IT Service & Operations Manual

Compliance Operations

Operational compliance posture, configuration discipline, and the review model teams use to keep IT operations auditable.

Audience: Security, compliance, and operations teams
Focus: Compliance-oriented operational control
Status: Public manual

Scope

Compliance in RMM should stay attached to the systems and actions that create risk, not become a separate reporting exercise. This public guide keeps that model while excluding private internals.

SSOT Document – Single Source of Truth for compliance management operational procedures, setup guides, and troubleshooting.

Related SSOT documents:

  - Architecture: compliance.md – System design and data models
  - Functional: compliance.md – API endpoints, template versioning, scan execution
  - Manual: patching.md – Patch operations
  - Manual: vulnerability-management.md – Vulnerability operations
  - Architecture: alerts-monitoring.md – Alert engine, monitoring, event rules
  - Architecture: itsm.md – Incident management, change records

Template Creation and Publishing

System templates: 9 built-in templates, one for each combination of framework (CIS Level 1, CIS Level 2, STIG) and OS type (Windows, Linux, BSD). These cannot be edited.

Creating a custom template:

  1. Navigate to Security > Compliance > Templates
  2. Click “Copy” on a system template
  3. Select the target organization
  4. Provide a name
  5. The copy includes all checks from the source template
  6. Edit checks as needed (add, remove, modify, toggle)

Template versioning workflow:

  1. Create/copy a template (starts in draft status)
  2. Edit checks and configuration as needed. The edit modal includes a Scan Interval (hours) field (24–168 hours) to control the default scan frequency for this template.
  3. When ready, click Publish in the edit modal (or with {"status": "published"}). The UI saves current edits first, then publishes.
  4. Published templates are immutable – no check or config edits allowed. The Publish button is hidden for already-published templates.
  5. To make changes, click New Version on the published template row: creates a draft copy with an incremented version number.
  6. Edit and publish the new version.
  7. Update policies to reference the new template.

  1. Export a template portability document:
  2. Import into an organization as a new draft template:
  3. Imports always create a custom draft template in the target organization. Publish after review.

Policy Assignment

Create a compliance policy:

  1. Navigate to Security > Compliance > Policies
  2. Click “Create Policy”
  3. Select:
     - Organization: Target org
     - OS type: Windows, Linux, or BSD (one policy per OS per org)
     - Template: Which template to evaluate
     - Scan interval: Hours between scans (default 24)
     - Batch size: Hosts per scan cycle (default 100)
  4. Configure auto-remediation gates (if desired):
     - Enable for severity levels: critical, high, medium, low
     - Set approval mode: auto (immediate) or manual (requires change approval)

Host-level overrides:

  - Use to assign a different template to a specific host
  - The override applies only for that policy

Running Compliance Scans

Automatic scans:

  - The scheduler runs every 30 minutes
  - Checks each policy’s scan_interval_hours to determine due hosts
  - Creates compliance_check jobs dispatched to agents
  - Respects dynamic batch sizing (larger orgs get bigger batches)

On-demand scans:

  - Host must be online and in the same org as the policy
  - Returns scan record immediately

Reviewing Scan Results

View scan results:

Results include per-check pass/fail/error/skip status with actual values found.

Score interpretation:

  - Score = passed / (total - skipped - errors - waived) * 100
  - Score < 70%: triggers low-score notification
  - Score < 50%: triggers critical-severity notification
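The score formula and the two notification thresholds above, worked through in Python as an added example (not the product's code). The function names, the `no_score` result for a scan with nothing scorable, and the sample scan are constructed here; note that a waived check leaves the denominator rather than counting as a pass.

```python
from collections import Counter

def compliance_score(checks):
    """Score = passed / (total - skipped - errors - waived) * 100.

    `checks` is a list of dicts with a 'status' key (pass/fail/error/skip/waived).
    Returns None when no check is scorable, so an all-skipped or all-errored scan
    never divides by zero and is reported as unscored rather than as 0 or 100.
    """
    counts = Counter(c["status"] for c in checks)
    scorable = len(checks) - counts["skip"] - counts["error"] - counts["waived"]
    if scorable <= 0:
        return None
    return round(counts["pass"] / scorable * 100, 2)

def notification_for(score):
    """Map a score to the thresholds above: <50 critical, <70 low-score."""
    if score is None:
        return "no_score"      # assumption: surface unscorable scans separately
    if score < 50:
        return "critical"
    if score < 70:
        return "low_score"
    return None

# Constructed sample scan: 6 pass, 2 fail, 1 error, 1 skip (10 checks).
# Scorable = 10 - 1 skip - 1 error - 0 waived = 8, so score = 6/8 = 75.0.
SAMPLE_CHECKS = [
    {"rule_id": "1.1.1", "status": "pass"},
    {"rule_id": "1.1.2", "status": "pass"},
    {"rule_id": "1.1.3", "status": "pass"},
    {"rule_id": "2.1.1", "status": "pass"},
    {"rule_id": "2.2.1", "status": "pass"},
    {"rule_id": "3.1.1", "status": "pass"},
    {"rule_id": "5.2.1", "status": "fail"},
    {"rule_id": "5.2.2", "status": "fail"},
    {"rule_id": "6.1.1", "status": "error"},
    {"rule_id": "7.1.1", "status": "skip"},
]

def sample_with_waiver():
    """Same scan after an active exception waives rule 5.2.1: the waived check
    leaves the denominator, so the score rises to 6/7 = 85.71."""
    return [dict(c, status="waived") if c["rule_id"] == "5.2.1" else c
            for c in SAMPLE_CHECKS]
```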

Host compliance view: Shows latest scan results for the host across all policies.

Compliance history: Shows historical scan results for trend analysis.

Triggering Remediation

Automatic remediation:

  - Configure auto-remediation severity gates on the policy
  - After each scan, failed checks with script/workflow bindings are auto-dispatched (severity must match an enabled gate)
  - If Organization.automation_paused is set, no remediation is dispatched for any host in that org regardless of policy settings
  - After a remediation is dispatched, the scheduler automatically re-scans the host ~15 minutes later to verify the fix
  - Remediation outcomes (success/failed) are reflected in the scan result_data within ~5 minutes of the job finishing
  - In manual approval mode: change records are created but remediation waits for approval

One-click fix:

  - Works for checks with script or workflow remediation type
  - Returns 400 for checks with none or manual type
  - Creates change record if remediation_requires_change is true

Manual remediation flow (approval_mode = “manual”):

  1. Scan completes, finds failed checks
  2. Change records created with status="pending_approval"
  3. CAB or change manager reviews and approves
  4. resume_approved_remediations() picks up approved records
  5. Remediation jobs/workflows dispatched
  6. Change record transitions to “implementing”
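The post-scan dispatch decision behind the automatic and manual remediation paths above, including the Organization.automation_paused kill switch, as an added Python example (not the product's code). The dataclasses, the action names, and the rule that a change record also accompanies a check flagged remediation_requires_change in auto mode are assumptions made here; the field names follow the manual.

```python
from dataclasses import dataclass

@dataclass
class Organization:
    automation_paused: bool = False      # the kill switch

@dataclass
class Policy:
    approval_mode: str = "auto"          # "auto" or "manual"
    auto_remediate_critical: bool = False
    auto_remediate_high: bool = False
    auto_remediate_medium: bool = False
    auto_remediate_low: bool = False

def remediation_decision(org, policy, check):
    """Decide what happens to one check after a scan.

    check: dict with status, severity, remediation_type (script/workflow/none/manual)
    and optional remediation_requires_change. Returns (action, change_record) with
    action in skip / paused / no_binding / not_gated / pending_approval / dispatch.
    """
    if check["status"] != "fail":
        return "skip", False
    if org.automation_paused:
        return "paused", False          # kill switch beats every policy setting
    if check["remediation_type"] not in ("script", "workflow"):
        return "no_binding", False      # none/manual bindings are never auto-run
    if not getattr(policy, f"auto_remediate_{check['severity']}", False):
        return "not_gated", False       # severity gate is off for this policy
    # Assumption for this example: a change record is created when the policy is
    # in manual mode or the check itself is flagged remediation_requires_change.
    change_record = policy.approval_mode == "manual" or bool(check.get("remediation_requires_change"))
    if policy.approval_mode == "manual":
        return "pending_approval", change_record   # waits for CAB approval
    return "dispatch", change_record

def plan_remediations(org, policy, checks):
    """Map rule_id -> action for a whole scan result."""
    return {c["rule_id"]: remediation_decision(org, policy, c)[0] for c in checks}

# Constructed scan result; the policy used below enables only the critical gate.
SAMPLE_CHECKS = [
    {"rule_id": "1.1.1", "status": "fail", "severity": "critical", "remediation_type": "script"},
    {"rule_id": "2.3.4", "status": "fail", "severity": "high", "remediation_type": "workflow"},
    {"rule_id": "3.1.1", "status": "fail", "severity": "critical", "remediation_type": "manual"},
    {"rule_id": "4.2.2", "status": "pass", "severity": "critical", "remediation_type": "script"},
]
```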

Managing Compliance Exceptions

Step 1: Create an exception (status: pending_approval)

The exception is created with status="pending_approval". It does NOT affect scan results until approved.

Step 2: Approve or reject the exception

A different user (not the creator) must approve or reject: This transitions the exception to active. It will now cause matching check failures to be marked as waived in scan results.

To reject instead: This transitions the exception to rejected. The rejection reason is optional and recorded in audit logs.

Scope options:

  - Neither: Org-wide waiver for the rule

Exception lifecycle:

  - Only active exceptions cause matching check failures to be marked as waived in scan results
  - Waived checks are excluded from the compliance score
  - Exceptions with expires_at are auto-expired by the scheduler (every 30 min)
  - DELETE endpoint soft-deletes (sets status to revoked, returns updated record)
  - Updates (reason, expires_at) are only allowed on active exceptions
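The exception lifecycle above as an added Python state machine (not the product's code): it enforces that the creator cannot approve or reject, that only an active exception waives a matching failure, that updates are refused outside the active state, and scheduler expiry. Status names follow the manual except `expired`, which is assumed; the class, method names and audit tuples are constructed here.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

class ExceptionStateError(Exception):
    pass

@dataclass
class ComplianceException:
    rule_id: str
    reason: str
    created_by: str
    status: str = "pending_approval"
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None
    audit: list = field(default_factory=list)   # stand-in for the audit log

    def _require(self, status, actor=None):
        """Guard a transition; passing `actor` enforces creator != approver."""
        if self.status != status:
            raise ExceptionStateError(f"not allowed while {self.status}")
        if actor is not None and actor == self.created_by:
            raise ExceptionStateError("a different user must approve or reject")

    def approve(self, actor):
        self._require("pending_approval", actor)
        self.status, self.approved_by = "active", actor
        self.audit.append(("approved", actor, None))

    def reject(self, actor, reason=None):            # reason is optional but logged
        self._require("pending_approval", actor)
        self.status = "rejected"
        self.audit.append(("rejected", actor, reason))

    def update(self, actor, reason=None, expires_at=None):
        self._require("active")                       # updates only on active
        self.reason, self.expires_at = reason or self.reason, expires_at or self.expires_at
        self.audit.append(("updated", actor, None))

    def expire_if_due(self, now):
        """Scheduler pass; the 'expired' status name is an assumption."""
        if self.status == "active" and self.expires_at and self.expires_at <= now:
            self.status = "expired"
            self.audit.append(("expired", "scheduler", None))
        return self.status == "expired"

    def waives(self, check):
        """Only an active exception turns a matching failure into 'waived'."""
        return self.status == "active" and check["status"] == "fail" and check["rule_id"] == self.rule_id
```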

Monitoring Compliance Scores

Dashboard: Returns:

  - Total policies, total scans, average score, hosts scanned
  - Per-framework scores
  - Worst 10 hosts by score
  - Top failing checks

Trends: Returns daily compliance score averages with min/max/avg summary.

Score regression alerts:

  - Per-host scan processing uses a rolling 7-day baseline when enough history exists (fallback: previous scan baseline)
  - If drop exceeds 10 percentage points, a warning-severity compliance_score_regression alert is fired
  - Alert metadata includes baseline type, baseline score, current score, and drop percentage

Compliance incident automation:

  - Severe compliance outcomes automatically open ITSM incidents (AlertIncident) when any of these occur:
    - at least one critical failed check
    - compliance score below 50%
    - a fired regression alert (>10pp drop)
  - Incidents are deduped per host+policy so recurring scans do not create duplicate open tickets.
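Regression detection and the incident-opening rule described above, as an added Python example (not the product's code). The minimum number of scans that counts as "enough history" for the rolling baseline, the metadata key names, and the sample history are assumptions; the 7-day window, the 10-point threshold, the three incident triggers and the per host+policy dedup follow the manual.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

REGRESSION_DROP_PP = 10.0        # manual: warning alert when the drop exceeds 10 points
MIN_SCANS_FOR_ROLLING = 3        # assumption: how many scans count as "enough history"

def regression_alert(history, current_score, now):
    """history: list of (scanned_at, score) for one host+policy, oldest first.
    Baseline is the rolling 7-day mean when enough scans exist, otherwise the
    previous scan. Returns the alert metadata when the drop exceeds 10pp, else None."""
    if not history:
        return None
    recent = [s for t, s in history if now - t <= timedelta(days=7)]
    if len(recent) >= MIN_SCANS_FOR_ROLLING:
        baseline_type, baseline = "rolling_7d", mean(recent)
    else:
        baseline_type, baseline = "previous_scan", history[-1][1]
    drop = baseline - current_score
    if drop <= REGRESSION_DROP_PP:
        return None
    return {"alert": "compliance_score_regression", "severity": "warning",
            "baseline_type": baseline_type, "baseline_score": round(baseline, 2),
            "current_score": current_score, "drop_pp": round(drop, 2)}

def incident_reason(scan, regression, open_incidents):
    """scan: dict with host_id, policy_id, score and checks; open_incidents: set of
    (host_id, policy_id) that already have an open AlertIncident.
    Returns the trigger that opens an incident, or None (also when deduped)."""
    if (scan["host_id"], scan["policy_id"]) in open_incidents:
        return None                       # recurring scans must not duplicate open tickets
    if any(c["status"] == "fail" and c["severity"] == "critical" for c in scan["checks"]):
        return "critical_failed_check"
    if scan["score"] < 50:
        return "score_below_50"
    if regression is not None:
        return "score_regression"
    return None

# Constructed history: five daily scans in the past week averaging 90.0.
NOW = datetime(2024, 3, 10, 12, tzinfo=timezone.utc)
HISTORY = [(NOW - timedelta(days=d), s)
           for d, s in ((5, 90), (4, 92), (3, 88), (2, 91), (1, 89))]
```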

Exporting Compliance Data

CSV export:

Compliance report: Returns:

  - Summary: total_hosts, avg_score, hosts_above_80, hosts_below_50
  - By framework: grouped scores
  - By host: per-host latest scores
  - Failing checks: aggregated failure counts (when include_details=true)

UI Feature Reference

The compliance UI (Security > Compliance) has seven tabs:

Dashboard — Aggregate compliance scores, worst hosts, top failing checks. Shows a loading spinner while data is being fetched.

Templates — List, copy, edit, and delete compliance templates. The edit modal includes a Scan Interval (hours) field (24–168 hours). Published non-system templates have a New Version button that creates a draft clone with incremented version number for iterative editing. Draft templates show a Publish button that saves current edits first then publishes the template.

Policies — Create and edit policies with approval_mode (auto/manual), batch_size, and four auto-remediation severity toggles (critical/high/medium/low). Each policy row expands to show host overrides with inline add (by host) and delete.

  - Host override selection uses server-side search as you type, so operators can target hosts beyond previous client preload limits.
  - If policy lists, template lists, override rows, or host search cannot be loaded, the tab shows an inline warning with Retry instead of silently rendering an empty policy state.

Host Compliance — Server-side paginated table loaded from the report endpoint (no N+1). Search by hostname and select 10, 25, 50, or 100 rows per page. Pagination is handled server-side so the full fleet is accessible regardless of size. Click a row to see the latest scan detail. Failed checks with script or workflow remediation show an “Apply Fix” button for one-click remediation dispatch.

Scan History — Server-side paginated list of scan summaries with status and type filters. The backend returns X-Total-Count header so the pager shows the correct total pages. Detail modal for completed scans shows individual check results with remediation actions.

Exceptions — Full exception lifecycle: create (pending_approval), approve, reject, update, revoke. Server-side pagination with X-Total-Count header for accurate page counts. Status badges, creator/approver tracking, expiry dates.

  - Create modal: Host and host group selectors are searchable dropdowns (show hostname+IP or group name, not raw IDs).
  - Host search behavior: Host selector queries the backend while typing instead of filtering a capped preloaded host list.
  - Edit modal: Visible for active exceptions. Allows updating the reason and expiry date.
  - Scope display: Shows resolved hostname or group name (from backend enrichment) rather than raw IDs where available.

Reports — Three sections:

  1. Score Trends: Date-range selector (7/14/30/90 days), visual line chart (Recharts) of daily avg/min/max scores
  3. Compliance Report: Framework breakdown with per-framework scores and host details

All mutation actions show toast notifications. All tabs respect RBAC (compliance.view / compliance.manage).

Common Compliance Scenarios

Scenario: Rolling out a new compliance standard

  1. Copy the appropriate system template (e.g., CIS Level 1 Windows)
  2. Review and customize checks for your environment
  3. Disable checks that don’t apply (bulk-toggle)
  4. Publish the template
  5. Create a compliance policy referencing the template
  6. Set scan interval and batch size
  7. Wait for first scan cycle (up to 30 minutes)
  8. Review results and create exceptions for known acceptable deviations

Scenario: Investigating a score drop

  1. Check score regression alerts for affected org
  3. Identify which hosts dropped: check dashboard’s worst hosts
  4. Drill into specific host:
  5. Compare with history:
  6. Determine if a change caused the regression (new software, config change, etc.)

Scenario: Setting up auto-remediation

  1. Ensure compliance checks have remediation bindings:
     - Provide the script or workflow ID
     - Set remediation_requires_change if change governance needed
  2. Enable auto-remediation on the policy:
     - Set auto_remediate_critical = true (and other severity levels as needed)
  3. Failed checks matching enabled severity gates will auto-remediate after each scan

Scenario: Updating a template without breaking scans

  1. Published templates are immutable – this is by design
  2. Create a new version:
  3. Edit the draft version with your changes
  4. Publish the new version
  5. Update policies to reference the new template (or rely on pinned_template_version = null for auto-latest)
  6. Old scans retain their results against the old template version

Cross-Domain Operations

Vulnerability-Driven Patching

The vulnerability management system automatically drives patch deployments:

  1. CVE sources are synced (NVD daily, CISA KEV daily)
  2. Host matching detects vulnerable hosts (every 6 hours)
  3. Vuln-patch bridge links CVEs to available patches
  4. Auto-remediation creates patch deployments for qualifying vulns
  5. Lifecycle sync resolves alerts when patches are applied

No manual intervention needed if:

  - Remediation policy is configured
  - Auto-deploy ring set exists
  - Patches are auto-approved by policy

Compliance-Driven Remediation

Compliance scans can trigger remediation through:

  1. Script remediation: Direct script execution on the agent
  2. Workflow remediation: Trigger a multi-step workflow
  3. Change-controlled remediation: Create change records for governance

The compliance and patching systems share:

  - Agent job infrastructure
  - Change management integration
  - Alert and incident correlation

Automation Kill Switch

If Organization.automation_paused = True:

  - Auto-deploy is skipped
  - Auto-remediation is skipped
  - Manual operations still work

Use this during major incidents or change freezes.