Remediating Security-Policy Compliance issues using Ansible Playbooks

Red Hat Insights 2020-04

Improve Compliance Status with Automated Remediations

Red Hat Customer Content Services

Abstract

Remediate issues resulting in the noncompliance of RHEL systems with adopted security policies.
Providing Feedback: If you have a suggestion to improve this documentation, or find an error, submit a Bugzilla report at http://bugzilla.redhat.com. Select the Cloud Software Services (cloud.redhat.com) product and use the Documentation component.

Chapter 1. Compliance service remediation overview

The Compliance service shows the compliance status of your Red Hat Enterprise Linux (RHEL) environment with adopted OpenSCAP security policies, and identifies the individual rules affecting the compliance of your systems.

For each pairing of a rule and a system, the Compliance service shows the steps to resolve the issue, and enables automated remediation through the creation of Ansible Playbooks.

The Compliance service enables the following approaches to remediating issues:

  • Remediate multiple systems to which a single policy is applied to bring a policy up to an acceptable threshold of compliance.
  • Remediate multiple rules, whether for one or more policies, affecting the compliance status of a single system.

Chapter 2. Remediating systems to improve the compliance threshold of a selected policy

Complete the following steps to remediate systems affecting the compliance threshold of a policy:

Procedure

  1. Navigate to the Compliance service > SCAP Policies page and click on a policy.
  2. Click the Systems tab.
  3. Check the boxes for the systems you want to remediate and click Remediate.
  4. Select whether to add the remediations to an existing or new playbook and take one of the following actions:

    1. Click Existing Playbook and select the desired playbook from the dropdown list, OR
    2. Click Create new Playbook and add a playbook name.
    3. Click Next.
  5. Review the information in the summary.

    1. Scroll to the bottom of the summary and toggle Auto Reboot if available and desired.
    2. Click Create.

Verification steps

  1. Select Remediations in the Red Hat Insights services menu.
  2. Locate the playbook you just created and check the box next to it.
  3. Download the playbook using the Download playbook link.

Chapter 3. Remediating rules from multiple policies to improve the compliance score of a system

Complete the following steps to remediate rules affecting the compliance score of a system:

Procedure

  1. Navigate to the Compliance service > Reports page and click the By System tab.
  2. Click on a system.
  3. Scroll down to see the list of rules impacting the system.
  4. Use filters to refine the list to expose the most critical rules.
  5. Check the boxes next to the rules to remediate and click Remediate.
  6. Select whether to add to an existing or new playbook and take one of the following actions:

    1. Click Existing Playbook and select the desired playbook from the dropdown list, OR
    2. Click Create new Playbook and add a playbook name.
    3. Click Next.
  7. Review the information in the summary.

    1. Scroll to the bottom of the summary and toggle Auto Reboot if available and desired.
    2. Click Create.

Verification steps

  1. Select Remediations in the Red Hat Insights services menu.
  2. Locate the playbook you just created and check the box next to it.
  3. Download the playbook using the Download playbook link.
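
Both procedures (Chapter 2 and Chapter 3) end with a downloaded playbook. Before running it, confirm that it targets only the systems you selected and that its reboot behaviour matches the Auto Reboot choice from the summary step. The following shell script is an added example, not Red Hat code; the sample playbook, the host names, and the function names are constructed for illustration, and a real download may be laid out differently.

```shell
# Added example: pre-flight review of a downloaded remediation playbook.
# The sample playbook below is constructed; a real download may differ.

# Distinct hosts targeted by any play, one per line, sorted.
playbook_hosts() {
  tr -d "\"'" < "$1" | awk '/^[ \t]*(- )?hosts:/ {
    sub(/^[ \t]*(- )?hosts:[ \t]*/, "")
    sub(/[ \t]+$/, "")
    n = split($0, h, /[ \t]*,[ \t]*/)
    for (i = 1; i <= n; i++) if (h[i] != "") print h[i]
  }' | sort -u
}

# Line-numbered entries that restart the machine (reboot module or restart commands).
playbook_reboot_lines() {
  grep -nE '^[[:space:]]*(- )?(ansible\.builtin\.)?reboot:|shutdown[[:space:]]+-r|systemctl[[:space:]]+reboot' "$1" || true
}

# usage: review_playbook FILE yes|no HOST...
# Returns 0 only if the playbook targets exactly the given hosts and its
# reboot behaviour matches the Auto Reboot choice (yes or no).
review_playbook() {
  file=$1; want_reboot=$2; shift 2
  expected=$(printf '%s\n' "$@" | sort -u)
  actual=$(playbook_hosts "$file")
  if [ -n "$(playbook_reboot_lines "$file")" ]; then has_reboot=yes; else has_reboot=no; fi
  rc=0
  [ "$expected" = "$actual" ] || { echo "SCOPE MISMATCH: selected [$(echo $expected)] playbook targets [$(echo $actual)]"; rc=1; }
  [ "$want_reboot" = "$has_reboot" ] || { echo "REBOOT MISMATCH: expected=$want_reboot found=$has_reboot"; rc=1; }
  return $rc
}

SAMPLE=$(mktemp)   # constructed sample standing in for the downloaded file
cat > "$SAMPLE" <<'EOF'
- name: constructed hardening play
  hosts: "web01.example.com,db01.example.com"
  tasks:
    - name: constructed task
      lineinfile: {path: /etc/ssh/sshd_config, line: PermitRootLogin no}
- name: constructed reboot play
  hosts: "web01.example.com,db01.example.com"
  tasks:
    - name: restart after remediation
      reboot:
EOF

review_playbook "$SAMPLE" yes web01.example.com db01.example.com && echo "playbook matches selection"
# Next, on the control node: ansible-playbook --syntax-check, then --check --diff, before a real run.
```

A mismatch in either check is a reason to reopen the playbook in the Remediations service rather than edit the downloaded file by hand.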

Chapter 4. Reference materials

To learn more about the Red Hat Insights service, or the other {GUIName_short}, the following resources might also be of interest:

Chapter 5. Important changes with the 2020-04 release of Red Hat Insights

The 2020-04 release of Red Hat Insights includes significant changes to the application features and services.

Changes to the Red Hat Insights application

The Red Hat Insights application now includes the services that were previously bundled with the Cloud Management Services for RHEL application, and were part of the Red Hat Smart Management bundle, along with Red Hat Satellite.

The former cloud management services, plus a couple of new services, are now included in the value that Insights brings to each Red Hat Enterprise Linux (RHEL) subscription.

Insights Advisor

The tools and capabilities that constituted Red Hat Insights prior to this release are now available as the Advisor service. The rules that have always been the currency of Insights are now called Advisor Recommendations.

Insights security rules have moved

The CVE security rules that were previously curated by the Insights rules team are now included with all other Red Hat CVEs in the Vulnerability service. Security rules are high profile CVEs, some of which have been through the Customer Security Awareness Program. They are identifiable in the Vulnerability service by a security rule icon. You can also filter security rules in the Vulnerability service.

Services included with Red Hat Insights

The services included with Red Hat Insights in the 2020-04 release are:

  • Advisor. Identify and fix configuration issues that can negatively impact the availability, performance, stability, and security of RHEL systems.
  • Vulnerability. Assess and monitor the exposure of your RHEL environment to CVEs and security rules.
  • Compliance. Assess and monitor the compliance of your RHEL systems with SCAP security policies.
  • Patch. Enable consistent patch workflows for RHEL systems across the open hybrid cloud.
  • Drift. Compare system configurations of a system over time, or to other systems and baselines, to identify discrepancies in your environment and perform drift analysis.
  • Policies. Evaluate and react to system configuration changes in your environment.

The integrated tools that work with each of the services above are:

  • Inventory. Topological inventory of RHEL systems under Red Hat Insights management
  • Remediations. Repository of Ansible Playbooks that you create and manage using Red Hat Insights
  • Subscription Watch. Comprehensive, product-by-product, account-level subscription reporting service across hybrid cloud deployments

Legal Notice

Copyright © 2020 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.