Several participants in the thread "Re: New report and guide in openscap 1.1.0"
raised concerns over the language "The system is not compliant!" in the report.

I agree. "not compliant" ideally should only be done against a policy established by an organization for that system. The assessment and passing of any set of controls != compliance, it is a step toward compliance.

Public profiles are, generally speaking, against *baselines*.  It would be great if the use of OpenSCAP and SSG inspired/encouraged Departments and Agencies to develop and manage their own profiles that build on top of the baseline profiles. 

For example, if a test is run against a default profile, feedback should emphasize the profile is a default profile and encourage organizations to maintain their own organizational profiles.

Imagine if by default OpenSCAP tried to find an agency's default repository of profiles. If no agency-defined repository existed, OpenSCAP would communicate: "No agency-specific profiles available. To create agency specific profiles blah, blah...OpenSCAP using default SCAP-Security-Guide baseline profile blah, blah, blah." This would constantly remind users they should be managing their own set of profiles.

Of course, managing drift among agency specific profiles vs the baselines becomes another issue -- but that is something further for OpenSCAP and SSG to assist.

Greg Elin
http://govready.org - Making FISMA compliance easier for innovators

email: gregelin@gitmachines.com
phone: 917-304-3488
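The lookup-with-fallback behaviour sketched above (check for an agency-specific profile, otherwise fall back to the SSG baseline and say so) can be prototyped as a thin wrapper around oscap. The following is an added example, not code from the thread, from OpenSCAP or from SSG. It assumes that agency profiles are kept as XCCDF 1.2 tailoring files named `<name>-tailoring.xml` under a directory given by `AGENCY_PROFILE_DIR`, and the datastream path and baseline profile id are illustrative placeholders; the `--tailoring-file` and `--profile` options are real oscap options, but the wrapper only prints the command it would run rather than executing it.

```shell
#!/bin/sh
# Added example (not part of the original thread, OpenSCAP or SSG).
# Assumed layout: one XCCDF tailoring file per agency profile,
# $AGENCY_PROFILE_DIR/<name>-tailoring.xml. Paths and ids below are placeholders.
AGENCY_PROFILE_DIR="${AGENCY_PROFILE_DIR:-/etc/openscap/agency-profiles}"
SSG_DATASTREAM="${SSG_DATASTREAM:-/usr/share/xml/scap/ssg/content/ssg-example-ds.xml}"
SSG_BASELINE_PROFILE="${SSG_BASELINE_PROFILE:-xccdf_org.ssgproject.content_profile_standard}"

# select_profile DIR NAME
# Prints "agency <tailoring-file>" when DIR/NAME-tailoring.xml is readable;
# otherwise prints "baseline" and writes the reminder the thread asks for to stderr.
select_profile() {
    sp_tailoring="$1/$2-tailoring.xml"
    if [ -r "$sp_tailoring" ]; then
        printf 'agency %s\n' "$sp_tailoring"
        return 0
    fi
    printf 'No agency-specific profile "%s" available under %s.\n' "$2" "$1" >&2
    printf 'Using the SCAP-Security-Guide baseline profile %s instead.\n' "$SSG_BASELINE_PROFILE" >&2
    printf 'A pass against a baseline is a step toward compliance, not compliance with your policy.\n' >&2
    printf 'baseline\n'
    return 0
}

# tailored_profile_id FILE
# Extracts the id of the first <xccdf:Profile> element in a tailoring file
# (simple line-oriented extraction; assumes the id attribute is on the same line).
tailored_profile_id() {
    sed -n 's/.*<[^>]*Profile[^>]*id="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# build_oscap_cmd DIR NAME
# Prints the oscap command line that would evaluate the selected profile.
build_oscap_cmd() {
    bc_sel=$(select_profile "$1" "$2")
    case "$bc_sel" in
        agency\ *)
            bc_tailoring=${bc_sel#agency }
            bc_profile=$(tailored_profile_id "$bc_tailoring")
            printf 'oscap xccdf eval --tailoring-file %s --profile %s %s\n' \
                "$bc_tailoring" "$bc_profile" "$SSG_DATASTREAM"
            ;;
        *)
            printf 'oscap xccdf eval --profile %s %s\n' \
                "$SSG_BASELINE_PROFILE" "$SSG_DATASTREAM"
            ;;
    esac
}

# Stand-alone use: RUN_EXAMPLE=1 ./wrapper.sh <profile-name>
if [ "${RUN_EXAMPLE:-}" = "1" ]; then
    build_oscap_cmd "$AGENCY_PROFILE_DIR" "${1:-standard}"
fi
```

The point of the split between `select_profile` and `build_oscap_cmd` is that the reminder text goes to stderr every time the baseline is chosen, so a scheduled scan that silently drifted back to the public baseline still leaves a visible trace in its log; the profile id is read from the tailoring file rather than guessed, so the agency profile name on disk and the XCCDF id can differ.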