On Fri, Aug 29, 2014 at 3:37 AM, Martin Preisler mpreisle@redhat.com wrote:
----- Original Message -----
From: "Andrew Gilmore" agilmore2@gmail.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Thursday, August 28, 2014 8:29:48 PM
Subject: Re: New report and guide in openscap 1.1.0
I like the new look and functionality.
Two first blush comments:
- On the report document, I can imagine my security officials freaking out over the in-your-face "*The system is not compliant!*" text. What is the recommended course to ensure this text does not appear if you're running the scan on a webserver, for example? Is it as simple as creating a custom profile derived from the STIG profile? Does anyone directly use the STIG profile, have a completely compliant system, and have a server that actually does anything useful?
Up to now, I've left tests in that I have waivers for, and then pointed at the waivers to justify the test failures. Perhaps I will need to change that practice.
Isn't that a good thing? They should freak out, their system is not compliant! The recommended course is to tailor the profile, leaving out rules that make no sense on your system. Then you fix the remaining rules using remediation. In the end the machine will be compliant.
I would maybe add or modify the message here to be something along the lines of:
- "The system is not compliant! Please review rule results, site/network security requirements, and consider applying remediation."
--- or ---
- "The system may not be compliant! Please review rule results, site/network security requirements, and consider applying remediation."
I personally would prefer the last one as it says, "Hey. Check your system as well as check your security requirements to see if what you are seeing from the scan matches with those security requirements."
The job of openscap is to check your machines for compliance over and over.
When the machines are suddenly not compliant you really want to know that!
- On the guide document, the text beginning "Providing system administrators" occurs twice.
Looks like an issue with SSG but I will look more into it.
--
Martin Preisler
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
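The tailoring step Martin recommends above (derive a custom profile from the STIG profile, leave out the rules that do not apply to the host, and scan with that instead of documenting waivers against a failing report) is, in XCCDF 1.2 terms, a Tailoring document whose Profile `extends` the base profile and carries `<select selected="false"/>` entries for the waived rules. The following is an added example written for this page; it is not code from the thread, from OpenSCAP or from the SCAP Security Guide project. The data-stream path, the profile IDs and the rule IDs are assumed for illustration only and must be taken from `oscap info <datastream>` on a real system; the `oscap xccdf eval --tailoring-file` invocation it emits is the openscap option for loading a tailoring next to the content.

```python
"""Build an XCCDF 1.2 tailoring that derives a site profile from a base
(e.g. STIG) profile and deselects rules that make no sense on this host,
then parse it back to list exactly which rules were waived.

Added illustration; not code from the mailing-list thread, from OpenSCAP
or from the SCAP Security Guide project.  Identifiers below are assumed.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)

# Assumed identifiers (illustration only; read the real ones from the
# data stream with `oscap info`).
DATASTREAM = "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream"
SITE_PROFILE = BASE_PROFILE + "_webserver"
TAILORING_ID = "xccdf_org.example_tailoring_webserver"
WAIVED_RULES = [
    "xccdf_org.ssgproject.content_rule_package_httpd_removed",
    "xccdf_org.ssgproject.content_rule_service_httpd_disabled",
]


def q(tag):
    """Clark-notation name for an XCCDF element."""
    return "{%s}%s" % (XCCDF_NS, tag)


def build_tailoring(tailoring_id, benchmark_href, base_profile, site_profile,
                    title, deselect, select=(), when="2014-08-29T00:00:00"):
    """Return a Tailoring document as a string.

    Child order follows the XCCDF 1.2 schema: benchmark, version, Profile.
    Each waived rule becomes <select idref=... selected="false"/>; rules in
    `select` are switched on.  Everything not mentioned is inherited from
    `base_profile` through the Profile's `extends` attribute.
    """
    root = ET.Element(q("Tailoring"), {"id": tailoring_id})
    ET.SubElement(root, q("benchmark"), {"href": benchmark_href})
    version = ET.SubElement(root, q("version"), {"time": when})
    version.text = "1"
    profile = ET.SubElement(root, q("Profile"),
                            {"id": site_profile, "extends": base_profile})
    ET.SubElement(profile, q("title")).text = title
    for rule_id in deselect:
        ET.SubElement(profile, q("select"),
                      {"idref": rule_id, "selected": "false"})
    for rule_id in select:
        ET.SubElement(profile, q("select"),
                      {"idref": rule_id, "selected": "true"})
    return ET.tostring(root, encoding="unicode")


def waived_rules(tailoring_xml):
    """Map each profile in the tailoring to the sorted rule IDs it
    deselects: the list to hand a security officer in place of a report
    full of known, accepted failures."""
    root = ET.fromstring(tailoring_xml)
    return {
        prof.get("id"): sorted(
            s.get("idref") for s in prof.findall(q("select"))
            if s.get("selected") == "false")
        for prof in root.findall(q("Profile"))
    }


def oscap_eval_command(tailoring_path, profile_id, datastream,
                       results="results.xml", report="report.html"):
    """argv for scanning with the tailored profile (--tailoring-file loads
    the tailoring alongside the content; --profile names the derived one)."""
    return ["oscap", "xccdf", "eval",
            "--tailoring-file", tailoring_path,
            "--profile", profile_id,
            "--results", results, "--report", report,
            datastream]


def write_example(path="tailoring-webserver.xml"):
    """Write the example tailoring to disk and return the waiver list."""
    xml_text = build_tailoring(TAILORING_ID, DATASTREAM, BASE_PROFILE,
                               SITE_PROFILE, "STIG minus web-server waivers",
                               WAIVED_RULES)
    with open(path, "w") as fh:
        fh.write(xml_text)
    return waived_rules(xml_text)


if __name__ == "__main__":
    print(write_example())
    print(" ".join(oscap_eval_command("tailoring-webserver.xml",
                                      SITE_PROFILE, DATASTREAM)))
```

Keeping the waivers in the tailoring rather than in a side document has the property Martin is arguing for: the report for the derived profile only goes red when something you have not already accepted fails, and `waived_rules()` gives the reviewer the exact list of what was deliberately left out.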