Howdy,
I just posted the latest entry in my Visible IT blog, titled: "SCAP, XCCDF, and Compliance Orchestration." In this entry I point out some of the limitations of the XCCDF spec that are relevant to compliance orchestration.
Here's the teaser:
So there's this open question about how to know where a particular XCCDF file applies. The XCCDF specification simply says in the abstract:
"This document specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. An XCCDF document is a structured collection of security configuration rules for some set of target systems."
As far as I can tell, and I'd welcome being corrected on this front, XCCDF can't express where its configuration rules should be applied other than the relevant operating system "platform".
As always, I welcome your comments either here or at the original entry at the Visible IT Blog.
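As an added illustration of the point above (this is example code, not part of the post or of the XCCDF specification), the script below walks a constructed XCCDF 1.1 benchmark and reports the only applicability information the format carries: the platform CPE names declared on the Benchmark, each Group and each Rule, treating an item with no platform of its own as inheriting the enclosing scope's platforms. The benchmark text and CPE names are constructed samples.

```python
"""Enumerate XCCDF 1.1 <platform idref="cpe:..."/> applicability per item.
Added example; the benchmark below is a constructed sample, not a real one."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # XCCDF 1.1.x namespace
NS = {"x": XCCDF_NS}
ITEM_TAGS = {f"{{{XCCDF_NS}}}Group", f"{{{XCCDF_NS}}}Rule"}

# Constructed sample benchmark: one Rule narrows the platform, one declares none.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <title>Sample benchmark</title>
  <platform idref="cpe:/o:redhat:enterprise_linux:5"/>
  <Group id="g-ssh">
    <title>SSH daemon</title>
    <Rule id="r-ssh-protocol2" selected="true">
      <title>Use SSH protocol 2</title>
      <platform idref="cpe:/a:openbsd:openssh:4.3"/>
    </Rule>
  </Group>
  <Group id="g-firewall">
    <title>Firewall</title>
    <Rule id="r-iptables" selected="true">
      <title>iptables enabled</title>
    </Rule>
  </Group>
</Benchmark>
"""


def applicability(xccdf_text):
    """Map each Benchmark/Group/Rule id to its declared and effective CPE names.

    'declared' is what the item itself says; 'effective' falls back to the
    enclosing item's platforms when the item declares none, which is all a
    checking engine has to go on when deciding whether a rule applies here."""
    root = ET.fromstring(xccdf_text)
    result = {}

    def walk(elem, inherited):
        own = [p.get("idref") for p in elem.findall("x:platform", NS)]
        effective = own if own else inherited
        result[elem.get("id")] = {"declared": own, "effective": effective}
        for child in elem:
            if child.tag in ITEM_TAGS:
                walk(child, effective)

    walk(root, [])
    return result


if __name__ == "__main__":
    for item_id, info in applicability(SAMPLE_XCCDF).items():
        print(item_id, info)
```

Note that nothing in the output names a host, network, environment or business unit; "platform" CPE names are the whole of what the document can say about where it applies.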