----- Original Message -----
> From: "Gabe Alford" <redhatri...@gmail.com>
> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
> Sent: Friday, August 29, 2014 3:28:20 PM
> Subject: Re: New report and guide in openscap 1.1.0
>
> On Fri, Aug 29, 2014 at 3:37 AM, Martin Preisler <mprei...@redhat.com>
> wrote:
>
> [snip]
>
> I would maybe add or modify the message here to be something along the
> lines:
>
> - "The system is not compliant! Please review rule results, site/network
> security requirements, and consider applying remediation."
>
> --- or ---
>
> - "The system may not be compliant! Please review rule results,
> site/network security requirements, and consider applying remediation."

The thing is, you should have reviewed your security requirements before you
chose the benchmark and profile and decided to run the scan :-)

The only thing openscap knows is that the machine is not compliant with
regards to the benchmark and profile combination you evaluated. We have to be
more generic than site/network security requirements.

And I think saying that you are not compliant with regards to the selected
benchmark and profile is redundant. That should be apparent from the report
already.

--
Martin Preisler
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/