Description of problem:

"Originally, I had tried adding "selected=false" to the toplevel Groups, but oscap did not make the Group/Rule children inherit this when it builds its internal "policy" for each profile. (Page 18 of the XCCDF 1.1.4 spec, and Page 20 of the XCCDF 1.2 spec, which describe the behavior of "selected," suggests this should work. But no big deal. It's simpler to just set the rules directly anyway.)"

see: https://fedorahosted.org/pipermail/scap-security-guide/2011-December/000017.html

I think this is a misunderstanding of the XCCDF specification. The spec says:

"An <xccdf:Group> holds other items. An <xccdf:Group> collects related <xccdf:Rule> and <xccdf:Value> elements into a common structure and can provide descriptive text and references about them. An <xccdf:Group> allows benchmark users to select and deselect related <xccdf:Rule> elements together; since a deselected <xccdf:Group> is not processed, none of its contained items are processed either. Selection of an <xccdf:Group> allows its children to be processed normally based on their individual selection states."

The most important part is the last sentence. Rules do NOT inherit the selected attribute of their parent Group. They do NOT get processed if the parent group is unselected; the fact that the Profile selects these rules doesn't have any effect on that.

I tested and couldn't reproduce any Group selection behavior that is not compliant with the spec. Feel free to reopen this bug if you find any.