Name                        Size        Permission
XMLSchema.dtd               15.64 KB    -rw-r--r--
cpe-language_2.3.xsd        13.84 KB    -rw-r--r--
datatypes.dtd               6.21 KB     -rw-r--r--
xccdf_1.2-schematron.xsl    49.61 KB    -rw-r--r--
xccdf_1.2.xsd               225.06 KB   -rw-r--r--
Code Editor : xccdf_1.2.xsd
<?xml version="1.0" encoding="UTF-8"?> <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cdf="http://checklists.nist.gov/xccdf/1.2" xmlns:cpe2="http://cpe.mitre.org/language/2.0" targetNamespace="http://checklists.nist.gov/xccdf/1.2" elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.2.1"> <xsd:annotation> <xsd:documentation xml:lang="en"> This schema defines the Extensible Configuration Checklist Description Format (XCCDF), a data format for defining security benchmarks and checklists, and for recording the results of applying such benchmarks. For more information, consult the specification document, NIST Interagency Report 7275 Revision 4, "Specification for the Extensible Configuration Checklist Description Format Version 1.2". This schema was developed by Neal Ziring, with ideas and assistance from David Waltermire. The following helpful individuals also contributed ideas to the definition of this schema: David Proulx, Andrew Buttner, Ryan Wilson, Matthew Kerr, and Stephen Quinn. Ian Crawford found numerous discrepancies between this schema and the spec document. Peter Mell and his colleagues also made many suggestions. </xsd:documentation> <xsd:appinfo> <schema>XCCDF Language</schema> <author>Neal Ziring</author> <version>1.2</version> <date>2012-02-23</date> </xsd:appinfo> </xsd:annotation> <!-- Import base XML namespace --> <xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="../../common/xml.xsd"> <xsd:annotation> <xsd:documentation xml:lang="en"> Import the XML namespace because this schema uses the @xml:lang and @xml:base attributes. 
</xsd:documentation> </xsd:annotation> </xsd:import> <!-- Import CPE 2.3 Language namespace --> <xsd:import namespace="http://cpe.mitre.org/language/2.0" schemaLocation="cpe-language_2.3.xsd"> <xsd:annotation> <xsd:documentation xml:lang="en"> Import the Common Platform Enumeration language schema, which can be used for defining compound CPE tests for complex IT platforms in the <xccdf:Benchmark>. For more info see NIST IRs 7695-7698, the specification documents for CPE version 2.3. </xsd:documentation> </xsd:annotation> </xsd:import> <!-- ************************************************************** --> <!-- ***************** Benchmark Element ************************ --> <!-- ************************************************************** --> <xsd:element name="Benchmark"> <xsd:annotation> <xsd:documentation xml:lang="en"> This is the root element of the XCCDF document; it must appear exactly once. It encloses the entire benchmark, and contains both descriptive information and structural information. Note that the order of <xccdf:Group> and <xccdf:Rule> child elements may matter for the appearance of a generated document. <xccdf:Group> and <xccdf:Rule> children may be freely intermingled, but they must appear after any <xccdf:Value> children. All the other children must appear in the order shown.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:sequence> <xsd:element ref="cdf:status" minOccurs="1" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Status of the <xccdf:Benchmark> indicating its level of maturity or consensus. 
If more than one <xccdf:status> element appears, the element's @date attribute should be included.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="dc-status" minOccurs="0" maxOccurs="unbounded" type="cdf:dc-statusType"> <xsd:annotation> <xsd:documentation xml:lang="en">Holds additional status information using the Dublin Core format.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="title" type="cdf:textType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Title of the <xccdf:Benchmark>; an <xccdf:Benchmark> should have an <xccdf:title>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="description" type="cdf:htmlTextWithSubType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Text that describes the <xccdf:Benchmark>; an <xccdf:Benchmark> should have an <xccdf:description>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="notice" type="cdf:noticeType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Legal notices (licensing information, terms of use, etc.), copyright statements, warnings, and other advisory notices about this <xccdf:Benchmark> and its use.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="front-matter" type="cdf:htmlTextWithSubType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Introductory matter for the beginning of the <xccdf:Benchmark> document; intended for use during Document Generation.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="rear-matter" type="cdf:htmlTextWithSubType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Concluding material for the end of the <xccdf:Benchmark> document; intended for use during Document Generation.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element 
name="reference" type="cdf:referenceType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Supporting references for the <xccdf:Benchmark> document.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="plain-text" type="cdf:plainTextType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Definitions for reusable text blocks, each with a unique identifier.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element ref="cpe2:platform-specification" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A list of identifiers for complex platform definitions, written in CPE applicability language format. Authors may define complex platforms within this element, and then use their locally unique identifiers anywhere in the <xccdf:Benchmark> element in place of a CPE name.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="platform" type="cdf:CPE2idrefType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Applicable platforms for this <xccdf:Benchmark>. Authors should use the element to identify the systems or products to which the <xccdf:Benchmark> applies.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="version" type="cdf:versionType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">Version number of the <xccdf:Benchmark>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="metadata" type="cdf:metadataType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">XML metadata for the <xccdf:Benchmark>. 
Metadata allows many additional pieces of information, including authorship, publisher, support, and other similar details, to be embedded in an <xccdf:Benchmark>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element ref="cdf:model" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">URIs of suggested scoring models to be used when computing a score for this <xccdf:Benchmark>. A suggested list of scoring models and their URIs is provided in the XCCDF specification.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element ref="cdf:Profile" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en"><xccdf:Profile> elements that reference and customize sets of items in the <xccdf:Benchmark>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element ref="cdf:Value" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Parameter <xccdf:Value> elements that support <xccdf:Rule> elements and descriptions in the <xccdf:Benchmark>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:element ref="cdf:Group"> <xsd:annotation> <xsd:documentation xml:lang="en"><xccdf:Group> elements that comprise the <xccdf:Benchmark>; each may contain additional <xccdf:Value>, <xccdf:Rule>, and other <xccdf:Group> elements. 
</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element ref="cdf:Rule"> <xsd:annotation> <xsd:documentation xml:lang="en"><xccdf:Rule> elements that comprise the <xccdf:Benchmark>.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:element ref="cdf:TestResult" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en"><xccdf:Benchmark> test result records (one per <xccdf:Benchmark> run).</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="signature" type="cdf:signatureType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Benchmark>.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="id" type="cdf:benchmarkIdType" use="required"> <xsd:annotation> <xsd:documentation>Unique <xccdf:Benchmark> identifier.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="Id" type="xsd:ID" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">An identifier used for referencing elements included in an XML signature.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="resolved" type="xsd:boolean" default="false" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">True if <xccdf:Benchmark> has already undergone the resolution process.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="style" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Name of an <xccdf:Benchmark> authoring style or set of conventions or constraints to which this <xccdf:Benchmark> conforms (e.g., “SCAP 1.2”).</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="style-href" type="xsd:anyURI" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">URL of a supplementary stylesheet or schema extension that can be 
used to verify conformance to the named style.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute ref="xml:lang"/> </xsd:complexType> <xsd:unique name="noticeIdUnique"> <xsd:annotation> <xsd:documentation xml:lang="en"> Legal notices must have unique id values. </xsd:documentation> </xsd:annotation> <xsd:selector xpath="cdf:notice"/> <xsd:field xpath="@id"/> </xsd:unique> <xsd:key name="itemIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> Items must have unique id values, and also they must not collide. </xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:Value|.//cdf:Group|.//cdf:Rule|./cdf:plain-text"/> <xsd:field xpath="@id"/> </xsd:key> <xsd:key name="modelSystemKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> Model system attributes must be unique. </xsd:documentation> </xsd:annotation> <xsd:selector xpath="./cdf:model"/> <xsd:field xpath="@system"/> </xsd:key> <xsd:key name="valueIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> <xccdf:Value> item ids are special keys, need this for the valueIdKeyRef and valueExtIdKeyRef keyrefs below. </xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:Value"/> <xsd:field xpath="@id"/> </xsd:key> <xsd:key name="groupIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> <xccdf:Group> item ids are special keys, need this for the groupIdKeyRef keyref below. </xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:Group"/> <xsd:field xpath="@id"/> </xsd:key> <xsd:key name="ruleIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> <xccdf:Rule> items have a unique key, we need this for the ruleIdKeyRef keyref below. (<xccdf:Rule> key refs are used by <xccdf:rule-result> elements.) 
</xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:Rule"/> <xsd:field xpath="@id"/> </xsd:key> <xsd:key name="selectableItemIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> <xccdf:Group> and <xccdf:Rule> item ids are special keys, we need this for the requiresIdKeyRef keyref below. </xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:Group | .//cdf:Rule"/> <xsd:field xpath="@id"/> </xsd:key> <xsd:key name="plainTextValueIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> <xccdf:plain-text> objects and <xccdf:Value> objects each have an id, and they must be unique and not overlap. </xsd:documentation> </xsd:annotation> <xsd:selector xpath="./cdf:plain-text | .//cdf:Value"/> <xsd:field xpath="@id"/> </xsd:key> <xsd:key name="profileIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> <xccdf:Profile> objects have a unique id, it is used for extension, too. </xsd:documentation> </xsd:annotation> <xsd:selector xpath="./cdf:Profile"/> <xsd:field xpath="@id"/> </xsd:key> <xsd:keyref name="valueExtIdKeyRef" refer="cdf:valueIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> An @extends attribute on <xccdf:Value> object must reference an existing <xccdf:Value>. </xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:Value"/> <xsd:field xpath="@extends"/> </xsd:keyref> <xsd:keyref name="groupExtIdKeyRef" refer="cdf:groupIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> An @extends attribute on <xccdf:Group> objects must reference an existing <xccdf:Group>. NOTE: <xccdf:Group> extension is now deprecated and should be avoided. </xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:Group"/> <xsd:field xpath="@extends"/> </xsd:keyref> <xsd:keyref name="ruleExtIdKeyRef" refer="cdf:ruleIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> An @extends attribute on an <xccdf:Rule> object must reference an existing <xccdf:Rule>. 
</xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:Rule"/> <xsd:field xpath="@extends"/> </xsd:keyref> <xsd:keyref name="profileExtIdKeyRef" refer="cdf:profileIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> An @extends attribute on <xccdf:Profile> object must reference an existing <xccdf:Profile>. </xsd:documentation> </xsd:annotation> <xsd:selector xpath="./cdf:Profile"/> <xsd:field xpath="@extends"/> </xsd:keyref> <xsd:keyref name="valueIdKeyRef" refer="cdf:valueIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> <xccdf:check-export> elements must reference existing <xccdf:Value> elements. </xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:check/cdf:check-export"/> <xsd:field xpath="@value-id"/> </xsd:keyref> <xsd:keyref name="subValueKeyRef" refer="cdf:plainTextValueIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> <xccdf:sub> elements must reference existing <xccdf:Value> or <xccdf:plain-text> ids. </xsd:documentation> </xsd:annotation> <xsd:selector xpath=".//cdf:sub"/> <xsd:field xpath="@idref"/> </xsd:keyref> <xsd:keyref name="ruleIdKeyRef" refer="cdf:ruleIdKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> The <xccdf:rule-result> element @idref must refer to an existing <xccdf:Rule>. </xsd:documentation> </xsd:annotation> <xsd:selector xpath="./cdf:TestResult/cdf:rule-result"/> <xsd:field xpath="@idref"/> </xsd:keyref> </xsd:element> <xsd:complexType name="noticeType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en">Data type for an <xccdf:notice> element. <xccdf:notice> elements are used to include legal notices (licensing information, terms of use, etc.), copyright statements, warnings, and other advisory notices about this <xccdf:Benchmark> and its use. This information may be expressed using XHTML or may be a simple text expression. Each <xccdf:notice> element must have a unique identifier. 
</xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:any namespace="http://www.w3.org/1999/xhtml" minOccurs="0" maxOccurs="unbounded" processContents="skip"/> </xsd:sequence> <xsd:attribute name="id" type="xsd:NCName"> <xsd:annotation> <xsd:documentation xml:lang="en">The unique identifier for this <xccdf:notice>.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute ref="xml:base"/> <xsd:attribute ref="xml:lang"/> </xsd:complexType> <xsd:complexType name="dc-statusType"> <xsd:annotation> <xsd:documentation>Data type element for the <xccdf:dc-status> element, which holds status information about its parent element using the Dublin Core format, expressed as elements of the DCMI Simple DC Element specification. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:any namespace="http://purl.org/dc/elements/1.1/" minOccurs="1" processContents="lax" maxOccurs="unbounded"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="plainTextType"> <xsd:annotation> <xsd:documentation xml:lang="en">The data type for an <xccdf:plain-text> element, which is a reusable text block for reference by the <xccdf:sub> element. This allows text to be defined once and then reused multiple times. Each <xccdf:plain-text> element must have a unique id.</xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="id" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The unique identifier for this <xccdf:plain-text> element.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="referenceType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> This element provides supplementary descriptive text for XCCDF elements. When used, it has either a simple string value or a value consisting of simple Dublin Core elements. 
