OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit

Home Page:https://www.open-scap.org/tools/openscap-base


[RFE] Scan rules based on their reference attribute

ggbecker opened this issue

Description

Add an option to OpenSCAP that allows evaluating rules based on their references. For example:

The RHEL STIG ID is put in rules as a reference such as:

<xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">RHEL-08-020290</xccdf-1.2:reference>

This new option would allow something like this to be executed:

oscap xccdf eval --profile stig --reference RHEL-08-020290 ssg-rhel8-ds.xml

And the scanner would evaluate all rules selected in the profile that contain this reference.

Rationale

Even though rules from ComplianceAsCode/content try to be generic, sometimes it is difficult to find the rule that is associated to a particular policy reference.

Possible problems

  1. If there are equal reference values among different policies, what should it do? Add a new parameter to specify the target policy, for example --policy stig, and this would only try to match references from the one that has href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux". This would require storing the policy->href mapping in OpenSCAP itself.
  2. It can't use the --profile option to determine which policy it targets, as there are references that are not tied to any profile, and there are also tailored/new profiles that users can create in their environments.
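To make the proposed lookup concrete, here is an added Python example (not OpenSCAP code) that resolves a reference value to rule IDs against a constructed miniature XCCDF 1.2 benchmark, honouring the profile's select entries and the optional href filter that the --policy idea in problem 1 would need; the benchmark, profile and rule IDs are made up.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
STIG_HREF = "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux"

# Constructed miniature benchmark (not a real SSG datastream). Rules a, b and c all carry
# RHEL-08-020290, but b carries it under another policy href and c is deselected by the profile.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{NS['x']}" id="xccdf_example_benchmark">
  <Profile id="xccdf_example_profile_stig">
    <select idref="xccdf_example_rule_a" selected="true"/>
    <select idref="xccdf_example_rule_b" selected="true"/>
    <select idref="xccdf_example_rule_c" selected="false"/>
  </Profile>
  <Group id="xccdf_example_group">
    <Rule id="xccdf_example_rule_a"><reference href="{STIG_HREF}">RHEL-08-020290</reference></Rule>
    <Rule id="xccdf_example_rule_b"><reference href="https://example.invalid/other">RHEL-08-020290</reference></Rule>
    <Rule id="xccdf_example_rule_c"><reference href="{STIG_HREF}">RHEL-08-020290</reference></Rule>
  </Group>
</Benchmark>"""

def selected_rule_ids(benchmark, profile_id):
    """Rule ids the profile selects; a later <select> for the same idref overrides an earlier one."""
    profile = benchmark.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise ValueError(f"profile not found: {profile_id}")
    chosen = set()
    for sel in profile.findall("x:select", NS):
        if sel.get("selected", "false").lower() == "true":
            chosen.add(sel.get("idref"))
        else:
            chosen.discard(sel.get("idref"))
    return chosen

def rules_for_reference(xml_text, reference, profile_id=None, href=None):
    """Ids of rules carrying `reference`, limited to the profile's selections and to one href when given."""
    benchmark = ET.fromstring(xml_text)
    allowed = selected_rule_ids(benchmark, profile_id) if profile_id else None
    matches = []
    for rule in benchmark.iterfind(".//x:Rule", NS):  # rules may be nested inside groups
        if allowed is not None and rule.get("id") not in allowed:
            continue
        for ref in rule.findall("x:reference", NS):
            if (ref.text or "").strip() == reference and href in (None, ref.get("href")):
                matches.append(rule.get("id"))
                break
    return sorted(matches)

if __name__ == "__main__":  # each id can be fed to the existing `oscap xccdf eval --rule` option
    print(rules_for_reference(SAMPLE_XCCDF, "RHEL-08-020290", "xccdf_example_profile_stig", STIG_HREF))
```

Without the href filter the lookup returns both rule a and rule b, which is exactly the ambiguity described in problem 1.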