I think there should be an option to track the score even if a rule is waived. The score is a representation of risk; waiving the rule doesn't mean the risk disappeared, but simply that it was accepted. The amount of risk being accepted should be made available to the authorizing official or system owner. Also, a field for how long the waiver is valid for will be beneficial, since permanent waivers are frowned upon in general.
Regards, Wei
----------------------------------------------------------------------
----- Original Message -----
From: "Josh Kayse" Joshua.Kayse@gtri.gatech.edu
To: "Martin Preisler" mpreisle@redhat.com
Cc: "open-scap-list" open-scap-list@redhat.com, scap-workbench@lists.fedorahosted.org, "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Thursday, November 6, 2014 6:58:33 PM
Subject: Re: [Open-scap] Waiver support in HTML report
On Nov 6, 2014, at 10:49 AM, Martin Preisler mpreisle@redhat.com wrote:
Hi, I wrote a short blog post about waivers in HTML report. These changes are coming in 1.2.0 so we would like to gather some feedback before the release.
Suggestions welcome!
http://martin.preisler.me/2014/11/waivers-in-openscap-html-report/
This is awesome. I’ll echo Shawn Wells' question about generating waivers.
Replied about this to Shawn.
Additionally, does a waived rule still impact the score of the system?
It does not. For all intents and purposes it behaves like a rule of the result the waiver set it to. So if you waive a failed rule and make it "pass" you basically make it behave exactly like a passed rule.