I think there should be an option to track the score even if a rule is waived. The score is a representation of risk; waiving the rule doesn't mean the risk disappeared, but simply that it was accepted. The amount of risk being accepted should be made available to the authorizing official or system owner. Also, a field for how long the waiver is valid will be beneficial, since permanent waivers are frowned upon in general.
Regards, Wei
----- Original Message -----
From: "Josh Kayse" Joshua.Kayse@gtri.gatech.edu
To: "Martin Preisler" mpreisle@redhat.com
Cc: "open-scap-list" open-scap-list@redhat.com, scap-workbench@lists.fedorahosted.org, "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Thursday, November 6, 2014 6:58:33 PM
Subject: Re: [Open-scap] Waiver support in HTML report
On Nov 6, 2014, at 10:49 AM, Martin Preisler mpreisle@redhat.com wrote:
Hi, I wrote a short blog post about waivers in HTML report. These changes are coming in 1.2.0 so we would like to gather some feedback before the release.
Suggestions welcome!
http://martin.preisler.me/2014/11/waivers-in-openscap-html-report/
This is awesome. I'll echo Shawn Wells' question about generating waivers.
Replied about this to Shawn.
Additionally, does a waived rule still impact the score of the system?
It does not. For all intents and purposes it behaves like a rule of the result the waiver set it to. So if you waive a failed rule and make it "pass" you basically make it behave exactly like a passed rule.
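To make the two scoring views in this thread concrete (the effective score where a waived rule counts as the result the waiver set it to, versus the score with waivers ignored, whose difference is the accepted risk Wei asks to surface), here is an added example that is not part of the thread and not OpenSCAP code. It parses a constructed XCCDF 1.2 result fragment using the spec's `<override>` element, applies a simplified version of the XCCDF default scoring model, and checks waiver validity using an assumed "expires YYYY-MM-DD" convention in the remark, since XCCDF itself has no validity field.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
EXCLUDED = {"notapplicable", "notchecked", "notselected", "informational"}

# Constructed XCCDF 1.2 result fragment (not from the page or from OpenSCAP).
# r2 is waived: XCCDF's <override> records the old and the new result.
RESULTS_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">
 <rule-result idref="r1" weight="1.0"><result>pass</result></rule-result>
 <rule-result idref="r2" weight="1.0"><result>pass</result><override time="2014-11-10T09:00:00" authority="system owner">
  <old-result>fail</old-result><new-result>pass</new-result>
  <remark>Compensating firewall; expires 2015-05-10</remark></override></rule-result>
 <rule-result idref="r3" weight="2.0"><result>fail</result></rule-result>
 <rule-result idref="r4" weight="1.0"><result>notapplicable</result></rule-result>
</TestResult>"""

def parse_results(xml_text):
    """One dict per rule-result, keeping the pre-waiver result and remark if overridden."""
    rules = []
    for rr in ET.fromstring(xml_text).findall("x:rule-result", NS):
        ov = rr.find("x:override", NS)
        rules.append({
            "id": rr.get("idref"), "weight": float(rr.get("weight", "1.0")),
            "result": rr.findtext("x:result", "unknown", NS),
            "old_result": None if ov is None else ov.findtext("x:old-result", None, NS),
            "remark": "" if ov is None else ov.findtext("x:remark", "", NS)})
    return rules

def xccdf_score(rules, honor_waivers=True):
    """Simplified XCCDF default model: pass/fixed = 100, fail = 0, weighted mean."""
    total = earned = 0.0
    for r in rules:
        res = r["result"] if honor_waivers or r["old_result"] is None else r["old_result"]
        if res in EXCLUDED:  # these results do not count toward the score
            continue
        total += r["weight"]
        earned += r["weight"] * (100.0 if res in ("pass", "fixed") else 0.0)
    return round(earned / total, 2) if total else 0.0

def accepted_risk(rules):
    """Score points the waivers added, i.e. the risk the waivers accept."""
    return round(xccdf_score(rules, True) - xccdf_score(rules, False), 2)

def expired_waivers(rules, today_iso):
    """Assumed convention: remark carries 'expires YYYY-MM-DD' (XCCDF has no such field)."""
    exp = re.compile(r"expires (\d{4}-\d{2}-\d{2})")
    return [r["id"] for r in rules if (m := exp.search(r["remark"]))
            and date.fromisoformat(m.group(1)) < date.fromisoformat(today_iso)]
```

Running it on the fragment gives an effective score of 50.0, an underlying score of 25.0, and therefore 25.0 points of accepted risk, which is the figure a system owner would want beside the waiver list.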
What about the case where rule waiving is done just because the rule doesn't apply?
Also, is there the ability to modify the scoring system? For instance, NIST 800-53 (I think) specifies that risk levels can be decreased by surrounding details: extra firewalls, ALS systems, increased monitoring, etc.
Therefore, the risk for any externally facing items could be decreased from High to Medium or Medium to Low, etc...
Sorry if I missed this, I'm still trying to find time to turn all the knobs, but great work and thanks for the materials!
Trevor
On Thu, Nov 13, 2014 at 4:10 PM, Chen, Wei (Contractor)(CFPB) <Wei.Chen@cfpb.gov> wrote:
-- Martin Preisler
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/