I think there should be an option to track the score even if a rule is waived. The score is a representation of risk; waiving the rule doesn't mean the risk disappeared, but simply that it was accepted. The amount of risk being accepted should be made available to the authorizing official or system owner. Also, a field for how long the waiver is valid will be beneficial, since permanent waivers are frowned upon in general.
Regards,
Wei

----------------------------------------------------------------------

----- Original Message -----
> From: "Josh Kayse" <[email protected]>
> To: "Martin Preisler" <[email protected]>
> Cc: "open-scap-list" <[email protected]>,
> [email protected], "SCAP Security Guide"
> <[email protected]>
> Sent: Thursday, November 6, 2014 6:58:33 PM
> Subject: Re: [Open-scap] Waiver support in HTML report
>
>
>
> On Nov 6, 2014, at 10:49 AM, Martin Preisler <[email protected]> wrote:
> >
> > Hi,
> > I wrote a short blog post about waivers in HTML report.
> > These changes are coming in 1.2.0 so we would like to gather
> > some feedback before the release.
> >
> > Suggestions welcome!
> >
> > http://martin.preisler.me/2014/11/waivers-in-openscap-html-report/
>
> This is awesome. I’ll echo Shawn Wells question about generating waivers.

Replied about this to Shawn.

> Additionally, does a waived rule still impact the score of the system?

It does not. For all intents and purposes it behaves like a rule of the result
the waiver set it to. So if you waive a failed rule and make it "pass" you
basically make it behave exactly like a passed rule.

--
Martin Preisler

------------------------------

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
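
An added sketch, not OpenSCAP code and not written by anyone in this thread, of the two behaviours discussed above: a waived rule scores as the result the waiver sets, while the score without waivers and a waiver validity date are reported alongside it. The flat weighted scoring model, the field names (including the expiry field) and the sample rule ids are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class RuleResult:
    rule_id: str                           # constructed ids, not from a real benchmark
    weight: float
    result: str                            # result as evaluated: "pass" or "fail"
    waived_to: Optional[str] = None        # result the waiver sets, if any
    waiver_expires: Optional[date] = None  # hypothetical validity field

def effective(r: RuleResult, today: date) -> str:
    """Result used for scoring: the waiver's result while the waiver is valid."""
    if r.waived_to and (r.waiver_expires is None or today <= r.waiver_expires):
        return r.waived_to
    return r.result

def score(results: List[RuleResult], today: date, honour_waivers: bool = True) -> float:
    """Flat weighted percentage of passing rules (simplified scoring model)."""
    total = sum(r.weight for r in results)
    passed = sum(r.weight for r in results
                 if (effective(r, today) if honour_waivers else r.result) == "pass")
    return round(100.0 * passed / total, 2) if total else 0.0

def waiver_report(results: List[RuleResult], today: date) -> dict:
    """Reported score, score with waivers ignored, and the gap between them."""
    reported = score(results, today)
    raw = score(results, today, honour_waivers=False)
    return {
        "reported_score": reported,                  # what a waived report shows
        "raw_score": raw,                            # what the scan actually found
        "accepted_risk": round(reported - raw, 2),   # points gained only by waivers
        "expired_waivers": [r.rule_id for r in results
                            if r.waived_to and r.waiver_expires
                            and today > r.waiver_expires],
    }

# Constructed sample results for illustration only.
SAMPLE = [
    RuleResult("rule_a", 1.0, "pass"),
    RuleResult("rule_b", 1.0, "fail"),
    RuleResult("rule_c", 2.0, "fail", waived_to="pass", waiver_expires=date(2015, 6, 30)),
    RuleResult("rule_d", 1.0, "fail", waived_to="pass", waiver_expires=date(2014, 12, 31)),
]

if __name__ == "__main__":
    print(waiver_report(SAMPLE, date(2015, 1, 15)))
```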
