +
+ This rule is not checked! +
+
+ +
+ + + + + + + + + +
+
+ +
+ +
+
+ +
+ (Lacks OVAL) +
+
+
+ + +
+ +

+ + + + +

+
+ + + +
+ + +

+ + + +

+
+ +

+ Lacks CCE. +

+
+
+

+ + Not selected by default. + + + + + Selected by profile {string-join($p,', ')}. + + + Not selected in any profile. + + +

+ + +

+ This rule is not checked! +

+
+ +

+ This rule is not scored! +

+
+
+

+ +

+ +
Warning:
+
+
+ +
+ +
+ Reference: + + + + + + + + + + + + +
+
+ +
+ +
+
+ +
+ +
+
+ +
+ Command + + (requires reboot ➜) + + : + + + +
+
+ + + +