3 Exceptions Require Review
Review dates have passed for 3 exceptions. Please review and update approval dates or remove exceptions.
Total Exceptions: 23 (18 group-level, 5 host-specific)
Active Exceptions: 20 (within review period)
Expiring Soon: 3 (review in next 30 days)
Affected Servers: 34 (with at least one exception)

Active Compliance Exceptions

23 Documented Exceptions
Rule & Scope | Business Justification | Review Status
Disable HTTP Service
xccdf_org.ssgproject.content_rule_service_httpd_disabled
Group: nginx_servers
nginx web server required for production traffic serving customer applications
Compensating Controls:
  • Firewall rules restrict access to ports 80/443 only
  • WAF in front of all web servers
  • TLS 1.3 enforced with modern cipher suites
Approved By: [email protected]
Ticket: SEC-1234
Approved: 2026-01-15
Active
Next review: 2027-01-15
Enable IP Forwarding
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
Group: nginx_servers
Required for nginx reverse proxy functionality to backend application servers
Compensating Controls:
  • Firewall rules restrict forwarding to internal networks only
  • No external routing allowed
Approved By: [email protected]
Approved: 2026-01-15
Active
Next review: 2027-01-15
Disable NFS Service
xccdf_org.ssgproject.content_rule_service_nfs_disabled
Host: nginx-prod-01.example.com
NFS required for shared static assets across cluster. Critical for content delivery.
Compensating Controls:
  • NFSv4 with Kerberos authentication
  • Read-only mount configuration
  • Dedicated storage VLAN with ACLs
  • Regular security audits of NFS configuration
Approved By: [email protected]
Ticket: SEC-1567
Approved: 2026-03-01
Expiring Soon
Next review: 2026-09-01
Disable PostgreSQL Service
xccdf_org.ssgproject.content_rule_service_postgresql_disabled
Group: database_servers
PostgreSQL database service required for production application data storage
Compensating Controls:
  • Access restricted to application servers only
  • SSL/TLS required for all connections
  • Password complexity enforced
  • Database activity monitoring enabled
Approved By: [email protected]
Ticket: SEC-1156
Approved: 2025-12-10
Active
Next review: 2026-12-10
Disable Docker Service
xccdf_org.ssgproject.content_rule_service_docker_disabled
Group: container_hosts
Container runtime required for microservices architecture
Compensating Controls:
  • Docker daemon socket access restricted
  • User namespace remapping enabled
  • Content trust and image signing enforced
  • Regular vulnerability scanning of images
Approved By: [email protected]
Approved: 2026-02-20
Active
Next review: 2027-02-20
Remove TFTP Package
xccdf_org.ssgproject.content_rule_package_tftp_removed
Host: pxe-server-01.example.com
TFTP required for PXE boot operations and bare-metal provisioning
Compensating Controls:
  • TFTP access restricted to provisioning VLAN only
  • Read-only TFTP configuration
  • Network segmentation enforced
Approved By: [email protected]
Ticket: SEC-1892
Approved: 2025-11-05
Expiring Soon
Next review: 2026-05-05

Exception Summary by Server Group

Group-Level Exceptions
Server Group | Exceptions | Affected Servers | Last Updated
nginx_servers | 4 | 12 | 2026-03-01
database_servers | 6 | 8 | 2026-02-15
container_hosts | 5 | 15 | 2026-02-20
pci_compliance_scope | 3 | 6 | 2026-01-10