What is the biggest advantage of running periodical audits? To me, it’s speed by which a configuration change somewhere can be sighted and brought to my attention.

In Spacewalk, we have stepped forward and we visualize all the detected changes in a single icon. (Detailed view is available as well). For each scan we search the previous similar scan, compare them together, and show the icon of comparison. From the list of icons, it is obvious when the state of the system has changed, and the red flag flies if it deteriorates.

icon list

In the screen-shot, you see history of scans on some machine. Each line starts with icon indicating result of comparison with the previous similar scan. The icon indicates that in the newer scan there is either:

  • check no difference compared to the previous.
  • alert arbitrary differences.
  • error major differences, either more failures or less passes.
  • checkin no comparable scan was found, no comparison was made.

Each difference is displayed only once. So even single red mark followed by dozens of green checks means that there are more failures than on the day zero. Similar icon is placed on scan’s details page, near the reschedule link.

diff

Behind the icon, there is a link to detailed comparison page. Separate tables shows diff of metadata and diff of xccdf:rule-results. Each xccdf:TestResult has separate column.

diff full

On the toolbar, there are three possible comparison modes: Full Comparison which shows all the scan items, Only Changed Items which shows only varying items, and finally Only invariant items which shows only common and equal items. The items contained only in one of the compared scans, are considered to be varying. Varying items are always highlighted with beige.

diff varying

The XCCDF diff is not limited to similar scans. You can diff arbitrary scans, you need only to specify their id (so called xid) in the database.