Good point -- this will be resolved in a better way, since those
particular CCIs should actually be references. I'll post an update for
the transforms, and then sync with Shawn on changing the CCIs to refs.
This was my fault: originally I thought that we should use ident for
CCIs, in our Rules. But the XCCDF spec says that an ident is really for
a unique _identifier_ for _that_ Rule. As our purpose is really to
demonstrate satisfaction of a CCI (and this may require several Rules to
satisfy), these should really be <references>.
We will also try to expand out each CCI id to a separate reference, to
allow for easier querying.
On 04/26/2012 07:06 AM, Simon Lukasik wrote:
On 04/24/2012 11:43 PM, Shawn Wells wrote:
> @@ -74,6 +75,7 @@ default):
> <ident cce="4292-9" />
> <oval id="service_auditd_enabled" />
> <ref nist="CM-6, CM-7" />
> +<ident cci="CCI-000016, CCI-000166" />
> </Rule>
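Review bot: the added `<ident cci="CCI-000016, CCI-000166" />` line packs two CCI ids into one attribute value, while the existing `<ident cce="4292-9" />` in the same Rule carries a single id. Emit one element per CCI id so each value can be matched on its own, and place it beside the existing ident line rather than after `<ref nist="CM-6, CM-7" />`.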
Please don't use a comma-separated list in the cci attribute. In the
generated XCCDF it will end up like:
<ident
system="http://iase.disa.mil/cci/index.html">
CCI-000016, CCI-000166</ident>
I believe it makes machine parsing a bit harder, which was actually
the problem the XML was trying to solve.
Thanks for considering,
--
Simon Lukasik
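An added example, not part of the original thread or the project's transforms: it shows why an exact-match query misses a CCI stored in the comma-separated form quoted above, and how expanding each CCI id into its own element fixes that. The sample Rule is constructed and un-namespaced; the `reference` element name with an `href` attribute and the helper names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

CCI_SYSTEM = "http://iase.disa.mil/cci/index.html"  # system URI quoted in the thread

# Constructed sample: the generated form quoted above, wrapped in a minimal Rule.
GENERATED = f"""<Rule id="service_auditd_enabled">
  <ident system="{CCI_SYSTEM}">
CCI-000016, CCI-000166</ident>
</Rule>"""


def rules_citing(root, cci, tag):
    """Return ids of Rules with a <tag> child whose text is exactly `cci`."""
    return [rule.get("id")
            for rule in root.iter("Rule")
            for elem in rule.findall(tag)
            if (elem.text or "").strip() == cci]


def expand_cci(root, new_tag="reference"):
    """Replace each comma-separated CCI ident with one element per CCI id.

    new_tag/href shape is an assumption, not the project's actual transform.
    """
    for rule in list(root.iter("Rule")):
        cci_idents = [e for e in rule.findall("ident")
                      if e.get("system") == CCI_SYSTEM]
        for ident in cci_idents:
            pos = list(rule).index(ident)
            rule.remove(ident)
            ids = [p.strip() for p in (ident.text or "").split(",") if p.strip()]
            for offset, cci in enumerate(ids):
                ref = ET.Element(new_tag, {"href": CCI_SYSTEM})
                ref.text = cci
                ref.tail = ident.tail
                rule.insert(pos + offset, ref)
    return root


if __name__ == "__main__":
    root = ET.fromstring(GENERATED)
    print("before:", rules_citing(root, "CCI-000166", "ident"))
    expand_cci(root)
    print("after: ", rules_citing(root, "CCI-000166", "reference"))
    print(ET.tostring(root, encoding="unicode"))
```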