Compliance Management

CIS, STIG, and custom framework compliance scanning

Enforce compliance policies across your fleet with automated scans, exception management, per-host overrides, and historical score trending for audit-ready operations.

Technical Manual
Status: Available

Prerequisites

  • At least one organization with online hosts running the Go agent v1.7.0 or later
  • User role with compliance.view permission for read access
  • User role with compliance.manage permission for creating policies, triggering scans, and managing exceptions
  • Hosts must have an active agent installed and a status of "online" or "maintenance"

Understanding compliance frameworks

SPOG ships system templates for three compliance frameworks. Each template contains a set of checks that the agent evaluates against the host's configuration.

Framework   | Code         | Description
------------|--------------|------------
CIS Level 1 | cis_level1   | Baseline security configuration. Recommended for all hosts. Minimal performance impact.
CIS Level 2 | cis_level2   | Extended hardening controls. May restrict some functionality. Recommended for sensitive systems.
STIG        | stig         | DoD Security Technical Implementation Guide. Strictest controls. Required for government/defense environments.
Custom      | user-defined | Organization-scoped templates created by copying a system template and customizing checks.

System templates are read-only. You cannot modify checks on system templates. To customize, copy the template first (see workflow below), then modify the copy.

Activating a system template

To start compliance scanning, create a policy that binds a template to an organization and OS type.

  1. Navigate to Compliance page.
  2. View available system templates on the Templates tab (filter to system templates).
  3. Click Create Policy and select the organization, OS type, template, and scan interval.
  4. The system enforces one framework per OS type per organization. If a policy already exists for that combination, update or delete it first.
  5. Scans begin automatically on the next scheduler tick (within 30 minutes).

Scan interval constraints. Minimum: 24 hours (1 day). Maximum: 168 hours (7 days). Validated on both policy creation and update.

Customizing a template

Copy a system template to create an org-scoped version where you can enable/disable individual checks, edit parameters, and add custom checks.

  1. Navigate to the system template and click Copy Template. Provide a name and select the target organization.
  2. This creates an organization-scoped copy with all checks from the source.
  3. Use Bulk Toggle to enable or disable individual checks.
  4. Click on individual checks to edit parameters or expected values.
  5. Click Add Check to create custom checks.
  6. Assign the custom template to a policy by creating or updating a policy with the new template.

Template deletion rules

  • System templates cannot be deleted.
  • Custom templates referenced by active policies cannot be deleted. Remove or update the policy first.
  • Deleting a template also removes all its checks.

Running compliance scans

Scheduled scans

The scheduler checks for due scans every 30 minutes. For each active policy, it identifies hosts matching the organization and OS type, checks whether a scan is due based on the interval, resolves the correct template (including per-host overrides), and dispatches compliance check jobs to agents. Up to 50 hosts per sweep.
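The scheduler rules above, together with the interval bounds from the policy section, the host eligibility rule from the prerequisites, per-host template resolution and the 50-host cap, expressed as runnable Go. This is an added example, not SPOG's own scheduler code. Type names, field names and the treatment of a never-scanned host as immediately due are assumptions; the sample fleet is constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Added example, not SPOG's own code: the scheduling rules described above
// (interval bounds, host eligibility, due check, per-host override, 50-host cap)
// modelled in Go. All type and field names are assumptions.

const (
	MinScanInterval = 24 * time.Hour  // 1 day
	MaxScanInterval = 168 * time.Hour // 7 days
	HostsPerSweep   = 50
)

type Policy struct {
	ID, OrgID, OSType string
	TemplateID        string            // default template
	Interval          time.Duration
	Overrides         map[string]string // host ID -> template ID (one per host per policy)
}

type Host struct {
	ID, OrgID, OSType string
	Status            string    // "online", "maintenance", "offline", ...
	LastScan          time.Time // zero value: never scanned (assumed to mean due now)
}

type Job struct{ HostID, TemplateID string }

// ValidateInterval enforces the 24h..168h bound applied on policy create and update.
func ValidateInterval(d time.Duration) error {
	if d < MinScanInterval || d > MaxScanInterval {
		return fmt.Errorf("scan interval %s outside allowed range %s..%s", d, MinScanInterval, MaxScanInterval)
	}
	return nil
}

// ResolveTemplate returns the per-host override if one exists, else the policy default.
func ResolveTemplate(p Policy, hostID string) string {
	if t, ok := p.Overrides[hostID]; ok {
		return t
	}
	return p.TemplateID
}

// ScanDue reports whether the host's last scan is at least one interval old.
func ScanDue(h Host, p Policy, now time.Time) bool {
	return h.LastScan.IsZero() || !now.Before(h.LastScan.Add(p.Interval))
}

// Sweep selects hosts that match the policy's org and OS type, are online or in
// maintenance, and are due, then builds at most HostsPerSweep jobs.
func Sweep(p Policy, hosts []Host, now time.Time) []Job {
	var jobs []Job
	for _, h := range hosts {
		if len(jobs) == HostsPerSweep {
			break
		}
		eligible := h.OrgID == p.OrgID && h.OSType == p.OSType &&
			(h.Status == "online" || h.Status == "maintenance")
		if eligible && ScanDue(h, p, now) {
			jobs = append(jobs, Job{HostID: h.ID, TemplateID: ResolveTemplate(p, h.ID)})
		}
	}
	return jobs
}

// sampleFleet is constructed data: one Linux policy with an override for host-b.
func sampleFleet(now time.Time) (Policy, []Host) {
	p := Policy{ID: "pol-1", OrgID: "org-1", OSType: "linux", TemplateID: "cis_level1",
		Interval: 24 * time.Hour, Overrides: map[string]string{"host-b": "custom-linux-l1"}}
	hosts := []Host{
		{ID: "host-a", OrgID: "org-1", OSType: "linux", Status: "online", LastScan: now.Add(-36 * time.Hour)}, // due
		{ID: "host-b", OrgID: "org-1", OSType: "linux", Status: "maintenance"},                                // never scanned, has override
		{ID: "host-c", OrgID: "org-1", OSType: "linux", Status: "online", LastScan: now.Add(-2 * time.Hour)},  // not yet due
		{ID: "host-d", OrgID: "org-1", OSType: "windows", Status: "online"},                                   // wrong OS type
		{ID: "host-e", OrgID: "org-1", OSType: "linux", Status: "offline"},                                    // agent not online
	}
	return p, hosts
}

func main() {
	now := time.Date(2024, 1, 10, 12, 0, 0, 0, time.UTC)
	p, hosts := sampleFleet(now)
	for _, j := range Sweep(p, hosts, now) {
		fmt.Printf("dispatch %s -> template %s\n", j.HostID, j.TemplateID)
	}
	fmt.Println("12h interval:", ValidateInterval(12*time.Hour))
}
```

Running it dispatches host-a (due) and host-b (never scanned, with its override template) and skips host-c (scanned two hours ago), host-d (wrong OS type) and host-e (offline); the 12-hour interval is rejected.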

On-demand scan

  1. Navigate to the host or policy detail page and click Trigger Scan.
  2. The host must be online and in the same organization as the policy.
  3. The scan starts with status "pending".
  4. Monitor progress on the scan detail page. Status transitions: pending → running → completed or failed.

What the agent does

The agent receives a compliance check job containing the list of checks. For each check, it runs the appropriate collector (e.g., registry value on Windows, file permissions on Linux), compares the actual value against the expected value using the configured operator, and returns a per-check result with status pass, fail, error, or skip.
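An added example, not the SPOG agent's code, of how a check evaluation arrives at the four statuses: skip when the check targets another platform, error when the collector fails or the rule itself is malformed (so the check drops out of the score instead of counting as a fail), and pass or fail from the operator comparison. The operator set (equals, regex, lte, gte), the Collector type and the Platform field are assumptions; the page only refers to a configured operator. The sample rules and host values are constructed and carry no CIS content.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Added example, not the SPOG agent's code: how one check can be evaluated to
// pass, fail, error or skip. The operator names, the Collector signature and
// the Platform field are assumptions; the page only says "configured operator".

type Check struct {
	ID       string
	Platform string // "linux", "windows", or "" for any platform
	Operator string // equals | regex | lte | gte (assumed set)
	Expected string
}

type Result struct {
	CheckID, Status, Actual, Message string // Status: pass | fail | error | skip
}

// Collector fetches the actual value for a check from the host (registry, file, sysctl...).
type Collector func(c Check) (string, error)

func compare(op, actual, expected string) (bool, error) {
	switch op {
	case "equals":
		return actual == expected, nil
	case "regex":
		re, err := regexp.Compile(expected)
		if err != nil {
			return false, err
		}
		return re.MatchString(actual), nil
	case "lte", "gte":
		a, err1 := strconv.ParseFloat(strings.TrimSpace(actual), 64)
		e, err2 := strconv.ParseFloat(expected, 64)
		if err1 != nil || err2 != nil {
			return false, fmt.Errorf("non-numeric comparison %q %s %q", actual, op, expected)
		}
		if op == "lte" {
			return a <= e, nil
		}
		return a >= e, nil
	}
	return false, fmt.Errorf("unknown operator %q", op)
}

// Evaluate runs one check for a host on the given platform. Collector and rule
// failures become "error", which the score excludes, rather than "fail".
func Evaluate(c Check, platform string, collect Collector) Result {
	r := Result{CheckID: c.ID}
	if c.Platform != "" && c.Platform != platform {
		r.Status, r.Message = "skip", "not applicable to "+platform
		return r
	}
	actual, err := collect(c)
	if err != nil {
		r.Status, r.Message = "error", err.Error()
		return r
	}
	r.Actual = actual
	ok, err := compare(c.Operator, actual, c.Expected)
	switch {
	case err != nil:
		r.Status, r.Message = "error", err.Error()
	case ok:
		r.Status = "pass"
	default:
		r.Status, r.Message = "fail", fmt.Sprintf("expected %s %q", c.Operator, c.Expected)
	}
	return r
}

// mapCollector serves constructed values in place of real file or registry reads.
func mapCollector(values map[string]string) Collector {
	return func(c Check) (string, error) {
		if v, ok := values[c.ID]; ok {
			return v, nil
		}
		return "", fmt.Errorf("collector failed for %s", c.ID)
	}
}

func main() {
	// Constructed sample rules and host values, not CIS content.
	checks := []Check{
		{ID: "CIS-1.1.1", Platform: "linux", Operator: "equals", Expected: "0644"},
		{ID: "CIS-5.4.1", Platform: "linux", Operator: "lte", Expected: "365"},
		{ID: "CIS-3.2.1", Platform: "linux", Operator: "regex", Expected: `^net\.ipv4\.ip_forward\s*=\s*0$`},
		{ID: "CIS-WIN-2.3.1", Platform: "windows", Operator: "equals", Expected: "1"},
		{ID: "CIS-1.7.1", Platform: "linux", Operator: "equals", Expected: "Authorized"},
	}
	host := mapCollector(map[string]string{"CIS-1.1.1": "0644", "CIS-5.4.1": "99999", "CIS-3.2.1": "net.ipv4.ip_forward = 0"})
	for _, c := range checks {
		r := Evaluate(c, "linux", host)
		fmt.Printf("%-14s %-5s actual=%q %s\n", r.CheckID, r.Status, r.Actual, r.Message)
	}
}
```

On the sample host the five rules come out as pass, fail (99999 is not ≤ 365), pass, skip (Windows-only rule on a Linux host) and error (the collector has no value), which is one of each status the page lists for the agent.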

Shipped CIS benchmark templates

Two comprehensive CIS benchmark templates are seeded at installation with 316 total checks across 10+ categories.

CIS Benchmarks -- Linux Level 1 (158 checks)

Based on CIS v2.0.0. Categories: filesystem configuration, services, network parameters, logging and auditing, access/authentication, firewall configuration, mandatory access control (MAC), process hardening, password policy, account lockout, and user rights assignment.

Check types include: command output, file content, file permissions, file existence, package installed, service state, sysctl settings, and login banner. Includes distro-specific overrides for expected values (Ubuntu, RHEL, Debian).

CIS Benchmarks -- Windows Server Level 1 (158 checks)

Based on CIS v3.0.0. Categories: registry configuration, services, audit policy, account policy, firewall, security options, user rights assignment, password policy, account lockout, and network security.

Check types include: registry value, security policy, audit policy, service state, and login banner.

System templates are extensible. Copy a system template to your organization, then add or remove checks to fit your compliance requirements. The base templates (129 and 133 checks) were extended with 54 additional checks in total across the password policy, account lockout, audit policy, user rights, and network security categories.

Server-side evaluated checks

Two check types are evaluated on the server rather than on the agent: Software Installed and Service Running. The agent already collects software inventory and service status through its host-info sync cycle, so these checks query the existing data instead of requiring a separate agent collection.

Software Installed

Checks the host's software inventory with case-insensitive matching. Supports wildcard patterns in the expected value (e.g., Microsoft Defender*). Returns pass if the software is found, fail with "not installed" otherwise.

Service Running

Checks the host's service list with case-insensitive matching. Returns pass if the service exists and is running or active, fail with the actual service status otherwise.

Server-evaluated checks are handled automatically. The agent skips these check types during collection. After receiving the agent results, the server evaluates them using the existing host data. This happens after version overrides but before exception application.
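The two server-evaluated checks, as an added example that is not SPOG's code. The wildcard handling is the part worth seeing: only `*` acts as a wildcard, every other character of the expected value is quoted before the pattern becomes a case-insensitive regular expression, so product names containing dots, pluses or parentheses are matched literally. The inventory struct names are assumptions, as is reporting `not found` for a service absent from the list (the page does not say what is reported in that case); the sample inventory is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not SPOG's code: the two server-evaluated check types, answered
// from inventory the agent already synced. Struct and field names are assumptions,
// as is reporting "not found" when a service is absent (the page does not say).

type SoftwareEntry struct{ Name, Version string }
type ServiceEntry struct{ Name, Status string }

type HostInventory struct {
	Software []SoftwareEntry
	Services []ServiceEntry
}

type Result struct {
	CheckID, Status, Actual string // Status: pass | fail | error
}

// wildcardToRegexp turns a pattern such as "Microsoft Defender*" into an anchored,
// case-insensitive regexp. Only "*" is special; everything else is matched literally,
// so metacharacters in product names (C++, .NET) cannot alter the match.
func wildcardToRegexp(pattern string) (*regexp.Regexp, error) {
	parts := strings.Split(pattern, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	return regexp.Compile("(?i)^" + strings.Join(parts, ".*") + "$")
}

// EvalSoftwareInstalled passes when any inventory entry matches the pattern.
func EvalSoftwareInstalled(checkID, pattern string, inv HostInventory) Result {
	re, err := wildcardToRegexp(pattern)
	if err != nil {
		return Result{CheckID: checkID, Status: "error", Actual: err.Error()}
	}
	for _, s := range inv.Software {
		if re.MatchString(s.Name) {
			return Result{CheckID: checkID, Status: "pass", Actual: s.Name + " " + s.Version}
		}
	}
	return Result{CheckID: checkID, Status: "fail", Actual: "not installed"}
}

// EvalServiceRunning passes when the named service exists and is running or active;
// otherwise it fails and reports the status the host actually has.
func EvalServiceRunning(checkID, name string, inv HostInventory) Result {
	for _, svc := range inv.Services {
		if !strings.EqualFold(svc.Name, name) {
			continue
		}
		st := strings.ToLower(svc.Status)
		if st == "running" || st == "active" {
			return Result{CheckID: checkID, Status: "pass", Actual: svc.Status}
		}
		return Result{CheckID: checkID, Status: "fail", Actual: svc.Status}
	}
	return Result{CheckID: checkID, Status: "fail", Actual: "not found"}
}

// sampleInventory is constructed data for the demonstration.
var sampleInventory = HostInventory{
	Software: []SoftwareEntry{
		{"Microsoft Defender Antivirus", "4.18.24010"},
		{"Microsoft Visual C++ 2015-2022 Redistributable (x64)", "14.38"},
		{"OpenSSH Server", "9.6"},
	},
	Services: []ServiceEntry{
		{"WinDefend", "Running"},
		{"auditd", "inactive"},
	},
}

func main() {
	for _, r := range []Result{
		EvalSoftwareInstalled("SW-1", "microsoft defender*", sampleInventory),
		EvalSoftwareInstalled("SW-2", "*C++*Redistributable*", sampleInventory),
		EvalSoftwareInstalled("SW-3", "CrowdStrike*", sampleInventory),
		EvalServiceRunning("SVC-1", "windefend", sampleInventory),
		EvalServiceRunning("SVC-2", "AUDITD", sampleInventory),
		EvalServiceRunning("SVC-3", "sshd", sampleInventory),
	} {
		fmt.Printf("%-6s %-5s %s\n", r.CheckID, r.Status, r.Actual)
	}
}
```

Because the pattern is quoted, `Microsoft.Defender*` does not match `Microsoft Defender Antivirus`: the dot is a literal dot, not a regex wildcard, which keeps an expected value from silently matching more software than the author intended.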

Reviewing scan results

  1. Navigate to a host's detail page > Compliance tab to view the latest scan results.
  2. Click a scan to view the per-check results detail.
  3. Use the History view to see scan history for a specific policy.

Per-check result fields

Field        | Description
-------------|------------
Check ID     | Unique identifier tag for the check rule (e.g., CIS-1.1.1).
Status       | Result: pass, fail, error, skip, or waived.
Actual Value | The value collected from the host by the agent.
Title        | Human-readable check title from the template.
Category     | Check grouping category (e.g., "Account Policies", "Audit Policy").
Severity     | Check severity: critical, high, medium, low, or info.

Status meanings

Status | Meaning                                                    | Included in score?
-------|------------------------------------------------------------|-------------------
pass   | Host configuration meets the expected value.               | Yes (numerator + denominator)
fail   | Host configuration does not meet the expected value.       | Yes (denominator only)
error  | Agent collector failed to retrieve the value.              | No (excluded)
skip   | Platform-incompatible check (e.g., Windows-only on Linux). | No (excluded)
waived | Check failed but covered by an active exception/waiver.    | No (excluded)

Managing exceptions and waivers

Exceptions allow you to waive specific compliance check failures for a host, host group, or entire organization. Waived checks are excluded from the score denominator.

Creating an exception

  1. Navigate to Compliance > Exceptions and click Create Exception.
  2. Select the organization, enter the check rule ID (e.g., CIS-1.1.1), and provide a reason explaining the waiver.
  3. Optionally scope to a specific host or host group. Omitting both creates an org-wide exception.
  4. Optionally set an expiration date for temporal expiry.
  5. The exception takes effect on the next scan. Failed checks matching the rule and scope are marked as waived.

Exception lifecycle

State  | Transition | Trigger
-------|------------|--------
Active | → Expired  | Expiration date has passed (checked every 30 minutes)
Active | → Revoked  | User deletes the exception

Expired and revoked are terminal states. Once an exception leaves the active state, the waiver no longer applies to future scans.

Exception scope resolution

During scan result processing, exceptions are matched in this order:

  • Host-level: exception is scoped to a specific host matching the scanned host.
  • Group-level: exception is scoped to a host group that the scanned host belongs to.
  • Org-wide: exception has no host or group scope (applies to all hosts in the organization).

Per-host policy overrides

Overrides let you assign a different template to a specific host within a policy, without changing the default template for all other hosts.

  1. Navigate to the policy detail page > Overrides tab.
  2. Click Add Override, select the host and the template to use.
  3. The host will now use the override template instead of the policy default for all future scans.
  4. Only one override per host per policy. Delete the existing override first if you need to change it.
  5. Click Delete on an override to remove it.

Override resolution. The scan engine checks for a per-host override first. If found, it uses the override template. Otherwise, it falls back to the policy's default template.

Compliance dashboard

The dashboard provides an aggregate view of compliance posture for an organization.

  1. Navigate to Compliance > Dashboard.

Dashboard panels

Panel              | Description
-------------------|------------
Total Policies     | Count of active compliance policies for the organization.
Total Scans        | Total completed scans across all policies.
Average Score      | Average compliance score (percentage) across all completed scans.
Hosts Scanned      | Count of distinct hosts that have been scanned.
Framework Scores   | Per-policy average score from the last 100 scans.
Worst Hosts        | Bottom 10 hosts by compliance score.
Top Failing Checks | Most frequently failed checks aggregated from the last 50 scans.

Score calculation

Score = (passed / evaluable) x 100, where evaluable = total checks minus skipped, errors, and waived.

  • Score below 70% triggers a warning notification.
  • Score below 50% triggers a critical notification.
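Exception scope resolution in the order given above (host, then group, then org-wide), expiry, the waived status and the score formula with its exclusions, brought together in one added Go example that is not SPOG's code. Type and field names are assumptions; a revoked exception is modelled as simply absent from the exception list, and a scan with no evaluable checks scores 0, which the page does not specify. The sample results and exceptions are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Added example, not SPOG's own code: exception matching in the page's order
// (host, then group, then org-wide), expiry, waiving of failed checks, and the
// score formula. Names are assumptions; a revoked exception is simply absent.

type CheckResult struct {
	RuleID   string
	Status   string // pass | fail | error | skip | waived
	WaivedBy string // ID of the exception that waived a failed check
}

type Exception struct {
	ID, RuleID, HostID, GroupID string    // HostID/GroupID empty unless scoped
	ExpiresAt                   time.Time // zero value: never expires
}

// scope returns the resolution level (0 host, 1 group, 2 org-wide) and whether the exception covers this host.
func (e Exception) scope(hostID string, groups []string) (int, bool) {
	if e.HostID != "" {
		return 0, e.HostID == hostID
	}
	if e.GroupID != "" {
		for _, g := range groups {
			if g == e.GroupID {
				return 1, true
			}
		}
		return 1, false
	}
	return 2, true
}

// resolve returns the most specific, still-active exception covering ruleID on this host.
func resolve(ruleID, hostID string, groups []string, excs []Exception, now time.Time) *Exception {
	for level := 0; level <= 2; level++ {
		for i := range excs {
			e := &excs[i]
			lvl, covers := e.scope(hostID, groups)
			active := e.ExpiresAt.IsZero() || now.Before(e.ExpiresAt)
			if e.RuleID == ruleID && lvl == level && covers && active {
				return e
			}
		}
	}
	return nil
}

// ApplyExceptions turns covered "fail" results into "waived"; other statuses are untouched.
func ApplyExceptions(results []CheckResult, hostID string, groups []string, excs []Exception, now time.Time) []CheckResult {
	out := append([]CheckResult(nil), results...)
	for i := range out {
		if out[i].Status != "fail" {
			continue
		}
		if e := resolve(out[i].RuleID, hostID, groups, excs, now); e != nil {
			out[i].Status, out[i].WaivedBy = "waived", e.ID
		}
	}
	return out
}

// Score = passed / evaluable * 100; evaluable excludes skip, error and waived (0 if nothing is evaluable).
func Score(results []CheckResult) float64 {
	passed, evaluable := 0, 0
	for _, r := range results {
		if r.Status == "pass" {
			passed++
		}
		if r.Status == "pass" || r.Status == "fail" {
			evaluable++
		}
	}
	if evaluable == 0 {
		return 0
	}
	return float64(passed) / float64(evaluable) * 100
}

func main() {
	now := time.Date(2024, 1, 10, 12, 0, 0, 0, time.UTC)
	// Constructed sample: host web-01 in group prod-web, 7 results, 3 exceptions.
	results := []CheckResult{
		{RuleID: "CIS-1.1.1", Status: "pass"}, {RuleID: "CIS-1.1.2", Status: "fail"},
		{RuleID: "CIS-2.1.1", Status: "fail"}, {RuleID: "CIS-3.1.1", Status: "fail"},
		{RuleID: "CIS-4.1.1", Status: "error"}, {RuleID: "CIS-5.1.1", Status: "skip"},
		{RuleID: "CIS-6.1.1", Status: "pass"},
	}
	excs := []Exception{
		{ID: "exc-org", RuleID: "CIS-1.1.2"},
		{ID: "exc-host", RuleID: "CIS-1.1.2", HostID: "web-01"},
		{ID: "exc-expired", RuleID: "CIS-2.1.1", ExpiresAt: now.Add(-time.Hour)},
	}
	applied := ApplyExceptions(results, "web-01", []string{"prod-web"}, excs, now)
	fmt.Printf("score %.1f%%; CIS-1.1.2 waived by %s\n", Score(applied), applied[1].WaivedBy)
}
```

With the sample data the host-level exception is credited over the org-wide one for CIS-1.1.2, the expired exception leaves CIS-2.1.1 failing, and the error and skip results drop out of the denominator, so the score is 2 passed of 4 evaluable, or 50%. That sits exactly on the critical boundary: it is not below 50%, so it raises the warning notification rather than the critical one.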

Exporting compliance data

Export completed scan data for offline analysis or audit submissions.

CSV export

  1. Navigate to Compliance > Export and select CSV format.
  2. Optionally filter by policy, host, and row limit (1 to 100,000; default 10,000).
  3. The export includes: scan ID, host, template, framework, OS type, score percentage, passed/failed/error/skipped/total counts, and scan date.

JSON export

  1. Select JSON format on the export page.
  2. The export streams as newline-delimited JSON (NDJSON), one scan record per line.

Streaming response. Both formats stream in batches for memory-safe handling of large datasets. Only completed scans are included.
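Consuming the NDJSON export offline, as an added example that is not SPOG's code. It reads one record per line, tolerates blank lines, stops at the first malformed line so a truncated download is not mistaken for a complete audit extract, and then reproduces two dashboard views (hosts under a threshold, average by framework) from the file alone. The JSON field names are assumptions derived from the CSV column list above; the three records are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Added example, not SPOG's code: consuming the NDJSON export offline. The JSON
// field names are assumptions derived from the CSV column list on this page; the
// sample records below are constructed.

type ScanRecord struct {
	ScanID    string  `json:"scan_id"`
	Host      string  `json:"host"`
	Template  string  `json:"template"`
	Framework string  `json:"framework"`
	OSType    string  `json:"os_type"`
	Score     float64 `json:"score"`
	Passed    int     `json:"passed"`
	Failed    int     `json:"failed"`
	Errors    int     `json:"errors"`
	Skipped   int     `json:"skipped"`
	Total     int     `json:"total"`
	ScanDate  string  `json:"scan_date"`
}

// ReadNDJSON decodes one record per line, skipping blank lines, and stops with an
// error on the first malformed line so a truncated download is not silently accepted.
func ReadNDJSON(r io.Reader) ([]ScanRecord, error) {
	var out []ScanRecord
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // a record may exceed the default 64 KiB line limit
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec ScanRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		out = append(out, rec)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return out, nil
}

// BelowThreshold lists hosts whose exported score is under the given percentage.
func BelowThreshold(recs []ScanRecord, threshold float64) []string {
	var hosts []string
	for _, r := range recs {
		if r.Score < threshold {
			hosts = append(hosts, r.Host)
		}
	}
	return hosts
}

// AverageByFramework reproduces the dashboard's per-framework average from an export.
func AverageByFramework(recs []ScanRecord) map[string]float64 {
	sum, n := map[string]float64{}, map[string]int{}
	for _, r := range recs {
		sum[r.Framework] += r.Score
		n[r.Framework]++
	}
	avg := make(map[string]float64, len(sum))
	for k := range sum {
		avg[k] = sum[k] / float64(n[k])
	}
	return avg
}

// sampleExport is a constructed three-record export that also contains a blank line.
const sampleExport = `{"scan_id":"scan-001","host":"web-01","template":"CIS Benchmarks -- Linux Level 1","framework":"cis_level1","os_type":"linux","score":88.6,"passed":140,"failed":18,"errors":0,"skipped":0,"total":158,"scan_date":"2024-01-10T12:00:00Z"}
{"scan_id":"scan-002","host":"db-01","template":"CIS Benchmarks -- Linux Level 1","framework":"cis_level1","os_type":"linux","score":62.0,"passed":98,"failed":60,"errors":0,"skipped":0,"total":158,"scan_date":"2024-01-10T12:05:00Z"}

{"scan_id":"scan-003","host":"dc-01","template":"STIG -- Windows Server","framework":"stig","os_type":"windows","score":44.9,"passed":71,"failed":87,"errors":0,"skipped":0,"total":158,"scan_date":"2024-01-10T12:10:00Z"}
`

func main() {
	recs, err := ReadNDJSON(strings.NewReader(sampleExport))
	if err != nil {
		fmt.Println("export unreadable:", err)
		return
	}
	fmt.Println("records:", len(recs), "below 70%:", BelowThreshold(recs, 70))
	fmt.Println("average by framework:", AverageByFramework(recs))
}
```

Failing hard on a malformed line is deliberate: an export consumed for an audit submission should be rejected outright if the download was cut off mid-record, rather than quietly reporting fewer hosts than were scanned.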

Historical score trending

Track compliance posture over time with daily score aggregation.

  1. Navigate to Compliance > Trends. Optionally filter by policy and time range (1-365 days, default 30).

Trend data

Field         | Description
--------------|------------
Daily Trend   | Daily aggregations showing date, average score, scan count, total passed, and total failed.
Average Score | Overall average score across the selected period.
Min Score     | Lowest daily average score in the period.
Max Score     | Highest daily average score in the period.
Total Scans   | Total scan count in the period.

Permissions reference

Permission        | Grants
------------------|-------
compliance.view   | List/get templates, checks, policies, overrides, scans, exceptions, dashboard, export, and trends.
compliance.manage | Create/update/delete custom templates, checks, policies, overrides, and exceptions. Trigger scans. Toggle system template active status.

Navigation reference

Feature    | Location
-----------|---------
Templates  | Compliance > Templates -- view, copy, edit, delete templates and checks
Policies   | Compliance > Policies -- create, edit, delete policies and per-host overrides
Scans      | Compliance > Scans or host detail > Compliance tab -- trigger and review scans
Exceptions | Compliance > Exceptions -- create and revoke exceptions/waivers
Export     | Compliance > Export -- download scan data as CSV or JSON
Trends     | Compliance > Trends -- daily score trending charts
Dashboard  | Compliance > Dashboard -- aggregate compliance posture

Troubleshooting

Symptom                        | Cause                                            | Fix
-------------------------------|--------------------------------------------------|----
No scans running               | No active policies for the org/OS combination    | Create a policy and ensure it is enabled.
Scan stuck in "pending"        | Host offline or agent not polling                | Verify host status is "online" on the Hosts page.
All checks show "skip"         | Wrong OS template assigned to host               | Verify the policy's OS type matches the host's actual OS type.
Low score despite fixes        | Cached scan results from previous run            | Trigger an on-demand scan or wait for the next interval.
409 on policy create           | Policy already exists for this org + OS          | Update the existing policy or delete it first.
409 on template delete         | Template is referenced by an active policy       | Delete or update the policy before deleting the template.
403 on template edit           | Attempted to edit a system template              | Copy the template first, then edit the copy.
Wrong expected values on checks | OS version override not applied                 | Verify the OS version overrides are configured correctly on the check definition.