Hmmm, do we have a transform that creates a table in line with what's called for in NIST SP 800-70 Appendix E, for proper submission, sans perhaps the "Impact" column (which lacks a corresponding XCCDF element).
I created one to show what would go into the rather vague form specified by SP 800-70rev2 §E.1.3. As previously noted, there are no impacts currently defined. I am unsure what "category" is. It may have something to do with venue.
In any case, the RHEL5 USGCB submission did not conform to SP800-70.
Draft documents:
-
http://xml.garygapinski.com/scap-security-guide/SP800-70-E.xslt
is the transform (probably best viewed using Chrome, as not all
browsers handle HTML5 details elements well)
- http://xml.garygapinski.com/scap-security-guide/SP800-70-E.xhtml is the output document
This was not driven by the USGCB Profile. I'll do that next
(soon, as I must adapt, undoubtedly augment, the RHEL6 USGCB
profile and field a draft variant by Monday, and it will likely
address all Rules found in scap-security-guide, including ones
that will be deemed optional). Note that not all Rules have CCEs.
Perhaps some should.
It will be rather easy to adapt for submission in the SP800-70
format. Reference is made to a "spreadsheet", which I think is a
primitive type of document from a past age. The document name must
end in ".xls" or ".xlsx", but no normative specification for
document content is provided, so just about anything goes, as was
obviously the case with the RHEL5 USGCB content.
The names, format, etc. can be changed. I'll push this into
version control once it is acceptable.
BTW: SP
800-53 rev 4 is just out in draft.
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
