Node Scan Results

The term 'node' in Cloudhouse Guardian (Guardian) is used to represent any scannable object in your environment. Anything with an IP address or a single cloud entity can be added to your environment as a node. For more information on the list of supported devices, see Supported Devices. All nodes in your Guardian instance should be configured for regular scanning in order to maximize the potential for configuration differencing and troubleshooting. For more information on the various methods available for scanning your nodes, see Scan Nodes. The following topic describes the output that is generated each time a node is scanned and how to configure the data to access the information you require.

A node scan is a snapshot of a node at a certain point in time. On the node scan results page, a list of all the node's configuration items is displayed, divided into sections. These sections are built-in and cannot be modified, and they vary between node types. Examples of common sections include Roles, Users, and ServiceKeys. A configuration item is a single piece of configuration on a node. This could be a file, a registry setting, a software package version, or any other combination of defining criteria.

Tip: Configuration items are different for each node type. They are defined according to the Scan Options for the node’s assigned node groups.

Each configuration item has any number of attributes. For example, a file configuration item may have attributes for:

  • Access permissions

  • Checksum

  • File contents

  • Last modified time

  • Owner information

Tip: Checks for specific attributes can be defined within a policy and run against a node group to uphold a desired configuration state. See Attribute Checks for more information.

On the node scan results page, you can customize this data to output information related to policy compliance, scheduled jobs, other node scans, and more. For more information, see below.

To access the results of a node scan, complete the following steps:

  1. In the Guardian web application, navigate to the Monitored tab (Inventory > Monitored).

  2. In the Node Groups drop-down menu, select the node that you want to access from the 'All Nodes' node group.

By default, the results of the most recent scan are displayed. However, the Scans drop-down menu contains a list of all the scans that have occurred on the selected node. To access the scan results for a different date or time, select a scan from the drop-down list. With the correct scan selected, you can view and customize the scan results to access the data required. See below for more information.

Note: Additionally, the Edit and Scan buttons are displayed here. For more information on either process, see Edit Node and Scan Nodes.

Policy Compliance

Policies are a series of checks that you can apply to a node during scanning to detect and uphold a desired state. The Policy Compliance drop-down menu divides the node configuration data into the following categories:

  • Passed (Green) – Configuration items with a policy check assigned that passed during the selected scan.

  • Failed (Red) – Configuration items with a policy check assigned that failed during the selected scan.

  • Unmanaged (Light Gray) – Configuration items with no policy check assigned. These are more commonly known as unmanaged nodes.

Tip: A configuration item is a single piece of configuration on a node, such as a file or service. Depending on the node type and scan options defined within the associated node group(s), the configuration items displayed will vary.

Each configuration item is represented by a square, colored according to its category as described above. To view more information about a policy check, select one of the green or red configuration items to display the checks that were run, whether they were successful, and the policy that is applied. Once selected, a side panel is displayed with the name of the configuration item, including each attribute within that configuration setting. In the example below, we can see the successful result of the 'CIS AWS IAM [latest]' policy check on the 'Administrator' Users configuration item. For more information on policies, see Policies.

Compare To

When viewing a node's scan results, Guardian offers several options for rich configuration differencing between scans of the same node, scans of the current node in comparison to a different node, as well as the ability to compare the scan results of multiple node groups. This is all achieved via the Compare To drop-down menu, with the results being compiled into a difference report. For more information on the different options available for configuration differencing in Guardian, see Configuration Differencing.

Display

You can filter the results of the node scan according to the categories outlined in the Policy Compliance section, with the addition of the following category:

  • Ignored Items – Configuration items that have been configured to be ignored within the node's scans and drift reports. For more information on how to configure your ignore list, see Node Scan Ignore Lists.

Switch the toggle on or off to filter the results of your node scans.

Policies

As described in the Policy Compliance section, policies are assigned to node groups to uphold a desired state of configuration. In the Policies drop-down menu, you can filter the Failed, Passed, and Unmanaged policies by selecting the corresponding toggle. In addition, each of the policies that is currently active and assigned to the selected nodes is displayed here. To access more information about a policy, select it from the list to view the Policy Details page. See Policies for more information.

Node Groups

The Node Groups drop-down menu displays all of the node groups that the selected node belongs to, including how many nodes are present within each group. In the example below, the 'IAM Account' node belongs to the 'All Nodes' node group and the 'AWS IAM Account' node group. However, a node can belong to as many node groups as required. For more information, see Node Groups.

Recent Jobs

The Recent Jobs drop-down menu displays the most recent scans that have occurred on the node. Each scan is assigned one of the following statuses, depending on its result:

  • Success – The node was scanned successfully with no errors or exceptions.

  • Exception – The node was unable to be scanned due to an exception occurring during the scan.

  • Error – The node was unable to be scanned due to one or more errors occurring during the scan.

  • Timeout – The node was unable to be scanned due to a timeout occurring during the scan.

  • Offline – The node was unable to be scanned due to the Guardian appliance being unable to connect to the Connection Manager responsible for scanning the node.

Select a scan from the list of Recent Jobs to access the job information for the selected scan. For more information, see Job Information.