Scan results

View the results of your CIS scans and find out whether your nodes are compliant.

Scan report metrics bar

On the Scan report metrics bar, the Compliance scan status section displays the compliance score with any applicable exceptions. The metrics bar also displays the percentage of nodes that passed, failed, or could not be evaluated, and the scan initiation date and time. The Puppet Enterprise job status section displays the status of scan jobs in Puppet Enterprise.

Compliance Dashboard

The Compliance Dashboard provides a breakdown of your latest CIS scan.

The dashboard has three components:

  • The Compliance score component displays the percentage of nodes that were compliant during the latest scan. If exceptions were defined, the exceptions are exempted from the compliance score.
  • The Scan status donut chart shows the percentage of rules that passed, failed, or reported a status of Error or Unknown across all nodes. The legend to the right shows the number of rules in each category.
  • The Node results table lists information about the latest scan for each node.

Node compliance

From the Compliance Dashboard, click a node name to navigate to the Node detail page and see the results of the latest scan on that node:

  • The Scan status pane shows a status breakdown for the latest scan, including the total number of rules and the number of rules that passed, failed, reported an error, or had an unknown status. You can hover over the statuses in the legend to see percentages in the donut chart. The chart and legend reflect only the statuses that are subject to scoring. Non-scoring statuses (for example, cases in which a recommendation is not applicable or cannot be automatically assessed) are excluded. Statuses are described in the following table:

    Value Included in scoring? Description
    Pass Yes The target system or component state satisfied all the conditions of any checks or rules for the recommendation.
    Fail Yes The target system or component state did not satisfy at least one condition of any checks or rules for the recommendation.
    Error Yes The assessor checking engine encountered a system error and could not complete the test. The status of the target's compliance is not certain.
    Unknown Yes The assessor was unable to collect, interpret, or evaluate against any check or rule conditions associated with the recommendation.
    Other No The Other status includes all statuses that do not fall into the categories of Pass, Fail, Error, or Unknown. For details about the statuses that are included in the Other category, see the following rows.
    Manual No This recommendation cannot be fully automated and requires manual evaluation. This status occurs when, in the CIS Benchmarks, a recommendation is deemed important but cannot be fully and reliably verified without a manual check by an organization. This status corresponds to the Extensible Configuration Checklist Description Format (XCCDF) term, Informational.
    Not Applicable No Rules, checks, or both were not applicable to the target. This situation typically occurs when the benchmark and platform are mismatched.
    Not Checked No The recommendation was not evaluated as there are no rule or check properties.
    Not Selected No This recommendation was not part of the profile selected for the configuration assessment.
    Informational No This is the same result that is displayed as Manual on the HTML report. The recommendation cannot be fully automated and requires manual evaluation.
  • The Rule scan results table lists each rule that was checked and the status of that rule from the latest scan. The table also shows the date and time of the last successful scan for each rule.

Rule results

From the Compliance Dashboard, in the Node results table, click a node. Then, in the Rule scan results table, click a rule. The Rule detail page includes the following information:

  • The Scan status pane shows the total number of nodes scanned and detailed results. You can hover over the results to see percentages in the donut chart. The compliance score in the chart and legend reflects only the statuses that are subject to scoring. Non-scoring statuses (for example, cases in which a recommendation is not applicable or cannot be automatically assessed) are excluded.
  • A tabbed section displays information about each rule:

    • Fix — the steps you can take to fix the rule if it is failing on a node.
    • Description — information on what is being checked.
    • Rationale — the reason why it is important to check that rule.
  • The Node results table lists each node the rule has been checked against and shows the current status, including when the node was last checked and when it last passed that rule. The table shows the profile, the environment in which the scan took place (for example, production or test), and any exceptions that apply.
  • The Exceptions tab displays any exceptions that are relevant to the selected rule.

Exporting results

To export your results as a .csv file, select Export CSV at the top right of the Node results tab, and then choose whether to export raw data or a report summary. After exporting, you can download past reports from the Generated reports tab in the left menu.

The raw data export contains detailed scan results for each rule, including the rule's name, ID, and status, whether the rule has an exception against it, and details about the exception if applicable.

Rather than raw data, the summary export provides an exception score and an adjusted compliance score for each rule. The exception score is the latest overall compliance score for all nodes. This score accounts for any temporary compliance rule exceptions in place, and any rules with exceptions are excluded from the overall compliance score. The adjusted compliance score does not account for any temporary compliance rule exceptions, instead providing a true compliance score for all nodes.

Scan rule report

You can view a report about scan results for a single rule. The Scan report: Rule performance page lists the nodes on which the rule was run and the results.

From the Scans page, click a scan report. Ensure that the Rules tab is displayed. Locate a rule in the table and click View report.

The data includes:
  • Overall compliance status for the nodes on which the rule was run
  • The date and time when the scan was started
  • The scan status for each node, including an indication of whether exceptions apply

Scan node report

You can view a report about scan results for a single node. The Scan report: Node performance page lists the rules that were run on the node and the results.

From the Scans page, click a scan report. Ensure that the Nodes tab is displayed. In the table, locate a node and click View report.

The data includes:
  • Overall compliance status for the node
  • The date and time when the scan was started
  • The scan status for each rule, including an indication of whether exceptions apply
Tip: If you created one or more exceptions to a rule, you must then run a scan to ensure that the compliance score correctly reflects the exceptions.

Scan data retention policy

By default, no retention period is defined for scan data in Comply. You can, however, enable this feature on the Config tab in Puppet Application Manager.

Click Enable data retention policy in the Data retention policy area to define a data retention period for the default period of 14 weeks. Enter a numerical value in the Scan data retention period in weeks field to define a custom period in weeks that Comply must retain scan data.