How To View Results of Compliance Scan


#1

Hello happy ManageIQ users. Here goes my first post.

Firstly, a little about me: I am a Linux Engineer, and former System Developer; I love C and Ruby; I am an avid Linux user (home, work, & play).

Okay, so I am on my ManageIQ and have requested a compliance scan. What I want to do now is to view the results of this compliance scan.

I’ve gone through Compute -> Clouds -> Providers, selected my provider, and then Policy -> Check Compliance…

I thought I would find this information in User -> Tasks in the top right. What I am specifically looking for is the page that returns the results, so I can view the compliancy information.

Looking forward to being part of this community. Cheers.


#2

@ohadlevy @martinpovolny

iirc (I might be wrong), after this runs, you should get a Compliance section in the summary page that you already have open (but you have to manually refresh the UI page)
You can also see the Policies configurations under Control->Policies and
Control->Policies profiles


#3

Thanks for the swift response, and for tagging two additional users.

I don’t see a Compliance section, nor do I on other pages. I do have a Smart Management section, however. Not sure how that is relevant?


#4

no, Smart management is a different story :slight_smile:
It contains the tags (labels) of this entity if it was being tagged and a zone.


#5

Good to know! Thanks :slight_smile: How long have you been using ManageIQ? What sort of work do you do? If you don’t mind me asking.


#6

engineering


#7

UPDATE

I did some more research, and even spoke with a Red Hat representative (I asked about differences between ManageIQ and CloudForms, and asked about general usage that is leveraged in both products).

After I request the compliance scan, as @abonas said, I should

…get a Compliance section in the summary page…

I’ve requested two additional compliance scans against my Azure provider, and one more (although I requested a separate one last week) on my GCE provider. So far, no compliance section has appeared on my provider summary pages.

Is this common?

Edit: If this is not common, has it been seen before? If so, what typically causes this issue?

Thanks for all the help. I’m impressed with ManageIQ.


#8

@agrare any idea who could help on this?


#9

Can you see if you have any entries in your “compliances” or “compliance_details” tables in vmdb?
@gtanzillo should be able (I think :smile:) with compliance questions


#10

@agrare Where can I find my VMDB info? :laughing: :confused: :thinking:


#11

Go to Configuration>Database and click on “compliances” table. In the right pane you will view number of rows for this table.
You can also connect to the db using a psql client.

After checking on mine, I can’t find compliance status on provider. But I have a compliance section on host, machines, templates, and some other items.

In logs, I can see that compliance is checked on my provider, but I can’t see result and my “compliances” table is still empty.


#12

Thanks, I now know where to find my VMDB information.

Likewise, my compliance_details and compliances tables both have 0 rows. :thinking:


#13

A friendly bump. I didn’t see anything against thread bumping, so if this is not allowed then please let me know.

I’m still not seeing any ‘Compliance’ section on the cloud provider summary screen, nor do I see any rows in the VMDB, nor can I find any log mentioning the compliance scans I requested. :thinking:


#14

cc @enoodle

There are 2 parts to the process:

  1. actually scanning an image (expensive)
    select image (or several from list) -> Configuration -> Perform SmartState Analysis
    IIRC you should see it in Tasks, except you might need to hunt around — “My Tasks” vs “All Tasks”, 24h time period…

    The built-in OpenSCAP profile, if you activate it (link below) includes a policy to initiate a scan for every image discovered.

  2. checking compliance using result of last scan (pretty fast)
    select image (or several from list) -> Policy -> Check Compliance

    This just runs whatever Compliance policies you have on whatever object(s) you selected. (note that checking compliance on provider is NOT same as checking compliance on all its images.)
    The built-in OpenSCAP profile includes example policy that marks images non-compliant if a scan result has at least some ≥High severity problems. You can copy & edit it, or invent entirely your own concept of compliance (it’s not compliant on a full moon if name contains “foo”)…

    This is what shows up as Compliance section on the image’s page (if any compliance policy run)

http://manageiq.org/docs/reference/euwe/doc-Policies_and_Profiles_Guide/miq/#openscap


#15

Also, you need libopenscap installed or some functionality will be silently missing. If you’re on fedora:

sudo dnf -y install openscap

#16

Have you created a Provider Compliance Policy and a policy profile before you check compliance?


#17

Hey @lfu. I didn’t.

I solved the issue; it turned out there were many things I didn’t do. I can’t quite recall where it was that I finally solved it, but things that I’ve learned in order to do the compliance scan successfully: 1) Policies, 2) Policy Profiles, 3) SmartState Analysis.

Somewhere in between all 3 of those subjects, I eventually figured it out.