HCR module
The HCR (Host Configuration Review) page lists every CIS-benchmark-style finding from filesystem scans of your VMs, container hosts, and Kubernetes nodes.
Columns
| Column | Notes |
|---|---|
| Severity | Driven by the CIS scoring level. |
| Status | OPEN / IGNORED / RESOLVED. |
| Rule | Stable CIS-style ID + name (e.g. CIS-5.2.4 SSH Protocol must be 2). |
| Target | linux, windows, docker, kubernetes_node. |
| Host | Stable host ID, plus hostname. |
| File path | The config file the rule reads. |
Filters
- Severity, Status.
- Target platform: linux, windows, docker, kubernetes_node.
- Host: narrow to one host.
- Rule: free text against rule key and rule name.
Detail panel
For each finding the panel shows:
- Actual value: what we found in the config file.
- Expected value: what the rule wants.
- File path the rule reads, e.g. /etc/ssh/sshd_config.
- Remediation tabs: bash one-liner, Ansible task, Terraform user_data block (when applicable).
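How an actual-versus-expected comparison like the one in the detail panel can be computed for the SSH example above, as an added illustration that is not HCR's own code. The function names, the constructed sample file and the choice to report a missing directive as non-compliant are assumptions; the logic relies on sshd using the first value it reads for a keyword and on lines after a `Match` line being conditional.

```python
# Added illustration, not HCR's implementation: evaluate one sshd_config rule
# against the file contents captured in a snapshot.
from dataclasses import dataclass
from typing import Optional


@dataclass
class CheckResult:              # hypothetical record shape
    rule: str
    file_path: str
    actual: Optional[str]       # None: directive absent from the global section
    expected: str
    compliant: bool


def global_sshd_value(config_text: str, keyword: str) -> Optional[str]:
    """Return the value sshd would use globally for `keyword`, or None."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        parts = line.split(None, 1)       # assumes whitespace-separated pairs
        name = parts[0].lower()           # keywords are case-insensitive
        if name == "match":
            break                         # later lines apply only conditionally
        if name == keyword.lower():
            # First occurrence wins; later duplicates are ignored by sshd.
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def evaluate(config_text, rule, file_path, keyword, expected) -> CheckResult:
    actual = global_sshd_value(config_text, keyword)
    # Assumption: an absent directive is reported as non-compliant.
    return CheckResult(rule, file_path, actual, expected, actual == expected)


# Constructed sample, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
protocol 2,1
Protocol 2
Match User backup
    Protocol 2
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE, "CIS-5.2.4", "/etc/ssh/sshd_config", "Protocol", "2"))
```

The sample is reported as non-compliant even though a later line sets the expected value, because the earlier `protocol 2,1` line is the one that takes effect.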
Tips
- Group by host for a per-host hardening checklist.
- Group by rule to see which CIS controls fail across the fleet.
- Snapshots are stale by design. A fix you apply on a live host shows up only after the next snapshot scan. Don't panic if a finding lingers for a few minutes after the fix.
- Read-only by construction. HCR cannot make changes to your hosts. The remediation tabs are for you to apply manually or through your config-management tool.
What's next
- HCR concept
- Vulnerability management, sibling detector for CVEs in installed packages
- Agentless vs agent-based