Scan results

View the results of your CIS scans and find out whether your nodes are compliant.

Scan report metrics bar

The Scan report metrics bar provides a brief overview of the number of nodes that passed and failed, as well as the error percentage, the rules that couldn't be evaluated across nodes, and the scan initiation date and time.

Compliance dashboard

The Compliance dashboard provides a breakdown of your latest CIS scan.

The dashboard has three components:

  • The Node results chart shows the percentage of rules that passed and failed across all of your nodes. These percentages are shown with the statuses of Pass, Fail, Error, and Unknown.
  • The Desired compliance status chart shows the number of nodes that have desired compliance set. Desired compliance is the default benchmark and profile that you assigned to that node.
  • The Node results table lists information about the latest scan for each node.

Node compliance

From the Compliance dashboard, click a node name to get to the Node detail page and see the results of the latest scan on that node:

  • The Scan status pane shows a status breakdown for the latest scan, including the total number of rules and the number of rules that passed, failed, reported an error, or had an unknown or other type of status. You can hover over the statuses to see percentages in the donut chart. Statuses are described in the following table:

    | Value | Included in scoring? | Description |
    |---|---|---|
    | Pass | Yes | The target system or component state satisfied all the conditions of any checks or rules for the recommendation. |
    | Fail | Yes | The target system or component state did not satisfy at least one condition of any checks or rules for the recommendation. |
    | Error | Yes | The assessor checking engine encountered a system error and could not complete the test. The status of the target's compliance is not certain. |
    | Unknown | Yes | The assessor was unable to collect, interpret, or evaluate against any check or rule conditions associated with the recommendation. |
    | Other | No | The Other status includes all statuses that do not fall into the categories of Pass, Fail, Error, or Unknown. For details about the statuses that are included in the Other category, see the following rows. |
    | Manual | No | This recommendation cannot be fully automated and requires manual evaluation. This status occurs when, in the CIS Benchmarks, a recommendation is deemed important but cannot be fully and reliably verified without a manual check by an organization. This status corresponds to the Extensible Configuration Checklist Description Format (XCCDF) term, Informational. |
    | Not Applicable | No | Rules, checks, or both were not applicable to the target. This situation typically occurs when the benchmark and platform are mismatched. |
    | Not Checked | No | The recommendation was not evaluated as there are no rule or check properties. |
    | Not Selected | No | This recommendation was not part of the profile selected for the configuration assessment. |
    | Informational | No | This is the same result that is displayed as Manual on the HTML report. The recommendation cannot be fully automated and requires manual evaluation. |
  • The Rule scan results table lists each rule that was checked and the status of that rule from the latest scan. The table also shows the date and time of the last successful scan for each rule.

Rule results

From the Compliance dashboard, in the Node results table, click a node. Then, in the Rule scan results table, click a rule. The Rule detail page includes the following information:

  • The Scan status pane shows the total number of nodes scanned and detailed results. You can hover over the results to see percentages in the donut chart.
  • A tabbed section displays information about each rule:

    • Fix — the steps you can take to fix the rule if it is failing on a node.
    • Description — information on what is being checked.
    • Rationale — the reason why it is important to check that rule.
  • The Node results table lists each node the rule has been checked against and shows the current status — when it was last checked and when it last passed that rule. The table also shows the environment in which the scan took place, for example, production or test.

Scan rule report

You can view a report about scan results for a single rule. The Scan rule report lists the nodes on which the rule was run and the results.

From the Scans page, click a scan report. Ensure that the Rules tab is displayed. Hover over a rule and click View report.

The data includes:
  • Overall compliance status for the nodes on which the rule was run
  • The date and time when the scan was started
  • The scan status for each node

Scan node report

You can view a report about scan results for a single node. The Scan node report lists the rules that were run on the node and the results.

From the Scans page, click a scan report. Ensure that the Nodes tab is displayed. Hover over a node and click View report.

The data includes:
  • Overall compliance status for the node
  • The date and time when the scan was started
  • The scan status for each rule

Scan data retention policy

By default, no retention period is defined for scan data in Comply. You can, however, enable this feature on the Config tab in Puppet Application Manager.

In the Data retention policy area, click Enable data retention policy to retain scan data for the default period of 14 weeks. To set a custom period, enter a numerical value in the Scan data retention period in weeks field; Comply retains scan data for that number of weeks.