If a bare string appears, then it is taken to be the string content for a Dublin Core title element. Multiple <xccdf:reference> elements may appear; a document generation processing tool may concatenate them, or put them into a reference list, and may choose to number them. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:any namespace="http://purl.org/dc/elements/1.1/" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> <xsd:attribute name="href" type="xsd:anyURI"> <xsd:annotation> <xsd:documentation xml:lang="en">A URL pointing to the referenced resource.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="override" type="xsd:boolean"> <xsd:annotation> <xsd:documentation xml:lang="en">Used to manage inheritance processing.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="signatureType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The type of an <XMLDSig:signature> element, which holds an enveloped digital signature asserting authorship and allowing verification of the integrity of associated data (e.g., its parent element, other documents, portions of other documents). </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:any namespace="http://www.w3.org/2000/09/xmldsig#" processContents="skip" minOccurs="1" maxOccurs="1"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="metadataType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type that supports inclusion of metadata about a document or element. This is particularly useful for facilitating the discovery and retrieval of XCCDF checklists from public repositories. When used, the contents of the <xccdf:metadata> element are expressed in XML. The <xccdf:Benchmark> element's metadata should contain information formatted using the Dublin Core Metadata Initiative (DCMI) Simple DC Element specification, as described in [DCES] and [DCXML]. 
Benchmark consumers should be prepared to process Dublin Core metadata in the <xccdf:metadata> element. Other metadata schemes, including ad-hoc elements, are also allowed, both in the <xccdf:Benchmark> and in other elements.</xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:any minOccurs="1" maxOccurs="unbounded" processContents="lax" namespace="##other"/> </xsd:sequence> </xsd:complexType> <!-- ************************************************************** --> <!-- ************* Global elements and types ******************** --> <!-- ************************************************************** --> <xsd:element name="status"> <xsd:annotation> <xsd:documentation xml:lang="en"> The acceptance status of an element with an optional date attribute, which signifies the date of the status change. If an element does not have its own <xccdf:status> element, its status is that of its parent element. If there is more than one <xccdf:status> for a single element, then every instance of the <xccdf:status> element must have a @date attribute, and the <xccdf:status> element with the latest date is considered the current status. </xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:simpleContent> <xsd:extension base="cdf:statusType"> <xsd:attribute name="date" type="xsd:date" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The date the parent element achieved the indicated status.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> </xsd:element> <xsd:element name="model"> <xsd:annotation> <xsd:documentation xml:lang="en"> A suggested scoring model for an <xccdf:Benchmark>, also encapsulating any parameters needed by the model. Every model is designated with a URI, which appears here as the system attribute. See the XCCDF specification for a list of standard scoring models and their associated URIs. 
Vendors may define their own scoring models and provide additional URIs to designate them. Some models may need additional parameters; to support such a model, zero or more <xccdf:param> elements may appear as children of the <xccdf:model> element.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:sequence> <xsd:element name="param" type="cdf:paramType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Parameters provided as input to the designated scoring model.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="system" type="xsd:anyURI" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">A URI designating a scoring model.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:key name="paramNameKey"> <xsd:annotation> <xsd:documentation xml:lang="en"> Parameter names must be unique. </xsd:documentation> </xsd:annotation> <xsd:selector xpath="./cdf:param"/> <xsd:field xpath="@name"/> </xsd:key> </xsd:element> <xsd:complexType name="paramType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for a parameter used in the <xccdf:model> element, which records scoring model information. The contents of this type represent a name-value pair, where the name is recorded in the @name attribute and the value appears in the element body. <xccdf:param> elements with equal values for the @name attribute may not appear as children of the same <xccdf:model> element. 
</xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="name" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The name associated with the contained value.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:simpleType name="statusType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The statusType represents the possible levels of maturity or consensus level for its parent element as recorded by an <xccdf:status> element. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="accepted"> <xsd:annotation> <xsd:documentation xml:lang="en">Released as final</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="deprecated"> <xsd:annotation> <xsd:documentation xml:lang="en">No longer needed</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="draft"> <xsd:annotation> <xsd:documentation xml:lang="en">Released in draft state</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="incomplete"> <xsd:annotation> <xsd:documentation xml:lang="en">Under initial development</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="interim"> <xsd:annotation> <xsd:documentation xml:lang="en">Revised and in the process of being finalized</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:complexType name="versionType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for most <xccdf:version> elements. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="time" type="xsd:dateTime" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The time that this version of the associated element was completed. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="update" type="xsd:anyURI" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">A URI indicating a location where updates to the associated element may be obtained. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <!-- ************************************************************** --> <!-- ******************** Text Types **************************** --> <!-- ************************************************************** --> <xsd:complexType name="textType"> <xsd:annotation> <xsd:documentation xml:lang="en">Type for a simple text string with an @override attribute for controlling inheritance. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute ref="xml:lang"/> <xsd:attribute name="override" type="xsd:boolean" use="optional" default="0"> <xsd:annotation> <xsd:documentation xml:lang="en">Used to manage inheritance. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="htmlTextType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> The type for a string with optional XHTML elements and an @xml:lang attribute. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:any namespace="http://www.w3.org/1999/xhtml" minOccurs="0" maxOccurs="unbounded" processContents="skip"/> </xsd:sequence> <xsd:attribute ref="xml:lang"/> <xsd:attribute name="override" type="xsd:boolean" use="optional" default="0"> <xsd:annotation> <xsd:documentation xml:lang="en">Used to manage inheritance. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="htmlTextWithSubType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> The type for a string with optional XHTML elements, and an @xml:lang attribute. 
</xsd:documentation> </xsd:annotation> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:element name="sub" type="cdf:subType"> <xsd:annotation> <xsd:documentation xml:lang="en">Specifies an <xccdf:Value> or <xccdf:plain-text> element to be used for text substitution</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:any namespace="http://www.w3.org/1999/xhtml" processContents="skip"/> </xsd:choice> <xsd:attribute ref="xml:lang"/> <xsd:attribute name="override" type="xsd:boolean" use="optional" default="0"> <xsd:annotation> <xsd:documentation xml:lang="en">Used to manage inheritance. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="profileNoteType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for an <xccdf:profile-note> within an <xccdf:Rule>. This element contains text that describes special aspects of an <xccdf:Rule> relative to one or more <xccdf:Profile> elements. This allows an author to document things within <xccdf:Rule> elements that are specific to a given <xccdf:Profile>. This information might then be displayed to a reader based on the selection of a particular <xccdf:Profile>. The body text may include XHTML mark-up as well as <xccdf:sub> elements. </xsd:documentation> </xsd:annotation> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:element name="sub" type="cdf:subType"> <xsd:annotation> <xsd:documentation xml:lang="en">Specifies an <xccdf:Value> or <xccdf:plain-text> element to be used for text substitution</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:any namespace="http://www.w3.org/1999/xhtml" processContents="skip"/> </xsd:choice> <xsd:attribute ref="xml:lang"/> <xsd:attribute name="tag" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The identifier of this note. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="textWithSubType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for a string with embedded <xccdf:Value> substitutions and an @override attribute to help manage inheritance. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="sub" type="cdf:subType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Specifies an <xccdf:Value> or <xccdf:plain-text> element to be used for text substitution. </xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute ref="xml:lang"/> <xsd:attribute name="override" type="xsd:boolean" use="optional" default="0"> <xsd:annotation> <xsd:documentation xml:lang="en">Used to manage inheritance. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="subType"> <xsd:annotation> <xsd:documentation xml:lang="en">The type used for <xccdf:sub> elements. The <xccdf:sub> element identifies replacement content that should appear in place of the <xccdf:sub> element during text substitution. The subType consists of a regular idrefType with an additional @use attribute to dictate the behavior of the <xccdf:sub> element under substitution. When the @idref is to an <xccdf:Value>, the @use attribute indicates whether the <xccdf:Value> element's title or value should replace the <xccdf:sub> element. The @use attribute is ignored when the @idref is to an <xccdf:plain-text> element; the body of the <xccdf:plain-text> element is always used to replace the <xccdf:sub> element.</xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:idrefType"> <xsd:attribute name="use" use="optional" default="value" type="cdf:subUseEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en">Dictates the nature of the content inserted under text substitution processing. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <xsd:simpleType name="benchmarkIdType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The format required for the @id property of <xccdf:Benchmark> elements. xccdf_N_benchmark_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:NCName"> <xsd:pattern value="xccdf_[^_]+_benchmark_.+"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="ruleIdType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The format required for the @id property of <xccdf:Rule> elements. xccdf_N_rule_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:NCName"> <xsd:pattern value="xccdf_[^_]+_rule_.+"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="groupIdType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The format required for the @id property of <xccdf:Group> elements. xccdf_N_group_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:NCName"> <xsd:pattern value="xccdf_[^_]+_group_.+"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="valueIdType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The format required for the @id property of <xccdf:Value> elements. xccdf_N_value_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:NCName"> <xsd:pattern value="xccdf_[^_]+_value_.+"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="profileIdType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The format required for the @id property of <xccdf:Profile> elements. 
xccdf_N_profile_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:NCName"> <xsd:pattern value="xccdf_[^_]+_profile_.+"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="testresultIdType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The format required for the @id property of <xccdf:TestResult> elements. xccdf_N_testresult_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:NCName"> <xsd:pattern value="xccdf_[^_]+_testresult_.+"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="tailoringIdType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The format required for the @id property of <xccdf:Tailoring> elements. xccdf_N_tailoring_S, where N is a reverse-DNS style namespace and S is an NCName-compatible string. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:NCName"> <xsd:pattern value="xccdf_[^_]+_tailoring_.+"/> </xsd:restriction> </xsd:simpleType> <xsd:complexType name="idrefType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for elements that contain a reference to another XCCDF element </xsd:documentation> </xsd:annotation> <xsd:attribute name="idref" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The id value of another XCCDF element</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="idrefListType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for elements that contain a list of references to other XCCDF elements </xsd:documentation> </xsd:annotation> <xsd:attribute name="idref" type="xsd:NMTOKENS" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">A space-separated list of id values from other XCCDF elements</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType 
name="CPE2idrefType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for <xccdf:platform> elements that do not need @override attributes. (I.e., <xccdf:platform> elements that are in structures that cannot be extended, such as <xccdf:TestResult> and <xccdf:Benchmark> elements.) This is used to identify the applicable target platform for its respective parent elements. </xsd:documentation> </xsd:annotation> <xsd:attribute name="idref" type="xsd:string" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Should be a CPE 2.3 Applicability Language identifier using the Formatted String binding or the value of a <cpe:platform-specification> element's @id attribute, the latter acting as a reference to some expression defined using the CPE schema in the <xccdf:Benchmark> element's <cpe:platform-specification> element. The @idref may be a CPE Applicability Language identifier using the URI binding, although this is less preferred.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="overrideableCPE2idrefType"> <xsd:annotation> <xsd:documentation xml:lang="en">Data type for <xccdf:platform> elements that need @override attributes. (I.e., <xccdf:platform> elements that are in structures that can be extended, such as Items and <xccdf:Profile> elements.) This is used to identify the applicable target platform for its respective parent elements. </xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:CPE2idrefType"> <xsd:attribute name="override" type="xsd:boolean" use="optional" default="0"> <xsd:annotation> <xsd:documentation xml:lang="en">Used to manage inheritance. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <!-- ************************************************************** --> <!-- **************** Item Element (Base Class) ****************** --> <!-- ************************************************************** --> <xsd:element name="Item" type="cdf:itemType"> <xsd:annotation> <xsd:documentation xml:lang="en"> An item is a named constituent of an <xccdf:Benchmark>. There are three types of items: <xccdf:Group>, <xccdf:Rule> and <xccdf:Value>. The <xccdf:Item> element type imposes constraints shared by all <xccdf:Group>, <xccdf:Rule> and <xccdf:Value> elements. The itemType is abstract, so the element <xccdf:Item> can never appear in a valid XCCDF document.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:complexType name="itemType" abstract="1"> <xsd:annotation> <xsd:documentation xml:lang="en"> This abstract itemType represents the basic data shared by all <xccdf:Group>, <xccdf:Rule> and <xccdf:Value> elements. All elements in an itemType are optional, although each element that builds on the itemType may add its own elements, some of which will be required for that element. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element ref="cdf:status" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Status of the item and date at which it attained that status. <xccdf:Benchmark> authors may use this element to record the maturity or consensus level for elements in the <xccdf:Benchmark>. 
