Exceptions
Each Center for Internet Security (CIS) Benchmark specifies many controls, commonly known as rules. In some cases, you might find it useful to create a temporary exception to a rule and apply the exception to one node, several nodes, or all nodes.
For example, assume that your environment includes legacy nodes that are installed on an operating system that is not CIS compliant, and you plan to decommission those nodes. You create an exception that specifies the rule, the affected nodes, the expiration date, the reason for the exception, and the name of the approver. On the next scan, the rule is not applied to the specified nodes, and the compliance score accurately reflects the exception. Later, after the nodes are decommissioned, the exception expires on your specified date. If an audit occurs, a record of the exception remains available on the Exceptions page.
Create an exception
When you create an exception to a rule, you prevent the rule from being applied to one or more nodes. If you run a scan while the exception is active, the compliance score of the rule is excluded from the overall compliance score of any specified nodes.
View an exception
To view one or more exceptions, go to the Puppet Security Compliance Management navigation pane and click Exceptions.
You can filter exceptions by Active, Resolved, or Expired. For each exception, you can view the associated benchmark and profile. You can also see the rule, the number of nodes affected, and the expiration information.
When viewing exceptions, select an exception and then click View exception detail for a detailed view of the exception. Here you can find the nodes for which the exception is active. You can also edit the exception details by clicking Edit details, or resolve the exception by clicking Resolve. For more information on resolving exceptions, visit Resolve an exception.
The Exceptions page also includes the How do I create an exception? button. You can click the button for instructions on how to create an exception.
Resolve an exception
To stop using an exception before its expiration date, resolve the exception for all nodes or a subset of nodes. After an exception is resolved, the rule scan results again count towards the overall compliance score for the impacted nodes.
Delete an exception
In general, exceptions should not be deleted because an auditor might want to see a record of the exception. However, you might want to delete an exception in rare cases. For example, if you create an exception by mistake, create an exception incorrectly, or you no longer require a record of the exception, you can delete it.
- Go to the Puppet Security Compliance Management navigation pane and click Exceptions.
- Specify the exception to delete, then select View exception detail.
- Select Delete.
- Provide a reason for deletion, and an approver if applicable, then select Delete.