How To View Results of Compliance Scan

naltun · October 16, 2017, 7:15pm

Hello happy ManageIQ users. Here goes my first post.

Firstly, a little about me: I am a Linux Engineer, and former System Developer; I love C and Ruby; I am an avid Linux user (home, work, & play).

Okay, so I am on my ManageIQ and have requested a compliance scan. What I want to do now is to view the results of this compliance scan.

I’ve gone through Compute -> Clouds -> Providers, selected my provider, and then Policy -> Check Compliance…

I thought I would find this information in User -> Tasks in the top right. What I am specifically looking for is the page that returns the results, so I can view the compliancy information.

Looking forward to being part of this community. Cheers.

abonas · October 17, 2017, 12:41pm

@ohadlevy @martinpovolny

iirc (I might be wrong), after this runs, you should get a Compliance section in the summary page that you already have open (but you have to manually refresh the UI page)
You can also see the Policies configurations under Control->Policies and
Control->Policies profiles

naltun · October 17, 2017, 12:53pm

Thanks for the swift response, and for tagging two additional users.

I don’t see a Compliance section, nor do I on other pages. I do have a Smart Management section, however. Not sure how that is relevant?

abonas · October 17, 2017, 1:00pm

no, Smart management is a different story
It contains the tags (labels) of this entity if it was being tagged and a zone.

naltun · October 17, 2017, 1:02pm

Good to know! Thanks How long have you been using ManageIQ? What sort of work do you do? If you don’t mind me asking.

abonas · October 17, 2017, 1:04pm

engineering

naltun · October 17, 2017, 5:52pm

UPDATE

I did some more research, and even spoke with a Red Hat representative (I asked about differences between ManageIQ and CloudForms, and asked about general usage that is leveraged in both products).

After I request the compliance scan, as @abonas said, I should

…get a Compliance section in the summary page…

I’ve requested two additional compliance scans against my Azure provider, and one more (although I requested a separate one last week) on my GCE provider. So far, no compliance section has appeared on my provider summary pages.

Is this common?

Edit: If this is not common, has it been seen before? If so, what typically causes this issue?

Thanks for all the help. I’m impressed with ManageIQ.

abonas · October 17, 2017, 6:50pm

@agrare any idea who could help on this?

agrare · October 17, 2017, 7:14pm

Can you see if you have any entries in your “compliances” or “compliance_details” tables in vmdb?
@gtanzillo should be able (I think ) with compliance questions

naltun · October 17, 2017, 7:20pm

@agrare Where can I find my VMDB info?

LorkScorguar · October 18, 2017, 7:27am

Go to Configuration>Database and click on “compliances” table. In the right pane you will view number of rows for this table.
You can also connect to the db using a psql client.

After checking on mine, I can’t find compliance status on provider. But I have a compliance section on host, machines, templates, and some other items.

In logs, I can see that compliance is checked on my provider, but I can’t see result and my “compliances” table is still empty.

naltun · October 18, 2017, 2:15pm

Thanks, I now know where to find my VMDB information.

Likewise, my compliance_details and compliances tables both have 0 rows.

naltun · October 19, 2017, 1:28pm

A friendly bump. I didn’t see anything against thread bumping, so if this is not allowed then please let me know.

I’m still not seeing any ‘Compliance’ section on the cloud provider summary screen, nor do I see any rows in the VMDB, nor can I find any log mentioning the compliance scans I requested.

cben · October 22, 2017, 10:15pm

cc @enoodle

There are 2 parts to the process:

actually scanning an image (expensive)
select image (or several from list) -> Configuration -> Perform SmartState Analysis
IIRC you should see it in Tasks, except you might need to hunt around — “My Tasks” vs “All Tasks”, 24h time period…

The built-in OpenSCAP profile, if you activate it (link below) includes a policy to initiate a scan for every image discovered.
checking compliance using result of last scan (pretty fast)
select image (or several from list) -> Policy -> Check Compliance

This just runs whatever Compliance policies you have on whatever object(s) you selected. (note that checking compliance on provider is NOT same as checking compliance on all its images.)
The built-in OpenSCAP profile includes example policy that marks images non-compliant if a scan result has at least some ≥High severity problems. You can copy & edit it, or invent entirely your own concept of compliance (it’s not compliant on a full moon if name contains “foo”)…

This is what shows up as Compliance section on the image’s page (if any compliance policy run)

http://manageiq.org/docs/reference/euwe/doc-Policies_and_Profiles_Guide/miq/#openscap

cben · October 22, 2017, 10:26pm

Also, you need libopenscap installed or some functionality will be silently missing. If you’re on fedora:

sudo dnf -y install openscap

lfu · October 24, 2017, 5:17pm

Have you created a Provider Compliance Policy and a policy profile before you check compliance?

naltun · October 30, 2017, 6:14pm

Hey @lfu. I didn’t.

I solved the issue; it turned out there were many things I didn’t do. I can’t quite recall where it was that I finally solved it, but things that I’ve learned in order to do the compliance scan successfully: 1) Policies, 2) Policy Profiles, 3) SmartState Analysis.

Somewhere in between all 3 of those subjects, I eventually figured it out.