If an item does not have an explicit <xccdf:status> given, then its status is that of its parent.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="dc-status" minOccurs="0" maxOccurs="unbounded" type="cdf:dc-statusType"> <xsd:annotation> <xsd:documentation xml:lang="en">Holds additional status information using the Dublin Core format.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="version" type="cdf:versionType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">Version information about this item. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="title" type="cdf:textWithSubType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Title of the item. Every item should have an <xccdf:title>, because this helps people understand the purpose of the item. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="description" type="cdf:htmlTextWithSubType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Text that describes the item. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="warning" type="cdf:warningType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A note or caveat about the item intended to convey important cautionary information for the <xccdf:Benchmark> user (e.g., “Complying with this rule will cause the system to reject all IP packets”). If multiple <xccdf:warning> elements appear, benchmark consumers should concatenate them for generating reports or documents. Benchmark consumers may present this information in a special manner in generated documents.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="question" type="cdf:textType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Interrogative text to present to the user during tailoring. 
It may also be included into a generated document. For <xccdf:Rule> and <xccdf:Group> elements, the <xccdf:question> text should be a simple binary (yes/no) question because it is supporting the selection aspect of tailoring. For <xccdf:Value> elements, the <xccdf:question> should solicit the user to provide a specific value. Tools may also display constraints on values and any defaults as specified by the other <xccdf:Value> properties.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="reference" type="cdf:referenceType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">References where the user can learn more about the subject of this item. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="metadata" type="cdf:metadataType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">XML metadata associated with this item, such as sources, special information, or other details. </xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="abstract" type="xsd:boolean" default="false" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">If true, then this item is abstract and exists only to be extended. The use of this attribute for <xccdf:Group> elements is deprecated and should be avoided. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="cluster-id" type="xsd:NCName" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">An identifier to be used as a means to identify (refer to) related items. It designates membership in a cluster of items, which are used for controlling items via <xccdf:Profile> elements. All the items with the same cluster identifier belong to the same cluster. 
A selector in an <xccdf:Profile> may refer to a cluster, thus making it easier for authors to create and maintain <xccdf:Profile> elements in a complex <xccdf:Benchmark>.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="extends" type="xsd:NCName" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The identifier of an item on which to base this item. If present, it must have a value equal to the @id attribute of another item. The use of this attribute for <xccdf:Group> elements is deprecated and should be avoided. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="hidden" type="xsd:boolean" default="false" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">If this item should be excluded from any generated documents although it may still be used during assessments. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="prohibitChanges" type="xsd:boolean" default="false" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">If benchmark producers should prohibit changes to this item during tailoring. An author should use this when they do not want to allow end users to change the item. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute ref="xml:lang"/> <xsd:attribute ref="xml:base"/> <xsd:attribute name="Id" type="xsd:ID" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">An identifier used for referencing elements included in an XML signature</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <!-- ************************************************************** --> <!-- ************ Selectable Item Type (Base Class) ************** --> <!-- ************************************************************** --> <xsd:complexType name="selectableItemType" abstract="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> This abstract item type represents the basic data shared by all <xccdf:Group> and <xccdf:Rule> elements. </xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:itemType"> <xsd:sequence> <xsd:element name="rationale" type="cdf:htmlTextWithSubType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Descriptive text giving rationale or motivations for abiding by this <xccdf:Group>/<xccdf:Rule> (i.e., why it is important to the security of the target platform).</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="platform" type="cdf:overrideableCPE2idrefType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Platforms to which this <xccdf:Group>/<xccdf:Rule> applies.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="requires" type="cdf:idrefListType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">The identifiers of other <xccdf:Group> or <xccdf:Rule> elements that must be selected for this <xccdf:Group>/<xccdf:Rule> to be evaluated and scored properly. Each <xccdf:requires> element specifies a list of one or more required items by their identifiers. 
If at least one of the specified <xccdf:Group> or <xccdf:Rule> elements is selected, the requirement is met. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="conflicts" type="cdf:idrefType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">The identifier of another <xccdf:Group> or <xccdf:Rule> that must be unselected for this <xccdf:Group>/<xccdf:Rule> to be evaluated and scored properly. Each <xccdf:conflicts> element specifies a single conflicting item using its idref attribute. If the specified <xccdf:Group> or <xccdf:Rule> element is not selected, the requirement is met.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="selected" type="xsd:boolean" default="true" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">If true, this <xccdf:Group>/<xccdf:Rule> is selected to be processed as part of the <xccdf:Benchmark> when it is applied to a target system. An unselected <xccdf:Group> does not get processed, and its contents are not processed either (i.e., all descendants of an unselected <xccdf:Group> are implicitly unselected). An unselected <xccdf:Rule> is not checked and does not contribute to scoring. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="weight" type="cdf:weightType" default="1.0" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The relative scoring weight of this <xccdf:Group>/<xccdf:Rule>, for computing a score, expressed as a non-negative real number. It denotes the importance of an <xccdf:Group>/<xccdf:Rule>. 
Under some scoring models, scoring is computed independently for each collection of sibling <xccdf:Group> and <xccdf:Rule> elements, then normalized as part of the overall scoring process.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <!-- ************************************************************** --> <!-- ********************** Group Element *********************** --> <!-- ************************************************************** --> <xsd:element name="Group" type="cdf:groupType"> <xsd:annotation> <xsd:documentation xml:lang="en">An item that can hold other items. It allows an author to collect related items into a common structure and provide descriptive text and references about them.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:complexType name="groupType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:Group> element. A <xccdf:Group> element contains descriptive information about a portion of an <xccdf:Benchmark>, as well as <xccdf:Rule>, <xccdf:Value>, and/or other <xccdf:Group> elements</xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:selectableItemType"> <xsd:sequence> <xsd:element ref="cdf:Value" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en"><xccdf:Value> elements that belong to this <xccdf:Group>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:element ref="cdf:Group"> <xsd:annotation> <xsd:documentation xml:lang="en">Sub-<xccdf:Groups> under this <xccdf:Group>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element ref="cdf:Rule"> <xsd:annotation> <xsd:documentation xml:lang="en"><xccdf:Rule> elements that belong to this <xccdf:Group>. 
</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:element name="signature" type="cdf:signatureType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Group>. </xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="id" type="cdf:groupIdType" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Unique element identifier; used by other elements to refer to this element. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <!-- ************************************************************** --> <!-- ******************** Rule Element ************************** --> <!-- ************************************************************** --> <xsd:element name="Rule" type="cdf:ruleType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The <xccdf:Rule> element contains the description for a single item of guidance or constraint. <xccdf:Rule> elements form the basis for testing a target platform for compliance with an <xccdf:Benchmark>, for scoring, and for conveying descriptive prose, identifiers, references, and remediation information. </xsd:documentation> </xsd:annotation> <xsd:unique name="ruleCheckSelectorKey"> <xsd:selector xpath="./cdf:check"/> <xsd:field xpath="@selector"/> <xsd:field xpath="@system"/> </xsd:unique> <xsd:unique name="ruleCheckIdKey"> <xsd:selector xpath=".//cdf:check"/> <xsd:field xpath="@id"/> </xsd:unique> </xsd:element> <xsd:complexType name="ruleType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:Rule> element that represents a specific <xccdf:Benchmark> test. 
</xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:selectableItemType"> <xsd:sequence> <xsd:element name="ident" type="cdf:identType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A globally meaningful identifier for this <xccdf:Rule>. This may be the name or identifier of a security configuration issue or vulnerability that the <xccdf:Rule> assesses.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="impact-metric" type="xsd:string" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">The potential impact of failure to conform to the <xccdf:Rule>, expressed as a CVSS 2.0 base vector. </xsd:documentation> <xsd:appinfo> <deprecated_info> <version>1.2</version> <reason>The <xccdf:impact-metric> property was found to be of little use in the anticipated XCCDF use-cases.</reason> <comment>While there is no direct replacement for this property, authors seeking to include equivalent information can use an <xccdf:Rule> element's <xccdf:metadata> property to hold this information.</comment> </deprecated_info> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="profile-note" minOccurs="0" type="cdf:profileNoteType" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Text that describes special aspects of the <xccdf:Rule> related to one or more <xccdf:Profile> elements. 
This allows an author to document things within <xccdf:Rule> elements that are specific to a given <xccdf:Profile>, and then select the appropriate text based on the selected <xccdf:Profile> and display it to the reader.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="fixtext" type="cdf:fixTextType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Data that describes how to bring a target system into compliance with this <xccdf:Rule>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="fix" type="cdf:fixType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A command string, script, or other system modification statement that, if executed on the target system, can bring it into full, or at least better, compliance with this <xccdf:Rule>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:choice> <xsd:element name="check" type="cdf:checkType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">The definition of, or a reference to, the target system check needed to test compliance with this <xccdf:Rule>. 
Sibling <xccdf:check> elements must have different values for the combination of their @selector and @system attributes, and must have different values for their @id attribute (if any).</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="complex-check" minOccurs="0" type="cdf:complexCheckType" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A boolean expression composed of operators (and, or, not) and individual checks.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:element name="signature" type="cdf:signatureType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Rule>.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="id" type="cdf:ruleIdType" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Unique element identifier used by other elements to refer to this element.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="role" type="cdf:roleEnumType" use="optional" default="full"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Rule> element’s role in scoring and reporting.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="severity" type="cdf:severityEnumType" default="unknown" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Severity level code to be used for metrics and tracking.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="multiple" type="xsd:boolean" use="optional" default="false"> <xsd:annotation> <xsd:documentation xml:lang="en">Applicable in cases where there are multiple instances of a target. For example, an <xccdf:Rule> may provide a recommendation about the configuration of application user accounts, but an application may have many user accounts. 
Each account would be considered an instance of the broader assessment target of user accounts. If the @multiple attribute is set to true, each instance of the target to which the <xccdf:Rule> can apply should be tested separately and the results should be recorded separately. If @multiple is set to false, the test results of such instances should be combined. If the checking system does not combine these results automatically, the results of each instance should be ANDed together to produce a single result. If the benchmark consumer cannot perform multiple instantiation, or if multiple instantiation of the <xccdf:Rule> is not applicable for the target system, then the benchmark consumer may ignore this attribute.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <!-- ************************************************************** --> <!-- ***************** Rule-related Types ************************ --> <!-- ************************************************************** --> <xsd:complexType name="identType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:ident> element, a globally meaningful identifier for an <xccdf:Rule>. The body of <xccdf:ident> element is the name or identifier of a security configuration issue or vulnerability that the <xccdf:Rule> addresses. It has an associated URI that denotes the organization or naming scheme that assigned the name. By setting an <xccdf:ident> element on an <xccdf:Rule>, the <xccdf:Benchmark> author effectively declares that the <xccdf:Rule> instantiates, implements, or remediates the issue for which the name was assigned. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="system" type="xsd:anyURI" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Denotes the organization or naming scheme that assigned the identifier. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:anyAttribute namespace="##other" processContents="lax"> <xsd:annotation> <xsd:documentation xml:lang="en">May also have other attributes from other namespaces in order to provide additional metadata for the given identifier. </xsd:documentation> </xsd:annotation> </xsd:anyAttribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="warningType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:warning> element under the <xccdf:Rule> element. This element holds a note or caveat about the item intended to convey important cautionary information for the <xccdf:Benchmark> user. </xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:htmlTextWithSubType"> <xsd:attribute name="category" type="cdf:warningCategoryEnumType" use="optional" default="general"> <xsd:annotation> <xsd:documentation xml:lang="en">A hint as to the nature of the warning.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <xsd:simpleType name="warningCategoryEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Allowed warning category keywords for the <xccdf:warning> element used in <xccdf:Rule> elements. 
