On 8/29/14, 9:28 AM, Gabe Alford wrote:
> On Fri, Aug 29, 2014 at 3:37 AM, Martin Preisler <mprei...@redhat.com> wrote:
>
> > ----- Original Message -----
> > > From: "Andrew Gilmore" <agilmo...@gmail.com>
> > > To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
> > > Sent: Thursday, August 28, 2014 8:29:48 PM
> > > Subject: Re: New report and guide in openscap 1.1.0
> > >
> > > I like the new look and functionality.
> > >
> > > Two first blush comments:
> > > 1) On the report document, I can imagine my security officials freaking out
> > > over the in-your-face "*The system is not compliant!*" text. What is the
> > > recommended course to ensure this text does not appear if you're running
> > > the scan on a webserver, for example? Is it as simple as creating a custom
> > > profile derived from the STIG profile? Does anyone directly use the STIG
> > > profile, have a completely compliant system, and have a server that
> > > actually does anything useful?
> > > Up to now, I've left tests in that I have waivers for, and then pointed at
> > > the waivers to justify the test failures. Perhaps I will need to change
> > > that practice.
> >
> > Isn't that a good thing? They should freak out, their system is not compliant!
> > The recommended course is to tailor the profile, leaving out rules that make
> > no sense on your system. Then you fix the remaining rules using remediation.
> > In the end the machine will be compliant.
>
> I would maybe add or modify the message here to be something along the lines:
>
> - "The system is not compliant! Please review rule results, site/network
>   security requirements, and consider applying remediation."
>
> --- or ---
>
> - "The system may not be compliant! Please review rule results, site/network
>   security requirements, and consider applying remediation."
>
> I personally would prefer the last one as it says, "Hey. Check your system as
> well as check your security requirements to see if what you are seeing from
> the scan matches with those security requirements."

Systems are scanned against a specific profile (STIG, USGCB....) which represent defined requirements. It's fair to say "The system /is not/ compliant" vs "may not." Recognizing deployments may have exceptions, the override/tailoring file can be used (e.g. "my site uses 5 char passwords, not 12, so don't fail me").

> > The job of openscap is to check your machines for compliance over and over.
> > When the machines are suddenly not compliant you really want to know that!
> >
> > > 2) On the guide document, the text beginning "Providing system
> > > administrators" occurs twice.
> >
> > Looks like an issue with SSG but I will look more into it.
> >
> > --
> > Martin Preisler
> > --
> > SCAP Security Guide mailing list
> > scap-security-guide@lists.fedorahosted.org
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> > https://github.com/OpenSCAP/scap-security-guide/

--
Shawn Wells
Director, Innovation Programs
sh...@redhat.com | 443.534.0130
@shawndwells
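An XCCDF 1.2 tailoring file of the kind Martin and Shawn describe, added here as an illustration rather than anything from the thread or from SSG itself: it derives a site profile from the STIG profile, deselects a rule the site holds a waiver for instead of leaving it to fail in every report, and overrides one value. The benchmark file name and every profile, rule and value identifier below are placeholders; substitute the ids from the SSG content you actually scan with.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Placeholder ids throughout: replace with the ids from your SSG benchmark. -->
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_com.example_tailoring_webserver">
  <!-- The SSG benchmark this tailoring applies to (file name is an assumption). -->
  <xccdf:benchmark href="ssg-rhel6-xccdf.xml"/>
  <xccdf:version time="2014-08-29T00:00:00">1</xccdf:version>

  <!-- New profile that inherits every selection of the STIG profile ... -->
  <xccdf:Profile id="xccdf_com.example_profile_stig_webserver"
                 extends="xccdf_org.ssgproject.content_profile_PLACEHOLDER_stig">
    <xccdf:title>STIG profile tailored for the web server</xccdf:title>
    <xccdf:description>
      Rules covered by an approved waiver are deselected here, with the waiver
      reference recorded, so the report reflects the site's actual requirements
      rather than a standing list of expected failures.
    </xccdf:description>

    <!-- ... and then drops the single rule the site has a waiver for.
         Deselecting is preferable to ignoring a red result: the rule no longer
         appears as a failure, and the waiver is documented in the tailoring. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_PLACEHOLDER_waived"
                  selected="false"/>

    <!-- Site-specific parameter override (the "my site uses N chars" case from
         the thread): set the benchmark Value directly instead of deselecting
         the rule that checks it, so the check still runs against the site's number. -->
    <xccdf:set-value idref="xccdf_org.ssgproject.content_value_PLACEHOLDER_minlen">12</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
```

Scan with the tailored profile rather than the stock one, e.g. `oscap xccdf eval --tailoring-file tailoring.xml --profile xccdf_com.example_profile_stig_webserver --report report.html ssg-rhel6-xccdf.xml`; the report then states compliance against the site's documented requirements, which is what the "not compliant" banner should be measuring.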