What about the case where rule waiving is done just because the rule doesn't apply?
Also, is there the ability to modify the scoring system? For instance, NIST 800-53 (I think) specifies that risk levels can be decreased by surrounding details: extra firewalls, ALS systems, increased monitoring, etc.
Therefore, the risk for any externally facing items could be decreased from High to Medium or Medium to Low, etc.
Sorry if I missed this, I'm still trying to find time to turn all the knobs, but great work and thanks for the materials!
Trevor
On Thu, Nov 13, 2014 at 4:10 PM, Chen, Wei (Contractor)(CFPB) <Wei.Chen(a)cfpb.gov> wrote:
I think there should be an option to track the score even if a rule is waived. The score is a representation of risk; waiving the rule doesn't mean the risk has disappeared, but simply that it has been accepted. The amount of risk being accepted should be made available to the authorizing official or system owner. Also, a field for how long the waiver is valid will be beneficial, since permanent waivers are frowned upon in general.
Regards,
Wei
----------------------------------------------------------------------
----- Original Message -----
> From: "Josh Kayse" <Joshua.Kayse(a)gtri.gatech.edu>
> To: "Martin Preisler" <mpreisle(a)redhat.com>
> Cc: "open-scap-list" <open-scap-list(a)redhat.com>, scap-workbench(a)lists.fedorahosted.org, "SCAP Security Guide" <scap-security-guide(a)lists.fedorahosted.org>
> Sent: Thursday, November 6, 2014 6:58:33 PM
> Subject: Re: [Open-scap] Waiver support in HTML report
>
>
> > On Nov 6, 2014, at 10:49 AM, Martin Preisler <mpreisle(a)redhat.com> wrote:
> >
> > Hi,
> > I wrote a short blog post about waivers in HTML report.
> > These changes are coming in 1.2.0 so we would like to gather
> > some feedback before the release.
> >
> > Suggestions welcome!
> >
> > http://martin.preisler.me/2014/11/waivers-in-openscap-html-report/
>
> This is awesome. I'll echo Shawn Wells' question about generating waivers.
Replied about this to Shawn.
> Additionally, does a waived rule still impact the score of the system?
It does not. For all intents and purposes it behaves like a rule of the result the waiver set it to. So if you waive a failed rule and make it "pass" you basically make it behave exactly like a passed rule.
--
Martin Preisler
------------------------------
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan(a)onyxpoint.com
-- This account not approved for unencrypted proprietary information --
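As an added example that is not part of this thread or of OpenSCAP's code: a small Python model of the two views discussed above, the effective score in which a waived rule counts as the result the waiver set it to (Martin's description), and the accepted-risk and waiver-expiry tracking Wei asks for. The severity weights, the scoring formula, the rule ids and the dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 10}  # assumed weights, not XCCDF's

@dataclass
class RuleResult:
    rule_id: str
    severity: str
    result: str  # "pass" or "fail"

@dataclass
class Waiver:
    rule_id: str
    new_result: str  # result the waiver sets the rule to
    expires: date    # the "how long is the waiver valid" field Wei asks for

def apply_waivers(results, waivers, today):
    """In-date waiver: rule behaves like one with the waived result, but the
    original failure is kept in `accepted` so its risk stays visible."""
    by_rule = {w.rule_id: w for w in waivers}
    effective, accepted, expired = [], [], []
    for r in results:
        w = by_rule.get(r.rule_id)
        if w is None or w.new_result == r.result:
            effective.append(r)
        elif w.expires < today:          # stale waiver: original result stands
            expired.append(w)
            effective.append(r)
        else:
            effective.append(RuleResult(r.rule_id, r.severity, w.new_result))
            accepted.append(r)
    return effective, accepted, expired

def score(results):
    """Severity-weighted percentage of passed rules (constructed formula)."""
    total = sum(SEVERITY_WEIGHT[r.severity] for r in results)
    passed = sum(SEVERITY_WEIGHT[r.severity] for r in results if r.result == "pass")
    return 100.0 * passed / total if total else 100.0

# Constructed sample scan: two failures, one waiver still valid, one expired.
SAMPLE_RESULTS = [RuleResult("demo_ssh_root_login", "high", "fail"),
                  RuleResult("demo_auditd_enabled", "medium", "fail"),
                  RuleResult("demo_login_banner", "low", "pass")]
SAMPLE_WAIVERS = [Waiver("demo_ssh_root_login", "pass", date(2015, 5, 1)),
                  Waiver("demo_auditd_enabled", "pass", date(2014, 10, 1))]

def report(today=date(2014, 11, 13)):
    eff, acc, exp = apply_waivers(SAMPLE_RESULTS, SAMPLE_WAIVERS, today)
    return {"raw_score": score(SAMPLE_RESULTS), "effective_score": score(eff),
            "accepted_risk": sum(SEVERITY_WEIGHT[r.severity] for r in acc),
            "expired": [w.rule_id for w in exp]}
```

The effective score alone would show the waived high-severity failure as a pass; the accepted-risk figure and the expired-waiver list are what an authorizing official would need to see alongside it.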