On 8/29/14, 5:37 AM, Martin Preisler wrote:
----- Original Message -----
From: "Andrew Gilmore" agilmore2@gmail.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Thursday, August 28, 2014 8:29:48 PM
Subject: Re: New report and guide in openscap 1.1.0
I like the new look and functionality.
Two first blush comments:
- On the report document, I can imagine my security officials freaking out over the in-your-face "*The system is not compliant!*" text. What is the recommended course to ensure this text does not appear if you're running the scan on a webserver, for example? Is it as simple as creating a custom profile derived from the STIG profile? Does anyone directly use the STIG profile, have a completely compliant system, and have a server that actually does anything useful?
Feel free to start a dedicated thread on which rules cause you the most problems. Feedback would be great.
Up to now, I've left tests in that I have waivers for, and then pointed at the waivers to justify the test failures. Perhaps I will need to change that practice.
Isn't that a good thing? They should freak out; their system is not compliant! The recommended course is to tailor the profile, leaving out rules that make no sense on your system. Then you fix the remaining rules using remediation. In the end the machine will be compliant.
The job of openscap is to check your machines for compliance over and over. When the machines are suddenly not compliant you really want to know that!
As Martin pointed out, such a finding should be alarming! Culturally though, IV&V/SCA staff may overreact when they see "The system is not compliant!"
Perhaps just a combination, including Rodney's suggestion, will soften the message, e.g.: "The system is not compliant! System needs to remediate X controls to reach compliance."
- On the guide document, the text beginning "Providing system administrators" occurs twice.
Looks like an issue with SSG but I will look more into it.
I believe it's something within the stylesheet.
$ grep -rin "Providing system administrators with such guidanc" *
guide.xml:14:Providing system administrators with such guidance informs them how to securely
Full code @ https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/gui...
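The tailoring-plus-waiver workflow discussed above (derive a custom profile from the STIG profile, unselect the rules you hold waivers for, and report how many controls remain to be remediated) can be scripted against the XCCDF 1.2 results that `oscap xccdf eval --results` writes. The following is an added example, not code from openscap or scap-security-guide. The benchmark, profile and rule identifiers in it are placeholders in the SSG naming style, not real SSG IDs, and the sample results document is constructed for the example.

```python
"""Turn waivers into an XCCDF 1.2 tailoring file and count what is left to fix.

Added example (not openscap/SSG code). All identifiers are hypothetical placeholders.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)


def _q(tag):
    """Clark-notation qualified name for an XCCDF element."""
    return "{%s}%s" % (XCCDF_NS, tag)


# Constructed sample of the <TestResult> that `oscap xccdf eval --results` emits.
# Rule IDs are hypothetical; real SSG rule IDs follow the same prefix convention.
SAMPLE_RESULTS = """<Benchmark xmlns="%s" id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <profile idref="xccdf_org.ssgproject.content_profile_example-stig"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_a"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_b"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_c"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_d"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
""" % XCCDF_NS


def failing_rules(results_xml):
    """Return the idrefs of every rule-result whose <result> is 'fail'."""
    root = ET.fromstring(results_xml)
    failed = []
    for rr in root.iter(_q("rule-result")):
        if rr.findtext(_q("result")) == "fail":
            failed.append(rr.get("idref"))
    return failed


def build_tailoring(benchmark_href, base_profile, new_profile_id, waived_rules, title):
    """Build an XCCDF 1.2 <Tailoring> whose Profile extends base_profile and
    unselects each waived rule, so the waived checks do not count against compliance."""
    tailoring = ET.Element(_q("Tailoring"), id="xccdf_org.example_tailoring_waivers")
    ET.SubElement(tailoring, _q("benchmark"), href=benchmark_href)
    ET.SubElement(tailoring, _q("version"), time="2014-08-29T00:00:00").text = "1"
    profile = ET.SubElement(tailoring, _q("Profile"), id=new_profile_id, extends=base_profile)
    ET.SubElement(profile, _q("title")).text = title
    for rule in sorted(waived_rules):
        # selected="false" overrides the parent profile's selection of this rule
        ET.SubElement(profile, _q("select"), idref=rule, selected="false")
    return ET.tostring(tailoring, encoding="unicode")


def remaining_to_remediate(results_xml, waived_rules):
    """Failing rules that are not covered by a waiver: these still need remediation."""
    waived = set(waived_rules)
    return len([r for r in failing_rules(results_xml) if r not in waived])


def summary_line(results_xml, waived_rules):
    """The softer banner proposed in the thread, with the count filled in."""
    n = remaining_to_remediate(results_xml, waived_rules)
    if n == 0:
        return "The system is compliant."
    noun = "control" if n == 1 else "controls"
    return "The system is not compliant! System needs to remediate %d %s to reach compliance." % (n, noun)


if __name__ == "__main__":
    waivers = ["xccdf_org.ssgproject.content_rule_example_c"]
    print(build_tailoring(
        "ssg-rhel6-xccdf.xml",
        "xccdf_org.ssgproject.content_profile_example-stig",
        "xccdf_org.example_profile_stig-webserver",
        waivers,
        "STIG profile with local waivers",
    ))
    print(summary_line(SAMPLE_RESULTS, waivers))
```

Save the emitted document as `tailoring.xml` and re-run the scan with `oscap xccdf eval --tailoring-file tailoring.xml --profile xccdf_org.example_profile_stig-webserver --results results.xml ssg-rhel6-xccdf.xml`; the `--profile` value must be the tailored profile's id, not the parent's. The waiver list is the only place the accepted risk lives, so keep it under version control next to the waivers themselves rather than editing the SSG benchmark in place.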