Exceptions

Each Center for Internet Security (CIS) Benchmark specifies many controls, commonly known as rules. In some cases, you might find it useful to create a temporary exception to a rule and apply the exception to one node, several nodes, or all nodes.

For example, assume that your environment includes legacy nodes that are installed on an operating system that is not CIS compliant, and you plan to decommission those nodes. You create an exception that specifies the rule, the affected nodes, the expiration date, the reason for the exception, and the name of the approver. On the next scan, the rule is not applied to the specified nodes, and the compliance score accurately reflects the exception. Later, after the nodes are decommissioned, the exception expires on your specified date. If an audit occurs, a record of the exception remains available on the Exceptions page.

Create an exception

When you create an exception to a rule, you prevent the rule from being applied to one or more nodes. If you run a scan while the exception is active, the compliance score of the rule is excluded from the overall compliance score of any specified nodes.

Tip: Exceptions are typically temporary with a specified expiration date and time. However, you can create an exception with no expiration date or time.
  1. Click Scans > Scan reports and select a scan to which you want to add an exception.
  2. On the Scan report page, on the Rules tab, locate the rule for which you want to create an exception. Click View report.
  3. On the Scan report: Rule performance page, next to the rule name, click View rule detail.
  4. On the Rule detail page, click Create exception and follow the exception creation workflow:
    1. Select a profile and, optionally, a custom profile. Click Next.
    2. Select one or more nodes to which the exception will apply. Click Set expiry.
    3. Optionally, set an expiration date, time, and time zone. Click Add details and review.
    4. Provide a name and reason for the exception.
    5. Optionally, for audit or tracking purposes, you can specify the name of the person who approved the exception and the associated ticket number, if applicable.
    6. Click Save exception and exit.
    Tip: Alternatively, you can create an exception by going to the Security Compliance Management navigation pane, clicking Exceptions and then clicking How do I create an exception?
What to do next
Optionally, to see how the exception affects the compliance score, run a scan.

View an exception

To view one or more exceptions, go to the Puppet Security Compliance Management navigation pane and click Exceptions.

You can filter exceptions by Active, Resolved, or Expired. For each exception, you can view the associated benchmark and profile. You can also see the rule, the number of nodes affected, and the expiration information.

When viewing exceptions, select an exception and then click View exception detail for a detailed view of the exception. Here you can find the nodes for which the exception is active. You can also edit the exception details by clicking Edit details, or resolve the exception by clicking Resolve. For more information on resolving exceptions, visit Resolve an exception.

The Exceptions page also includes the How do I create an exception? button. You can click the button for instructions on how to create an exception.

Resolve an exception

To stop using an exception before its expiration date, resolve the exception for all nodes or a subset of nodes. After an exception is resolved, the rule scan results again count towards the overall compliance score for the impacted nodes.

  1. Go to the Puppet Security Compliance Management navigation pane and click Exceptions.
  2. Specify the exception to resolve, and then click View exception detail.
  3. To resolve the exception for all nodes, click Resolve.
    • Provide a reason for resolution, and an approver if applicable, and then click Submit.
  4. To resolve the exception for only some nodes, select the checkboxes for the nodes on which you would like to resolve the exception, and then select Resolve selected from the Actions dropdown menu.
    • Provide a reason for resolution, and an approver if applicable, and then select Submit.

Delete an exception

In general, exceptions should not be deleted because an auditor might want to see a record of the exception. However, you might want to delete an exception in rare cases. For example, if you create an exception by mistake, create an exception incorrectly, or you no longer require a record of the exception, you can delete it.

CAUTION: After you delete an exception, you cannot restore it.
  1. Go to the Puppet Security Compliance Management navigation pane and click Exceptions.
  2. Specify the exception to delete, then select View exception detail.
  3. Select Delete.
  4. Provide a reason for deletion, and an approver if applicable, then select Delete.