</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="general"> <xsd:annotation> <xsd:documentation xml:lang="en">Broad or general-purpose warning (default)</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="functionality"> <xsd:annotation> <xsd:documentation xml:lang="en">Warning about possible impacts to functionality or operational features</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="performance"> <xsd:annotation> <xsd:documentation xml:lang="en">Warning about changes to target system performance or throughput</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="hardware"> <xsd:annotation> <xsd:documentation xml:lang="en">Warning about hardware restrictions or possible impacts to hardware</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="legal"> <xsd:annotation> <xsd:documentation xml:lang="en">Warning about legal implications</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="regulatory"> <xsd:annotation> <xsd:documentation xml:lang="en">Warning about regulatory obligations or compliance implications</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="management"> <xsd:annotation> <xsd:documentation xml:lang="en">Warning about impacts to the management or administration of the target system</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="audit"> <xsd:annotation> <xsd:documentation xml:lang="en">Warning about impacts to audit or logging</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="dependency"> <xsd:annotation> <xsd:documentation xml:lang="en">Warning about dependencies between this element and other parts of the target system, or version dependencies</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:complexType 
name="fixTextType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:fixtext> element, which contains data that describes how to bring a target system into compliance with an <xccdf:Rule>. Each <xccdf:fixtext> element may be associated with one or more <xccdf:fix> elements through the @fixref attribute. The body holds explanatory text about the fix procedures.</xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:htmlTextWithSubType"> <xsd:attribute name="fixref" type="xsd:NCName" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">A reference to the @id of an <xccdf:fix> element. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="reboot" type="xsd:boolean" use="optional" default="0"> <xsd:annotation> <xsd:documentation xml:lang="en">True if a reboot is known to be required and false otherwise. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="strategy" type="cdf:fixStrategyEnumType" use="optional" default="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">The method or approach for making the described fix. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="disruption" type="cdf:ratingEnumType" use="optional" default="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">An estimate of the potential for disruption or operational degradation that the application of this fix will impose on the target. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="complexity" type="cdf:ratingEnumType" use="optional" default="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">The estimated complexity or difficulty of applying the fix to the target. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <xsd:complexType name="fixType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:fix> element. The body of this element contains a command string, script, or other system modification statement that, if executed on the target system, can bring it into full, or at least better, compliance with this <xccdf:Rule>. </xsd:documentation> </xsd:annotation> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:element name="sub" type="cdf:subType"> <xsd:annotation> <xsd:documentation xml:lang="en">Specifies an <xccdf:Value> or <xccdf:plain-text> element to be used for text substitution </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="instance" type="cdf:instanceFixType"> <xsd:annotation> <xsd:documentation xml:lang="en">Designates a spot where the name of the instance should be substituted into the fix template to generate the final fix data. If the @context attribute is omitted, the value of the @context defaults to “undefined”.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:attribute name="id" type="xsd:NCName" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">A local identifier for the element. It is optional for the @id to be unique; multiple <xccdf:fix> elements may have the same @id but different values for their other attributes. It is used primarily to allow <xccdf:fixtext> elements to be associated with one or more <xccdf:fix> elements </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="reboot" type="xsd:boolean" use="optional" default="0"> <xsd:annotation> <xsd:documentation xml:lang="en">True if a reboot is known to be required and false otherwise. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="strategy" type="cdf:fixStrategyEnumType" use="optional" default="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">The method or approach for making the described fix. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="disruption" type="cdf:ratingEnumType" use="optional" default="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">An estimate of the potential for disruption or operational degradation that the application of this fix will impose on the target. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="complexity" type="cdf:ratingEnumType" use="optional" default="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">The estimated complexity or difficulty of applying the fix to the target. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="system" type="xsd:anyURI" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">A URI that identifies the scheme, language, engine, or process for which the fix contents are written. Table 17 in the XCCDF specification defines several general-purpose URNs that may be used for this, and tool vendors and system providers may define and use target-specific URNs.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="platform" type="xsd:anyURI" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">In case different fix scripts or procedures are required for different target platform types (e.g., different patches for Windows Vista and Windows 7), this attribute allows a CPE name or CPE applicability language expression to be associated with an <xccdf:fix> element. This should appear on an <xccdf:fix> when the content applies to only one platform out of several to which the <xccdf:Rule> could apply. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:simpleType name="fixStrategyEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Allowed @strategy keyword values for an <xccdf:Rule> element's <xccdf:fix> or <xccdf:fixtext> elements. The values indicate the method or approach for fixing non-compliance with a particular <xccdf:Rule>. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">Strategy not defined (default)</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="configure"> <xsd:annotation> <xsd:documentation xml:lang="en">Adjust target configuration/settings</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="combination"> <xsd:annotation> <xsd:documentation xml:lang="en">Combination of two or more approaches</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="disable"> <xsd:annotation> <xsd:documentation xml:lang="en">Turn off or uninstall a target component </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="enable"> <xsd:annotation> <xsd:documentation xml:lang="en">Turn on or install a target component</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="patch"> <xsd:annotation> <xsd:documentation xml:lang="en">Apply a patch, hotfix, update, etc.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="policy"> <xsd:annotation> <xsd:documentation xml:lang="en">Remediation requires out-of-band adjustments to policies or procedures</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="restrict"> <xsd:annotation> <xsd:documentation xml:lang="en">Adjust permissions, access rights, filters, or other access restrictions</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="update"> <xsd:annotation> 
<xsd:documentation xml:lang="en">Install, upgrade or update the system</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="ratingEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en"> This type enumerates allowed rating values for the disruption and complexity properties of an <xccdf:Rule> element's <xccdf:fix> or <xccdf:fixtext> elements. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">Rating unknown or impossible to estimate (default)</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="low"> <xsd:annotation> <xsd:documentation xml:lang="en">Little or no potential for disruption, very modest complexity</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="medium"> <xsd:annotation> <xsd:documentation xml:lang="en">Some chance of minor disruption, substantial complexity</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="high"> <xsd:annotation> <xsd:documentation xml:lang="en">Likely to cause serious disruption, very complex</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:complexType name="instanceFixType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for an <xccdf:instance> element which may appear in an <xccdf:fix> element. The <xccdf:instance> element inside an <xccdf:fix> element designates a spot where the name of the instance should be substituted into the fix template to generate the final fix data. </xsd:documentation> </xsd:annotation> <xsd:attribute name="context" type="xsd:string" default="undefined" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Describes the scope or significance of the instance content. The context attribute is intended to be informative and does not affect basic processing. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="complexCheckType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The type for an element that contains a boolean combination of <xccdf:checks>. This element can have only <xccdf:complex-check> and <xccdf:check> elements as children. Child elements may appear in any order but at least one child element must be present. It has two attributes, @operator and @negate, which dictate how <xccdf:check> or <xccdf:complex-check> child elements are to be combined. Truth tables for these operations appear below. </xsd:documentation> <xsd:appinfo> <evaluation_documentation>The two axes represent a pairwise combination of results. Order of evaluation will not matter. Possible results are abbreviated as follows: P = Pass, F = Fail, U = Unknown, E = Error, N = Not Applicable, K = Not Checked, S = Not Selected, I = Informational. </evaluation_documentation> <evaluation_chart xml:space="preserve">
AND                || P | F | U | E | N | K | S | I ||
-------------------||-------------------------------||
Pass (P)           || P | F | U | E | P | P | P | P ||
Fail (F)           || F | F | F | F | F | F | F | F ||
Unknown (U)        || U | F | U | U | U | U | U | U ||
Error (E)          || E | F | U | E | E | E | E | E ||
Notapplicable (N)  || P | F | U | E | N | N | N | N ||
Notchecked (K)     || P | F | U | E | N | K | K | K ||
Notselected (S)    || P | F | U | E | N | K | S | S ||
Informational (I)  || P | F | U | E | N | K | S | I ||
------------------------------------------------------
</evaluation_chart> <evaluation_chart xml:space="preserve">
OR                 || P | F | U | E | N | K | S | I ||
-------------------||-------------------------------||
Pass (P)           || P | P | P | P | P | P | P | P ||
Fail (F)           || P | F | U | E | F | F | F | F ||
Unknown (U)        || P | U | U | U | U | U | U | U ||
Error (E)          || P | E | U | E | E | E | E | E ||
Notapplicable (N)  || P | F | U | E | N | N | N | N ||
Notchecked (K)     || P | F | U | E | N | K | K | K ||
Notselected (S)    || P | F | U | E | N | K | S | S ||
Informational (I)  || P | F | U | E | N | K | S | I ||
------------------------------------------------------
</evaluation_chart> <evaluation_chart xml:space="preserve">
NOT || P | F | U | E | N | K | S | I ||
----||-------------------------------||
    || F | P | U | E | N | K | S | I ||
---------------------------------------
</evaluation_chart> </xsd:appinfo> </xsd:annotation> <xsd:choice minOccurs="1" maxOccurs="unbounded"> <xsd:element name="check" type="cdf:checkType"> <xsd:annotation> <xsd:documentation xml:lang="en">Instructions for a single test.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="complex-check" type="cdf:complexCheckType"> <xsd:annotation> <xsd:documentation xml:lang="en">A child <xccdf:complex-check>, allowing another level of logic in combining component checks.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:attribute name="operator" type="cdf:ccOperatorEnumType" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Indicates whether the child <xccdf:check> and/or <xccdf:complex-check> elements of this <xccdf:complex-check> should be combined using an AND or OR operation </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="negate" default="0" type="xsd:boolean" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">If true, negate the final result of this <xccdf:complex-check> after the child elements are combined using the identified operator.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:simpleType name="ccOperatorEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The type for the allowed @operator names for the <xccdf:complex-check> operator attribute. Only AND and OR operators are supported. (The <xccdf:complex-check> has a separate mechanism for negation.) 
</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="OR"> <xsd:annotation> <xsd:documentation xml:lang="en">The logical OR of the component terms </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="AND"> <xsd:annotation> <xsd:documentation xml:lang="en">The logical AND of the component terms</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:complexType name="checkType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:check> element. The <xccdf:check> element identifies instructions for tests to determine compliance with the <xccdf:Rule> as well as parameters controlling the reporting of those test results. The <xccdf:check> element must have at least one child element. </xsd:documentation> <xsd:appinfo> <evaluation_documentation>The two axes represent a pairwise combination of results. Order of evaluation will not matter. Possible results are abbreviated as follows: P = Pass, F = Fail, U = Unknown, E = Error, N = Not Applicable, K = Not Checked, S = Not Selected, I = Informational. 
</evaluation_documentation> <evaluation_chart xml:space="preserve">
AND                || P | F | U | E | N | K | S | I ||
-------------------||-------------------------------||
Pass (P)           || P | F | U | E | P | P | P | P ||
Fail (F)           || F | F | F | F | F | F | F | F ||
Unknown (U)        || U | F | U | U | U | U | U | U ||
Error (E)          || E | F | U | E | E | E | E | E ||
Notapplicable (N)  || P | F | U | E | N | N | N | N ||
Notchecked (K)     || P | F | U | E | N | K | K | K ||
Notselected (S)    || P | F | U | E | N | K | S | S ||
Informational (I)  || P | F | U | E | N | K | S | I ||
------------------------------------------------------
</evaluation_chart> <evaluation_chart xml:space="preserve">
NOT || P | F | U | E | N | K | S | I ||
----||-------------------------------||
    || F | P | U | E | N | K | S | I ||
---------------------------------------
</evaluation_chart> </xsd:appinfo> </xsd:annotation> <xsd:sequence> <xsd:element name="check-import" type="cdf:checkImportType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Identifies a value to be retrieved from the checking system during testing of a target system. This element's body must be empty within an <xccdf:check>. After the associated check results have been collected, the result structure returned by the checking engine is processed to collect the named information. This information is then recorded in the check-import element in the corresponding <xccdf:rule-result>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="check-export" type="cdf:checkExportType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A mapping from an <xccdf:Value> element to a checking system variable (i.e., external name or id for use by the checking system). 
This supports export of tailoring values from the XCCDF processing environment to the checking system.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="check-content-ref" minOccurs="0" maxOccurs="unbounded" type="cdf:checkContentRefType"> <xsd:annotation> <xsd:documentation xml:lang="en">Points to code for a detached check in another location that uses the language or system specified by the <xccdf:check> element’s @system attribute. If multiple <xccdf:check-content-ref> elements appear, they represent alternative locations from which a benchmark consumer may obtain the check content. Benchmark consumers should process the alternatives in the order in which they appear in the XML. The first <xccdf:check-content-ref> from which content can be successfully retrieved should be used.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="check-content" minOccurs="0" maxOccurs="1" type="cdf:checkContentType"> <xsd:annotation> <xsd:documentation xml:lang="en">Holds the actual code of a check, in the language or system specified by the <xccdf:check> element’s @system attribute. If both <xccdf:check-content-ref> and <xccdf:check-content> elements appear in a single <xccdf:check> element, benchmark consumers should use the <xccdf:check-content> element only if none of the references can be resolved to provide content.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="system" type="xsd:anyURI" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The URI for a checking system. If the checking system uses XML namespaces, then the system attribute for the system should be its namespace. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="negate" type="xsd:boolean" use="optional" default="false"> <xsd:annotation> <xsd:documentation xml:lang="en">If set to true, the final result of the <xccdf:check> is negated according to the truth table given below. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="id" type="xsd:NCName" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Unique identifier for this element. Optional, but must be globally unique if present.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="selector" default="" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of the <xccdf:Rule>. If no selector values are specified for a given <xccdf:Rule> by <xccdf:Profile> elements or manual tailoring, all <xccdf:check> elements with non-empty @selector attributes are ignored. If an <xccdf:Rule> has multiple <xccdf:check> elements with the same @selector attribute, each must employ a different checking system, as identified by the @system attribute of the <xccdf:check> element.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="multi-check" type="xsd:boolean" use="optional" default="false"> <xsd:annotation> <xsd:documentation xml:lang="en">Applicable in cases where multiple checks are executed to determine compliance with a single <xccdf:Rule>. This situation can arise when an <xccdf:check> includes an <xccdf:check-content-ref> element that does not include a @name attribute. The default behavior of a nameless <xccdf:check-content-ref> is to execute all checks in the referenced check content location and AND their results together into a single <xccdf:rule-result> using the AND truth table below. This corresponds to a @multi-check attribute value of “false”. 
