I'm going to start a new thread regarding language of compliance and baseline threads.
On Sun, Aug 31, 2014 at 2:30 AM, Shawn Wells shawn@redhat.com wrote:
On 8/29/14, 9:28 AM, Gabe Alford wrote:
On Fri, Aug 29, 2014 at 3:37 AM, Martin Preisler mpreisle@redhat.com wrote:
----- Original Message -----
From: "Andrew Gilmore" agilmore2@gmail.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Thursday, August 28, 2014 8:29:48 PM
Subject: Re: New report and guide in openscap 1.1.0
I like the new look and functionality.
Two first blush comments:
- On the report document, I can imagine my security officials freaking out over the in-your-face "*The system is not compliant!*" text. What is the recommended course to ensure this text does not appear if you're running the scan on a webserver, for example? Is it as simple as creating a custom profile derived from the STIG profile? Does anyone directly use the STIG profile, have a completely compliant system, and have a server that actually does anything useful? Up to now, I've left tests in that I have waivers for, and then pointed at the waivers to justify the test failures. Perhaps I will need to change that practice.
Isn't that a good thing? They should freak out, their system is not compliant! The recommended course is to tailor the profile, leaving out rules that make no sense on your system. Then you fix the remaining rules using remediation. In the end the machine will be compliant.
I would maybe add or modify the message here to be something along the lines of:
- "The system is not compliant! Please review rule results, site/network security requirements, and consider applying remediation."
--- or ---
- "The system may not be compliant! Please review rule results, site/network security requirements, and consider applying remediation."
I personally would prefer the last one as it says, "Hey. Check your system as well as check your security requirements to see if what you are seeing from the scan matches with those security requirements."
Systems are scanned against a specific profile (STIG, USGCB...) which represents defined requirements. It's fair to say "The system *is not* compliant" vs "may not."
Recognizing deployments may have exceptions, the override/tailoring file can be used (e.g. "my site uses 5 char passwords, not 12, so don't fail me").
The job of openscap is to check your machines for compliance over and over. When the machines are suddenly not compliant you really want to know that!
- On the guide document, the text beginning "Providing system administrators" occurs twice.
Looks like an issue with SSG but I will look more into it.
-- Martin Preisler
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
-- Shawn Wells, Director, Innovation Programs, shawn@redhat.com | 443.534.0130 @shawndwells
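As an added example (not code from the thread, from OpenSCAP or from SCAP Security Guide), here is one way to turn the site waivers Andrew describes into the profile tailoring Martin and Shawn recommend: an XCCDF 1.2 tailoring file that derives a new profile from the STIG one, deselects the waived rules, keeps each waiver reference in the profile description so the justification travels with the scan results, and the oscap command line that evaluates it. The datastream path and every benchmark, profile, rule and value id below are hypothetical placeholders; the oscap flags used (`--profile`, `--tailoring-file`, `--results`, `--report`) are real.

```python
"""Record site waivers as XCCDF 1.2 profile tailoring instead of leaving
the waived rules to fail in every report.

Added example; not code from OpenSCAP, SCAP Security Guide or the thread.
All ids and paths below are constructed placeholders: take the real ones
from `oscap info <datastream>`.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)

# Hypothetical values (constructed for this example).
DATASTREAM = "/usr/share/xml/scap/ssg/content/ssg-example-ds.xml"
BASE_PROFILE = "xccdf_org.example.content_profile_stig"
TAILORED_PROFILE = "xccdf_org.example.content_profile_stig_webserver"


def _q(tag):
    """Namespace-qualify an XCCDF element name for ElementTree."""
    return f"{{{XCCDF_NS}}}{tag}"


def build_tailoring(waivers, value_overrides, when=None):
    """Return an XCCDF 1.2 Tailoring document as a string.

    waivers: {rule_id: waiver_reference}; each rule is deselected in the
      derived profile and the reference is kept in the description as the
      audit trail for why it is excluded.
    value_overrides: {value_id: new_value}; site-specific settings that the
      base profile parameterises through XCCDF Value elements.
    """
    when = when or datetime.now(timezone.utc)
    root = ET.Element(_q("Tailoring"), id="xccdf_org.example.tailoring_webserver")
    ET.SubElement(root, _q("benchmark"), href=DATASTREAM)
    ET.SubElement(root, _q("version"), time=when.isoformat()).text = "1"
    prof = ET.SubElement(root, _q("Profile"), id=TAILORED_PROFILE, extends=BASE_PROFILE)
    ET.SubElement(prof, _q("title")).text = "STIG profile tailored for web servers"
    ET.SubElement(prof, _q("description")).text = "Waivers: " + "; ".join(
        f"{rule} ({ref})" for rule, ref in sorted(waivers.items())
    )
    for value_id, value in value_overrides.items():
        ET.SubElement(prof, _q("set-value"), idref=value_id).text = str(value)
    for rule_id in waivers:
        # selected="false" removes the rule from the derived profile only;
        # the base profile in the datastream is untouched.
        ET.SubElement(prof, _q("select"), idref=rule_id, selected="false")
    return ET.tostring(root, encoding="unicode")


def summarize(tailoring_xml):
    """Parse a tailoring document back into (deselected rules, value overrides)."""
    prof = ET.fromstring(tailoring_xml).find(_q("Profile"))
    deselected = sorted(
        s.get("idref") for s in prof.findall(_q("select")) if s.get("selected") == "false"
    )
    values = {v.get("idref"): v.text for v in prof.findall(_q("set-value"))}
    return deselected, values


def oscap_command(datastream, tailoring_path, results="results.xml", report="report.html"):
    """argv that evaluates the tailored profile and writes results plus HTML report."""
    return [
        "oscap", "xccdf", "eval",
        "--profile", TAILORED_PROFILE,
        "--tailoring-file", tailoring_path,
        "--results", results,
        "--report", report,
        datastream,
    ]


if __name__ == "__main__":
    doc = build_tailoring(
        {"xccdf_org.example.content_rule_no_httpd": "WAIVER-2014-07"},   # constructed
        {"xccdf_org.example.content_value_audit_log_dir": "/srv/audit"},  # constructed
    )
    with open("tailoring.xml", "w", encoding="utf-8") as fh:
        fh.write(doc)
    print(" ".join(oscap_command(DATASTREAM, "tailoring.xml")))
```

Because the tailoring file is separate from the datastream, it can live in version control next to the waiver records, and the report's "not compliant" verdict then reflects only rules the site has actually agreed to meet.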