It uses the XCCDF scoring model. tl;dr: it is a weighted average; rules that are more severe contribute more to the result. You can also use the flat scoring model to get a non-weighted percentage.
Check out page 63 of http://csrc.nist.gov/publications/nistir/ir7275-rev4/nistir-7275r4_updated-march-2012_clean.pdf for more details about this.

On Mon, Jul 17, 2017 at 3:36 PM, Greg Silverman (CS) <[email protected]> wrote:
> The numbers in the Compliance and Scoring section of the html file do not
> add up.
>
> Details:
>
> Using the STIG for Red Hat Enterprise Linux 7 Server (227) profile.
> Using RHEL 7.3.
> Rule Results: 112 passed, 103 failed, 10 other
> Score 64.56% passed.
>
> So, 112 passed + 103 failed = 225 evaluated. But, 112/225 = 50% passed. Why
> does the scanner give a score of 64.56%? Is it a weighted average? What is
> the formula?
>
> Thanks,
>
> Greg Silverman
> Veritas Technologies
> Mountain View, CA
>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list

--
Martin Preisler
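The two scoring models mentioned in the reply above, side by side, as an added example that is not part of the original thread and is not OpenSCAP's code. It follows the algorithms NISTIR 7275 rev. 4 describes for urn:xccdf:scoring:default and urn:xccdf:scoring:flat; the Rule and Group classes and the sample benchmark are constructed for illustration.

```python
from dataclasses import dataclass, field

# Rule results that the XCCDF scoring models leave out of the calculation.
NOT_COUNTED = {"notselected", "notapplicable", "informational", "notchecked"}

@dataclass
class Rule:                      # hypothetical stand-in for an xccdf:Rule result
    result: str
    weight: float = 1.0          # XCCDF default weight

@dataclass
class Group:                     # hypothetical stand-in for a Group or the Benchmark
    children: list = field(default_factory=list)
    weight: float = 1.0

def default_score(node):
    """Return (count, score in 0..100) under urn:xccdf:scoring:default."""
    if isinstance(node, Rule):
        if node.result in NOT_COUNTED:
            return 0, 0.0
        return 1, 100.0 if node.result == "pass" else 0.0
    count, total, acc = 0, 0.0, 0.0
    for child in node.children:
        c_count, c_score = default_score(child)
        if c_count:              # children with nothing counted are skipped
            count += 1
            total += c_score * child.weight
            acc += child.weight
    return count, (total / acc if acc else 0.0)  # normalized at every level

def rules(node):
    """Yield every Rule below node, ignoring the group structure."""
    if isinstance(node, Rule):
        yield node
    else:
        for child in node.children:
            yield from rules(child)

def flat_score(node, unweighted=False):
    """Return (score, maximum) under the flat or flat-unweighted model."""
    score = maximum = 0.0
    for r in rules(node):
        if r.result in NOT_COUNTED:
            continue
        w = (1.0 if r.weight else 0.0) if unweighted else r.weight
        maximum += w
        score += w if r.result == "pass" else 0.0
    return score, maximum

# Constructed benchmark: one group passes 3 of 3, the other 1 of 5 counted rules.
BENCHMARK = Group([
    Group([Rule("pass")] * 3),
    Group([Rule("pass")] + [Rule("fail")] * 4 + [Rule("notchecked")]),
])
```

On the constructed benchmark the flat model gives 4 of 8 (50%), while the default model gives 60, because each group is normalized to 0..100 before the groups are averaged.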
