On 3/17/13 1:41 PM, Jeffrey Blank wrote:
A question for the list:
Who uses CCE identifiers (and for what)?
I find them (informally) useful since they provide a unique identifier for a particular knob. Of course, internal to the project, the XCCDF Rule id fulfills a similar role, though we'll have both.
(I also have some reservations about CCE implementation and format, but those are not related to this inquiry, nor am I soliciting for those!)
I'm simply curious about uses of CCE in RHEL security guidance, particularly that which would be derived from the project.
Personally I never use them, or even talk about them. When going through compliance processes I've found C&A stakeholders want to know about /their/ requirement, e.g. OS SRG or NIST 800-53 reference.