----- Original Message ----- > From: "Steve Grubb" <sgr...@redhat.com> > To: scap-security-guide@lists.fedorahosted.org > Cc: "Martin Preisler" <mprei...@redhat.com> > Sent: Tuesday, September 2, 2014 5:33:05 PM > Subject: Re: Best ways to say this system is not compliant > > On Tuesday, September 02, 2014 08:48:17 AM Martin Preisler wrote: > > > Several participants in the thread "Re: New report and guide in openscap > > > 1.1.0" > > > raised concerned over a language "The system is not compliant!" in the > > > report. > > > > I decided to avoid using the word compliant at all in this case. > > XCCDF spec defines what it means on the report but people may think > > the word has a different meaning and may be shocked. > > > > So instead I decided to explicitly say how many rules failed or were > > inconclusive. > > > > For example: > > "The target system did not satisfy conditions of 131 rules! Furthermore, > > the results of 2 rules were inconclusive. Please review rule results > > and consider applying remediation." > > Inconclusive is a word that I would not use. It prejudices the results by > indicating that something may or may not be wrong and it can't really tell.
That is exactly the case. It's not prejudice, it's fact. > That's not the message I want from any tool. Imagine running badblocks, aide, > or find and the message output is that it's inconclusive. :-) > > I'd simply say something to the effect that the scan has findings that need > to > be reviewed. Short & simple. The report says "inconclusive" for rules 'error' or 'unknown' as cdf:result. Excerpt from XCCDF 1.2 spec: error - The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information. unknown - The testing tool encountered some problem and the result is unknown. For example, a result of 'unknown' might be given if the testing tool was unable to interpret the output of the checking engine (the output has no meaning to the testing tool). I am not a native speaker but I am pretty sure inconclusive is the right word for this. If not, please provide an alternative. -- Martin Preisler -- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
