The current implementation is the result of acknowledging that the default DISA STIG policy:
- Contains rules that should be taken into account during installation since they cannot be easily remedied afterwards (e.g. partitioning and encryption).
- Contains rules that could make the system unusable for its original purpose if a full remediation is blindly applied.
The first problem is addressed in both interactive and automated installations by issuing warnings the user must accept in order to finish the installation process. Interactive installation also includes links to the section of the installer where the configuration can be fixed.
The second problem is addressed:
- In interactive installation by making scanning and remediation optional at first boot, so the user has the possibility to tweak the SCAP definitions (e.g. with a tailoring file) or the system before running the scan or remediation manually.
- In the automated installation by using the same traditional AutoYaST mechanisms that are always used to automate post-installation tasks. For example, using a `<file>` section to deploy the `/etc/ssg-apply/override.conf` configuration file that would then be used in the scan or remediation done during first boot.