On 11/13/14, 8:52 AM, Martin Preisler wrote:
> ----- Original Message -----
>> From: "Gabe Alford" <[email protected]>
>> To: "SCAP Security Guide" <[email protected]>
>> Sent: Thursday, November 13, 2014 2:05:40 PM
>> Subject: Re: Waiver support in HTML report
>>
>> Really like the new feature! One thing is how do I remove a waiver, e.g.
>> what if I accidentally add a waiver to the wrong rule?
> Right now you can't but this is a planned feature. There will be a waiver
> removal callback that integrations can set. I will most likely not add
> waiver modification, if you need waiver modification you can always remove
> a waiver and add a new one.

In an earlier thread someone mentioned setting a "waiver expiration" concept. This would be INCREDIBLY useful, but would this be better discussed for SCAPtimony integration?

As a sample use case....

During many C&A efforts, I've had a control assessor find something I've overlooked. An example would be setting the system login banners -- sometimes on small, compartmentalized networks, setting the login banner is more a formality to pass a compliance check than a meaningful legal countermeasure. So they grant ATO given that I must fix the finding within 5-10 days.

In such a scenario, I load up the SCAP report and click "add waiver." I select an "expires on" date, which somehow integrates into SCAPtimony. As that date approaches I get nag screens.

Would something like this be achievable? And if so, should an RFE be filed to the SCAPtimony GitHub page or somewhere else?

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
