Ah -- didn't recall that from the spec.
The purpose of the table (and scripts which generate it) is to allow an organization to see at a glance whether/how a particular profile's Rules enabled compliance with a particular set of NIST (or whoever's) requirements. The basic idea was for XCCDF authors to embed each reference to a formal policy doc (using the reference tag, or a vastly simplified macro for it) with each Rule, and then folks could transform as needed. So far, refs have only been added for 800-53, but it could be done for others.
I'm totally with you on the optional-ness of this, and also being able to select/transform any other part of the content. After all, the project will only be able to "stay upstream" by providing anybody the tools they'd want, in order to customize/transform the content.
The new transforms (with only a little adjustment) should allow easy insertion of any profile that's defined in the profiles directory (or even for folks who want to make their own "private" ones and insert/test it easily privately).
On 10/26/2011 07:50 PM, Gary Gapinski wrote:
On 10/26/2011 07:42 PM, Jeffrey Blank wrote:
This should be fixed now. At one point, I had decided not to output profiles (in order to ensure oscap's prose guide generation would show all rules). But, the table transform was still expecting a particular profile (which is logical).
However, <Profile>s in XCCDF are optional (as is IMO appropriate and acknowledged by NIST SP 800-126 section 3.2.3).