Chapter 3. Managing SCAP security policies in the Insights for RHEL compliance service

Create and manage your SCAP security policies entirely within the compliance service UI. Define new policies and select the rules and systems you want to associate with them, and edit existing policies as your requirements change.

Important

Unlike most other Red Hat Insights for Red Hat Enterprise Linux services, the compliance service does not run automatically on a default schedule. In order to upload OpenSCAP data to the Insights for Red Hat Enterprise Linux application, you must run insights-client --compliance, either on-demand or on a scheduled job that you set.

3.1. Creating new SCAP policies

You must add each Insights for Red Hat Enterprise Linux-registered system to one or more security policies before you can perform a scan or see results for that scan in the compliance service UI. To create a new policy, and include specific systems and rules, complete the following steps:

Important

If your RHEL servers span across multiple major releases of RHEL, you must create a separate policy for each major release. For example, all of your RHEL 7 servers would be on one Standard System Security Profile for RHEL policy and all of your RHEL 8 servers will be on another.

Procedure

  1. Navigate to the Security > Compliance > SCAP Policies page.
  2. Click the Create new policy button.
  3. On the Create SCAP policy page of the wizard, select the RHEL major version of the systems you will include in the policy.

    img compl assess create policy wizard 1

  4. Select one of the policy types available for that RHEL major version, then click Next.
  5. On the Details page, accept the name and description already provided or provide your own more meaningful entries.
  6. Optionally, add a Business objective to give context, for example, “CISO mandate.”
  7. Define a compliance threshold acceptable for your requirements and click Next.
  8. Select the Systems to include on this policy and click Next. Your selection of a RHEL major version in the first step automatically determines which systems can be added to this policy.
  9. Select which Rules to include with each policy. Because each minor version of RHEL supports the use of a specific SCAP Security Guide (SSG) version (sometimes more than one, in which case we use the latest), the rule set for each RHEL minor version is slightly different and must be selected separately.

    img compl assess create policy rules tabs

    1. Optionally, use the filtering and search capabilities to refine the list of rules.

      For example, to show only the highest severity rules, click the primary filter dropdown and select Severity. In the secondary filter, check the boxes for High and Medium.

      img compl assess create policy filter rules

    2. The rules shown by default are those designated for that policy type and that version of SSG. By default, the Selected only toggle next to the filter boxes is enabled. You may remove this toggle if so desired.
    3. Repeat this process as needed for each RHEL minor version tab.
    4. After you select rules for each Red Hat Enterprise Linux minor version SSG, click Next.
  10. On the Review page, verify that the information shown is correct, then click Finish.
  11. Give the app a minute to create the policy, then click the Return to application button to view your new policy.
Note

You have to go to the system and run the compliance scan before results will be shown in the compliance service UI.

3.2. Editing compliance policies

After creating a compliance policy, you can later edit the policy to change the policy details, or which rules or systems are included.

Use the following procedures to edit a policy to suit the needs of your organization.

User Access Note

Editing the included rules and systems in a policy requires that a user be a member of a User Access Group with the Compliance adminstrator role. The Compliance admistrator role includes enhanced permissions that are not granted by default to all Insights for Red Hat Enterprise Linux users.

3.2.1. Editing policy details

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console.

Procedure

  1. Navigate to the Security > Compliance > SCAP policies page.
  2. Locate the policy you want to edit.
  3. Click on the policy name. This opens the policy details view.
  4. Wherever you see a pencil icon, you can click on the icon to edit the details in that field. Editable fields include

    • Compliance threshold
    • Business objective
    • Policy description
  5. After you edit a field, click the blue checkmark to the right of the field to save your input.

3.2.2. Editing included rules

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console.
  • You have Compliance administrator User Access permissions.

Procedure

  1. Navigate to the Security > Compliance > SCAP policies page.
  2. Locate the policy you want to edit.
  3. On the right side of the policy row, click the More actions icon, more actions icon , and click Edit policy.
  4. In the Edit popup, click the Rules tab.
  5. Click on a RHEL minor version.

    Important

    Because a different SCAP Style Guide (SSG) version exists for each minor version of RHEL, you must edit the rules for each minor version of RHEL separately.

  6. Use the Name filter and search function to locate the rules to remove.

    Note

    With the Name primary filter selected, you can search by the rule name or its identifier.

  7. Uncheck the box next to any rule you want to remove.

    Or, check the box next to any rule you want to add.

