Yep - STIG compliance is a pain, esp. if your linux box is an appliance, not a general-purpose multi-user box. I do think it cool they appear to care about securing their systems, though.

3 separate realms.

Policy to define what's allowed (you haz a policy, whether it is written down or even thought about).

Enforcement of that policy. FW, IPS, application fw. The higher in the stack the fw goes, the closer it should be in the net topology to the target it defends.

Audit the enforcement of that policy. IDS, stats, flow.

And rather than tie everything together, how about focus on the 3-4 sources that really kick ass? FW logs are not useful. Focus on what your targets are doing, not what the millions of bots are prevented from doing.

http://taosecurity.blogspot.com/ is your source for clear thinking on this subject.

It's the role of the press to bring us the story, especially if the powers that be want it hushed up. I think the Pentagon was chickenshit to hide the homecomings up to this point. Did you see that under the new process, 3/4 of families are fine with the photographs? Someone struck exactly the right note, giving families the right to make the call.

My agenda is truth. The truth is some of our people come back dead. It dishonors their memories to pretend otherwise, and to minimize their sacrifice. So I'm not willing to accept your formulation that its just a political bias that determines whether one should or will approve of their publishing the events.