Scan results

View the results of your CIS scans and find out whether your nodes are compliant.

Scan report metrics bar

The Scan report metrics bar provides a brief overview of the number of nodes that have passed and failed, as well the error percentage, the rules that couldn't be evaluated across nodes, and the scan initiation date and time.

Compliance dashboard

The Compliance dashboard provides a breakdown of your latest CIS scan.

It has three components:

  • The Node results chart shows the percentage of rules that passed and failed across all of your nodes. These percentages are shown with the statuses of Pass, Fail, Error, and Unknown.
  • The Desired compliance chart shows the number of nodes that have desired compliance set. Desired compliance is the default benchmark and profile that you have assigned to that node.
  • The Node results table lists information about the latest scan for each node.

Node compliance

From the Compliance dashboard, click a node name to get to the Node compliance page, and see the results of the latest scan on that node. The data includes:

  • The Rules checked chart shows a status breakdown for the latest scan on that node — the rules that passed, failed, had an error, or an unknown status. The percentage displayed in the Rules checked pie chart is an aggregate of these four statuses.

    Other statuses that are not included in scoring are included in the table below:

    Value Included in Scoring? Description
    Pass Yes The target system or component state satisfied all the conditions of the check(s)/rule(s) for the recommendation.
    Fail Yes The target system or component state did not satisfy at least one condition of the check(s)/rule(s) for the recommendation.
    Error Yes The assessor checking engine encountered a system error and could not complete the test. The status of the target's compliance is not certain.
    Unknown Yes Assessor was unable to collect, interpret, or evaluate against the check/rule conditions associated with the recommendation.
    Manual No This recommendation cannot be fully automated and requires manual evaluation. On CIS Benchmarks, a recommendation is deemed important during the consensus process but cannot be fully and reliably verified without organizational manual verification. Corresponds to xccdf terminology of "Informational".
    Not Applicable No The rule(s)/check(s) were not applicable to the target. This typically occurs when the wrong benchmark is selected for the platform i.e.: platform mismatch.
    Not Checked No The recommendation was not evaluated as there are no rule/check properties.
    Not Selected No This recommendation was not part of the profile selected for the configuration assessment.
    Informational No This is the same result that is displayed as Manual on the HTML report. The recommendation cannot be fully automated and requires manual evaluation.
  • The Rule scan results table lists each rule that was checked and the status of that rule from the latest scan.

Rule results

From Node compliance, click a rule title on the Rule results page, and see the details of that rule and the status of the nodes it is checked on. The data includes:

  • A tabbed section that displays information about each rule:

    • Description — information on what is being checked.
    • Rationale — the reason why it is important to check that rule.
    • Fix — the steps you can take to fix the rule if it is failing on a node.
  • The Node results chart shows the nodes that this rule is checked on, and which nodes passed or failed the rule.

  • The Node compliance result table lists each node the rule has been checked against and shows the current status — when it was last checked and when it last passed that rule.

Scan data retention policy

By default, no retention period is defined for scan data in Comply. You can, however, enable this feature on the Config tab in Puppet Application Manager.

Click Enable data retention policy in the Data retention policy area to define a data retention period for the default period of 14 weeks. Enter a figure in the Scan data retention period in weeks field to define a custom period in weeks that Comply must retain scan data.