If, however, the @multi-check attribute is set to "true" and a nameless <xccdf:check-content-ref> is used, the <xccdf:Rule> produces a separate <xccdf:rule-result> for each check.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute ref="xml:base"/> </xsd:complexType> <xsd:complexType name="checkImportType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:check-import> element, which specifies a value that the <xccdf:Benchmark> author wishes to retrieve from the checking system during testing of a target system. The @import-name attribute identifies some structure in the checking system that is then retrieved. The mapping from the values of this attribute to specific checking system structures is beyond the scope of the XCCDF specification. When the <xccdf:check-import> element appears in the context of an <xccdf:Rule>, then it should be empty and any content must be ignored. When the <xccdf:check-import> element appears in the context of an <xccdf:rule-result>, then its body holds the imported value. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:any processContents="skip" minOccurs="0"/> </xsd:sequence> <xsd:attribute name="import-name" type="xsd:string" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">An identifier indicating some structure in the checking system to be collected. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="import-xpath" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">An XPath that is used to select specific values or structures from the imported structure. This allows further refinement of the collected data if the imported value takes the form of XML structures. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="checkExportType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:check-export> element, which specifies a mapping from an <xccdf:Value> element to a checking system variable (i.e., external name or id for use by the checking system). This supports export of tailoring <xccdf:Value> elements from the XCCDF processing environment to the checking system. The interface between the XCCDF benchmark consumer and the checking system should support, at a minimum, passing the <xccdf:value> property of the <xccdf:Value> element, but may also support passing the <xccdf:Value> element's @type and @operator properties.</xsd:documentation> </xsd:annotation> <xsd:attribute name="value-id" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The id of the <xccdf:Value> element to export. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="export-name" type="xsd:string" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">An identifier indicating some structure in the checking system into which the identified <xccdf:Value> element's properties will be mapped. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="checkContentRefType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:check-content-ref> element, which points to the code for a detached check in another file. This element has no body, just a couple of attributes: @href and @name. The @name is optional, if it does not appear then this reference is to the entire document. </xsd:documentation> </xsd:annotation> <xsd:attribute name="href" type="xsd:anyURI" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Identifies the referenced document containing checking instructions. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="name" type="xsd:string"> <xsd:annotation> <xsd:documentation xml:lang="en">Identifies a particular part or element of the referenced check document. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="checkContentType" mixed="true"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:check-content> element. The body of this element holds the actual code of a check, in the language or system specified by the <xccdf:check> element’s @system attribute. The body of this element may be any XML, but cannot contain any XCCDF elements. XCCDF tools do not process its content directly but instead pass the content directly to checking engines. </xsd:documentation> </xsd:annotation> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:any namespace="##other" processContents="skip"/> </xsd:choice> </xsd:complexType> <xsd:simpleType name="weightType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for an <xccdf:Rule> element's weight, a non-negative real number. 
</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:decimal"> <xsd:minInclusive value="0.0"/> <xsd:totalDigits value="3"/> </xsd:restriction> </xsd:simpleType> <!-- ************************************************************** --> <!-- ******************* Value Element ************************** --> <!-- ************************************************************** --> <xsd:element name="Value" type="cdf:valueType"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Value> element is a named parameter that can be substituted into properties of other elements within the <xccdf:Benchmark>, including the interior of structured check specifications and fix scripts.</xsd:documentation> </xsd:annotation> <xsd:unique name="valueSelectorKey"> <xsd:selector xpath="./cdf:value|cdf:complex-value"/> <xsd:field xpath="@selector"/> </xsd:unique> <xsd:unique name="defaultSelectorKey"> <xsd:selector xpath="./cdf:default|cdf:complex-default"/> <xsd:field xpath="@selector"/> </xsd:unique> <xsd:unique name="matchSelectorKey"> <xsd:selector xpath="./cdf:match"/> <xsd:field xpath="@selector"/> </xsd:unique> <xsd:unique name="lower-boundSelectorKey"> <xsd:selector xpath="./cdf:lower-bound"/> <xsd:field xpath="@selector"/> </xsd:unique> <xsd:unique name="upper-boundSelectorKey"> <xsd:selector xpath="./cdf:upper-bound"/> <xsd:field xpath="@selector"/> </xsd:unique> <xsd:unique name="choicesSelectorKey"> <xsd:selector xpath="./cdf:choices"/> <xsd:field xpath="@selector"/> </xsd:unique> </xsd:element> <xsd:complexType name="valueType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:Value> element, which is a named parameter that can be substituted into properties of other elements within the <xccdf:Benchmark>, including the interior of structured check specifications and fix scripts. 
</xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:itemType"> <xsd:sequence> <xsd:choice minOccurs="1" maxOccurs="unbounded"> <xsd:element name="value" type="cdf:selStringType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A simple (number, string, or boolean) value associated with this <xccdf:Value>. At any time an <xccdf:Value> has one active (simple or complex) value. If a selector value has been provided under <xccdf:Profile> selection or tailoring then the active <xccdf:value>/<xccdf:complex-value> is the one with a matching @selector. If there is no provided selector or if the provided selector does not match the @selector attribute of any <xccdf:value> or <xccdf:complex-value>, the active <xccdf:value>/<xccdf:complex-value> is the one with an empty or absent @selector or, failing that, the first <xccdf:value> or <xccdf:complex-value> in the XML. When an <xccdf:Value> is exported or used in text substitution, it is the currently active <xccdf:value> or <xccdf:complex-value> that is actually used. If there are multiple <xccdf:value> and/or <xccdf:complex-value> elements, only one may omit a @selector attribute and no two may have the same @selector value.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="complex-value" type="cdf:selComplexValueType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A complex (list) value associated with this <xccdf:Value>. See the description of the <xccdf:value> property for <xccdf:Rule> elements regarding activation of an <xccdf:complex-value>. 
</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:element name="default" type="cdf:selStringType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">The default value displayed to the user as a suggestion by benchmark producers during tailoring of this <xccdf:Value> element. (This is not the default value of an <xccdf:Value>; it is just the default display.) If there are multiple <xccdf:default> and/or <xccdf:complex-default> elements, only one may omit a @selector attribute and no two may have the same @selector value. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="complex-default" type="cdf:selComplexValueType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">The default <xccdf:complex-value> displayed to the user as a suggestion by benchmark producers during tailoring of this <xccdf:Value> element. (This is not the default value of an <xccdf:Value>; it is just the default display.) If there are multiple <xccdf:default> and <xccdf:complex-default> elements, only one may omit a @selector attribute and no two may have the same @selector value. </xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:element name="match" type="cdf:selStringType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A Perl Compatible Regular Expression that a benchmark producer may apply during tailoring to validate a user’s input for the <xccdf:Value>. It uses implicit anchoring. It applies only when the @type property is “string” or “number” or a list of strings and/or numbers.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="lower-bound" type="cdf:selNumType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Minimum legal value for this <xccdf:Value>. 
It is used to constrain value input during tailoring, when the @type property is “number”. Values supplied by the user for tailoring the <xccdf:Benchmark> must be equal to or greater than this number. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="upper-bound" type="cdf:selNumType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Maximum legal value for this <xccdf:Value>. It is used to constrain value input during tailoring, when the @type is “number”. Values supplied by the user for tailoring the <xccdf:Benchmark> must be less than or equal to this number. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="choices" type="cdf:selChoicesType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A list of legal or suggested choices (values) for an <xccdf:Value> element, to be used during tailoring and document generation. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="source" type="cdf:uriRefType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">URI indicating where the tool may acquire values, value bounds, or value choices for this <xccdf:Value> element. XCCDF does not attach any meaning to the URI; it may be an arbitrary community or tool-specific value, or a pointer directly to a resource. If several instances of the <xccdf:source> property appear, then they represent alternative means or locations for obtaining the value in descending order of preference (i.e., most preferred first). </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="signature" type="cdf:signatureType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Value>. 
</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="id" type="cdf:valueIdType" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The unique identifier for this element. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="type" type="cdf:valueTypeType" default="string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The data type of the <xccdf:Value>. A tool may choose any convenient form to store an <xccdf:Value> element’s <xccdf:value> element, but the @type attribute conveys how the <xccdf:Value> should be treated for user input validation purposes during tailoring processing. The @type attribute may also be used to give additional guidance to the user or to validate the user’s input. In the case of a list of values, the @type attribute, if present, applies to all elements of the list individually.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="operator" type="cdf:valueOperatorType" default="equals" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The operator to be used for comparing this <xccdf:Value> to some part of the test system’s configuration during <xccdf:Rule> checking. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="interactive" type="xsd:boolean" default="0" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Whether tailoring for this <xccdf:Value> should be performed during <xccdf:Benchmark> application. The benchmark consumer may ignore the attribute if asking the user is not feasible or not supported.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="interfaceHint" use="optional" type="cdf:interfaceHintType"> <xsd:annotation> <xsd:documentation xml:lang="en">A hint or recommendation to a benchmark consumer or producer about how the user might select or adjust the <xccdf:Value>. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <!-- ************************************************************** --> <!-- *************** Value-related Types ************************ --> <!-- ************************************************************** --> <xsd:complexType name="complexValueType"> <xsd:annotation> <xsd:documentation xml:lang="en">Data type that supports values that are lists of simple types. Each element in the list is represented by an instance of the <xccdf:item> child element. If there are no <xccdf:item> child elements then this represents an empty list. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="item" minOccurs="0" maxOccurs="unbounded" type="xsd:string"> <xsd:annotation> <xsd:documentation xml:lang="en">A single item in the list of values. </xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:complexType> <xsd:complexType name="selComplexValueType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type that supports values that are lists of simple types with an associated @selector attribute used in tailoring. </xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:complexValueType"> <xsd:attribute name="selector" default="" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of this property. If no selectors are specified for a given item by <xccdf:Profile> elements or manual tailoring, properties with empty or non-existent @selector attributes are activated. If a selector is applied that does not match the @selector attribute of any of a given type of property, then no <xccdf:choices> element is considered activated. 
The only exception is the <xccdf:value> and <xccdf:complex-value> properties of an <xccdf:Value> element - if there is no <xccdf:value> or <xccdf:complex-value> property with a matching @selector value then the <xccdf:value>/<xccdf:complex-value> property with an empty or absent @selector attribute becomes active. If there is no such <xccdf:value> or <xccdf:complex-value>, then the first <xccdf:value> or <xccdf:complex-value> listed becomes active. This reflects the fact that all <xccdf:Value> elements require an active value property at all times.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <xsd:complexType name="selChoicesType"> <xsd:annotation> <xsd:documentation xml:lang="en"> The type of the <xccdf:choice> element, which specifies a list of legal or suggested choices for an <xccdf:Value> object. </xsd:documentation> </xsd:annotation> <xsd:choice minOccurs="1" maxOccurs="unbounded"> <xsd:element name="choice" type="xsd:string" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A single choice holding a simple type. (I.e., number, string, or boolean.) </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="complex-choice" type="cdf:complexValueType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A single choice holding a list of simple types.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:attribute name="mustMatch" type="xsd:boolean" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">True if the listed choices are the only permissible settings for the given <xccdf:Value>. 
False if choices not specified in this <xccdf:choices> element are acceptable settings for this <xccdf:Value>.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="selector" default="" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of the <xccdf:Rule>. If no selectors are specified for a given <xccdf:Value> by <xccdf:Profile> elements or manual tailoring, an <xccdf:choice> element with an empty or non-existent @selector attribute is activated. If a selector is applied that does not match the @selector attribute of any <xccdf:choices> element, then no <xccdf:choices> element is considered activated.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="selStringType"> <xsd:annotation> <xsd:documentation xml:lang="en"> This type is for an element that has string content and a @selector attribute for use in tailoring. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="selector" default="" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of this property. If no selectors are specified for a given property by <xccdf:Profile> elements or manual tailoring, properties with empty or non-existent @selector attributes are activated. If a selector is applied that does not match the @selector attribute of any of a given type of property, then no property of that type is considered activated. 
The only exception is the <xccdf:value> and <xccdf:complex-value> properties of an <xccdf:Value> element - if there is no <xccdf:value> or <xccdf:complex-value> property with a matching @selector value then the <xccdf:value>/<xccdf:complex-value> property with an empty or absent @selector attribute becomes active. If there is no such <xccdf:value> or <xccdf:complex-value>, then the first <xccdf:value> or <xccdf:complex-value> listed in the XML becomes active. This reflects the fact that all <xccdf:Value> elements require an active value property at all times.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="selNumType"> <xsd:annotation> <xsd:documentation xml:lang="en"> This type is for an element that has numeric content and a @selector attribute for use during tailoring. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:decimal"> <xsd:attribute name="selector" default="" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">This may be referenced from <xccdf:Profile> selection elements or used during manual tailoring to refine the application of this property. If no selectors are specified for a given property by <xccdf:Profile> elements or manual tailoring, properties with empty or non-existent @selector attributes are activated. If a selector is applied that does not match the @selector attribute of any of a given type of property, then no property of that type is considered activated. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="uriRefType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for elements that have no content and a single @uri attribute. 
