No concerns outside of the technical area...but curious why "additional" requirements would be categorized as "mysteriously appearing" in addition to the SSG community inputs? Are the additional STIG rules an expansion based on CNSSI-1253 recommendations? Do additional STIG rules address areas where physical checks/audits are required where remediation is difficult to automate?
Will RHEL-7 Benchmark more closely resemble current SSG community contributions? -- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected] https://github.com/OpenSCAP/scap-security-guide/
