I would like to announce the initial public release of SCC, a project intended to make
creating OVAL security content easier. SCC is a compiler for SC, a small domain specific
language (DSL). The SC language is designed to provide a more "human readable"
syntax than the XML of OVAL, with the intent of making security content authorship and
maintenance a much more manageable process. The SC design & language specification is
released on the SCC project wiki for questions, comments, and criticism; SCC is released
as open source software.
The main features of the SC language are:
* Compact, readable syntax: The XML-based syntax of OVAL is verbose and filled with line
noise, making it hard to write and hard to read. SC has a syntax that is easier on the
fingers and the eyes.
* Sane ID and reference handling: OVAL requires the creation of barely human-readable IDs
for each element (e.g., oval:tresys:obj:2007) and the widespread use of these IDs to
reference elements. SC will allow the use of human-readable names within the source and
allow the omission of names altogether when they are not necessary. SCC will provide a
stable translation of the SC named objects and nameless, in-line objects into XML objects
with OVAL compliant IDs.
* Locality of definition: OVAL requires that related elements, such as objects, states,
and tests, be widely spaced and referenced using OVAL IDs. SC allows elements that are
only used once to be defined in-line and relaxes the rules on element grouping. By giving
the content author greater control over organization, SC allows them to develop a more
maintainable body of content.
* Simple OVAL mapping: SC provides a simpler syntax while maintaining a clear mapping to
the actual OVAL language. A content author can clearly understand how the SC language will
be rendered into OVAL. This also makes it simple for the content author to translate the
OVAL documentation into corresponding SC syntax.
The SCC compiler also provides features which can help simplify security content
authorship and maintenance:
* Numerous small SC content files can be compiled into one OVAL content file, allowing a
more modular content base to be maintained.
* Additionally, numerous SC content files can be compiled into corresponding separate OVAL
files in one step.
* OVAL mapping details such as ID prefixes and numbers are stored in a simple
configuration file; simply edit one line and re-compile your content to change ID details
across your entire OVAL content base.
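To illustrate the ID handling and configuration-driven mapping described above, here is an added example (not SCC's own code) of a stable allocator that turns human-readable names and nameless in-line elements into OVAL-compliant IDs of the form oval:<namespace>:<type>:<number>, where the namespace and starting number come from a single configuration value. The element kinds, names and sample content are constructed for the illustration.

```python
"""Stable mapping of named and anonymous elements to OVAL IDs.
Added illustration of the concept, not SCC's implementation."""
import re
from dataclasses import dataclass, field

# OVAL IDs look like oval:<namespace>:<type>:<number>; the element
# types are def, tst, obj, ste and var.
OVAL_ID = re.compile(r"^oval:[A-Za-z0-9_.\-]+:(def|tst|obj|ste|var):[1-9][0-9]*$")
KINDS = ("def", "tst", "obj", "ste", "var")


@dataclass
class IdAllocator:
    namespace: str          # constructed config value, e.g. "tresys"
    start: int = 1          # first number handed out per element type
    _named: dict = field(default_factory=dict)   # (kind, name) -> id
    _next: dict = field(default_factory=dict)    # kind -> next number

    def allocate(self, kind, name=None):
        """Return the same ID every time for a named element; hand a fresh
        number to each nameless, in-line element."""
        if kind not in KINDS:
            raise ValueError(f"unknown OVAL element kind: {kind}")
        key = (kind, name)
        if name is not None and key in self._named:
            return self._named[key]
        number = self._next.get(kind, self.start)
        self._next[kind] = number + 1
        oval_id = f"oval:{self.namespace}:{kind}:{number}"
        if name is not None:
            self._named[key] = oval_id
        return oval_id


def compile_ids(namespace, elements, start=1):
    """elements: (kind, name-or-None) pairs in source order, as they might
    appear across several small source files merged into one OVAL file."""
    alloc = IdAllocator(namespace, start)
    return [alloc.allocate(kind, name) for kind, name in elements]


# Constructed sample: a named object referenced twice, a named state,
# and two nameless in-line elements.
SAMPLE = [("obj", "sshd_config"), ("ste", "perm_0600"), ("obj", None),
          ("obj", "sshd_config"), ("tst", None)]

if __name__ == "__main__":
    for elem, oval_id in zip(SAMPLE, compile_ids("tresys", SAMPLE)):
        print(elem, "->", oval_id)
```

Changing the namespace argument (the one configuration value) re-prefixes every ID in the content base on the next compile, while the number assigned to each named element stays the same.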
With growing community realization of the benefits of security automation, we are faced
with two initiatives: improve the tools which automate security scanning and remediation,
and improve the process by which content for these tools is created and maintained. With
these goals in mind, the SCC security content project currently shares mailing list
discussion space with the Secstate security tool project.
Additional information, design specification, and installation instructions are available
on the Tresys Open Source Software (OSS) site for SCC:
http://oss.tresys.com/projects/scc
The current mailing list used for SCC and Secstate user discussions is:
https://fedorahosted.org/mailman/listinfo/secstate
And the current mailing list used for SCC and Secstate development discussion is:
https://fedorahosted.org/mailman/listinfo/secstate-devel