usnistgov / SCAP

The repository will be used to track issues and post specifications related to the Security Automation Protocol (SCAP).

Add XCCDF 'target' element to instruct SCAP applications when to create results based on more than just the 'host' #1

Open vanderpol opened 3 weeks ago

vanderpol commented 3 weeks ago

In order to separate out results at a more granular level for certain technologies, such as database instances, databases, webservers, websites, and containers, I am proposing that XCCDF be updated to contain a 'target' element.

Propose XCCDF 1.3 spec updates to allow benchmarks to define the scope for scanning and result creation.

<xsd:element name="target" type="cdf:targetType" minOccurs="0" maxOccurs="1" default="host">
     <xsd:annotation>
          <xsd:documentation xml:lang="en">For content targeting technology other than the entire operating system, content authors can specify the target type.  This selection may cause the SCAP processing application to create more than one set of results, one per target instance.</xsd:documentation>
     </xsd:annotation>
</xsd:element>

<xsd:simpleType name="targetType">
    <xsd:annotation>
        <xsd:documentation xml:lang="en"> The targetType represents the technology of the target that is in scope for being scanned, and can be a basis for creating separate instances of XCCDF results per target type.
        </xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:string">
        <xsd:enumeration value="host">
            <xsd:annotation>
                <xsd:documentation xml:lang="en">Target is the entire operating system and all applications of the host being scanned.  One set of results per host should be created.</xsd:documentation>
            </xsd:annotation>
        </xsd:enumeration>
        <xsd:enumeration value="dbmsinstance">
            <xsd:annotation>
                <xsd:documentation xml:lang="en">Target is a single DBMS instance on the host being scanned.  One set of results per DBMS instance should be created.</xsd:documentation>
            </xsd:annotation>
        </xsd:enumeration>
        <xsd:enumeration value="database">
            <xsd:annotation>
                 <xsd:documentation xml:lang="en">Target is a single database of a single DBMS instance.  One set of results per DBMS instance and database should be created.</xsd:documentation>
            </xsd:annotation>
        </xsd:enumeration>
        <xsd:enumeration value="webserver">
            <xsd:annotation>
                <xsd:documentation xml:lang="en">Target is a single webserver instance on the host being scanned.  One set of results per webserver instance should be created.</xsd:documentation>
            </xsd:annotation>
        </xsd:enumeration>
        <xsd:enumeration value="website">
            <xsd:annotation>
                 <xsd:documentation xml:lang="en">Target is a single website on the host being scanned.  One set of results per website should be created.</xsd:documentation>
            </xsd:annotation>
        </xsd:enumeration>
        <xsd:enumeration value="container">
            <xsd:annotation>
                 <xsd:documentation xml:lang="en">Target is a single virtualization container on the host being scanned.  One set of results per container should be created.</xsd:documentation>
            </xsd:annotation>
        </xsd:enumeration>
    </xsd:restriction>
</xsd:simpleType>

It would be implemented like the following (for our SQL DB benchmark):

<xccdf:plain-text id="release-info">Release: 3.1.3, Benchmark Date: 22 July 2024. Based on DISA STIG Manual V3R1</xccdf:plain-text>
<xccdf:platform idref="cpe:/a:microsoft:sqlserver:2016"/>
<xccdf:target>database</xccdf:target>
<xccdf:version update="http://iase.disa.mil/stigs">3.1.3</xccdf:version>

And it would be optional, with a default value of "host", so 90+% of benchmarks wouldn't need any changes at all; it would be transparent.

This update is required in order for a new SQL test in OVAL 5.12 to function correctly.
https://github.com/OVAL-Community/OVAL/issues/153
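The following is an added example (not code from this issue, from NIST, or from the SCC tool) showing how an SCAP processing application could read the proposed 'target' element from a Benchmark, fall back to "host" when it is absent, and then create one TestResult per discovered target instance. It assumes the XCCDF 1.2 namespace as a stand-in for the not-yet-defined 1.3 namespace, a constructed inventory of DBMS instances, databases and websites on one host, and a hypothetical fact name for recording the instance in `target-facts`.

```python
# Added example, not part of the issue: honouring the proposed XCCDF 'target'
# element when deciding how many result sets a scan should produce.
import xml.etree.ElementTree as ET

# Assumption: the XCCDF 1.2 namespace stands in for a future 1.3 namespace.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Enumeration values from the proposed cdf:targetType.
TARGET_TYPES = {"host", "dbmsinstance", "database", "webserver", "website", "container"}

# Constructed benchmark fragment modelled on the SQL DB example in the issue.
BENCHMARK_DB = f"""<xccdf:Benchmark xmlns:xccdf="{XCCDF_NS}" id="xccdf_example_benchmark_sql">
  <xccdf:platform idref="cpe:/a:microsoft:sqlserver:2016"/>
  <xccdf:target>database</xccdf:target>
  <xccdf:version>3.1.3</xccdf:version>
</xccdf:Benchmark>"""

# Constructed benchmark that does not use the new element (the "90+%" case).
BENCHMARK_OS = f"""<xccdf:Benchmark xmlns:xccdf="{XCCDF_NS}" id="xccdf_example_benchmark_os">
  <xccdf:platform idref="cpe:/o:microsoft:windows_server_2016"/>
  <xccdf:version>1.0</xccdf:version>
</xccdf:Benchmark>"""

# Constructed inventory of what a scanner discovered on one host, as
# (target type, identifier) pairs. All identifiers are hypothetical.
INVENTORY = [
    ("host", "db01.example.test"),
    ("dbmsinstance", "db01.example.test/MSSQLSERVER"),
    ("dbmsinstance", "db01.example.test/REPORTING"),
    ("database", "db01.example.test/MSSQLSERVER/master"),
    ("database", "db01.example.test/MSSQLSERVER/sales"),
    ("database", "db01.example.test/REPORTING/rpt"),
    ("webserver", "db01.example.test/IIS"),
    ("website", "db01.example.test/IIS/Default Web Site"),
]


def read_target(benchmark_xml: str) -> str:
    """Return the Benchmark's target type, defaulting to 'host' when absent."""
    root = ET.fromstring(benchmark_xml)
    node = root.find("xccdf:target", NS)
    if node is None:
        return "host"  # the proposed schema default
    value = (node.text or "").strip()
    if value not in TARGET_TYPES:
        raise ValueError(f"unknown target type {value!r}")
    return value


def plan_result_sets(target: str, inventory) -> list:
    """Identifiers of the target instances that each get their own result set."""
    return [ident for kind, ident in inventory if kind == target]


def build_test_results(benchmark_xml: str, inventory) -> list:
    """Create one xccdf:TestResult element per target instance.

    The host name goes in the existing <target> child of TestResult; the
    instance identifier is recorded as a <target-facts> fact whose name
    (urn:example:scan:target-instance) is an assumption of this example.
    """
    root = ET.fromstring(benchmark_xml)
    benchmark_id = root.get("id")
    host = next(ident for kind, ident in inventory if kind == "host")
    results = []
    instances = plan_result_sets(read_target(benchmark_xml), inventory)
    for n, ident in enumerate(instances, 1):
        tr = ET.Element(f"{{{XCCDF_NS}}}TestResult", id=f"xccdf_example_testresult_{n}")
        ET.SubElement(tr, f"{{{XCCDF_NS}}}benchmark", href="benchmark.xml", id=benchmark_id)
        ET.SubElement(tr, f"{{{XCCDF_NS}}}target").text = host
        facts = ET.SubElement(tr, f"{{{XCCDF_NS}}}target-facts")
        fact = ET.SubElement(facts, f"{{{XCCDF_NS}}}fact",
                             name="urn:example:scan:target-instance", type="string")
        fact.text = ident
        results.append(tr)
    return results


if __name__ == "__main__":
    for doc in (BENCHMARK_DB, BENCHMARK_OS):
        target = read_target(doc)
        print(f"target={target}: {len(build_test_results(doc, INVENTORY))} result set(s)")
        for tr in build_test_results(doc, INVENTORY):
            print("  ", ET.tostring(tr, encoding="unicode"))
```

Run as a script it prints three TestResult elements for the SQL benchmark (one per database across both instances) and a single one for the OS benchmark, which is the transparent default the proposal describes.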

vanderpol commented 3 weeks ago

@solind just tagging you here to start some discussions on this. As it's related to our proposal to update the SQL test in OVAL 5.12, I'm wanting to make sure we get this updated (and done correctly) in XCCDF 1.3/SCAP 3.0 https://github.com/OVAL-Community/OVAL/issues/153

solind commented 3 weeks ago

Do you have any examples that would use webserver, website and container? (I assume website is a single site for a multi-homed or multi-site server, but what OVAL tests would come into play for this concept?)

With VMWare, I know there's the ability to scan a Virtual Center with multiple hosts, and a somewhat different ability to scan a single host. @maxullman should comment on whether it makes sense to call those out as target types!

vanderpol commented 3 weeks ago

@solind for IIS, the windows appcmd and appcmdlistconfig tests would be what we would envision using for Windows/IIS servers, based on the logic in the DISA STIG, which splits out requirements in separate STIGs for the WebServer vs the Website. OVAL processors would need to be updated to be more aware of these concepts before tests are run, which is how we are doing it with SQL in our SCC application. Our SCC application has functionality to find and iterate on SQL Instances and SQL instances, and then uses the new sql512 test to perform the tests.

For Apache, tool vendors may need to add some intelligence to find all running apache webservers, and tests could then be performed on a per web server/website basis, but I'm not 100% sure as to which OVAL tests would be used, maybe just the new command test; it will take some additional thought and prototyping to provide a more comprehensive response.

solind commented 3 weeks ago

Apache? Do people still use that? The (deprecated) OVAL Apache test was supposed to magically find running instances of Apache and tell you the version number. I wouldn't create a target type just for that.

The IIS thing certainly makes sense, though.

vanderpol commented 3 weeks ago

Yeah, the deprecated Apache test seemed a bit magical for sure. If we find some breathing room in the next year, we may revisit how to best audit apache again. And yes (not sure if you were joking or serious, but Apache is the 2nd most used webserver on the internet): https://w3techs.com/technologies/overview/web_server