Compliance

The Compliance section measures your fleet against industry-standard security baselines. TridentStack Control supports multiple compliance frameworks and provides per-agent and per-control scoring.

Supported Frameworks

TridentStack Control includes built-in support for the following compliance frameworks:

CIS Benchmarks (Level 1 and Level 2)

The Center for Internet Security publishes consensus-developed hardening guidelines, including benchmarks for Windows and Linux. CIS benchmarks are widely adopted across industries and are often referenced by regulatory requirements.

  • Level 1: Designed for broad deployment with minimal impact on functionality. Suitable for most organizations as a starting baseline.
  • Level 2: Extended hardening for high-security environments. May restrict some functionality in exchange for stronger security posture.

DISA STIG

The Defense Information Systems Agency publishes Security Technical Implementation Guides. STIGs are mandatory for U.S. Department of Defense systems and widely used in government and defense contracting.

Microsoft Security Baselines

Microsoft's recommended security configurations for Windows operating systems. These baselines represent Microsoft's own guidance for hardening Windows, updated with each major OS release.

NIST SP 800-53

The National Institute of Standards and Technology's comprehensive catalog of security and privacy controls. NIST 800-53 is referenced by FedRAMP, FISMA, and many private-sector compliance programs.

The Compliance page is organized into five tabs, each providing a different angle on your compliance posture.

Overview

The fleet-wide compliance dashboard. This tab shows:

  • Overall compliance score: An aggregate score across all active baselines and agents
  • Framework-by-framework breakdown: How your fleet scores against each active baseline
  • Trend charts: Compliance improvement (or regression) over time

Per-Agent

Each agent's compliance score across all active baselines. This tab answers the question: "How compliant is this specific machine?"

Click any agent to drill into its detailed results, showing which controls pass and which fail for each assigned baseline.

By Framework

Detailed compliance results organized by framework. Select a framework to see the pass/fail status for every control it contains.

This view is useful when preparing for an audit against a specific standard, as it shows your exact posture against every control in the framework.

By Category

Compliance results grouped by control category, such as:

  • Account Policies
  • Audit Policies
  • Security Options
  • User Rights Assignment
  • Windows Firewall

This view is useful for identifying systemic gaps. For example, if most of your agents fail controls in the "Audit Policies" category, you know to focus your remediation efforts on audit configuration.

Baselines

Manage which compliance baselines are active and which agents they target. This is where you deploy new baselines and adjust targeting.

Deploying a Baseline

To start measuring compliance against a framework:

  1. Navigate to Compliance > Baselines.
  2. Select the framework you want to deploy (e.g., CIS Level 1 for Windows).
  3. Assign the baseline to one or more agent tags.
  4. Click Save.

Compliance evaluation begins on the next agent check-in. Results will appear in the other tabs as agents report their configuration state.

info

Compliance evaluation runs automatically during agent check-ins. No manual scans are needed.

Compliance Scoring

Each agent receives a compliance percentage per baseline. For example, an agent might show:

Baseline             Score   Passing   Failing   Not Applicable
CIS Level 1          87%     174       26        12
Microsoft Baseline   92%     138       12        5

The score is calculated as:

Compliance % = (Passing Controls / Total Applicable Controls) x 100

Controls that are not applicable to an agent (e.g., a BitLocker control on a machine without a TPM) are excluded from the calculation entirely. This prevents non-applicable controls from artificially lowering scores.

Investigating Failures

When an agent fails a compliance control, you need to understand what is wrong and how to fix it. Click any failing control to see:

  • Control description: What the control requires and why it matters
  • Expected configuration: The value or state the control expects to find
  • Actual configuration: What was found on the agent
  • Remediation steps: How to bring the agent into compliance

For example, a failing "Minimum password length" control might show:

Field         Value
Expected      Minimum 14 characters
Actual        8 characters
Remediation   Set the "Minimum password length" policy to 14 or greater
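The following script is an added example for this page, not TridentStack Control's agent code or any part of its product. It shows what the control detail view and the scoring formula above amount to on a single machine: it reads the local account policy with secedit, evaluates a small constructed set of controls (expected values follow the CIS Level 1 guidance quoted on this page, such as a 14-character minimum password length; the control names are Windows policy names, not TridentStack baseline identifiers), marks a BitLocker control Not Applicable when no TPM is present, and computes the percentage with Not Applicable controls excluded from the denominator. Run it in an elevated PowerShell session on Windows; secedit /export, Get-Tpm and Get-BitLockerVolume all require administrator rights.

```powershell
# Added example, not TridentStack Control's own code. Evaluates a few controls
# against the local Windows security policy and scores them the way the
# Compliance page describes: Passing / (Passing + Failing) * 100, N/A excluded.
# Requires an elevated session on Windows.

function Get-LocalSecurityPolicy {
    # Export the local security database to an INI-style file and return the
    # [System Access] section (account policy values) as a hashtable.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
        if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated session' }
        $policy = @{}
        $section = ''
        # secedit writes the export as UTF-16LE, so read it explicitly as Unicode
        foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
            if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
                $policy[$Matches[1]] = $Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

$policy = Get-LocalSecurityPolicy

# Constructed control set (assumption: these mirror CIS Level 1 expected values,
# they are not exported from a TridentStack baseline). Each control carries an
# Applies predicate, a reader for the actual value, and a pass/fail test.
$controls = @(
    @{ Name     = 'Minimum password length'
       Expected = 'Minimum 14 characters'
       Applies  = { $true }
       Actual   = { "$($policy['MinimumPasswordLength']) characters" }
       Test     = { [int]$policy['MinimumPasswordLength'] -ge 14 } },
    @{ Name     = 'Password must meet complexity requirements'
       Expected = 'Enabled'
       Applies  = { $true }
       Actual   = { if ($policy['PasswordComplexity'] -eq '1') { 'Enabled' } else { 'Disabled' } }
       Test     = { $policy['PasswordComplexity'] -eq '1' } },
    @{ Name     = 'Account lockout threshold'
       Expected = '5 or fewer invalid attempts, but not 0'
       Applies  = { $true }
       Actual   = { "$($policy['LockoutBadCount']) invalid attempts" }
       Test     = { $n = [int]$policy['LockoutBadCount']; ($n -ge 1) -and ($n -le 5) } },
    @{ Name     = 'BitLocker protection on the OS drive'
       Expected = 'Protection On'
       # Not applicable without a TPM, as in the page's BitLocker example;
       # a missing TPM cmdlet is treated the same as no TPM
       Applies  = { try { (Get-Tpm -ErrorAction Stop).TpmPresent } catch { $false } }
       Actual   = { "Protection $((Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus)" }
       Test     = { (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On' } }
)

# Produce one row per control, shaped like the control detail view on the page
$results = foreach ($c in $controls) {
    if (-not (& $c.Applies)) {
        $status = 'Not Applicable'; $actual = '-'
    } else {
        $actual = & $c.Actual
        $status = if (& $c.Test) { 'Pass' } else { 'Fail' }
    }
    [pscustomobject]@{ Control = $c.Name; Expected = $c.Expected; Actual = $actual; Status = $status }
}

$results | Format-Table -AutoSize

# Score exactly as the page defines it: N/A controls drop out of the denominator
$passing = @($results | Where-Object Status -eq 'Pass').Count
$failing = @($results | Where-Object Status -eq 'Fail').Count
$na      = @($results | Where-Object Status -eq 'Not Applicable').Count
if (($passing + $failing) -eq 0) {
    # Edge case: a baseline whose controls are all N/A on this machine has no score
    Write-Output 'No applicable controls; score is undefined'
} else {
    $score = [math]::Round(100 * $passing / ($passing + $failing))
    Write-Output ('Score {0}%  Passing {1}  Failing {2}  Not Applicable {3}' -f $score, $passing, $failing, $na)
}
```

On a machine with the 8-character minimum shown in the table above, the first row prints Expected "Minimum 14 characters", Actual "8 characters", Status "Fail", and the BitLocker row is counted as Not Applicable rather than as a failure when no TPM is present, so it does not lower the score. Use this kind of local check to confirm a reported failure before and after a remediation policy is applied; the agent's own evaluation still runs only during check-in.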

Remediation with Configuration Policies

Many compliance failures can be remediated by deploying configuration policies. When a compliance control maps to an ADMX policy setting, the control detail page includes a direct link to the relevant setting.

The recommended workflow:

  1. Identify failing controls in the By Category or Per-Agent view.
  2. Click into a failing control to see the remediation guidance.
  3. If the control links to an ADMX setting, navigate to Configuration Policies.
  4. Create or update a policy to configure that setting with the expected value.
  5. Assign the policy to the appropriate agent tags.
  6. On the next check-in, the agent applies the setting and the compliance score updates.

tip

Start with CIS Level 1 as your baseline. Level 1 controls are designed to be applied broadly with minimal impact on functionality. Move to Level 2 for higher-security environments.

Best Practices

  • Baseline before remediating. Deploy a baseline and measure your current posture before making changes. This gives you a clear before/after comparison.
  • Prioritize by category. Use the By Category tab to find systemic issues that affect many agents, rather than fixing controls one agent at a time.
  • Track trends. The Overview trend charts show whether your compliance posture is improving. Share these with stakeholders to demonstrate progress.
  • Document exceptions. If a control cannot be met due to business requirements, document the reason and any compensating controls in place.
  • Review after OS updates. Major Windows updates can change default settings. Re-evaluate compliance after deploying feature updates to catch any regressions.