</xsd:documentation> </xsd:annotation> <xsd:attribute name="uri" type="xsd:anyURI" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">A URI.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:simpleType name="valueTypeType"> <xsd:annotation> <xsd:documentation xml:lang="en">Allowed data types for <xccdf:Value> elements, string, numeric, and boolean. A tool may choose any convenient form to store an <xccdf:Value> element’s <xccdf:value> element, but the @type conveys how the value should be treated for user input validation purposes during tailoring processing. The @type may also be used to give additional guidance to the user or to validate the user’s input. For example, if an <xccdf:value> element’s @type attribute is “number”, then a tool might choose to reject user tailoring input that is not composed of digits. In the case of a list of values, the @type applies to all elements of the list individually. Note that checking systems may have their own understanding of data types that may not be identical to the typing indicated in XCCDF. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="number"> <xsd:annotation> <xsd:documentation xml:lang="en">A numeric value. This may be decimal or integer.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="string"> <xsd:annotation> <xsd:documentation xml:lang="en">Any character data</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="boolean"> <xsd:annotation> <xsd:documentation xml:lang="en">True/false</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="valueOperatorType"> <xsd:annotation> <xsd:documentation xml:lang="en"> This type enumerates allowed values of the @operator property of <xccdf:Value> elements. The specific interpretation of these operators depends on the checking system used. 
</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="equals"/> <xsd:enumeration value="not equal"/> <xsd:enumeration value="greater than"/> <xsd:enumeration value="less than"/> <xsd:enumeration value="greater than or equal"/> <xsd:enumeration value="less than or equal"/> <xsd:enumeration value="pattern match"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="interfaceHintType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Allowed interface hint values. <xccdf:Value> elements may contain a hint or recommendation to a benchmark consumer or producer about how the user might select or adjust the <xccdf:Value>. This type enumerates the possible values of this hint.</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="choice"> <xsd:annotation> <xsd:documentation xml:lang="en">Multiple choice</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="textline"> <xsd:annotation> <xsd:documentation xml:lang="en">Multiple lines of text</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="text"> <xsd:annotation> <xsd:documentation xml:lang="en">Single line of text</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="date"> <xsd:annotation> <xsd:documentation xml:lang="en">Date</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="datetime"> <xsd:annotation> <xsd:documentation xml:lang="en">Date and time</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <!-- ************************************************************** --> <!-- ******************* Profile Element ************************ --> <!-- ************************************************************** --> <xsd:element name="Profile" type="cdf:profileType"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Profile> element is a named tailoring for an 
<xccdf:Benchmark>. While an <xccdf:Benchmark> can be tailored in place by setting properties of various elements, <xccdf:Profile> elements allow one <xccdf:Benchmark> document to hold several independent tailorings.</xsd:documentation> </xsd:annotation> <!-- selector key constraints --> <xsd:unique name="itemSelectKey"> <xsd:selector xpath="./cdf:select"/> <xsd:field xpath="@idref"/> </xsd:unique> <xsd:unique name="refineRuleKey"> <xsd:selector xpath="./cdf:refine-rule"/> <xsd:field xpath="@idref"/> </xsd:unique> <xsd:unique name="refineValueKey"> <xsd:selector xpath="./cdf:refine-value"/> <xsd:field xpath="@idref"/> </xsd:unique> <xsd:unique name="setValueKey"> <xsd:selector xpath="./cdf:set-value"/> <xsd:field xpath="@idref"/> </xsd:unique> </xsd:element> <xsd:complexType name="profileType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:Profile> element, which holds a specific tailoring of the <xccdf:Benchmark>. The main part of an <xccdf:Profile> is the selectors: <xccdf:select>, <xccdf:set-value>, <xccdf:set-complex-value>, <xccdf:refine-rule>, and <xccdf:refine-value>. An <xccdf:Profile> may also be signed with an XML-Signature. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element ref="cdf:status" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Status of the <xccdf:Profile> and date at which it attained that status. Authors may use this element to record the maturity or consensus level of an <xccdf:Profile>. 
If the <xccdf:status> is not given explicitly, then the <xccdf:Profile> is taken to have the same status as its parent <xccdf:Benchmark>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="dc-status" minOccurs="0" maxOccurs="unbounded" type="cdf:dc-statusType"> <xsd:annotation> <xsd:documentation xml:lang="en">Holds additional status information using the Dublin Core format.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="version" type="cdf:versionType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">Version information about this <xccdf:Profile>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="title" type="cdf:textWithSubType" minOccurs="1" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Title of the <xccdf:Profile>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="description" type="cdf:htmlTextWithSubType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Text that describes the <xccdf:Profile>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="reference" type="cdf:referenceType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A reference where the user can learn more about the subject of this <xccdf:Profile>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="platform" type="cdf:overrideableCPE2idrefType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A target platform for this <xccdf:Profile>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:element name="select" minOccurs="0" type="cdf:profileSelectType"> <xsd:annotation> <xsd:documentation xml:lang="en">Select or deselect <xccdf:Group> and <xccdf:Rule> elements. 
</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="set-complex-value" minOccurs="0" type="cdf:profileSetComplexValueType"> <xsd:annotation> <xsd:documentation xml:lang="en">Set the value of an <xccdf:Value> to a list.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="set-value" minOccurs="0" type="cdf:profileSetValueType"> <xsd:annotation> <xsd:documentation xml:lang="en">Set the value of an <xccdf:Value> to a simple data value.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="refine-value" minOccurs="0" type="cdf:profileRefineValueType"> <xsd:annotation> <xsd:documentation xml:lang="en">Customize the properties of an <xccdf:Value>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="refine-rule" minOccurs="0" type="cdf:profileRefineRuleType"> <xsd:annotation> <xsd:documentation xml:lang="en">Customize the properties of an <xccdf:Rule> or <xccdf:Group>.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:element name="metadata" type="cdf:metadataType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Metadata associated with this <xccdf:Profile>.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="signature" type="cdf:signatureType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Profile>.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="id" type="cdf:profileIdType" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Unique identifier for this <xccdf:Profile>.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="prohibitChanges" type="xsd:boolean" default="false" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Whether or not products should prohibit changes to this 
<xccdf:Profile>.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="abstract" type="xsd:boolean" default="false" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">If true, then this <xccdf:Profile> exists solely to be extended by other <xccdf:Profile> elements. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="note-tag" type="xsd:NCName" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Tag identifier to specify which <xccdf:profile-note> element from an <xccdf:Rule> should be associated with this <xccdf:Profile>.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="extends" type="xsd:NCName" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The id of an <xccdf:Profile> on which to base this <xccdf:Profile>.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute ref="xml:base"/> <xsd:attribute name="Id" type="xsd:ID" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">An identifier used for referencing elements included in an XML signature.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <!-- ************************************************************** --> <!-- *************** Profile-related Types *********************** --> <!-- ************************************************************** --> <xsd:complexType name="profileSelectType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for the <xccdf:select> element in an <xccdf:Profile>. 
This element designates an <xccdf:Rule>, <xccdf:Group>, or cluster of <xccdf:Rule> and <xccdf:Group> elements and overrides the @selected attribute on the designated items, providing a means for including or excluding <xccdf:Rule> elements from an assessment.</xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="remark" type="cdf:textType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Explanatory material or other prose.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="idref" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The @id value of an <xccdf:Rule> or <xccdf:Group>, or the @cluster-id value of one or more <xccdf:Rule> or <xccdf:Group> elements. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="selected" type="xsd:boolean" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The new value for the indicated item's @selected property. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="profileSetValueType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for the <xccdf:set-value> element in an <xccdf:Profile>. This element supports the direct specification of simple value types such as numbers, strings, and boolean values. 
This overrides the <xccdf:value> and <xccdf:complex-value> element(s) of an <xccdf:Value> element.</xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="idref" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The @id value of an <xccdf:Value> or the @cluster-id value of one or more <xccdf:Value> elements </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="profileSetComplexValueType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for the <xccdf:set-complex-value> element in an <xccdf:Profile>. This element supports the direct specification of complex value types such as lists. Zero or more <xccdf:item> elements may appear as children of this element; if no child elements are present, this element represents an empty list. This overrides the <xccdf:value> and <xccdf:complex-value> element(s) of an <xccdf:Value> element.</xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:complexValueType"> <xsd:attribute name="idref" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The @id value of an <xccdf:Value> or the @cluster-id value of one or more <xccdf:Value> elements </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <xsd:complexType name="profileRefineValueType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for the <xccdf:refine-value> element in an <xccdf:Profile>. This element designates the <xccdf:Value> constraints to be applied during tailoring for an <xccdf:Value> element or the <xccdf:Value> members of a cluster. 
</xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="remark" type="cdf:textType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Explanatory material or other prose.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="idref" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The @id value of an <xccdf:Value> or the @cluster-id value of one or more <xccdf:Value> elements </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="selector" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Holds a selector value corresponding to the value of a @selector property in an <xccdf:Value> element's child properties. Properties with a matching @selector are considered active and all other properties are inactive. This may mean that, after selector application, some classes of <xccdf:Value> properties will be completely inactive because none of those properties had a matching @selector. The only exception is the <xccdf:value> and <xccdf:complex-value> properties of an <xccdf:Value> element - if there is no <xccdf:value> or <xccdf:complex-value> property with a matching @selector value then the <xccdf:value>/<xccdf:complex-value> property with an empty or absent @selector attribute becomes active. If there is no such <xccdf:value> or <xccdf:complex-value>, then the first <xccdf:value> or <xccdf:complex-value> listed in the XML becomes active. This reflects the fact that all <xccdf:Value> elements require an active value property at all times. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="operator" type="cdf:valueOperatorType" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The new value for the identified <xccdf:Value> element's @operator property. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="profileRefineRuleType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for the <xccdf:refine-rule> element in an <xccdf:Profile>. A <xccdf:refine-rule> element allows the author to select <xccdf:check> statements and override the @weight, @severity, and @role of an <xccdf:Rule>, <xccdf:Group>, or cluster of <xccdf:Rule> and <xccdf:Group> elements. Despite the name, this selector does apply for <xccdf:Group> elements and for clusters that include <xccdf:Group> elements, but it only affects their @weight attribute. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="remark" type="cdf:textType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Explanatory material or other prose.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="idref" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The @id value of an <xccdf:Rule> or <xccdf:Group>, or the @cluster-id value of one or more <xccdf:Rule> or <xccdf:Group> elements. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="weight" type="cdf:weightType" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The new value for the identified element's @weight property. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="selector" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Holds a selector value corresponding to the value of a @selector property in an <xccdf:Rule> element's <xccdf:check> element. If the selector specified does not match any of the @selector attributes specified on any of the <xccdf:check> children of an <xccdf:Rule>, then the <xccdf:check> child element without a @selector attribute is used. 
If there is no child without a @selector attribute, then that Rule would have no effective <xccdf:check> element.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="severity" type="cdf:severityEnumType" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The new value for the identified <xccdf:Rule> element's @severity property. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="role" type="cdf:roleEnumType" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The new value for the identified <xccdf:Rule> element's @role property. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <!-- ************************************************************** --> <!-- ******************* TestResult Element ********************* --> <!-- ************************************************************** --> <xsd:element name="TestResult" type="cdf:testResultType"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:TestResult> element encapsulates the results of a single application of an <xccdf:Benchmark> to a single target platform. The <xccdf:TestResult> element normally appears as the child of the <xccdf:Benchmark> element, although it may also appear as the top-level element of an XCCDF results document. XCCDF is not intended to be a database format for detailed results; the <xccdf:TestResult> element offers a way to store the results of individual tests in modest detail, with the ability to reference lower-level testing data.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:complexType name="testResultType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:TestResult> element, which holds the results of one application of the <xccdf:Benchmark>. The <xccdf:TestResult> element normally appears as the child of the <xccdf:Benchmark> element, although it may also appear as the top-level element of an XCCDF results document. 
XCCDF is not intended to be a database format for detailed results; the <xccdf:TestResult> element offers a way to store the results of individual tests in modest detail, with the ability to reference lower-level testing data. Although several of the child elements of this type technically support the @override attribute, the <xccdf:TestResult> element cannot be extended. Therefore, @override has no meaning within an <xccdf:TestResult> element and its children, and should not be used for them.</xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="benchmark" minOccurs="0" maxOccurs="1" type="cdf:benchmarkReferenceType"> <xsd:annotation> <xsd:documentation xml:lang="en">Reference to the <xccdf:Benchmark> for which the <xccdf:TestResult> records results. This property is required if this <xccdf:TestResult> element is the top-level element and optional otherwise.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="tailoring-file" minOccurs="0" maxOccurs="1" type="cdf:tailoringReferenceType"> <xsd:annotation> <xsd:documentation xml:lang="en">The tailoring file element contains attributes used to identify an <xccdf:Tailoring> element used to guide the assessment reported on in this <xccdf:TestResult>. The tailoring element is required in an <xccdf:TestResult> if and only if an <xccdf:Tailoring> element guided the assessment recorded in the <xccdf:TestResult> or if the <xccdf:Tailoring> element records manual tailoring actions applied to this assessment. 
