I've been tinkering with building a security reporting tool based on
SCAP. I'm running into some real problems though and I'm hoping
somebody can point me in the right direction.
Namely, I can't seem to find any actually useful data in SCAP format.
Here's a specific example of what I'm talking about. If you pull the
XCCDF for the vista firewall from the National Vulnerability Database,
you'll find a ton of rules of the form, "The log file size limit for
the Windows Firewall should be configured correctly for the Domain
Profile." What does "configured correctly" mean? The XCCDF doesn't
tell you. The XCCDF does provide a CCE, but the CCE list doesn't say
anything actually useful either. It says, "The log file size limit
for the Windows Firewall should be configured correctly for the Domain
Profile." You have to actually go digging through the web to find out
what "configured correctly" means - which makes this XCCDF and CCE
useless. If I'm going to have to dig through the web anyway to
understand a configuration issue (similar problems exist for CVEs as
well), then SCAP isn't really saving me a great deal of effort. The
value of SCAP is supposed to be in organizing and distributing
security information.
I don't know who decided it'd be a good idea to create a common
standard in which to put useless information. I can't quite see it as
making progress.
I can only assume that I've been looking in the wrong places for SCAP
data and that there's actually something worthwhile out there
organized in a meaningful and computer friendly way. If so, I'd be
eternally grateful if somebody can point me to it.
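As an added example, not part of the original post: a small Python script that walks an XCCDF benchmark and reports, for each Rule, the CCE identifiers it names and whether it carries OVAL check content (a `<check>` with a `<check-content-ref>`) that a scanner could actually evaluate. A Rule with only a prose title and a CCE, and no check reference, is exactly the "configured correctly" case described above. The benchmark text, rule ids, CCE numbers and OVAL definition id are constructed for illustration; the XCCDF 1.1 namespace and the CCE and OVAL system URIs are the real ones.

```python
"""Triage an XCCDF benchmark: which Rules carry a machine-checkable test?

An XCCDF Rule's <title> is prose. What makes a Rule actionable is a <check>
element whose <check-content-ref> points at an OVAL definition (the OVAL
content is where the expected state, e.g. a registry value, is spelled out).
This script lists, per Rule, its CCE idents and OVAL check references, and
flags Rules that name a CCE but carry no check content at all.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}

# Constructed sample benchmark (not a real NVD/NIST file). The rule ids,
# CCE numbers and the OVAL definition id below are made up for illustration.
SAMPLE_XCCDF = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="sample-firewall-benchmark">
  <title>Sample Firewall Benchmark (constructed)</title>
  <Group id="domain-profile">
    <title>Domain Profile</title>
    <Rule id="log-file-size-limit-domain" severity="medium">
      <title>The log file size limit for the Windows Firewall should be
      configured correctly for the Domain Profile.</title>
      <ident system="{CCE_SYSTEM}">CCE-0000-0</ident>
    </Rule>
    <Rule id="log-dropped-packets-domain" severity="low">
      <title>Logging of dropped packets should be enabled for the Domain
      Profile.</title>
      <ident system="{CCE_SYSTEM}">CCE-0000-1</ident>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="sample-oval.xml"
                           name="oval:example.sample:def:1"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_rules(xml_text):
    """Return one dict per <Rule>: id, normalised title, CCE idents, OVAL refs."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        title_el = rule.find("x:title", NS)
        title = " ".join((title_el.text or "").split()) if title_el is not None else ""
        # Only idents whose system is the CCE namespace count as CCE ids.
        cces = [i.text.strip() for i in rule.findall("x:ident", NS)
                if i.get("system") == CCE_SYSTEM and i.text]
        # Collect (href, name) pairs of OVAL definitions this Rule checks.
        checks = []
        for chk in rule.findall("x:check", NS):
            if chk.get("system") != OVAL_SYSTEM:
                continue
            for ref in chk.findall("x:check-content-ref", NS):
                checks.append((ref.get("href"), ref.get("name")))
        rules.append({"id": rule.get("id"), "title": title,
                      "cce": cces, "checks": checks})
    return rules


def rules_without_checks(rules):
    """Ids of Rules that name a CCE but carry no OVAL check content."""
    return [r["id"] for r in rules if r["cce"] and not r["checks"]]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_XCCDF)
    for r in parsed:
        status = "checkable" if r["checks"] else "PROSE ONLY"
        print(f"{r['id']}: {status} cce={r['cce']} checks={r['checks']}")
    print("rules with a CCE but no check:", rules_without_checks(parsed))
```

Run it against a downloaded benchmark by replacing `SAMPLE_XCCDF` with the file contents (and `XCCDF_NS` with the 1.2 namespace, `http://checklists.nist.gov/xccdf/1.2`, if the file uses it). The Rules it reports as prose-only are the ones where the XCCDF alone does not tell you what "configured correctly" means; for the others, the referenced OVAL definition is where to look for the expected setting.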