Howdy,
I just posted the latest entry in my Visible IT blog, titled: “SCAP, XCCDF, and Compliance Orchestration.” In this entry I point out some of the limitations of the XCCDF spec that are relevant to compliance orchestration.
Here’s the teaser:
So there’s this open question about how to know where a particular XCCDF file applies. The XCCDF specification simply says in the abstract:
This document specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. An XCCDF document is a structured collection of security configuration rules for some set of target systems.
As far as I can tell, and I’d welcome being corrected on this front, XCCDF can’t express where its configuration rules should be applied other than the relevant operating system “platform”.
As always, I welcome your comments either here or at the original entry at the Visible IT Blog.
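To make the scoping point concrete, here is an added example that is not code from the blog post or from the SCAP/XCCDF project. It builds a small, constructed XCCDF 1.1.4 benchmark (the 1.1 namespace, illustrative rule ids and CPE 2.2 names) and shows what an orchestrator can actually read out of it to decide where the checklist applies: only the `<platform idref="cpe:/..."/>` references on the Benchmark and on individual Groups or Rules. The CPE matching is a simplified component-wise comparison, not a full CPE Language evaluator.

```python
"""Extract the platform-applicability hooks from an XCCDF 1.1 benchmark.

Added example for this discussion, not code from the Visible IT blog or from
the XCCDF specification. The sample document, rule ids and CPE names below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # XCCDF 1.1.x namespace
NS = {"x": XCCDF_NS}

# Constructed sample: an OS-level platform on the Benchmark and a narrower
# application platform on one Rule; the second Rule declares none.
SAMPLE_XCCDF = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark" resolved="1">
  <status date="2009-01-01">draft</status>
  <title>Example hardening benchmark</title>
  <platform idref="cpe:/o:redhat:enterprise_linux:5"/>
  <version>0.1</version>
  <Group id="grp-ssh">
    <title>SSH daemon</title>
    <Rule id="rule-ssh-protocol-2" selected="true">
      <title>Use SSH protocol 2 only</title>
      <platform idref="cpe:/a:openbsd:openssh"/>
    </Rule>
    <Rule id="rule-ssh-no-root-login" selected="true">
      <title>Disallow root login over SSH</title>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed host inventories (CPE names an orchestrator might have collected).
HOST_RHEL5_WITH_OPENSSH = ["cpe:/o:redhat:enterprise_linux:5", "cpe:/a:openbsd:openssh:4.3"]
HOST_RHEL5_ONLY = ["cpe:/o:redhat:enterprise_linux:5"]
HOST_DEBIAN = ["cpe:/o:debian:debian_linux:5.0"]


def parse_benchmark(xml_text):
    """Parse an XCCDF document and return the <Benchmark> root element."""
    return ET.fromstring(xml_text.encode("utf-8"))


def benchmark_platforms(root):
    """CPE names declared at Benchmark scope (the only document-wide targeting)."""
    return [p.get("idref") for p in root.findall("x:platform", NS)]


def effective_rule_platforms(root):
    """Map rule id -> CPE names that scope it.

    A Rule's own <platform> elements win; otherwise it inherits the nearest
    enclosing Group's, and finally the Benchmark's. Document order is kept.
    """
    result = {}

    def walk(node, inherited):
        own = [p.get("idref") for p in node.findall("x:platform", NS)]
        scope = own or inherited
        for rule in node.findall("x:Rule", NS):
            rule_own = [p.get("idref") for p in rule.findall("x:platform", NS)]
            result[rule.get("id")] = rule_own or scope
        for group in node.findall("x:Group", NS):
            walk(group, scope)

    walk(root, [])
    return result


def cpe_components(cpe):
    """Split a CPE 2.2 URI ("cpe:/o:vendor:product:version...") into components."""
    if not cpe.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 name: {cpe!r}")
    return cpe[len("cpe:/"):].split(":")


def cpe_matches(pattern, target):
    """Simplified CPE 2.2 matching: every component the pattern specifies must
    equal the target's; unspecified (empty or absent) pattern components match
    anything. A pattern more specific than the target does not match."""
    p, t = cpe_components(pattern), cpe_components(target)
    width = max(len(p), len(t))
    p += [""] * (width - len(p))
    t += [""] * (width - len(t))
    return all(pc == "" or pc == tc for pc, tc in zip(p, t))


def applicable_rules(root, host_cpes):
    """Rule ids whose scoping CPEs match at least one CPE of the host.

    A rule with no platform at any level is applicable everywhere, which is the
    XCCDF default when nothing narrows it.
    """
    return [
        rule_id
        for rule_id, plats in effective_rule_platforms(root).items()
        if not plats or any(cpe_matches(p, h) for p in plats for h in host_cpes)
    ]


if __name__ == "__main__":
    bench = parse_benchmark(SAMPLE_XCCDF)
    print("benchmark platforms:", benchmark_platforms(bench))
    for name, host in [("rhel5+openssh", HOST_RHEL5_WITH_OPENSSH),
                       ("rhel5 only", HOST_RHEL5_ONLY),
                       ("debian", HOST_DEBIAN)]:
        print(f"{name}: {applicable_rules(bench, host)}")
```

Run against the three constructed hosts, the RHEL 5 host that also reports an OpenSSH CPE gets both rules, the RHEL 5 host without an application CPE gets only the rule that inherits the Benchmark platform, and the Debian host gets nothing. Nothing else in the document (site, network zone, ownership, data classification) is available to narrow that further, which is the gap the post is pointing at. Two caveats: XCCDF 1.1.4 also allows a `<platform-specification>` written in the CPE Language for boolean combinations of CPE names, which this example does not evaluate, and real CPE matching has more rules than the component-wise comparison used here.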
