Good point -- this will be resolved in a better way, since those particular CCIs should actually be references. I'll post an update for the transforms, and then sync with Shawn on changing the CCIs to refs.

This was my fault: originally I thought that we should use ident for CCIs, in our Rules. But the XCCDF spec says that an ident is really for a unique _identifier_ for _that_ Rule. As our purpose is really to demonstrate satisfaction of a CCI (and this may require several Rules to satisfy), these should really be <references>.

We will also try to expand out each CCI id to a separate reference, to allow for easier querying.

On 04/26/2012 07:06 AM, Simon Lukasik wrote:

On 04/24/2012 11:43 PM, Shawn Wells wrote:

...

@@ -74,6 +75,7 @@ default):

<ident cce="4292-9" /> <oval id="service_auditd_enabled" /> <ref nist="CM-6, CM-7" /> +<ident cci="CCI-000016, CCI-000166" /> </Rule>

Please don't use comma separated list in the cci attribute. In the generated XCCDF it will end-up like:

<ident system="http://iase.disa.mil/cci/index.html"> CCI-000016, CCI-000166</ident>

I believe it makes a machine parsing a bit harder. Which was actually the proble the XML was trying to solve.

Thanks for considering,

-- Simon Lukasik _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide