Run a CIS scan

Run your desired compliance scan or an ad-hoc scan on your nodes.

You can run scans on individual nodes by selecting the Scan node drop-down on the node's Node detail page, and then selecting the desired compliance or custom options if you have those set up. Then follow the scan wizard as outlined in steps 4-7 on this help page.

You can also scan all nodes by selecting the Scan all nodes drop-down on the Dashboard page, and then selecting the desired compliance or custom options if you have those set up. Then follow the scan wizard as outlined in steps 4-7 on this help page.

  1. In Comply, click Scan in the sidebar menu.
    Tip: You can also run a full scan from the Scan Reports page by clicking Run a new scan.
  2. In the Benchmark drop-down, select Desired compliance or a benchmark and profile of your choice.
    If you have not set desired compliance, see Setting desired compliance for instructions.
  3. Next, select an option from the Profile drop-down. If you want to use a custom profile for this scan, select the Use an associated custom profile? option and choose the relevant option from the Custom profile drop-down.
    For more information on custom profiles, see Custom profiles.
  4. Click Next to review the PE credentials and environment you want the scan to run on.
  5. Click Next to see the nodes selected for scanning.
    To only scan a subset of nodes, deselect any that you do not want to include.
  6. Click Scan, and then Scan again to confirm.
    You'll be taken to the Activity Feed, which lists each scan. Scans are run as a task in PE. To see the details of the job, click the job ID to be taken to PE.
    Tip: You can also run a scan by clicking the Scan nodes button at the top right corner on several pages. This option uses the nodes listed on the page you are currently viewing.
  7. In Comply, navigate to Compliance dashboard to see the results of your scans.
    See Viewing scan results for a description of the scan data.

    To find out how you can enforce and automate CIS benchmarks on your failing nodes, see Enforce CIS benchmarks.

CIS scan reports

The Scan Report page provides information on the latest CIS scan and is where you can run CIS scan reports to receive data about the compliance of your nodes.

The Scan report metrics bar at the top of the Scan Report page is divided into two sections: the Compliance scan status area and the Puppet Enterprise job status area.

The Compliance scan status area provides a brief overview of the number of nodes that have passed and failed compliance, as well as the error percentage, the rules that couldn't be evaluated across nodes, and the scan initiation date and time.

The Puppet Enterprise job status area in the Scan report metrics bar shows the number of nodes that ran the CIS scanner job successfully, the number that failed to run the scanner job, and the number of nodes that showed an error for the scanner job. A node counted as a job failure or error here was not assessed at all, so it does not appear as passing or failing in the Compliance scan status area.

Click Run a new scan to kick off a new scan of your network.

The Nodes tab gives more detailed information on how each node fared against the rules in the scan. The Rules tab provides detail on the results of individual rules across the scanned nodes.

Rules tab

The Rules table on the Rules tab lists all the rules that were assessed as part of the latest scan. The Rules table provides information on the rule's profile and the number of nodes on which the rule failed. Click the rule name in any given row to visit the Rule detail page for the selected rule.

Nodes tab

The Nodes table on the Nodes tab lists all the nodes that were part of the latest scan. The Nodes table provides information on each node's profile and the percentage of rules in compliance on each node. Click the node name in any given row to visit the Node detail page for the selected node.