Exceptions

Each Center for Internet Security (CIS) Benchmark specifies many controls, commonly known as rules. In some cases, you might find it useful to create a temporary exception to a rule and apply the exception to one node, several nodes, or all nodes.

For example, assume that your environment includes legacy nodes that are installed on an operating system that is not CIS compliant, and you plan to decommission those nodes. You create an exception that specifies the rule, the affected nodes, the expiration date, the reason for the exception, and the name of the approver. On the next scan, the rule is not applied to the specified nodes, and the compliance score accurately reflects the exception. Later, after the nodes are decommissioned, the exception expires on your specified date. If an audit occurs, a record of the exception remains available on the Exceptions page.

Create an exception

When you create an exception to a rule, you prevent the rule from being applied to one or more nodes. If you run a scan while the exception is active, the compliance score of the rule is excluded from the overall compliance score of any specified nodes.

Tip: Exceptions are typically temporary with a specified expiration date and time. However, you can create an exception with no expiration date or time.
  1. Click Scans > Scan reports and select a scan to which you want to add an exception.
  2. On the Scan report page, on the Rules tab, locate the rule for which you want to create an exception. Click View report.
  3. On the Scan report: Rule performance page, next to the rule name, click View rule detail.
  4. On the Rule detail page, click Create exception and follow the exception creation workflow:
    1. Select a profile and, optionally, a custom profile. Click Next.
    2. Select one or more nodes to which the exception will apply. Click Set expiry.
    3. Optionally, set an expiration date, time, and time zone. Click Add details and review.
    4. Provide a name and reason for the exception.
    5. Optionally, for audit or tracking purposes, you can specify the name of the person who approved the exception and the associated ticket number, if applicable.
    6. Click Save exception and exit.
    Tip: Alternatively, you can create an exception by going to the Comply navigation pane, clicking Exceptions and then clicking How do I create an exception?
What to do next
Optionally, to see how the exception affects the compliance score, run a scan.

View an exception

To view one or more exceptions, go to the Puppet Comply navigation pane and click Exceptions.

For each exception, you can view the associated benchmark and profile. You can also see the rule, the number of nodes affected, and the expiration information.

The Exceptions page also includes the How do I create an exception? button. You can click the button to start creating an exception.

Delete an exception

In general, exceptions should not be deleted because an auditor might want to see a record of the exception. However, you might want to delete an exception in rare cases. For example, if you create an exception by mistake, create an exception incorrectly, or you no longer require a record of the exception, you can delete it.

CAUTION: After you delete an exception, you cannot restore it.
  1. Go to the Puppet Comply navigation pane and click Exceptions.
  2. Specify the exceptions to delete:
    • To specify one or more exceptions, select the checkboxes.
    • To specify all exceptions, select at least one checkbox and then click Select All. (Optionally, to revoke the selection, click Clear Selection.)
  3. From the Actions drop-down menu, select Delete selected.
  4. When you are prompted to confirm the choice, click Delete.