I'm going to start a new thread regarding language of compliance and baseline threads.
On Sun, Aug 31, 2014 at 2:30 AM, Shawn Wells <sh...@redhat.com> wrote:

> On 8/29/14, 9:28 AM, Gabe Alford wrote:
> > On Fri, Aug 29, 2014 at 3:37 AM, Martin Preisler <mprei...@redhat.com> wrote:
> > > ----- Original Message -----
> > > > From: "Andrew Gilmore" <agilmo...@gmail.com>
> > > > To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
> > > > Sent: Thursday, August 28, 2014 8:29:48 PM
> > > > Subject: Re: New report and guide in openscap 1.1.0
> > > >
> > > > I like the new look and functionality.
> > > >
> > > > Two first blush comments:
> > > > 1) On the report document, I can imagine my security officials freaking out
> > > > over the in-your-face "*The system is not compliant!*" text. What is the
> > > > recommended course to ensure this text does not appear if you're running
> > > > the scan on a webserver, for example? Is it as simple as creating a custom
> > > > profile derived from the STIG profile? Does anyone directly use the STIG
> > > > profile, have a completely compliant system, and have a server that
> > > > actually does anything useful?
> > > > Up to now, I've left tests in that I have waivers for, and then pointed at
> > > > the waivers to justify the test failures. Perhaps I will need to change
> > > > that practice.
> > >
> > > Isn't that a good thing? They should freak out, their system is not compliant!
> > > The recommended course is to tailor the profile, leaving out rules that make
> > > no sense on your system. Then you fix the remaining rules using remediation.
> > > In the end the machine will be compliant.
> > >
> >
> > I would maybe add or modify the message here to be something along the lines:
> >
> > - "The system is not compliant! Please review rule results, site/network
> >   security requirements, and consider applying remediation."
> >
> > --- or ---
> >
> > - "The system may not be compliant! Please review rule results,
> >   site/network security requirements, and consider applying remediation."
> >
> > I personally would prefer the last one as it says, "Hey. Check your
> > system as well as check your security requirements to see if what you are
> > seeing from the scan matches with those security requirements."
>
> Systems are scanned against a specific profile (STIG, USGCB....) which
> represent defined requirements. It's fair to say "The system *is not*
> compliant" vs "may not."
>
> Recognizing deployments may have exceptions, the override/tailoring file
> can be used (e.g. "my site uses 5 char passwords, not 12, so don't fail
> me").
>
> > > The job of openscap is to check your machines for compliance over and over.
> > > When the machines are suddenly not compliant you really want to know that!
> > >
> > > > 2) On the guide document, the text beginning "Providing system
> > > > administrators" occurs twice.
> > >
> > > Looks like an issue with SSG but I will look more into it.
> > >
> > > --
> > > Martin Preisler
> > > --
> > > SCAP Security Guide mailing list
> > > scap-security-guide@lists.fedorahosted.org
> > > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> > > https://github.com/OpenSCAP/scap-security-guide/
> >
>
> --
> Shawn Wells
> Director, Innovation programs
> sh...@redhat.com | 443.534.0130
> @shawndwells
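As an added illustration of the tailoring approach Martin and Shawn describe above (this is not code from the thread or from the SCAP Security Guide project), here is an XCCDF 1.2 tailoring file that derives a site profile from a STIG-style profile, deselects rules that are covered by written waivers, and overrides one value to the site's documented policy. The benchmark filename, profile id, rule ids, value id and waiver ids are placeholders, not real SSG identifiers.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example tailoring file (added illustration, not SSG content).
     Every identifier below is a PLACEHOLDER: replace it with the
     benchmark, profile, rule and value ids from your SSG XCCDF file. -->
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example.site_tailoring_webserver">
  <!-- The SSG benchmark this tailoring applies to (placeholder path). -->
  <xccdf:benchmark href="PLACEHOLDER-ssg-xccdf.xml"/>
  <!-- XCCDF 1.2 requires a version with a timestamp on a Tailoring. -->
  <xccdf:version time="2014-09-01T00:00:00">1</xccdf:version>

  <!-- New profile that inherits everything from the STIG profile and
       records only the site-approved deviations, so the report is
       still "compliant / not compliant" against a defined baseline. -->
  <xccdf:Profile id="xccdf_org.example.site_profile_stig_webserver"
                 extends="xccdf_org.ssgproject.content_profile_PLACEHOLDER_STIG">
    <xccdf:title>STIG profile tailored for the web tier</xccdf:title>
    <xccdf:description>
      Deviations from the upstream STIG profile. Each deselected rule is
      backed by a written waiver; the waiver id is cited next to the
      rule so the scan report and the waiver register stay in sync.
    </xccdf:description>

    <!-- Waiver WAIVER-001 (placeholder): this host's job is to serve
         web content, so a rule that forbids the web server role does
         not apply here. Deselecting it records the exception instead
         of leaving a known failure in every report. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_PLACEHOLDER_1"
                  selected="false"/>

    <!-- Waiver WAIVER-002 (placeholder): a second site exception. -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_PLACEHOLDER_2"
                  selected="false"/>

    <!-- Site policy differs only in a parameter: keep the rule selected
         and override the value it checks (example value 15 characters,
         taken from the site's written password standard), rather than
         dropping the rule altogether. -->
    <xccdf:set-value idref="xccdf_org.ssgproject.content_value_PLACEHOLDER_minlen">15</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
```

Pass it to the scanner with `oscap xccdf eval --tailoring-file <this file> --profile xccdf_org.example.site_profile_stig_webserver <benchmark>` so the report is evaluated against the tailored profile and the documented exceptions travel with it.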