Understanding the purpose of XCCDF and OVAL policies

When you download policies, you will often come across the terms Open Vulnerability and Assessment Language (OVAL) and eXtensible Configuration Checklist Description Format (XCCDF). Some security policies are only available in OVAL format, so it is worth taking a moment to consider these two file types.

First of all, it is important to state that they are not interchangeable—instead, they should be thought of as hierarchical in nature. At the lower level in the hierarchy is the OVAL file, which in essence describes all of the system-level checks that the OpenSCAP scanning engine should perform. This might, for example, consist of checking whether a given package is newer than a given version, as a known vulnerability might exist in the older one. Or it might be a check to ensure that an important system file such as /etc/passwd is owned by root.

These checks are all incredibly valuable when it comes to auditing a system's compliance against your security policy, but they might not be very readable for managers or security teams. They would be more interested in a high-level security policy, such as Verify Permissions on Important Files and Directories. Indeed, this check would almost certainly encompass the check on the ownership of /etc/passwd, along with a whole set of other vital system files such as /etc/group and /etc/shadow.

This is where the XCCDF format becomes relevant—this can be thought of as the next level in the hierarchy as it provides a set of human-readable security policies (along with valuable documentation and references) that would be useful to an audience such as a manager or information security team. These describe the state of a system in reference to the checks performed by the OVAL definition. The XCCDF files do not contain any check definitions for the scanning engine (for example, oscap)—instead, they reference the checks that have been written in the OVAL file and hence can be thought of as sitting on top of the OVAL files in the hierarchy.

Therefore, an OVAL file can be used for auditing purposes in isolation, but an XCCDF file cannot be used unless its corresponding OVAL file is present.

XCCDF files also contain a selection of scanning profiles that tell the scanning engine what your policy looks like, and hence what it should scan for. This will almost certainly mean only scanning for a subset of the checks that are present in the OVAL file.

The profiles available can easily be listed using the graphical SCAP Workbench tool or on the command line by using the oscap info command. An example of this command run against SSG for CentOS 7 is shown in the following screenshot:

Although the output has been truncated in the interests of space, you can clearly see the wide array of security profiles available for CentOS 7. You will notice in the screenshot that (for example) there are different profiles for CentOS 7 servers that run graphical user interfaces and for those that don't. This is because additional security measures are required on a graphical system to ensure that the X Windows subsystem is properly secured. There is a profile suitable for Payment Card Industry (PCI) environments and at the top, the most basic profile, which should be the minimum viable security policy suitable for just about any CentOS 7 server.

Once you know which profile you wish to use from your XCCDF policy file, you will specify it when you run the scan, and we shall explore this in greater detail in a later section, entitled Scanning the enterprise with OpenSCAP.

Before we conclude this section, it is important to state that OVAL files do not have profiles, and if you run an OVAL scan, you will automatically run all tests defined in the OVAL file on your system regardless of its purpose. This may be problematic: taking the CentOS 7 SSG OVAL file as an example, it contains tests for the security of the X Windows graphical subsystem. These tests will fail on a system that does not have a GUI installed, and so may present false positives in your scan results.
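To make the hierarchy concrete, the following added example (written for this section; it is not code from the book, from OpenSCAP or from the SSG project) parses a cut-down, constructed XCCDF benchmark and its companion OVAL file. It lists the profiles (the part of an XCCDF file that `oscap info` reports), resolves each rule a profile selects to the OVAL definition it references, confirms that every referenced definition actually exists in the OVAL file (the reason an XCCDF file is useless without its OVAL file), and shows which definitions an OVAL-only scan would run that no profile ever asked for. All element IDs, titles and file names in the samples are invented for illustration; real SSG content follows the same XCCDF 1.2 and OVAL 5 structure but is far larger, and the `selected_rules` helper ignores Group-level selection and other XCCDF refinements for brevity.

```python
"""Walk the XCCDF -> OVAL hierarchy on constructed sample documents."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
X = {"x": XCCDF_NS}  # namespace map for XCCDF XPath queries
O = {"o": OVAL_NS}   # namespace map for OVAL XPath queries

# Constructed, cut-down stand-in for an SSG XCCDF benchmark (not real SSG content):
# two profiles and three rules, each rule pointing at one definition in the OVAL file.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_centos7">
  <Profile id="xccdf_example_profile_standard">
    <title>Standard System Security Profile</title>
    <select idref="xccdf_example_rule_file_owner_etc_passwd" selected="true"/>
    <select idref="xccdf_example_rule_file_owner_etc_shadow" selected="true"/>
  </Profile>
  <Profile id="xccdf_example_profile_workstation">
    <title>Workstation (GUI) Security Profile</title>
    <select idref="xccdf_example_rule_file_owner_etc_passwd" selected="true"/>
    <select idref="xccdf_example_rule_file_owner_etc_shadow" selected="true"/>
    <select idref="xccdf_example_rule_xwindows_disabled" selected="true"/>
  </Profile>
  <Group id="xccdf_example_group_permissions">
    <title>Verify Permissions on Important Files and Directories</title>
    <Rule id="xccdf_example_rule_file_owner_etc_passwd" selected="false">
      <title>Verify /etc/passwd is owned by root</title>
      <check system="{OVAL_NS}"><check-content-ref href="sample-oval.xml" name="oval:example:def:1"/></check>
    </Rule>
    <Rule id="xccdf_example_rule_file_owner_etc_shadow" selected="false">
      <title>Verify /etc/shadow is owned by root</title>
      <check system="{OVAL_NS}"><check-content-ref href="sample-oval.xml" name="oval:example:def:2"/></check>
    </Rule>
  </Group>
  <Rule id="xccdf_example_rule_xwindows_disabled" selected="false">
    <title>Disable X Windows startup on servers without a GUI</title>
    <check system="{OVAL_NS}"><check-content-ref href="sample-oval.xml" name="oval:example:def:3"/></check>
  </Rule>
</Benchmark>"""

# Constructed stand-in for the OVAL file: four definitions, one of which (def:4)
# no XCCDF rule references, so only an OVAL-only scan would ever evaluate it.
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance"><metadata><title>/etc/passwd owned by root</title></metadata></definition>
    <definition id="oval:example:def:2" version="1" class="compliance"><metadata><title>/etc/shadow owned by root</title></metadata></definition>
    <definition id="oval:example:def:3" version="1" class="compliance"><metadata><title>X Windows not started by default</title></metadata></definition>
    <definition id="oval:example:def:4" version="1" class="compliance"><metadata><title>/etc/group owned by root</title></metadata></definition>
  </definitions>
</oval_definitions>"""


def list_profiles(xccdf_xml):
    """Return {profile_id: title}, the list `oscap info` prints for an XCCDF file."""
    root = ET.fromstring(xccdf_xml)
    return {p.get("id"): p.findtext("x:title", namespaces=X)
            for p in root.iterfind(".//x:Profile", X)}


def rule_oval_refs(xccdf_xml):
    """Map each Rule id to the OVAL definition id named by its check-content-ref."""
    root = ET.fromstring(xccdf_xml)
    refs = {}
    for rule in root.iterfind(".//x:Rule", X):
        ref = rule.find("x:check/x:check-content-ref", X)
        if ref is not None:
            refs[rule.get("id")] = ref.get("name")
    return refs


def selected_rules(xccdf_xml, profile_id):
    """Rules a profile selects: each Rule's own default, overridden by the
    Profile's <select> elements (Group-level selects are ignored here)."""
    root = ET.fromstring(xccdf_xml)
    chosen = {r.get("id") for r in root.iterfind(".//x:Rule", X)
              if r.get("selected", "true") == "true"}
    profile = root.find(f".//x:Profile[@id='{profile_id}']", X)
    if profile is None:
        raise KeyError(f"no such profile: {profile_id}")
    for sel in profile.iterfind("x:select", X):
        if sel.get("selected") == "true":
            chosen.add(sel.get("idref"))
        else:
            chosen.discard(sel.get("idref"))
    return sorted(chosen)


def oval_definition_ids(oval_xml):
    """Every definition id in the OVAL file: the full set an OVAL-only scan runs."""
    root = ET.fromstring(oval_xml)
    return {d.get("id") for d in root.iterfind(".//o:definition", O)}


def checks_for_profile(xccdf_xml, oval_xml, profile_id):
    """OVAL definitions the scanner would actually evaluate for one profile."""
    refs = rule_oval_refs(xccdf_xml)
    return sorted(refs[r] for r in selected_rules(xccdf_xml, profile_id) if r in refs)


def dangling_references(xccdf_xml, oval_xml):
    """OVAL ids named by XCCDF rules but missing from the OVAL file (a broken pairing)."""
    return sorted(set(rule_oval_refs(xccdf_xml).values()) - oval_definition_ids(oval_xml))


def unreferenced_definitions(xccdf_xml, oval_xml):
    """OVAL definitions no rule points at; an OVAL-only scan still runs them."""
    return sorted(oval_definition_ids(oval_xml) - set(rule_oval_refs(xccdf_xml).values()))


if __name__ == "__main__":
    for pid, title in list_profiles(SAMPLE_XCCDF).items():
        print(f"{pid}: {title}")
        print("   OVAL checks:", checks_for_profile(SAMPLE_XCCDF, SAMPLE_OVAL, pid))
    print("OVAL-only scan would run:", sorted(oval_definition_ids(SAMPLE_OVAL)))
    print("never referenced by XCCDF:", unreferenced_definitions(SAMPLE_XCCDF, SAMPLE_OVAL))
    print("dangling references:", dangling_references(SAMPLE_XCCDF, SAMPLE_OVAL))
```

Running the script shows the standard profile evaluating only two of the four OVAL definitions, the workstation profile adding the X Windows check, and the OVAL-only set containing a definition no profile selects. Against real content the same queries apply to the SSG files themselves (for example `oscap info ssg-centos7-xccdf.xml` to list profiles, `oscap xccdf eval --profile <profile id> --results results.xml ssg-centos7-xccdf.xml` to scan with one profile, and `oscap oval eval ssg-centos7-oval.xml` to run every definition; the file names are the ones the scap-security-guide package is assumed to install, so check your own installation's paths).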

It is important to note that SCAP Workbench only supports scanning with XCCDF policies, so if the policy you are using is only available as an OVAL file, you will need to use a different scanning tool.

Now that we understand more about the file formats of the various security policies you might download, let's take a look at some of the other security profiles you may wish to download.
