Balisage Paper: Using DITA to Create Security Configuration Checklists

A Case Study

Balisage: The Markup Conference 2017
August 1 - 4, 2017

The materials listed below were provided by the speaker as supplements to a presentation at Balisage. These materials may include the slides or visuals used in the presentation; supplementary material, such as code samples or a demonstration application; and/or the paper accompanying the presentation (if it has not been provided in XML). These materials have been zipped for easy download and are identified by a brief description of the contents. The materials themselves are untouched, that is, they have not been tested or edited by Balisage: The Markup Conference or by Mulberry Technologies, Inc. As such, they are included on this website AS IS, i.e., as provided by the speaker, with no warranties, express or otherwise, made by Balisage or Mulberry.

Slides and Materials

Bal2017lube0408-slides.zip: Presentation slides in Adobe PDF

Center for Internet Security. CIS Red Hat Enterprise Linux 7 Benchmark v2.1.0 (2016). https://benchmarks.cisecurity.org [Prose documentation, XCCDF, and OVAL available to CIS members]

DITA Open Toolkit. http://www.dita-ot.org

T. Hedberg, J. Lubell, L. Fischer, L. Maggiano, and A. Barnard Feeney. Testing the Digital Thread in Support of Model-Based Manufacturing and Inspection. Journal of Computing and Information Science in Engineering. 16 (2) (2016). doi:https://doi.org/10.1115/1.4032697

V.C. Hu, D.R. Kuhn, T. Xie, and J. Hwang. Model Checking for Verification of Mandatory Access Control Models and Properties. International Journal of Software Engineering and Knowledge Engineering. 21 (1). pp. 103–27 (2011). doi:https://doi.org/10.1142/S021819401100513X.

E. Kimber. DITA for Practitioners Volume 1: Architecture and Technology. XMLPress (2012). [Configuration and Specialization tutorials online at http://www.xiruss.org/tutorials/dita-specialization]

S. Krima and J. Lubell. Flat Versus Hierarchical Information Models in PLM Standardization Frameworks. In Product Lifecycle Management for Digital Transformation of Industries: 13th IFIP WG 5.1 International Conference, PLM 2016, Columbia, SC, USA, July 11-13, 2016, Revised Selected Papers. R. Harik, L. Rivest, A. Bernard, B. Eynard, and A. Bouras, Eds. Cham: Springer International Publishing. pp. 121–133 (2016). doi:https://doi.org/10.1007/978-3-319-54660-5_12

J. Lubell. Extending the Cybersecurity Digital Thread with XForms. In Proceedings of Balisage: The Markup Conference 2015. Balisage Series on Markup Technologies, vol. 15 (2015). doi:https://doi.org/10.4242/BalisageVol15.Lubell01

J. Lubell and T. Zimmerman. The Challenge of Automating Security Configuration Checklists in Manufacturing Environments. In Critical Infrastructure Protection XI. M. Rice and S. Shenoi, Eds. Springer Berlin Heidelberg (2017). [To appear]

Organization for the Advancement of Structured Information Standards. Darwin Information Typing Architecture (DITA) Version 1.3 Part 2: Technical Content Edition. OASIS Standard (2016). http://docs.oasis-open.org/dita/dita/v1.3/dita-v1.3-part2-tech-content.html

Organization for the Advancement of Structured Information Standards. DITA XML.org. http://dita.xml.org

OpenSCAP Portal. SCAP Security Guide. http://www.open-scap.org/security-policies/scap-security-guide

OpenSCAP Portal. SCAP Workbench. https://www.open-scap.org/tools/scap-workbench

OVAL Documentation. http://ovalproject.github.io

Oxygen XML Editor Blog. DITA Reuse Strategies (Short Tutorial describing all DITA Reuse possibilities). http://blog.oxygenxml.com/2015/11/dita-reuse-strategies-short-tutorial.html

M. Priestley and D. A. Schell. Specialization in DITA: Technology, Process, & Policy. In Proceedings of the 20th Annual International Conference on Computer Documentation. pp. 164–176 (2002). doi:https://doi.org/10.1145/584955.584980

M. Preisler. Contributing to SCAP Security Guide — Part 1. https://martin.preisler.me/2016/10/contributing-to-scap-security-guide-part-1

Raspbian. https://www.raspbian.org

P. St. Pierre. Securing Linux with Mandatory Access Controls. Linux.com (2005). https://www.linux.com/news/securing-linux-mandatory-access-controls

S. Quinn, K. Scarfone, and D. Waltermire. Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2 (Draft). NIST Special Publication 800-117. Revision 1 (2012). http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-117-Rev.%201

S. Radack and R. Kuhn. Managing Security: The Security Content Automation Protocol. IT Professional. vol. 13(1). pp. 9–11 (2011). doi:https://doi.org/10.1109/MITP.2011.11

K. Schengili-Roberts. Don Day and Michael Priestley on the Beginnings of DITA: Part 1. http://www.ditawriter.com/don-day-and-michael-priestley-on-the-beginnings-of-dita-part-1

D. Vecchiato, M. Vieira, and E. Martins. The Perils of Android Security Configuration. Computer. vol. 49(6). pp. 15-21 (2016). doi:https://doi.org/10.1109/MC.2016.184

D. Waltermire, C. Schmidt, K. Scarfone, and N. Ziring. Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. NIST Interagency Report 7275 Revision 4 (2012). https://scap.nist.gov/specifications/xccdf

World Wide Web Consortium. Cascading Style Sheets Level 2 Revision 1 (CSS 2.1). W3C Recommendation (2011). https://www.w3.org/TR/CSS2

World Wide Web Consortium. Extensible Markup Language (XML) 1.0 (Fifth Edition). W3C Recommendation (2008). https://www.w3.org/TR/xml

World Wide Web Consortium. XSL Transformations (XSLT) Version 2.0. W3C Recommendation (2007). https://www.w3.org/TR/xslt20

XCCDF — The Extensible Configuration Checklist Description Format. https://scap.nist.gov/specifications/xccdf

Author's keywords for this paper:

Security Content Automation Protocol; SCAP; Darwin Information Typing Architecture; DITA; SCAP Security Guide; specialization; reuse; XCCDF; platform fragmentation