  8. Repeat these steps for each RHEL minor version tab.
  9. Click Save.

Verification

  1. Navigate to the Security > Compliance > SCAP policies page and locate the edited policy.
  2. Click on the policy and verify that the included rules are consistent with the edits you made.

3.2.3. Editing included systems

  1. Navigate to the Security > Compliance > SCAP policies page.
  2. Locate the policy you want to edit.
  3. On the right side of the policy row, click the More actions icon, more actions icon , and click Edit policy.
  4. In the Edit popup, click the Systems tab.

    A list of all available systems is displayed.

    Systems that are already included in the policy have a checkmark in the box to the left side of the system name.

    Systems without a checkmark next to the system name are not included in this policy.

  5. Search for a system by name. To include that system in the policy, check the box next to the system name.

    Or, to remove the system from the policy, uncheck the box next to the system name.

  6. Click Save to save your changes.

Verification

  1. Navigate to the Security > Compliance > SCAP policies page and locate the edited policy.
  2. Click on the policy and verify that the included systems are consistent with the edits you made.

3.3. Viewing policy rules

Insights Compliance displays rules in categorized groups, so that similar rules are close together. You can see rules grouped according to category or classification for the compliance checks that will take place for a policy. The nested group structure (or tree view) is the default view. The tree view provides additional contextual information that allows you to see categories of rules, and at times, multiple rules for a policy. The tree view also allows you to see rules that have editable values (for more information about editable rule values, see “Editing values for policy rules”).

You can view rules in the tree view or the classic view. In the classic view, rules appear in a linear list.

highlight view options

You can switch from the tree view to the classic view by toggling between the two buttons under View policy rules.

To see rules listed in tree view format, click the tree view icon ( tree view ).

highlights the tree view and lists rules in the tree view

To see rules listed in the classic view format, click the classic view icon ( classic view ).

highlights the classic view and lists rules in the classic view
Note
  • When you use the filter feature to search for a specific rule, the view automatically switches to the classic view.
  • After you expand a rule to show additional information, it will stay in the expanded view, even if you switch to a different view.

You can switch views when you are:

3.4. Editing values for policy rules

Organizations sometimes need a level of customization for their regulatory compliance policies based on their security requirements. One level of customization is adding or removing the rules that do not apply to your organization’s needs. You can customize your SCAP policies in the compliance service by editing the value of rules within a policy. Editing specific values provides more granular control, allowing accurate tracking to meet organizational security needs. By editing policies to meet your specific needs, you can create a compliance framework that is relevant and meaningful to your security posture.

Understanding Rule Values

A rule can appear more than one time for a given SCAP Security Guide (SSG) version, so it is possible to use the same value for more than one rule within the same SSG version. In such a case, when you update the value of a rule for a given policy in the SSG version, this will not update the rule in other policies. It will only update the rule for the current policy and SSG version you are updating.

Additionally, rules can and will be different from one minor version of RHEL to another. For example, if you have RHEL 8.5 and RHEL 8.7, changing the value of a rule for the RHEL 8.5 rules will not automatically edit the value in RHEL 8.7. You must change values individually for each listed RHEL version, as needed. You will also find that rules in one version are not the same in another version.

Use the following procedure to edit a rule’s values.

Prerequisites

Procedure

  1. Navigate to Security > Compliance > SCAP policies.
  2. Locate the policy you want to edit.
  3. Click on a policy that has a rule that you want to edit.
  4. Click the Rules tab. In the Filter by name field, enter the first few letters of the rule that you want to edit. For this example, enter ANSSI.
  5. Locate the rule that you want to edit, and click the caret beside the rule to expand the content.
  6. Locate the Depends on values field within the expanded text, and click the edit value icon ( edit value ) to change the value. (If you do not see Depends on values, the value is not editable.)
  7. Edit the value. To change back to the default value, click the revert icon ( img compl icon revert ). Check your edit carefully because edited values are not check or validate the entered values. For example, if you enter a symbol in the value field where numeric characters are expected, you will not get an error message.
  8. Click the save icon ( save ) to save the new value. You will see an alert on your screen indicating Rule value updated.
  9. (Optional) To change an edited value back to the default value, click the revert icon ( img compl icon revert ). You will see an alert message: Rule values reset to default. You can revert back to the default value while an edit is in progress or after saving the edit. The presence of the revert icon indicates the value is different from the default value.
Important

Currently, the compliance service does not support rule values that have more than 50 characters or rules that have more than one value.

Note

You can only edit rule values for rules in the SCAP policies section of the compliance service. You can see your edits in Security > Compliance > Reports section, but will not be able to edit them in the reporting section.