Profiles are simple collections of rules. Controls are also collections of rules, but they provide additional information. In general, control files contain information about why certain rules have been selected. Profiles can be created by selecting controls from control files. The main value of using control files is that they provide a mapping from policy requirements to rules. For example, the anssi.yml control file contains a mapping of requirements from the ANSSI Configuration Recommendations of a GNU/Linux System guide to specific rules. The requirements are usually generic text but the rules are specific configuration items. Once you have a control file, the rules can be added to profiles by selecting a specific control, a group of controls, or all controls from a control file. Another benefit is that using controls removes code duplication and creates a single source of truth in situations where there are multiple profiles built based on a single guidance. For example, for the ANSSI guidance there are 4 profiles: ANSSI elementary, ANSSI intermediate, ANSSI enhanced and ANSSI high. They differ by selection of requirements, but at the same time a lot of requirements are shared by some of these profiles. This can be easily implemented by defining a hardening level on the controls in control files and then selecting controls of a given hardening level in the profile.
I'm unable to understand the difference between a profile and a control? Both seem to be a collection of rules. Why do we need controls when we have profiles? What am I missing?
Thanks
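The level-based selection described in the answer, as an added example that is not part of the thread or the project's code: a simplified Python model in which one control list feeds four profiles while keeping the requirement-to-rule mapping. The data layout, control ids, rule names and the assumption that levels are cumulative are constructed for illustration and are not the project's real file format.

```python
# Simplified model of control-file selection. Structure, control ids and rule
# names are constructed for illustration; this is not the project's format.

# Assumption: levels are ordered and cumulative (a higher level includes lower ones).
LEVELS = ["elementary", "intermediate", "enhanced", "high"]

# Each control maps one policy requirement to concrete rules and carries a level.
CONTROLS = [
    {"id": "R1", "title": "Remove legacy remote access", "level": "elementary",
     "rules": ["service_telnet_disabled", "package_rsh_removed"]},
    {"id": "R2", "title": "Restrict administrator logins", "level": "elementary",
     "rules": ["sshd_disable_root_login"]},
    {"id": "R3", "title": "Trace privileged access", "level": "intermediate",
     "rules": ["sshd_disable_root_login", "audit_rules_enabled"]},
    {"id": "R4", "title": "Isolate temporary files", "level": "enhanced",
     "rules": ["partition_for_tmp"]},
    {"id": "R5", "title": "Requirement with no automated rule yet", "level": "high",
     "rules": []},
]


def select_by_level(controls, level):
    """Return the controls whose hardening level is at or below `level`."""
    if level not in LEVELS:
        raise ValueError(f"unknown hardening level: {level!r}")
    cutoff = LEVELS.index(level)
    return [c for c in controls if LEVELS.index(c["level"]) <= cutoff]


def build_profile(controls, level):
    """Flatten selected controls into {rule: [control ids that require it]}.

    A rule shared by several controls appears once, but the mapping back to
    every requirement that justifies it is preserved.
    """
    trace = {}
    for control in select_by_level(controls, level):
        for rule in control["rules"]:
            trace.setdefault(rule, []).append(control["id"])
    return trace


def unmapped(controls, level):
    """Selected requirements that no rule covers, i.e. gaps a flat profile hides."""
    return [c["id"] for c in select_by_level(controls, level) if not c["rules"]]


if __name__ == "__main__":
    for lvl in LEVELS:
        profile = build_profile(CONTROLS, lvl)
        print(lvl, sorted(profile), "unmapped:", unmapped(CONTROLS, lvl))
```

A plain profile would hold only the flattened rule names; the control list is what lets an auditor ask which requirement a rule serves and which requirements still have no rule.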