[Verse 1]
In the world of compliance checking today
There's a stack that shows us the STIG way
XCCDF Benchmark sits up on top
Defining the rules that make systems stop
XML structure holds it all in place
Benchmarks and profiles set the pace
Groups contain rules with severity high
Each one numbered with an ID
[Chorus]
STIG stack climbing from bottom to top
OVAL defines where the checking won't stop
XCCDF Benchmark sets the standard clear
Results flow back when the tests appear
Format stack, format stack
SCAP components working back to back
Benchmark, rules, and OVAL too
STIG compliance coming through
[Verse 2]
Profile selects which rules to run
MAC-One Classified when security's done
Rule ID shows the specific test
SV numbers put controls to rest
Title tells you what must be true
RHEL Eight crypto FIPS won't do
Description explains the reasoning why
Check content makes the system comply
[Chorus]
STIG stack climbing from bottom to top
OVAL defines where the checking won't stop
XCCDF Benchmark sets the standard clear
Results flow back when the tests appear
Format stack, format stack
SCAP components working back to back
Benchmark, rules, and OVAL too
STIG compliance coming through
[Bridge]
Check system points to OVAL down below
Content reference tells us where to go
When the test runs results come back
Pass or fail upon this track
Fix element shows the remedy
CCI ident links to NIST taxonomy
Test result captures what was found
STIG format keeps systems sound
[Chorus]
STIG stack climbing from bottom to top
OVAL defines where the checking won't stop
XCCDF Benchmark sets the standard clear
Results flow back when the tests appear
Format stack, format stack
SCAP components working back to back
Benchmark, rules, and OVAL too
STIG compliance coming through
[Outro]
From benchmark down to OVAL's core
STIG format gives us so much more
Structured compliance in XML
The SCAP stack serves security well