[Open-scap] Waiver support in HTML report

Kayse, Josh Joshua.Kayse at gtri.gatech.edu
Thu Nov 6 17:58:33 UTC 2014


> On Nov 6, 2014, at 10:49 AM, Martin Preisler <mpreisle at redhat.com> wrote:
> 
> Hi,
> I wrote a short blog post about waivers in HTML report.
> These changes are coming in 1.2.0 so we would like to gather
> some feedback before the release.
> 
> Suggestions welcome!
> 
> http://martin.preisler.me/2014/11/waivers-in-openscap-html-report/

This is awesome. I’ll echo Shawn Wells' question about generating waivers. Additionally, does a waived rule still impact the score of the system?

We would like to be able to use the STIG from SSG with minimal modifications (changing variables in the STIG only). Unfortunately this results in several rules failing that we have obtained waivers for. Therefore we currently modify the weight of the known failures such that they do not impact the score of the system. This allows us to confidently monitor the posture of the system by monitoring the score. If the known failures were integrated into the score we would not know whether the score is due to a known failure or a new failure.

For example, say the score is 90 because prelink is enabled. An admin comes in and changes prelink to be disabled but also causes another rule, such as password complexity, to fail which leaves the score at 90.

-josh
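
The score-masking scenario from the message above, worked through as an added example (not part of the original e-mail and not OpenSCAP code). It assumes a simplified scoring function, the percentage of total rule weight held by passing rules, and uses ten constructed, equally weighted rules with hypothetical ids.

```python
# Added illustration: simplified weighted pass percentage, not OpenSCAP's scorer.
# Rule ids and results are constructed sample data.
RULES = {f"rule_{i}": 1.0 for i in range(8)}
RULES.update({"prelink_disabled": 1.0, "password_complexity": 1.0})
WAIVED = {"prelink_disabled"}  # known failure covered by a waiver


def score(results, weights):
    """Percentage of total rule weight held by passing rules."""
    total = sum(weights.values())
    passed = sum(w for rule, w in weights.items() if results[rule] == "pass")
    return 100.0 * passed / total if total else 0.0


def zero_waived(weights, waived):
    """The workaround from the message: waived rules get weight 0."""
    return {rule: (0.0 if rule in waived else w) for rule, w in weights.items()}


def unwaived_failures(results, waived):
    """Failures not covered by a waiver: the set an operator must act on."""
    return sorted(r for r, res in results.items() if res == "fail" and r not in waived)


def scan(failing):
    """Build a constructed result set in which only `failing` rules fail."""
    return {rule: ("fail" if rule in failing else "pass") for rule in RULES}


before = scan({"prelink_disabled"})    # only the waived rule fails
after = scan({"password_complexity"})  # prelink fixed, a new rule fails

if __name__ == "__main__":
    adjusted = zero_waived(RULES, WAIVED)
    for name, res in (("before", before), ("after", after)):
        print(name, "original weights:", round(score(res, RULES), 1),
              "| waived weight 0:", round(score(res, adjusted), 1),
              "| unwaived failures:", unwaived_failures(res, WAIVED))
```

With the original weights both scans score 90, so the new failure is invisible in the score; with the waived rule at weight 0 the score moves from 100 to 88.9, and the per-rule comparison names the rule that regressed.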