Understanding the purpose of XCCDF and OVAL policies

When you download policies, you will often see the terms Open Vulnerability and Assessment Language (OVAL) and eXtensible Configuration Checklist Description Format (XCCDF). Some security policies are only available in OVAL format, so it is worth taking a moment to consider these different file types.

First of all, it is important to state that they are not interchangeable—instead, they should be thought of as hierarchical in nature. At the lower level in the hierarchy is the OVAL file, which in essence describes all of the system-level checks that the OpenSCAP scanning engine should perform. This might, for example, consist of checking whether a given package ...
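
The hierarchy described above can be seen by resolving the checks in an XCCDF checklist down to the OVAL definitions they point at. The following Python sketch is an added example, not code from the book: both XML documents are constructed samples trimmed to the elements the code reads, and the function name `map_rules_to_oval` is hypothetical. Only the two namespace URIs and the `check` / `check-content-ref` linkage come from the XCCDF 1.2 and OVAL 5 formats.

```python
import xml.etree.ElementTree as ET

# Namespace URIs defined by XCCDF 1.2 and OVAL 5 definitions.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS, "o": OVAL_NS}

# Constructed sample documents (not taken from any published policy).
XCCDF_DOC = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_telnet_removed" severity="high">
    <title>Remove the telnet-server package</title>
    <check system="{OVAL_NS}">
      <check-content-ref href="demo-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_example_rule_banner_reviewed" severity="low">
    <title>Review the login banner text</title>
  </Rule>
</Benchmark>"""

OVAL_DOC = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:example:def:1" class="compliance" version="1">
      <metadata><title>Package telnet-server is not installed</title></metadata>
      <criteria><criterion test_ref="oval:example:tst:1"/></criteria>
    </definition>
  </definitions>
</oval_definitions>"""

def map_rules_to_oval(xccdf_xml, oval_xml):
    """Return {rule id: (OVAL definition id, title)}, or None for rules with no OVAL check."""
    defs = {}
    for d in ET.fromstring(oval_xml).iterfind(".//o:definition", NS):
        defs[d.get("id")] = d.findtext("o:metadata/o:title", default="", namespaces=NS)
    result = {}
    for rule in ET.fromstring(xccdf_xml).iterfind(".//x:Rule", NS):
        ref = rule.find(f"x:check[@system='{OVAL_NS}']/x:check-content-ref", NS)
        if ref is None:
            result[rule.get("id")] = None  # no automated check: needs manual review
        elif ref.get("name") not in defs:
            # A dangling reference means the scanner cannot evaluate this rule.
            raise KeyError(f"{rule.get('id')} references missing {ref.get('name')}")
        else:
            result[rule.get("id")] = (ref.get("name"), defs[ref.get("name")])
    return result

if __name__ == "__main__":
    for rule_id, check in map_rules_to_oval(XCCDF_DOC, OVAL_DOC).items():
        print(rule_id, "->", check or "no OVAL check")
```

Rules that map to `None` carry no machine-checkable content, and a `KeyError` flags a checklist whose OVAL file is missing or out of step with it.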
