On 8/29/14, 5:37 AM, Martin Preisler wrote:
> ----- Original Message -----
>> From: "Andrew Gilmore" <agilmo...@gmail.com>
>> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
>> Sent: Thursday, August 28, 2014 8:29:48 PM
>> Subject: Re: New report and guide in openscap 1.1.0
>>
>> I like the new look and functionality.
>>
>> Two first blush comments:
>> 1) On the report document, I can imagine my security officials freaking out
>> over the in-your-face "*The system is not compliant!*" text. What is the
>> recommended course to ensure this text does not appear if you're running
>> the scan on a webserver, for example? Is it as simple as creating a custom
>> profile derived from the STIG profile? Does anyone directly use the STIG
>> profile, have a completely compliant system, and have a server that
>> actually does anything useful?

Feel free to start a dedicated thread on which rules cause you the most problems. Feedback would be great.

>> Up to now, I've left tests in that I have waivers for, and then pointed at
>> the waivers to justify the test failures. Perhaps I will need to change
>> that practice.
>
> Isn't that a good thing? They should freak out, their system is not compliant!
> The recommended course is to tailor the profile, leaving out rules that make
> no sense on your system. Then you fix the remaining rules using remediation.
> In the end the machine will be compliant.
>
> The job of openscap is to check your machines for compliance over and over.
> When the machines are suddenly not compliant you really want to know that!

As Martin pointed out, such a finding should be alarming! Culturally though, IV&V/SCA staff may overreact when they see "The system is not compliant!" Perhaps just a combination, including Rodney's suggestion, will soften the message, e.g.:

"The system is not compliant! System needs to remediate X controls to reach compliance."

>> 2) On the guide document, the text beginning "Providing system
>> administrators" occurs twice.
>
> Looks like an issue with SSG but I will look more into it.

I believe it's something within the stylesheet.

    $ grep -rin "Providing system administrators with such guidanc" *
    guide.xml:14:Providing system administrators with such guidance informs them how to securely

Full code @ https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/guide.xml#L14

-- 
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
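The tailoring Martin recommends (a custom profile derived from the STIG profile with the waived rules left out) can be expressed as an XCCDF 1.2 tailoring file. The script below is an added example, not code from the thread or from SSG; it generates such a file with the Python standard library. The STIG profile id is assumed to be SSG's RHEL 6 one of that era, and the rule ids are placeholders to be replaced with the rules your waivers actually cover.

```python
"""Added example: build an XCCDF 1.2 tailoring file that derives a profile
from the SSG STIG profile and de-selects rules covered by a waiver."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)

# ASSUMPTION: SSG's RHEL 6 STIG profile id of the time; check your datastream.
STIG_PROFILE = "xccdf_org.ssgproject.content_profile_stig-rhel6-server"
# PLACEHOLDER rule ids: substitute the rules your waivers actually cover.
WAIVED_RULES = [
    "xccdf_org.ssgproject.content_rule_PLACEHOLDER_WAIVED_1",
    "xccdf_org.ssgproject.content_rule_PLACEHOLDER_WAIVED_2",
]


def q(tag):
    """Qualify an element name with the XCCDF 1.2 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


def build_tailoring(base_profile, new_profile, waived, benchmark_href, title):
    """Return an <xccdf:Tailoring> element holding one Profile that extends
    base_profile and explicitly de-selects every waived rule."""
    root = ET.Element(q("Tailoring"), id="xccdf_org.example_tailoring_waivers")
    ET.SubElement(root, q("benchmark"), href=benchmark_href)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    ET.SubElement(root, q("version"), time=stamp).text = "1"  # required by schema
    prof = ET.SubElement(root, q("Profile"), id=new_profile, extends=base_profile)
    ET.SubElement(prof, q("title")).text = title
    for rule_id in waived:
        # selected="false" overrides the inherited selection for this rule only
        ET.SubElement(prof, q("select"), idref=rule_id, selected="false")
    return root


def tailoring_xml(base_profile=STIG_PROFILE, waived=WAIVED_RULES,
                  new_profile="xccdf_org.example_profile_stig-webserver",
                  benchmark_href="ssg-rhel6-xccdf.xml",
                  title="STIG profile tailored for a web server"):
    root = build_tailoring(base_profile, new_profile, waived, benchmark_href, title)
    return ET.tostring(root, encoding="unicode")


def deselected_rules(xml_text):
    """Parse a tailoring file back and list the rule ids it de-selects."""
    root = ET.fromstring(xml_text)
    return [s.get("idref") for s in root.iter(q("select")) if s.get("selected") == "false"]


if __name__ == "__main__":
    print(tailoring_xml())  # feed the output to oscap xccdf eval --tailoring-file
```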