Waivers is a mechanism to mark controls as “waived” for various reasons, and to control the running and/or reporting of those controls. It uses a YAML input file that identifies:
- which controls are waived
- a description of why each is waived
- (optionally) whether they should be skipped from running
- (optionally) an expiration date for the waiver

To use waivers, you must have a correctly formatted input file and invoke `inspec exec` with the `--waiver-file` option:

```
inspec exec path/to/profile --waiver-file waivers.yaml
```

Waiver files are input files with a specific format:

```yaml
control_id:
  expiration_date: YYYY-MM-DD
  run: false
  justification: "reason for waiving this control"
```

- `expiration_date` sets the day that the waiver file will expire in YYYY-MM-DD format. Waiver files expire at 00:00 at the local time of the system on the specified date. Waiver files without an expiration date are permanent.
- `run` is optional. If absent or true, the control will run and be reported, but failures in it won’t make the overall run fail. If present and false, the control will not be run. You may use any of yes, no, true or false. To avoid confusion, it is good practice to explicitly specify whether the control should run.
- `justification` can be any text you want and might include a reason as well as who signed off on the waiver.

```yaml
waiver_control_1_2_3:
  expiration_date: 2019-10-15
  justification: Not needed until Q3. @secteam

xccdf_org.cisecurity.benchmarks_rule_188.8.131.52_Ensure_mounting_of_hfs_filesystems_is_disabled:
  expiration_date: 2020-03-01
  justification: "This might be a bug in the test. @qateam"
  run: false
```
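
Because a waiver suppresses a failing or skipped control, the waiver file deserves the same review as any other exception list. The following Ruby script is an added example, not part of InSpec or its documentation: it audits a waiver file for the conditions described above (permanent waivers, expired waivers, an unstated `run`, controls that will not run, empty justifications). The function name `audit_waivers` and the sample control IDs are hypothetical.

```ruby
require 'yaml'
require 'date'

# Constructed sample waiver file (control IDs are made up for this example).
SAMPLE_WAIVERS = <<~YAML
  example_control_a:
    expiration_date: 2020-03-01
    run: false
    justification: "Pending vendor patch. @secteam"
  example_control_b:
    justification: "Accepted risk"
  example_control_c:
    expiration_date: 2999-01-01
    run: true
    justification: ""
YAML

# Returns { control_id => [finding, ...] } for waivers that need review.
# `today` is injectable so results are reproducible.
def audit_waivers(yaml_text, today = Date.today)
  waivers = YAML.safe_load(yaml_text, permitted_classes: [Date]) || {}
  waivers.each_with_object({}) do |(id, w), report|
    w = {} unless w.is_a?(Hash)
    findings = []
    exp = w['expiration_date']
    exp = (Date.iso8601(exp) rescue nil) if exp.is_a?(String) # quoted dates
    if !w.key?('expiration_date')
      findings << 'permanent waiver (no expiration_date)'
    elsif !exp.is_a?(Date)
      findings << 'expiration_date is not YYYY-MM-DD'
    elsif today >= exp # expiry is at 00:00 local time on the date itself
      findings << "expired on #{exp}"
    end
    findings << 'run not stated explicitly' unless w.key?('run')
    findings << 'control will not run (run: false)' if w['run'] == false
    findings << 'missing justification' if w['justification'].to_s.strip.empty?
    report[id] = findings unless findings.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_waivers(SAMPLE_WAIVERS).each { |id, f| puts "#{id}: #{f.join('; ')}" }
end
```

Running a check like this in CI before `inspec exec` keeps expired or open-ended waivers from silently masking control failures.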