I guess the real question here is if we should ignore the fact that it isn't in a SCAP standard and push the Puppet-based remediation content into SSG. I would really prefer this approach but I completely understand if the SSG community doesn't want to start cramming non-SCAP content in SSG's git repo.
Yes. It remains possible for us to add non-SCAP stuff (as shorthand/macros we invent, and then transform out of the "final" SCAP-only content), but this is really not preferable.
I would like our outputs to be either:
1) in SCAP formats (with intended usage of the elements), if machine-consumable
2) in human-readable formats
To me, this means that the <fix> tags should only contain simple bash commands. Hopefully linkage to things like Puppet modules can be achieved in a manner that is
To that end, it is my intention to (at M.1 perhaps) declare Rule IDs frozen, so that any external tools which process results can have confidence that the world won't be shifting underneath them. I've renamed the subject line to match this thread.
I also haven't read the CRE draft (Dec 2011) published by NIST/Mitre yet. It may not relate to our short-term efforts, but we may want to keep it in mind.
___________________________
Jeffrey Blank
410-854-8675
Global Mitigations
NSA Information Assurance