----- Original Message -----
> From: "Gabe Alford" <[email protected]>
> To: "SCAP Security Guide" <[email protected]>
> Sent: Friday, August 29, 2014 3:28:20 PM
> Subject: Re: New report and guide in openscap 1.1.0
>
> On Fri, Aug 29, 2014 at 3:37 AM, Martin Preisler <[email protected]>
> wrote:
>
> [snip]
>
> I would maybe add or modify the message here to be something along the
> lines:
>
> - "The system is not compliant! Please review rule results, site/network
> security requirements, and consider applying remediation."
>
> --- or ---
>
> - "The system may not be compliant! Please review rule results,
> site/network security requirements, and consider applying remediation."

The thing is, you should have reviewed your security requirements before
you chose the benchmark and profile and decided to run the scan :-)

The only thing openscap knows is that the machine is not compliant with
regards to the benchmark and profile combination you evaluated. We have to
be more generic than site/network security requirements.

And I think saying that you are not compliant with regards to the selected
benchmark and profile is redundant. That should be apparent from the report
already.

--
Martin Preisler
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