</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="title" type="cdf:textType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Title of the test.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="remark" type="cdf:textType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A remark about the test, possibly supplied by the person administering the <xccdf:Benchmark> assessment</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="organization" type="xsd:string" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">The name of the organization or other entity responsible for applying this <xccdf:Benchmark> and generating this result. When multiple <xccdf:organization> elements are used to indicate multiple organization names in a hierarchical organization, the highest-level organization should appear first. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="identity" type="cdf:identityType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">Information about the system identity or user employed during application of the <xccdf:Benchmark>. If used, specifies the name of the authenticated identity.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="profile" type="cdf:idrefType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:profile> element holds the value of the @id attribute value of the <xccdf:Profile> selected to be used in the assessment reported on by this <xccdf:TestResult>. This <xccdf:Profile> might be from the <xccdf:Benchmark> or from an <xccdf:Tailoring> file, if used. 
This element should appear if and only if an <xccdf:Profile> was selected to guide the assessment.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="target" type="xsd:string" minOccurs="1" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Name or description of the target system whose test results are recorded in the <xccdf:TestResult> element (the system to which an <xccdf:Benchmark> test was applied). Each appearance of the element supplies a name by which the target host or device was identified at the time the test was run. The name may be any string, but applications should include the fully qualified DNS name whenever possible. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="target-address" type="xsd:string" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Network address of the target system to which an <xccdf:Benchmark> test was applied. Typical forms for the address include IP version 4 (IPv4), IP version 6 (IPv6), and Ethernet media access control (MAC).</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="target-facts" type="cdf:targetFactsType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A list of named facts about the target system or platform. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:element name="target-id-ref" type="cdf:targetIdRefType"> <xsd:annotation> <xsd:documentation xml:lang="en">References to external structures with identifying information about the target of this assessment.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:any namespace="##other" processContents="lax"> <xsd:annotation> <xsd:documentation xml:lang="en">Identifying information expressed in other XML formats can be included here. 
</xsd:documentation> </xsd:annotation> </xsd:any> </xsd:choice> <xsd:element name="platform" type="cdf:CPE2idrefType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A platform on the target system. There should be one instance of this property for every platform that the target system was found to meet. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:choice minOccurs="0" maxOccurs="unbounded"> <xsd:element name="set-value" type="cdf:profileSetValueType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">Specific setting for a single <xccdf:Value> element used during the test.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="set-complex-value" type="cdf:profileSetComplexValueType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">Specific setting for a single <xccdf:Value> element used during the test when the given value is set to a complex type, such as a list.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> <xsd:element name="rule-result" type="cdf:ruleResultType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">The result of a single instance of an <xccdf:Rule> application against the target. The <xccdf:TestResult> must include at least one <xccdf:rule-result> record for each <xccdf:Rule> that was selected in the resolved <xccdf:Benchmark>.</xsd:documentation> </xsd:annotation> <!-- Each context name in an instance must be unique. 
--> <xsd:key name="instanceContextKey"> <xsd:selector xpath="cdf:instance"/> <xsd:field xpath="@context"/> </xsd:key> <!-- parentContext must refer to valid sibling context --> <xsd:keyref name="parentKeyRef" refer="cdf:instanceContextKey"> <xsd:selector xpath="./cdf:instance"/> <xsd:field xpath="@parentContext"/> </xsd:keyref> </xsd:element> <xsd:element name="score" type="cdf:scoreType" minOccurs="1" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">An overall score for this <xccdf:Benchmark> test. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="metadata" type="cdf:metadataType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">XML metadata associated with this <xccdf:TestResult>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="signature" type="cdf:signatureType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:TestResult>. </xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="id" type="cdf:testresultIdType" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Unique identifier for this element.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="start-time" type="xsd:dateTime" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Time when testing began.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="end-time" type="xsd:dateTime" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Time when testing was completed and the results recorded. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="test-system" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Name of the benchmark consumer program that generated this <xccdf:TestResult> element; should be either a CPE name or a CPE applicability language expression.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="version" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The version number string copied from the <xccdf:Benchmark> used to direct this assessment. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="Id" type="xsd:ID" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">An identifier used for referencing elements included in an XML signature.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="benchmarkReferenceType"> <xsd:annotation> <xsd:documentation xml:lang="en">Type for a reference to the <xccdf:Benchmark> document. </xsd:documentation> </xsd:annotation> <xsd:attribute name="href" type="xsd:anyURI" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The URI of the <xccdf:Benchmark> document. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="id" type="xsd:NCName" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The value of that <xccdf:Benchmark> element's @id attribute. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="scoreType"> <xsd:annotation> <xsd:documentation xml:lang="en">Type for a score value in an <xccdf:TestResult>. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:decimal"> <xsd:attribute name="system" type="xsd:anyURI" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">A URI indicating the scoring model used to create this score. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="maximum" type="xsd:decimal" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The maximum possible score value that could have been achieved under the named scoring system. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="targetFactsType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for the <xccdf:target-facts> elements in <xccdf:TestResult> elements. A <xccdf:target-facts> element holds a list of named facts about the target system or platform. Each fact is an element of type factType. Each <xccdf:fact> must have a name, but duplicate names are allowed. (For example, if you had a fact about MAC addresses, and the target system had three NICs, then you'd need three instances of the "urn:xccdf:fact:ethernet:MAC" fact.) </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="fact" type="cdf:factType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A named fact about the target system or platform.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:complexType> <xsd:complexType name="targetIdRefType"> <xsd:annotation> <xsd:documentation xml:lang="en">Type for an <xccdf:target-id-ref> element in an <xccdf:TestResult> element. This element contains references to external structures with identifying information about the target of an assessment.</xsd:documentation> </xsd:annotation> <xsd:attribute name="system" type="xsd:anyURI" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Indicates the language in which this identifying information is expressed. 
If the identifying language uses XML namespaces, then the @system attribute for the language should be its namespace.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="href" type="xsd:string" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Points to the external resource (e.g., a file) that contains the identifying information.</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="name" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Identifies a specific structure within the referenced file. If the @name attribute is absent, the reference is to the entire resource indicated in the @href attribute.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="identityType"> <xsd:annotation> <xsd:documentation xml:lang="en">Type for an <xccdf:identity> element in an <xccdf:TestResult>. It contains information about the system identity or user employed during application of the <xccdf:Benchmark>. If used, shall specify the name of the authenticated identity. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="authenticated" type="xsd:boolean" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Whether the identity was authenticated with the target system during the application of the <xccdf:Benchmark>. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="privileged" type="xsd:boolean" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Whether the identity was granted administrative or other special privileges beyond those of a normal user. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="factType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Data type for an <xccdf:fact> element, which holds information about a target system: a name-value pair with a type. The content of the element is the value, and the @name attribute indicates the name. The @name is in the form of a URI that indicates the nature of the fact. A table of defined fact URIs appears in section 6.6.3 of the XCCDF specification. Additional URIs may be defined by authors to indicate additional kinds of facts. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="name" type="xsd:anyURI" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">A URI that indicates the name of the fact. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="type" type="cdf:valueTypeType" default="boolean" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The data type of the fact value. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="tailoringReferenceType"> <xsd:annotation> <xsd:documentation xml:lang="en">Type for the <xccdf:tailoring> element within an <xccdf:TestResult>. This element is used to indicate the identity and location of an <xccdf:Tailoring> file that was used to create the assessment results. </xsd:documentation> </xsd:annotation> <xsd:attribute name="href" type="xsd:anyURI" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The URI of the <xccdf:Tailoring> file's location. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="id" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Tailoring> element's @id value. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="version" type="xsd:string" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The value of the <xccdf:Tailoring> element's <xccdf:version> property. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="time" type="xsd:dateTime" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The value of the @time attribute in the <xccdf:Tailoring> element's <xccdf:version> property.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="ruleResultType"> <xsd:annotation> <xsd:documentation xml:lang="en">Type for the <xccdf:rule-result> element within an <xccdf:TestResult>. An <xccdf:rule-result> holds the result of applying an <xccdf:Rule> from the <xccdf:Benchmark> to a target system or component of a target system. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="result" type="cdf:resultEnumType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">Result of applying the referenced <xccdf:Rule> to a target or target component. (E.g., Pass, Fail, etc.) </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="override" type="cdf:overrideType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">An XML block explaining how and why an auditor chose to override the result. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="ident" type="cdf:identType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">A long-term globally meaningful identifier for the issue, vulnerability, platform, etc. copied from the referenced <xccdf:Rule>. 
</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="metadata" type="cdf:metadataType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">XML metadata associated with this <xccdf:rule-result>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="message" type="cdf:messageType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Diagnostic messages from the checking engine. These elements do not affect scoring; they are present merely to convey diagnostic information from the checking engine. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="instance" type="cdf:instanceResultType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Name of the target subsystem or component to which this result applies, for a multiply instantiated <xccdf:Rule>. The element is important for an <xccdf:Rule> that applies to components of the target system, especially when a target might have several such components, and where the @multiple attribute of the <xccdf:Rule> is set to true.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="fix" type="cdf:fixType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Fix script for this target platform, if available (would normally appear only for result values of “fail”). 
It is assumed to have been ‘instantiated’ by the testing tool and any substitutions or platform selections already made.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:choice> <xsd:element name="check" type="cdf:checkType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Encapsulated or referenced results to detailed testing output from the checking engine (if any).</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="complex-check" minOccurs="0" type="cdf:complexCheckType" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A copy of the <xccdf:Rule> element’s <xccdf:complex-check> element where each component <xccdf:check> element of the <xccdf:complex-check> element is an encapsulated or referenced results to detailed testing output from the checking engine (if any) as described in the <xccdf:rule-result> <xccdf:check> property.</xsd:documentation> </xsd:annotation> </xsd:element> </xsd:choice> </xsd:sequence> <xsd:attribute name="idref" type="xsd:NCName" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The value of the @id property of an <xccdf:Rule>. This <xccdf:rule-result> reflects the result of applying this <xccdf:Rule> to a target or target component. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="role" type="cdf:roleEnumType" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The value of the @role property of the referenced <xccdf:Rule>. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="severity" type="cdf:severityEnumType" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The value of the @severity property of the referenced <xccdf:Rule>. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="time" type="xsd:dateTime" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Time when application of this instance of the referenced <xccdf:Rule> was completed. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="version" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The value of the @version property of the referenced <xccdf:Rule>. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="weight" type="cdf:weightType" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">The value of the @weight property of the referenced <xccdf:Rule>. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="instanceResultType"> <xsd:annotation> <xsd:documentation xml:lang="en">Type for an <xccdf:instance> element in an <xccdf:rule-result>. The content is a string, but the element may also have two attributes: @context and @parentContext. Both attributes are intended to provide hints as to the nature of the substituted content. The body of this type records the details of the target system instance for multiply instantiated <xccdf:Rule> elements. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="context" default="undefined" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Describes the scope or significance of the instance content. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="parentContext" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Used to express nested structure in instance context structures. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="overrideType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for an <xccdf:override> element in an <xccdf:rule-result>. This element is used to record manual modification or annotation of a particular <xccdf:rule-result>. All attributes and child elements are required. It will not always be the case that the <xccdf:new-result> value will differ from the <xccdf:old-result> value. They might match if an authority wished to make a remark on the result without changing it. If <xccdf:new-result> and <xccdf:old-result> differ, the <xccdf:result> element of the enclosing <xccdf:rule-result> must match the <xccdf:new-result> value.</xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="old-result" type="cdf:resultEnumType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:rule-result> status before this override. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="new-result" type="cdf:resultEnumType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">The new, override <xccdf:rule-result> status. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="remark" type="cdf:textType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">Rationale or explanation text for why or how the override was applied. </xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="time" type="xsd:dateTime" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">When the override was applied. </xsd:documentation> </xsd:annotation> </xsd:attribute> <xsd:attribute name="authority" type="xsd:string" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Name or other identification for the human principal authorizing the override. 
