Scan results

View the results of your CIS scans and find out whether your nodes are compliant.

Scan report metrics bar

On the Scan report metrics bar, the Compliance scan status section displays the compliance score with any applicable exceptions. The metrics bar also displays the percentage of nodes that passed, failed, or could not be evaluated, and the scan initiation date and time. The Puppet Enterprise job status section displays the status of scan jobs in Puppet Enterprise.

Compliance Dashboard

The Compliance Dashboard provides a breakdown of your latest CIS scan.

The dashboard can be filtered by environment, operating system, and node group in order to show subsets of your infrastructure. It has several widgets containing information about your nodes and exceptions:

  • Number of scanned nodes: the number of nodes included in your last scan. Clicking this widget takes you to the Node results page.
  • Number of nodes in inventory: clicking this widget takes you to the Inventory page.
  • Active exceptions: clicking this widget takes you to the Exceptions page.
  • Nodes added: the number of nodes added in the specified time frame. Use the arrow buttons to change the time frame.
  • Overall compliance score over time: a graph of changes in your compliance score. Use the drop-down list to change the specified time frame.
  • Compliance score with exceptions applied and Compliance score without exceptions applied: clicking this widget takes you to the Node results page.
  • Nodes without desired compliance applied: clicking this widget takes you to a filter on the Inventory page.
  • Expiring exceptions: clicking this widget takes you to a filter on the Exceptions page.
  • Out-of-date assessors: clicking this widget takes you to a filter on the Inventory page.
  • Unscanned nodes: clicking this widget takes you to the Run a desired compliance scan page.
  • 5 least compliant nodes: clicking a node name within this widget takes you to the Node detail page for that node.

Node compliance

From the Node results page, click a node name to navigate to the Node detail page and see the results of the latest scan on that node:

  • The Scan status pane shows a status breakdown for the latest scan, including the total number of rules and the number of rules that passed, failed, reported an error, or had an unknown status. You can hover over the statuses in the legend to see percentages in the donut chart. The chart and legend reflect only the statuses that are subject to scoring. Non-scoring statuses (for example, cases in which a recommendation is not applicable or cannot be automatically assessed) are excluded. Statuses are described in the following table:

    ValueIncluded in scoring?Description
    PassYesThe target system or component state satisfied all the conditions of any checks or rules for the recommendation.
    FailYesThe target system or component state did not satisfy at least one condition of any checks or rules for the recommendation.
    ErrorYesThe assessor checking engine encountered a system error and could not complete the test. The status of the target's compliance is not certain.
    UnknownYesThe assessor was unable to collect, interpret, or evaluate against any check or rule conditions associated with the recommendation.
    OtherNoThe Other status includes all statuses that do not fall into the categories of Pass, Fail, Error, or Unknown. For details about the statuses that are included in the Other category, see the following rows.
    ManualNoThis recommendation cannot be fully automated and requires manual evaluation. This status occurs when, in the CIS Benchmarks, a recommendation is deemed important but cannot be fully and reliably verified without a manual check by an organization. This status corresponds to the Extensible Configuration Checklist Description Format (XCCDF) term, Informational.
    Not ApplicableNoRules, checks, or both were not applicable to the target. This situation typically occurs when the benchmark and platform are mismatched.
    Not CheckedNoThe recommendation was not evaluated as there are no rule or check properties.
    Not SelectedNoThis recommendation was not part of the profile selected for the configuration assessment.
    InformationalNoThis is the same result that is displayed as Manual on the HTML report. The recommendation cannot be fully automated and requires manual evaluation.

  • The Rule scan results table lists each rule that was checked and the status of that rule from the latest scan. The table also shows the date and time of the last successful scan for each rule.

Rule results

From the Node results page, in the Node results table, click a node. Then, in the Rule scan results table, click a rule. The Rule detail page includes the following information:

  • The Scan status pane shows the total number of nodes scanned and detailed results. You can hover over the results to see percentages in the donut chart. The compliance score in the chart and legend reflects only the statuses that are subject to scoring. Non-scoring statuses (for example, cases in which a recommendation is not applicable or cannot be automatically assessed) are excluded.
  • A tabbed section displays information about each rule:

    • Fix — the steps you can take to fix the rule if it is failing on a node.
    • Description — information on what is being checked.
    • Rationale — the reason why it is important to check that rule.
  • The Node results table lists each node the rule has been checked against and shows the current status, including when the node was last checked and when it last passed that rule. The table shows the profile, the environment in which the scan took place (for example, production or test), and any exceptions that apply.
  • The Exceptions tab displays any exceptions that are relevant to the selected rule.

Exporting results

To export your results as a .csv file, select Export CSV at the top right of the Node results tab, and then choose whether to export raw data or a report summary. After exporting, you can download past reports from the Generated reports tab in the left menu.

The raw data export contains detailed scan results for each rule, including the rule's name, ID, and status, whether the rule has an exception against it, and details about the exception if applicable.

Rather than raw data, the summary export provides an exception score and an adjusted compliance score for each rule. The exception score is the latest overall compliance score for all nodes. This score accounts for any temporary compliance rule exceptions in place, and any rules with exceptions are excluded from the overall compliance score. The adjusted compliance score does not account for any temporary compliance rule exceptions, instead providing a true compliance score for all nodes.

Scan rule report

You can view a report about scan results for a single rule. The Scan report: Rule performance page lists the nodes on which the rule was run and the results.

From the Scans page, click a scan report. Ensure that the Rules tab is displayed. Locate a rule in the table and click View report.

The data includes:

  • Overall compliance status for the nodes on which the rule was run
  • The date and time when the scan was started
  • The scan status for each node, including an indication of whether exceptions apply

Scan node report

You can view a report about scan results for a single node. The Scan report: Node performance page lists the rules that were run on the node and the results.

From the Scans page, click a scan report. Ensure that the Nodes tab is displayed. In the table, locate a node and click View report.

The data includes:

  • Overall compliance status for the node
  • The date and time when the scan was started
  • The scan status for each rule, including an indication of whether exceptions apply
If you created one or more exceptions to a rule, you must then run a scan to ensure that the compliance score correctly reflects the exceptions.

Scan data retention policy

By default, no retention period is defined and Security Compliance Management retains scan data indefinitely. You can, however, enable this feature on the Config tab in the complyadm::configuration plan or in Settings > Configure your install in Security Compliance Management. We recommend that you run no more than 1 complete scan per week and retain data for no more than 14 weeks at a time. If you do plan to retain historical data for more than 14 complete scans, increase Security Compliance Management PostgreSQL capacity in the complyadm::configuration plan by approximately 3GB per additional scan.

Data retention is always enabled and set to an unlimited period. You can change this value using the complyadm::configuration plan and set the Data retention period: to one of the following:

  • (1) Unlimited
  • (2) 1 week
  • (3) 4 weeks
  • (4) 14 weeks
  • (5) 28 weeks
  • (6) 1 year
  • (7) 2 years