----- Original Message -----
From: "Gabe Alford" redhatrises@gmail.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Friday, August 29, 2014 3:28:20 PM
Subject: Re: New report and guide in openscap 1.1.0
On Fri, Aug 29, 2014 at 3:37 AM, Martin Preisler mpreisle@redhat.com wrote:
[snip]
I would maybe add or modify the message here to be something along the lines of:
- "The system is not compliant! Please review rule results, site/network
security requirements, and consider applying remediation."
--- or ---
- "The system may not be compliant! Please review rule results,
site/network security requirements, and consider applying remediation."
The thing is, you should have reviewed your security requirements before you chose the benchmark and profile and decided to run the scan :-) The only thing openscap knows is that the machine is not compliant with regard to the benchmark and profile combination you evaluated.
We have to be more generic than site/network security requirements. And I think saying that you are not compliant with regard to the selected benchmark and profile is redundant. That should be apparent from the report already.