</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="messageType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Type for a message generated by the checking engine or XCCDF tool during <xccdf:Benchmark> testing. The message is contained in string format in the body of the element. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="severity" type="cdf:msgSevEnumType" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Denotes the seriousness of the message.</xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> <xsd:simpleType name="msgSevEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en"> Allowed values to indicate the severity of messages from the checking engine. These values don't affect scoring themselves but are present merely to convey diagnostic information from the checking engine. Benchmark consumers may choose to log these messages or display them to the user. </xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="error"> <xsd:annotation> <xsd:documentation xml:lang="en">Denotes a serious problem identified; test did not run. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="warning"> <xsd:annotation> <xsd:documentation xml:lang="en">Denotes a possible issue; test may not have run. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="info"> <xsd:annotation> <xsd:documentation xml:lang="en">Denotes important information about the tests. 
</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="resultEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en">Allowed result indicators for a test.</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="pass"> <xsd:annotation> <xsd:documentation xml:lang="en">The target system or system component satisfied all the conditions of the <xccdf:Rule>. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="fail"> <xsd:annotation> <xsd:documentation xml:lang="en">The target system or system component did not satisfy all the conditions of the <xccdf:Rule>. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="error"> <xsd:annotation> <xsd:documentation xml:lang="en">The checking engine could not complete the evaluation; therefore the status of the target’s compliance with the <xccdf:Rule> is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">The testing tool encountered some problem and the result is unknown. For example, a result of ‘unknown’ might be given if the testing tool was unable to interpret the output of the checking engine (the output has no meaning to the testing tool). </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="notapplicable"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Rule> was not applicable to the target of the test. For example, the <xccdf:Rule> might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed. 
</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="notchecked"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Rule> was not evaluated by the checking engine. This status is designed for <xccdf:Rule> elements that have no check. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="notselected"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Rule> was not selected in the <xccdf:Benchmark>. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="informational"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Rule> was checked, but the output from the checking engine is simply information for auditors or administrators; it is not a compliance category. This status value is designed for <xccdf:Rule> elements whose main purpose is to extract information from the target rather than test the target. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="fixed"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Rule> had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor). </xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="severityEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en">Allowed severity values for the @severity attribute of an <xccdf:Rule>. The value of this attribute provides an indication of the importance of the <xccdf:Rule> element's recommendation. This information is informative only and does not affect scoring.</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="unknown"> <xsd:annotation> <xsd:documentation xml:lang="en">Severity not defined (default). 
</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="info"> <xsd:annotation> <xsd:documentation xml:lang="en"><xccdf:Rule> is informational and failure does not represent a problem. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="low"> <xsd:annotation> <xsd:documentation xml:lang="en">Not a serious problem. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="medium"> <xsd:annotation> <xsd:documentation xml:lang="en">Fairly serious problem. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="high"> <xsd:annotation> <xsd:documentation xml:lang="en">A grave or critical problem. </xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="roleEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en">Allowed checking and scoring roles for an <xccdf:Rule>.</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="full"> <xsd:annotation> <xsd:documentation xml:lang="en">If the <xccdf:Rule> is selected, then check it and let the result contribute to the score and appear in reports (default). </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="unscored"> <xsd:annotation> <xsd:documentation xml:lang="en">If the <xccdf:Rule> is selected, then check it and include it in the test report, but give the result a status of informational and do not use the result in score computations. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="unchecked"> <xsd:annotation> <xsd:documentation xml:lang="en">Do not check the <xccdf:Rule>; just force the result status to notchecked. 
</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="subUseEnumType"> <xsd:annotation> <xsd:documentation xml:lang="en">This holds the possible values of the @use attribute within an <xccdf:sub> element. The @use attribute is only applicable when the subType's @idref attribute holds the value of the @id of an <xccdf:Value> element.</xsd:documentation> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="value"> <xsd:annotation> <xsd:documentation xml:lang="en">Replace with the selected <xccdf:value> or <xccdf:complex-value> of an <xccdf:Value>. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="title"> <xsd:annotation> <xsd:documentation xml:lang="en">Replace with the <xccdf:title> of the <xccdf:Value>. </xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="legacy"> <xsd:annotation> <xsd:documentation xml:lang="en">Use the context-dependent processing of <xccdf:sub> elements outlined in XCCDF 1.1.4. </xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:element name="Tailoring" type="cdf:tailoringType"> <xsd:annotation> <xsd:documentation xml:lang="en">The <xccdf:Tailoring> element holds one or more <xccdf:Profile> elements. These <xccdf:Profile> elements record additional tailoring activities that apply to a given <xccdf:Benchmark>. <xccdf:Tailoring> elements are separate from <xccdf:Benchmark> documents, but each <xccdf:Tailoring> element is associated with a specific <xccdf:Benchmark> document. By defining these tailoring actions separately from the <xccdf:Benchmark> document to which they apply, these actions can be recorded without affecting the integrity of the source itself.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:complexType name="tailoringType"> <xsd:annotation> <xsd:documentation xml:lang="en">Data type for the <xccdf:Tailoring> element. 
The <xccdf:Tailoring> element allows named tailorings (i.e., <xccdf:Profile> elements) of an <xccdf:Benchmark> to be defined separately from the <xccdf:Benchmark> itself. The <xccdf:Profile> elements in an <xccdf:Tailoring> element can be used in two ways: First, an organization might wish to pre-define a set of tailoring actions to be applied on top of or instead of the tailoring performed by an <xccdf:Benchmark> element's <xccdf:Profile> elements. Second, an <xccdf:Tailoring> element can be used to record manual tailoring actions performed during the course of an assessment. </xsd:documentation> </xsd:annotation> <xsd:sequence> <xsd:element name="benchmark" minOccurs="0" maxOccurs="1" type="cdf:tailoringBenchmarkReferenceType"> <xsd:annotation> <xsd:documentation xml:lang="en">Identifies the <xccdf:Benchmark> to which this tailoring applies. A <xccdf:Tailoring> document is only applicable to a single <xccdf:Benchmark>. Note, however, that this is a purely informative field. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element ref="cdf:status" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">Status of the tailoring and date at which it attained that status. Authors may use this element to record the maturity or consensus level of an <xccdf:Tailoring> element.</xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="dc-status" minOccurs="0" maxOccurs="unbounded" type="cdf:dc-statusType"> <xsd:annotation> <xsd:documentation xml:lang="en">Holds additional status information using the Dublin Core format. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="version" minOccurs="1" maxOccurs="1" type="cdf:tailoringVersionType"> <xsd:annotation> <xsd:documentation xml:lang="en">The version of this <xccdf:Tailoring> element, with a required @time attribute that records when the <xccdf:Tailoring> element was created. 
This timestamp is necessary because, under some circumstances, a copy of an <xccdf:Tailoring> document might be automatically generated. Without the version and timestamp, tracking of these automatically created <xccdf:Tailoring> documents could become problematic. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="metadata" type="cdf:metadataType" minOccurs="0" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en">XML metadata for the <xccdf:Tailoring> element. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element ref="cdf:Profile" minOccurs="1" maxOccurs="unbounded"> <xsd:annotation> <xsd:documentation xml:lang="en"><xccdf:Profile> elements that reference and customize sets of items in an <xccdf:Benchmark>. </xsd:documentation> </xsd:annotation> </xsd:element> <xsd:element name="signature" type="cdf:signatureType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation xml:lang="en">A digital signature asserting authorship and allowing verification of the integrity of the <xccdf:Tailoring>. </xsd:documentation> </xsd:annotation> </xsd:element> </xsd:sequence> <xsd:attribute name="id" type="cdf:tailoringIdType" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">Unique identifier for this element.</xsd:documentation> </xsd:annotation> </xsd:attribute> <!-- the 'Id' attribute is needed for XML-Signature --> <xsd:attribute name="Id" type="xsd:ID" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">An identifier used for referencing elements included in an XML signature. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="tailoringBenchmarkReferenceType"> <xsd:annotation> <xsd:documentation xml:lang="en">Identifies the <xccdf:Benchmark> to which an <xccdf:Tailoring> element applies. 
</xsd:documentation> </xsd:annotation> <xsd:complexContent> <xsd:extension base="cdf:benchmarkReferenceType"> <xsd:attribute name="version" type="xsd:string" use="optional"> <xsd:annotation> <xsd:documentation xml:lang="en">Identifies the version of the referenced <xccdf:Benchmark>. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:complexContent> </xsd:complexType> <xsd:complexType name="tailoringVersionType"> <xsd:annotation> <xsd:documentation xml:lang="en">Type for version information about an <xccdf:Tailoring> element. </xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:extension base="xsd:string"> <xsd:attribute name="time" type="xsd:dateTime" use="required"> <xsd:annotation> <xsd:documentation xml:lang="en">The time when this version of the <xccdf:Tailoring> document was completed. </xsd:documentation> </xsd:annotation> </xsd:attribute> </xsd:extension> </xsd:simpleContent> </xsd:complexType> </xsd:schema> <!-- CHANGELOG date change remarks 6/20/05 added cdf:ident long-term identifiers for Rule and rule-result. 6/21/05 enhanced version added version attr to TestResult and rule-result, too added notapplicable added new rule result value added severity enum and attributes 6/22/05 added signatures for need for standalone Rules & such Rule,Group,Value, Profile,TestResult 6/22/05 added rule roles at Dave's request 6/23/05 added rule result at DISA request overrides 6/26/05 added fixtext and enums for attributes fix enhancements 6/29/05 added interactive run-time tailoring for Values attr on Value object 6/29/05 added multiple scoring was this a Dave request? model support 7/1/05 added support for to support text re-use named plain text blocks 7/7/05 added target-facts DISA suggestion 7/13/05 added complex-checks workshop suggestion, allow boolean combinations of checks. 7/29/05 added more rule some suggested by CIS result types 8/4/05 added override attrs suggested by Dave W. 
for managing inheritance 8/20/05 added fix strategies 8/20/05 revamped complex-check see OVAL schema to more closely match OVAL boolean operators 9/4/05 fixed some typos 9/8/05 Added fix/fixtext suggested by Dave W. complexity and warning categories. 9/18/05 Allow for XCCDF-P as see XCCDF-P document a platform type. (later deprecated) 9/21/05 Added profile-note suggested by Dave W. support. 11/10/05 Added additional features also from Dave W. for Values. 11/27/05 Added instance context to meet CIS req'ts support 11/27/05 Added multiple hint on to meet CIS req'ts Rule object 11/27/05 fixed role attr on old bug Rule object 12/5/05 fixed 1.0-incompatible reported by Nancy W order glitch in Profile 4/16/06 beginning work toward reports from Ian C 1.1bis; fixed several small mistakes/glitches. 4/23/06 tweaked formatting various e-mails fixed some comments version # to 1.1.2.1 4/30/06 fixed plain-text id report from Dave W. key and sub key ref 5/5/06 fixed extends keyrefs report from Dave W. 5/21/06 added id attribute to request from CIS check element 8/27/06 changed TestResult to bug discovered myself allow target to appear multiple times 11/20/06 Fixed weightType report from Gary Gapinski 12/13/06 Changed platform support for CPE references to URIs 12/13/06 Changed requires element request from NIST to a token list 12/28/06 Changed check element to backfit to NIST allow multiple change by Linda Devlin check-content-ref 8/21/07 Added check-import better reporting, req. 
element by NIST & MITRE 8/26/07 Added remark element allow authors to add to Profile selectors rationale to Profiles 8/26/07 Added weight to rule record weight used in result element a benchmark run 8/30/07 Added impact-metric mechanism to include a element to Rule CVSS score in a Rule 8/30/07 Changed CPE support Match SCAP 1.0 to CPE 2.0 9/10/07 Made CPE 1.0 deprecated Match SCAP 1.0 10/8/07 Allow Profile selectors Part of clarifying Profile in any order semantics for 1.1.4 10/8/07 Added Benchmark style For NIST SCAP and style-href attrs 10/8/07 Added organization and For NIST SCAP identity elements for TestResult 6/1/10 Made platform element Fix to match spec Profile overridable 6/1/10 Added metadata fields Community request for to TestResults, Profiles more flexible metadata and Items. Also opened metadata fields to all content. 6/1/10 Updated to use CPE 2.3 Bring into line with SCAP Also changed CPE fields from URIs to strings. 6/1/10 Added negate field to Support inverting of SCAP check element. result mappings 6/1/10 Added dc-status field Allow Dublin-Core status info 6/1/10 Added multi-check to Allows creation of rule-results Rules for each check used 6/1/10 Expanded selector Enforce requirements from spec uniqueness constraints within Values 6/1/10 Expanded Value to Bring XCCDF more in line with allow lists and externally capabilities of checking languages defined types. Updated Profile selectors and TestResults to handle the new constructs 6/1/10 Added import-xpath to Expand import capabilities check-import. Also updated check-import to allow XML-structured findings 6/1/10 Fixed path of Benchmark's Bug fix. profileIdKeyRef restriction 6/1/10 Added an id field to Better reference to the XCCDF source TestResult/benchmark 5/27/11 Added reference to Asset More standards based target identification Identification structures in TestResults. 5/27/11 Added ComplexChecks in Better tracking of result structures during complex checks rule-results -->