Using DITA to Create Security Configuration Checklists
A Case Study
Joshua Lubell
Computer Scientist
National Institute of Standards and Technology
Abstract

Many software tools use security configuration checklists expressed in the Extensible Configuration Checklist Description Format (XCCDF) to monitor computers and other information technology products for compliance with security policies. But XCCDF syntax is checklist author-unfriendly. And complex relationships and dependencies between and among checklist rules, checking instructions, and software platforms make it difficult to reuse or repurpose existing XCCDF content in new checklists. The Darwin Information Typing Architecture (DITA) can tame XCCDF syntax and facilitate content management and reuse. A case study comparing the use of specialization and other DITA features with a currently-deployed ad hoc XCCDF authoring system demonstrates the advantages of the DITA approach.
Balisage: The Markup Conference 2017
August 1 - 4, 2017
The materials listed below were provided by the speaker as supplements to a presentation at Balisage. These materials may include the slides or visuals used in the presentation; supplementary material, such as code samples or a demonstration application; and/or the paper accompanying the presentation (if it has not been provided in XML). These materials have been zipped for easy download and are identified by a brief description of the contents. The materials themselves are untouched, that is, they have not been tested or edited by Balisage: The Markup Conference or by Mulberry Technologies, Inc. As such, they are included on this website AS IS, i.e., as provided by the speaker, with no warranties, express or otherwise, made by Balisage or Mulberry.
Slides and Materials
Author's keywords for this paper: Security Content Automation Protocol; SCAP; Darwin Information Typing Architecture; DITA; SCAP Security Guide; specialization; reuse; XCCDF; platform fragmentation