openshift-docs/modules/compliance-filtering-results.adoc

// Module included in the following assemblies:
//
// * security/compliance_operator/co-scans/compliance-operator-remediation.adoc

:_mod-docs-content-type: PROCEDURE
[id="filtering-compliance-check-results_{context}"]
= Filters for compliance check results

By default, the `ComplianceCheckResult` objects are labeled with several useful labels that allow you to query the checks and decide on the next steps after the results are generated.

List checks that belong to a specific suite:

[source,terminal]
----
$ oc get -n openshift-compliance compliancecheckresults \
  -l compliance.openshift.io/suite=workers-compliancesuite
----

List checks that belong to a specific scan:

[source,terminal]
----
$ oc get -n openshift-compliance compliancecheckresults \
-l compliance.openshift.io/scan=workers-scan
----

Not all `ComplianceCheckResult` objects create `ComplianceRemediation` objects. Only `ComplianceCheckResult` objects that can be remediated automatically do. A `ComplianceCheckResult` object has a related remediation if it is labeled with the `compliance.openshift.io/automated-remediation` label. The name of the remediation is the same as the name of the check.

List all failing checks that can be remediated automatically:

[source,terminal]
----
$ oc get -n openshift-compliance compliancecheckresults \
-l 'compliance.openshift.io/check-status=FAIL,compliance.openshift.io/automated-remediation'
----


List all failing checks sorted by severity:

[source,terminal]
----
$ oc get compliancecheckresults -n openshift-compliance \
-l 'compliance.openshift.io/check-status=FAIL,compliance.openshift.io/check-severity=high'
----

.Example output
[source,terminal]
----
NAME                                                           STATUS   SEVERITY
nist-moderate-modified-master-configure-crypto-policy          FAIL     high
nist-moderate-modified-master-coreos-pti-kernel-argument       FAIL     high
nist-moderate-modified-master-disable-ctrlaltdel-burstaction   FAIL     high
nist-moderate-modified-master-disable-ctrlaltdel-reboot        FAIL     high
nist-moderate-modified-master-enable-fips-mode                 FAIL     high
nist-moderate-modified-master-no-empty-passwords               FAIL     high
nist-moderate-modified-master-selinux-state                    FAIL     high
nist-moderate-modified-worker-configure-crypto-policy          FAIL     high
nist-moderate-modified-worker-coreos-pti-kernel-argument       FAIL     high
nist-moderate-modified-worker-disable-ctrlaltdel-burstaction   FAIL     high
nist-moderate-modified-worker-disable-ctrlaltdel-reboot        FAIL     high
nist-moderate-modified-worker-enable-fips-mode                 FAIL     high
nist-moderate-modified-worker-no-empty-passwords               FAIL     high
nist-moderate-modified-worker-selinux-state                    FAIL     high
ocp4-moderate-configure-network-policies-namespaces            FAIL     high
ocp4-moderate-fips-mode-enabled-on-all-nodes                   FAIL     high
----

List all failing checks that must be remediated manually:

[source,terminal]
----
$ oc get -n openshift-compliance compliancecheckresults \
-l 'compliance.openshift.io/check-status=FAIL,!compliance.openshift.io/automated-remediation'
----

The manual remediation steps are typically stored in the `description` attribute in the `ComplianceCheckResult` object.

.ComplianceCheckResult Status
[cols="1,1",options="header"]
|===
| ComplianceCheckResult Status | Description
| PASS
| Compliance check ran to completion and passed.
| FAIL
| Compliance check ran to completion and failed.
| INFO
| Compliance check ran to completion and found something not severe enough to be considered an error.
| MANUAL
| Compliance check does not have a way to automatically assess the success or failure and must be checked manually.
| INCONSISTENT
| Compliance check reports different results from different sources, typically cluster nodes.
| ERROR
| Compliance check ran, but could not complete properly.
| NOT-APPLICABLE
| Compliance check did not run because it is not applicable or not selected.
|===