Compliance Scanning
Overview
Compliance scanning evaluates your servers against CIS (Center for Internet Security) benchmarks. The platform uses OpenSCAP to perform automated security compliance checks on each host over SSH, so the SSH user needs sudo rights on the host (see Troubleshooting).
Navigation
Menu: Infrastructure > Compliance
Understanding CIS Benchmarks
CIS Benchmarks are configuration guidelines for securing operating systems. Each benchmark contains hundreds of rules organized into sections:
- Initial Setup - Filesystem, software updates
- Services - Disable unnecessary services
- Network Configuration - Firewall, kernel parameters
- Logging and Auditing - Audit rules, log management
- Access Control - SSH, PAM, sudo configuration
- System Maintenance - File permissions, user accounts
Compliance Levels
- Level 1 - Basic security hardening that every system should apply, with minimal impact on functionality
- Level 2 - Enhanced security for high-security environments; includes all Level 1 rules and adds ones that may affect some functionality
Page Layout
Statistics Cards
The top of the page displays four summary cards:
| Card | Description |
|---|---|
| Total Scans | Number of scans for selected host |
| Latest Score | Compliance percentage from most recent completed scan |
| Passed Rules | Number of passed rules in latest scan |
| Failed Rules | Number of failed rules in latest scan (red color) |
Compliance Trends Chart
Below the statistics, a line chart shows compliance score trends over time (last 30 days). The chart title includes the profile name.
Toolbar
| Control | Description |
|---|---|
| Host Selector | Dropdown to select which host’s scans to view |
| Status Filter | Filter scans by status (All, Completed, Running, Pending, Failed) |
| Search | Search by Scan ID |
| New Scan | Create a new compliance scan |
| Refresh | Reload scan list |
| Export CSV | Export scan list to CSV file |
| Export JSON | Export scan list to JSON file |
Scan List Table
| Column | Description |
|---|---|
| Scan ID | First 8 characters of scan UUID |
| Status | Scan status with color indicator |
| Score | Compliance percentage (color-coded: green >=80%, yellow >=60%, red <60%) |
| Passed | Number of passed rules |
| Failed | Number of failed rules |
| Duration | Scan duration in seconds |
| Created | Scan creation timestamp |
| Actions | View Results and Download Report buttons (for completed scans) |
Running a Scan
Single Host Scan
- Select a host from the Host Selector dropdown
- Click New Scan button
- In the modal:
- Host: Pre-filled with selected host, can change
- SCAP Profile: Select profile matching host OS (profiles filtered by detected OS)
- Click Create Scan
Bulk Scan
- Go to Hosts page
- Select multiple hosts using checkboxes
- Click Bulk Scan (N) button
- Select a SCAP profile from the dropdown
- Click Start Scans
A progress bar shows scan creation progress (one scan is created per selected host); the scans then run as jobs and appear in each host's scan list.
SCAP Profiles
Available profiles depend on the detected OS of the host:
| OS | Available Profiles |
|---|---|
| Ubuntu 20.04 | CIS Level 1 Server, CIS Level 2 Server |
| Ubuntu 22.04 | CIS Level 1 Server, CIS Level 2 Server |
| Ubuntu 24.04 | CIS Level 1 Server, CIS Level 2 Server |
| Debian 11 | CIS Level 1 Server, CIS Level 2 Server |
| Debian 12 | CIS Level 1 Server, CIS Level 2 Server |
| RHEL 8/9 | CIS Level 1 Server, CIS Level 2 Server |
| AlmaLinux 8/9 | CIS Level 1 Server, CIS Level 2 Server |
| Rocky Linux 8/9 | CIS Level 1 Server, CIS Level 2 Server |
| Oracle Linux 8/9 | CIS Level 1 Server, CIS Level 2 Server |
| Amazon Linux 2 | CIS Level 1 Server, CIS Level 2 Server |
Scan Status
| Status | Color | Description |
|---|---|---|
| Pending | Gray | Scan is queued |
| Running | Blue (processing) | Scan is in progress |
| Completed | Green | Scan finished successfully |
| Failed | Red | Scan encountered an error |
Auto-Refresh
When there are running or pending scans, the page automatically refreshes every 10 seconds to show updated status.
Viewing Results
Results Modal
Click the Results button on a completed scan to open the results modal:
Toolbar
- Filter by Result: Dropdown to filter by pass/fail/error/notapplicable
- Total Rules: Shows total number of rules checked
- Failed Rules Count: Red tag showing failed rules count
- Export CSV: Export results to CSV
- Export JSON: Export results to JSON
Results Table
| Column | Description |
|---|---|
| Rule ID | Unique identifier for the CIS rule |
| Rule Title | Description of the rule |
| Severity | High (red), Medium (orange), Low (blue) |
| Result | Pass (green), Fail (red), Error (yellow), Not Applicable (gray), Not Checked (blue) |
| AI Help | Explain button (if LLM is configured) |
Expandable Row Details
Click the expand icon to view:
- Description: Detailed explanation of the rule
- Rationale: Why this rule is important for security
- Remediation: Commands or steps to fix the issue
- Explain with AI button (if LLM is configured)
Quick Fix Feature
The Quick Fix feature allows you to remediate failed rules from the Results modal:
- Select failed rules using checkboxes (only failed rules can be selected)
- Click Quick Fix (N) button (shows count of selected rules)
- Confirm the action in the popup
- A hardening job is created to fix the selected rules
The hardening job changes the configuration of the target host. Read each selected rule's Remediation text first, remember that Level 2 rules may affect functionality, and try the fix on a non-production host before applying it fleet-wide. Re-scan afterwards to confirm the rules now pass.
AI Explanation
If LLM is configured (see AI Settings), you can get AI-powered explanations:
- Click the Explain button in the AI Help column, or
- Expand a rule and click Explain with AI button
- A modal opens showing:
- Rule ID, Severity, and Result tags
- Rule title
- AI-generated explanation in markdown format
The explanation comes from the configured LLM and can be wrong or outdated; check it against the rule's Description, Rationale and Remediation in the expanded row, which come from the SCAP content itself.
Understanding Results
Pass
The system configuration meets the CIS requirement.
Fail
The system configuration does not meet the CIS requirement. Review the rule and consider applying hardening.
Error
The check could not be completed, so the rule's state is unknown. An error is not a pass: investigate it before the next scan. Common causes:
- Missing required package
- Permission issues (for example, a check that needs root to read its target file or setting)
- Unsupported configuration
Not Applicable
The rule does not apply to this system. For example:
- IPv6 rules when IPv6 is disabled
- GUI rules on server without desktop
Not Checked
The rule was not evaluated (skipped). In OpenSCAP terms this usually means the rule has no automated check and needs manual review, or its check type is not supported by the scanner.
Reports
Viewing Reports
- Find the completed scan
- Click Report button
- Report opens in new browser tab (HTML format)
Report Contents
- Executive summary
- Compliance score
- Detailed findings
- Rule descriptions
- Remediation guidance
Exporting Data
Scan List Export
- Click Export CSV or Export JSON in toolbar
- Downloads the scans currently shown in the list (after the host selector, status filter and search have been applied)
Results Export
- Open Results modal
- Click CSV or JSON button
- Downloads all rule results for that scan
Compliance Trends
The Compliance page shows a trends chart:
- Line graph of compliance scores over last 30 days
- Profile name displayed in chart title
- Helps track improvement over time
The Dashboard also shows compliance trends across all hosts.
Best Practices
Regular Scanning
- Schedule weekly compliance scans (see Schedules page)
- Compare results over time using trends chart
- Track improvement after hardening
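The trends chart shows the score curve, but a weekly cadence also raises two questions the chart does not answer on its own: did any scan make the score worse, and has a host quietly stopped being scanned? The following Python example is added here and is not part of the platform. It assumes the scan-list JSON export is a list of objects whose keys mirror the Scan List Table columns (scan_id, status, score, passed, failed, duration, created) with an ISO-8601 UTC timestamp in created; the real export's key names may differ, and the sample data is constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of a scan-list JSON export for one host; not real data.
# The key names are an assumption based on the Scan List Table columns.
SAMPLE_SCANS = json.dumps([
    {"scan_id": "3f9a1c2e", "status": "Completed", "score": 62.5, "passed": 125,
     "failed": 75, "duration": 41, "created": "2024-05-01T02:00:00Z"},
    {"scan_id": "8b04d7aa", "status": "Completed", "score": 71.0, "passed": 142,
     "failed": 58, "duration": 39, "created": "2024-05-08T02:00:00Z"},
    {"scan_id": "c11e9f30", "status": "Failed", "score": None, "passed": 0,
     "failed": 0, "duration": 3, "created": "2024-05-15T02:00:00Z"},
    {"scan_id": "d7e2b5f1", "status": "Completed", "score": 66.5, "passed": 133,
     "failed": 67, "duration": 40, "created": "2024-05-16T02:00:00Z"},
    {"scan_id": "e00a41bc", "status": "Completed", "score": 84.0, "passed": 168,
     "failed": 32, "duration": 38, "created": "2024-05-22T02:00:00Z"},
])


def parse_ts(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def completed_scans(text, now, window_days=30):
    """Completed scans inside the window, oldest first. Failed, Running and
    Pending scans carry no score and are skipped rather than counted as zero."""
    cutoff = now - timedelta(days=window_days)
    scans = [s for s in json.loads(text)
             if s["status"] == "Completed" and parse_ts(s["created"]) >= cutoff]
    return sorted(scans, key=lambda s: parse_ts(s["created"]))


def score_regressions(scans, min_drop=1.0):
    """Pairs of consecutive completed scans where the score fell by >= min_drop points."""
    drops = []
    for prev, cur in zip(scans, scans[1:]):
        drop = prev["score"] - cur["score"]
        if drop >= min_drop:
            drops.append((prev["scan_id"], cur["scan_id"], round(drop, 1)))
    return drops


def report(text, now_iso, window_days=30, max_age_days=7):
    """Summarise the window: how many completed scans, any score drops, whether
    the host missed its weekly scan, and the net change over the window."""
    now = parse_ts(now_iso)
    scans = completed_scans(text, now, window_days)
    stale = not scans or now - parse_ts(scans[-1]["created"]) > timedelta(days=max_age_days)
    net = round(scans[-1]["score"] - scans[0]["score"], 1) if len(scans) > 1 else 0.0
    return {
        "completed": len(scans),
        "regressions": score_regressions(scans),
        "stale": stale,
        "net_change": net,
    }


if __name__ == "__main__":
    summary = report(SAMPLE_SCANS, "2024-05-25T00:00:00Z")
    print(f"{summary['completed']} completed scans, net change {summary['net_change']:+.1f} points")
    for prev_id, cur_id, drop in summary["regressions"]:
        print(f"  score dropped {drop} points between {prev_id} and {cur_id}: diff the results")
    if summary["stale"]:
        print("  no completed scan in the last 7 days: check Schedules and Jobs")
```

Two design choices matter here: Failed scans are skipped rather than treated as a zero score, so a transient SSH outage does not show up as a hardening regression, and staleness is judged against the scanning cadence (7 days) rather than the 30-day chart window, because a host can still have points on the chart after its schedule has silently stopped.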
Profile Selection
- Start with Level 1 for basic security
- Use Level 2 for high-security environments
- Match profile to server role
Result Analysis
- Focus on high-severity failures first
- Use Quick Fix to remediate selected rules
- Use AI explanation to understand complex rules
- Group similar failures for batch remediation
- Document exceptions for business-justified deviations
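To work through a Results export the way the list above describes (High severity first, related failures batched for one hardening job, errors kept separate from failures), here is an added Python example; it is not part of the platform and does not describe its export format. It assumes the Results CSV export uses the column names shown in the Results Table (Rule ID, Rule Title, Severity, Result), applies the colour bands from the Scan List Table (green >= 80, yellow >= 60, red < 60), and uses an assumed score formula of passed / (passed + failed); the sample CSV and its SSG-style rule IDs are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Results CSV export; the rule IDs follow the
# OpenSCAP/SSG naming pattern but are illustrative, not from a real scan.
SAMPLE_CSV = """Rule ID,Rule Title,Severity,Result
xccdf_org.ssgproject.content_rule_sshd_disable_root_login,Disable SSH Root Login,High,Fail
xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout,Set SSH Idle Timeout Interval,Medium,Fail
xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers,Use Only Strong Ciphers,Medium,Pass
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward,Disable Kernel Parameter for IP Forwarding,Medium,Fail
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra,Disable Accepting Router Advertisements,Medium,Not Applicable
xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex,Record Attempts to Alter Time,Low,Fail
xccdf_org.ssgproject.content_rule_package_aide_installed,Install AIDE,High,Pass
xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow,Verify Permissions on /etc/shadow,High,Error
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_results(text):
    """Parse the CSV export; results are normalised to the filter values
    (pass, fail, error, notapplicable, notchecked) regardless of UI casing."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": row["Rule ID"].strip(),
            "title": row["Rule Title"].strip(),
            "severity": row["Severity"].strip().lower(),
            "result": row["Result"].strip().lower().replace(" ", ""),
        })
    return rows


def compliance_score(rows):
    """Assumed formula: pass / (pass + fail) as a percentage. error,
    notapplicable and notchecked are left out of the denominator so an
    unfinished check is never silently scored as a pass."""
    passed = sum(1 for r in rows if r["result"] == "pass")
    failed = sum(1 for r in rows if r["result"] == "fail")
    if passed + failed == 0:
        return 0.0
    return round(100.0 * passed / (passed + failed), 1)


def score_band(score):
    """Colour bands from the Scan List Table: green >=80, yellow >=60, red <60."""
    if score >= 80:
        return "green"
    if score >= 60:
        return "yellow"
    return "red"


def failed_by_severity(rows):
    """Failed rules ordered High, Medium, Low; fix the High ones first."""
    failed = [r for r in rows if r["result"] == "fail"]
    return sorted(failed, key=lambda r: (SEVERITY_ORDER.get(r["severity"], 99), r["id"]))


def group_failures(rows):
    """Group failed rules by the component named in the rule ID (sshd, sysctl,
    audit, ...) so related fixes can be batched into one Quick Fix selection."""
    groups = defaultdict(list)
    for r in rows:
        if r["result"] != "fail":
            continue
        stem = r["id"].rsplit("content_rule_", 1)[-1].split("_", 1)[0]
        groups[stem].append(r["id"])
    return dict(groups)


def errored_rules(rows):
    """error means the check did not run: investigate, do not remediate blindly."""
    return [r["id"] for r in rows if r["result"] == "error"]


if __name__ == "__main__":
    rows = parse_results(SAMPLE_CSV)
    score = compliance_score(rows)
    print(f"score {score}% ({score_band(score)})")
    for r in failed_by_severity(rows):
        print(f"  FAIL [{r['severity']:>6}] {r['id']}")
    for stem, ids in group_failures(rows).items():
        print(f"  batch '{stem}': {len(ids)} rule(s)")
    for rule_id in errored_rules(rows):
        print(f"  ERROR (check did not run): {rule_id}")
```

Grouping by the component stem is a heuristic for the OpenSCAP/SSG naming pattern; if the platform's Rule IDs are CIS section numbers instead, group on the leading section number (for example the "5.2" in "5.2.4") to get the same effect.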
Troubleshooting
Scan Stuck in Pending
- Check worker service is running
- Verify Redis connection
- Check worker logs for errors
- Check Jobs page for detailed status
Scan Failed
- Check SSH connectivity to host (use Check action on Hosts page)
- Verify sudo permissions for the SSH user; many checks (permissions on /etc/shadow, audit rules, sysctl settings) need root to read their targets and report an error without it
- Check available disk space
- Review error message in Jobs page
Low Compliance Score
- Review failed rules in Results modal
- Filter by severity (High first)
- Use Quick Fix to auto-remediate
- Re-scan after hardening to measure improvement
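A higher score after re-scanning does not by itself show that Quick Fix did what was selected: a fix can be offset by a new failure elsewhere, or a rule can move from fail to error and drop out of the score. The following Python example, added here and not part of the platform, diffs two Results exports of the same host and profile rule by rule. It assumes the Results CSV export has the Rule ID and Result columns shown in the Results Table and uses the same assumed score formula, passed / (passed + failed); both exports are constructed (one scan before Quick Fix, one after).

```python
import csv
import io

# Constructed exports for one host and profile: a scan before Quick Fix and the
# rescan after it. Rule IDs follow the OpenSCAP/SSG pattern but are illustrative.
BEFORE_CSV = """Rule ID,Rule Title,Severity,Result
xccdf_org.ssgproject.content_rule_sshd_disable_root_login,Disable SSH Root Login,High,Fail
xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout,Set SSH Idle Timeout Interval,Medium,Fail
xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers,Use Only Strong Ciphers,Medium,Pass
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward,Disable Kernel Parameter for IP Forwarding,Medium,Fail
xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex,Record Attempts to Alter Time,Low,Fail
xccdf_org.ssgproject.content_rule_package_aide_installed,Install AIDE,High,Pass
xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow,Verify Permissions on /etc/shadow,High,Pass
"""

AFTER_CSV = """Rule ID,Rule Title,Severity,Result
xccdf_org.ssgproject.content_rule_sshd_disable_root_login,Disable SSH Root Login,High,Pass
xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout,Set SSH Idle Timeout Interval,Medium,Pass
xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers,Use Only Strong Ciphers,Medium,Error
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward,Disable Kernel Parameter for IP Forwarding,Medium,Fail
xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex,Record Attempts to Alter Time,Low,Fail
xccdf_org.ssgproject.content_rule_package_aide_installed,Install AIDE,High,Pass
xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow,Verify Permissions on /etc/shadow,High,Fail
"""


def results_by_rule(text):
    """Map Rule ID -> normalised result (pass, fail, error, notapplicable, notchecked)."""
    return {
        row["Rule ID"].strip(): row["Result"].strip().lower().replace(" ", "")
        for row in csv.DictReader(io.StringIO(text))
    }


def diff_results(before, after):
    """Classify every rule present in either scan by its before -> after transition.

    fixed:         fail -> pass   (the hardening job did its work)
    regressed:     pass -> fail   (a fix had side effects, or drift since the last scan)
    still_failing: fail -> fail   (not selected for Quick Fix, or the fix did not stick)
    other:         any other change, e.g. pass -> error or a rule present in only
                   one scan; listed so it is not silently read as an improvement
    """
    out = {"fixed": [], "regressed": [], "still_failing": [], "other": []}
    for rule in sorted(set(before) | set(after)):
        b = before.get(rule, "missing")
        a = after.get(rule, "missing")
        if b == "fail" and a == "pass":
            out["fixed"].append(rule)
        elif b == "pass" and a == "fail":
            out["regressed"].append(rule)
        elif b == "fail" and a == "fail":
            out["still_failing"].append(rule)
        elif b != a:
            out["other"].append((rule, b, a))
    return out


def score_delta(before, after):
    """Change in pass / (pass + fail) percentage between the scans (assumed formula)."""
    def pct(results):
        p = sum(1 for r in results.values() if r == "pass")
        f = sum(1 for r in results.values() if r == "fail")
        return 100.0 * p / (p + f) if p + f else 0.0
    return round(pct(after) - pct(before), 1)


if __name__ == "__main__":
    before = results_by_rule(BEFORE_CSV)
    after = results_by_rule(AFTER_CSV)
    diff = diff_results(before, after)
    print(f"score change: {score_delta(before, after):+.1f} points")
    for label in ("fixed", "regressed", "still_failing"):
        for rule in diff[label]:
            print(f"  {label:>13}: {rule}")
    for rule, b, a in diff["other"]:
        print(f"  {'other':>13}: {rule} ({b} -> {a})")
```

In the constructed data the score rises by about seven points, yet a High-severity rule (permissions on /etc/shadow) has regressed and a cipher check has gone from pass to error; only the rule-level diff surfaces both. Compare exports from the same profile only: switching between Level 1 and Level 2 changes the rule set, and those rules will show up under other as present in only one scan.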
No Profiles Available
- Ensure host OS is detected (check Hosts page)
- Use Detect OS action on the host
- Verify the OS version is supported
Related Pages
- Hosts - Manage servers and run bulk scans
- Jobs - View scan job progress and errors
- Hardening - Apply security fixes
- Schedules - Schedule recurring scans
- AI Assistant - Configure AI for rule explanations