mirror of
https://github.com/usnistgov/macos_security.git
synced 2026-02-03 14:03:24 +00:00
Indicate manual rules that are included in the baseline #161
Originally created by @bernstei on GitHub.
As discussed in #114, rules that are labeled with the tag `manual` are not pointed out to the user at all, from what I can tell, at any point in the process. Except for manually (pun not intended) going through the baseline and checking each rule yaml file for the `manual` tag, nothing in the process indicates that a rule is manual and the remediation script doesn't even check it. I think it's crucial that at least someplace in the process manual rules are pointed out. Ideally, the remediation script would not just exclude manual rules, but list them with a message indicating that no checks or remediation are being done.
@brodjieski commented on GitHub:
Added NOTE in PDF/HTML to rules that are marked as manual.
@bernstei commented on GitHub:
My preference would be to indicate this in the remediation script's output, although I agree that'd be non-trivial - it's easy enough to note that it's manual when the script is being generated, but I guess you'd need to add logic to avoid running a check or remediation scriptlet (or replace the rule-based ones with null ones) and some way of noting that it's a manual rule that can't be checked when the report is generated. It's really misleading when the remediation script says "100%" compliance but manual rules are excluded.
At a minimum, though, it should be noted in the generated html/PDF docs, which don't, so far as I can tell, give any indication that the remediation script is not going to even attempt to evaluate the rule.
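The reporting behaviour requested in this thread, as an added example that is not part of the mSCP project's own code: rules carrying the `manual` tag are never executed, but they are listed in the output with an explicit "not checked, not remediated" line, and the compliance percentage is labelled as covering automated rules only. The real compliance script is generated shell and the rules live in YAML files; this Python model assumes the rules have already been loaded into simple objects, and the rule IDs and check results below are constructed for illustration (a hypothetical `run_check` callable stands in for the per-rule check scriptlet).

```python
# Added example (not mSCP project code): separate manually verified rules from
# automated checks so the compliance figure never silently hides unchecked rules.
from dataclasses import dataclass
from typing import Callable, Optional

MANUAL_TAG = "manual"  # the tag discussed in this issue; real rules carry it in their YAML 'tags' list


@dataclass
class Rule:
    rule_id: str
    tags: list
    passed: Optional[bool] = None  # None means "no check was run for this rule"


def is_manual(rule: Rule) -> bool:
    return MANUAL_TAG in rule.tags


def evaluate(rules: list, run_check: Callable[[str], bool]) -> list:
    """Run the check for automated rules only. Manual rules are kept with
    passed=None rather than dropped, so the report can still list them."""
    out = []
    for r in rules:
        if is_manual(r):
            out.append(Rule(r.rule_id, r.tags, None))  # hypothetical: check scriptlet replaced by a no-op
        else:
            out.append(Rule(r.rule_id, r.tags, bool(run_check(r.rule_id))))
    return out


def summarize(results: list) -> dict:
    """Compliance is computed over automated rules only; manual rules are reported separately."""
    automated = [r for r in results if not is_manual(r)]
    manual = [r for r in results if is_manual(r)]
    passed = sum(1 for r in automated if r.passed)
    pct = 100.0 * passed / len(automated) if automated else 0.0
    return {
        "automated_total": len(automated),
        "automated_passed": passed,
        "automated_failed": [r.rule_id for r in automated if not r.passed],
        "compliance_pct": round(pct, 1),
        "manual": [r.rule_id for r in manual],
    }


def render(summary: dict) -> str:
    """Plain-text report; the percentage line states its denominator explicitly."""
    lines = [
        f"Automated rules: {summary['automated_passed']}/{summary['automated_total']} passed "
        f"({summary['compliance_pct']}% of AUTOMATED rules only)"
    ]
    for rid in summary["automated_failed"]:
        lines.append(f"  FAIL   {rid}")
    lines.append(f"Manual rules (NOT checked, NOT remediated): {len(summary['manual'])}")
    for rid in summary["manual"]:
        lines.append(f"  MANUAL {rid} - verify by hand")
    return "\n".join(lines)


# Constructed sample rules and check outcomes (hypothetical IDs, not a real baseline).
SAMPLE_RULES = [
    Rule("example_sip_enable", ["800-53r5_moderate"]),
    Rule("example_firewall_enable", ["800-53r5_moderate"]),
    Rule("example_physical_media_control", ["800-53r5_moderate", MANUAL_TAG]),
]
SAMPLE_CHECK_RESULTS = {"example_sip_enable": True, "example_firewall_enable": False}


def sample_summary() -> dict:
    # The lookup is never reached for the manual rule, which is the point of evaluate().
    results = evaluate(SAMPLE_RULES, lambda rid: SAMPLE_CHECK_RESULTS[rid])
    return summarize(results)


if __name__ == "__main__":
    print(render(sample_summary()))
```

With the constructed sample the report shows 1/2 automated rules passing (50% of automated rules only) and one manual rule listed as unchecked, which is the distinction the thread asks for instead of a bare "100%".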