Ah -- didn't recall that from the spec.
The purpose of the table (and scripts which generate it) is to allow an
organization to see at a glance whether/how a particular profile's Rules
enabled compliance with a particular set of NIST (or whoever's)
requirements. The basic idea was for XCCDF authors to embed each
reference to a formal policy doc (using the reference tag, or a vastly
simplified macro for it) with each Rule, and then folks could transform
as needed. So far, refs have only been added for 800-53, but it could
be done for others.
I'm totally with you on the optional-ness of this, and also being able
to select/transform any other part of the content. After all, the
project will only be able to "stay upstream" by providing anybody the
tools they'd want, in order to customize/transform the content.
The new transforms (with only a little adjustment) should allow easy
insertion of any profile that's defined in the profiles directory (or
even for folks who want to make their own "private" ones and insert/test
it easily privately).
On 10/26/2011 07:50 PM, Gary Gapinski wrote:
On 10/26/2011 07:42 PM, Jeffrey Blank wrote:
> This should be fixed now. At one point, I had decided not to output
> profiles (in order to ensure oscap's prose guide generation would show
> all rules). But, the table transform was still expecting a particular
> profile (which is logical).
However,<Profile>s in XCCDF are optional (as is IMO appropriate and
acknowledged by NIST SP 800-126 section 3.2.3).