Assessing and Monitoring Security Policy Compliance of RHEL Systems
Understanding the Security Compliance Status of your Infrastructure
Chapter 1. Compliance service reporting and assessment
The Red Hat Insights Compliance service enables you to assess and monitor the compliance of your Red Hat Enterprise Linux (RHEL) systems with SCAP security policies.
The Compliance service provides a simple but powerful user interface, enabling the creation, configuration, and management of SCAP security policies. With the filtering and context-adding features built in, administrators can easily identify and manage security compliance issues in the RHEL infrastructure.
This documentation describes some of the functionality of the Compliance service, to help administrators understand Compliance service reporting, manage issues, and get maximum value from the Compliance service.
You can also create Ansible playbooks to resolve security compliance issues and share reports with stakeholders to communicate compliance status. For more information about remediating compliance issues and generating reports, see the following documentation:
1.1. Requirements and prerequisites
The Compliance service is part of Red Hat Insights, which is included with your Red Hat Enterprise Linux (RHEL) subscription and can be used with all versions of RHEL currently supported by Red Hat. You do not need additional Red Hat subscriptions to use Red Hat Insights and the Compliance service.
Verify the following conditions are met before using the Compliance service:
- Install and register the Insights client. If your RHEL system does not already have the Insights client installed and operational, follow the Red Hat Insights, Get Started instructions to install and register the client on each system you want to monitor.
- Set up OpenSCAP. OpenSCAP has been set up for your organization, with SCAP security guides (SSGs) and datastreams, and can report data to the Compliance service. Policies can then be added and modified using the Compliance service. If you are unfamiliar with OpenSCAP, see Getting Started with OpenSCAP.
1.2. Supported configurations
Use the supported version of SCAP Security Guide (SSG) for the RHEL minor version
Regardless of whether you define a policy within Compliance or upload reports for policies defined and managed outside of the Compliance service, accurate reporting requires that you use the Red Hat-supported version of the SCAP Security Guide (SSG) for the RHEL minor version installed on the system. Systems using unsupported SCAP versions are identified in the application.
Reports from systems using unsupported SSG versions will be displayed by the Compliance service with the following conditions:
- These results will be a “best-guess” effort, because using any version other than the supported one outlined above can lead to inaccurate results.
- Reports for unsupported configurations will not be used to determine a compliance score for a policy.
- Remediations will not be available with such results.
The following table lists the supported version of scap-security-guide for each minor version of RHEL:
Officially supported versions of the SCAP Security Guide are versions provided in the related minor release of RHEL or in the related batch update of RHEL.
Table 1.1. Supported versions of the SCAP Security Guide in RHEL
|Red Hat Enterprise Linux version||SCAP Security Guide version|
RHEL 7.2 AUS
RHEL 7.3 AUS
RHEL 7.4 AUS, E4S
RHEL 7.5 (batch update)
RHEL 7.6 EUS
RHEL 7.7 EUS
RHEL 7.8 (batch update)
RHEL 8.0 SAP
RHEL 8.1 EUS
RHEL 8.2 (batch update)
1.3. Best practices
To benefit from the best user experience and receive the most accurate information in the Compliance service, Red Hat recommends that you follow a few best practices.
Ensure that your RHEL systems are registered with the Insights client
The Insights client must be installed and registered on the system from which you wish to see Compliance reporting. Enter the insights-client command with the --register option to register your RHEL system with Insights:
[root@insights]# insights-client --register
Ensure that the RHEL OS minor version used on the system is visible to the Insights client
The Insights client allows users to redact certain data, including RHEL OS minor version, from the data payload uploaded to Red Hat Insights. If the Compliance service cannot see your RHEL OS minor version, then the supported SCAP Security Guide version cannot be validated and your reporting may not be accurate.
To learn more about data redaction, see the following documentation: Configuring Red Hat Insights client redaction
Define security policies within the Compliance service
Red Hat recommends that you create and define your organization’s security policies within the Compliance service to get the most feature-rich user experience and reliable reporting.
When you create a policy within the Compliance service, you can associate multiple systems with it, be assured of using the supported SSG for your RHEL version, and edit which rules are included, based on your organization’s needs.
Reports for policies defined outside of the Compliance service will be visible within the Compliance service, but you will not be able to use many of the features available to internally defined policies.
The Compliance service will no longer support any externally sourced and uploaded policies after Summit 2021.
Chapter 2. Managing SCAP security policies in the Compliance service
Create and manage your SCAP security policies entirely within the Compliance service. Define new policies and select the rules and systems you want to associate with them. Edit existing policies as your requirements change.
Unlike other Red Hat Insights services, the Compliance service does not run automatically on a default schedule. In order to upload OpenSCAP data to the Compliance service, you must run insights-client --compliance, either on-demand or on a scheduled job that you set.
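A wrapper for that scheduled job, as an added example that is not part of the Red Hat documentation: it runs insights-client --compliance under a lock so runs cannot overlap, records the last successful upload, and lets monitoring flag a system whose uploads have stopped. The function names, STATE_DIR, the script path and the cron lines are assumptions; only insights-client --compliance comes from this page.

```bash
#!/bin/bash
# Added example, not Red Hat code. Function names, STATE_DIR and the
# script path are hypothetical; only `insights-client --compliance`
# comes from the documentation above.

INSIGHTS_CLIENT="${INSIGHTS_CLIENT:-insights-client}"
STATE_DIR="${STATE_DIR:-/var/lib/compliance-upload}"

# Run one upload. Returns 0 on success, 2 if the client is not
# installed, 3 if another run holds the lock, 4 if the upload failed.
compliance_upload() {
    command -v "$INSIGHTS_CLIENT" >/dev/null 2>&1 || return 2
    mkdir -p "$STATE_DIR" || return 4
    # mkdir is atomic, so the directory doubles as a lock that keeps
    # a slow scan from overlapping with the next scheduled one.
    mkdir "$STATE_DIR/lock" 2>/dev/null || return 3
    if "$INSIGHTS_CLIENT" --compliance; then
        date +%s > "$STATE_DIR/last_success"
        upload_rc=0
    else
        upload_rc=4
    fi
    rmdir "$STATE_DIR/lock"
    return "$upload_rc"
}

# Return 0 (stale) when the last successful upload is older than $1
# hours or never happened, 1 otherwise. A lock left behind by a killed
# run blocks later uploads, and shows up here as a stale system.
upload_is_stale() {
    max_age=$(( $1 * 3600 ))
    [ -r "$STATE_DIR/last_success" ] || return 0
    last=$(cat "$STATE_DIR/last_success")
    now=$(date +%s)
    [ $(( now - last )) -gt "$max_age" ]
}

# Entry point for cron or a systemd timer, e.g. in /etc/cron.d:
#   15 3 * * * root /usr/local/sbin/compliance-upload.sh run
#   45 9 * * * root /usr/local/sbin/compliance-upload.sh check 26
case "${1:-}" in
    run)   compliance_upload; exit $? ;;
    check) upload_is_stale "${2:-24}" && { echo "compliance upload stale" >&2; exit 1; }
           exit 0 ;;
esac
```

The check mode exits non-zero when no successful upload has been recorded within the given number of hours, so it can feed whatever alerting already watches cron job failures.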
2.1. Creating new SCAP policies
To use the Compliance service, you have to associate SCAP security policies with your Insights-registered RHEL systems. Red Hat recommends that Compliance service users create their security policies directly within the service to get the most value and feature-rich user experience. Compliance reports uploaded from an external source, without a policy defined in the Compliance service, cannot be edited to include a business objective or compliance threshold, eliminating the ability to add important context to policies.
Reports in Compliance > Reports are grouped by SCAP Security Guide (SSG) version. When multiple RHEL 7 systems use the same policy, but those systems run different minor versions of RHEL, there will be a separate policy report for each version of SSG.
To create a new policy using the Compliance service, complete the following steps:
- Navigate to the Compliance service > SCAP Policies page and log in if necessary.
- Click the blue Create new policy button to open the Create SCAP policy wizard.
On the Create SCAP policy page of the wizard, make the following selections:
- Select the correct RHEL operating system version on the systems you want to monitor.
Note: SCAP policies are RHEL-version specific. If you want to use the DISA STIG policy type, for example, for systems running RHEL 7 and for systems running RHEL 8, you must create two policies, one for each major version of RHEL.
- Select a Policy type.
Note: The profile options are predetermined by the latest available 'scap-security-guide' for the OS version you chose in the previous step.
Note: If the policy is already being used for that RHEL version, you can add new systems to it.
- Click Next.
On the Policy details page, review the prepopulated information in each field or change as needed to suit your requirements:
- Provide a descriptive Policy name.
- The Reference ID cannot be changed.
- The Description is prepopulated with the policy description from OpenSCAP but you can add more detail.
- Specify a Compliance threshold for the systems associated with this policy. In cases where 100% compliance is unrealistic, you can specify an acceptable level of compliance here.
- Click Next.
On the Rules page, search or scroll through the list of rules and tailor the policy to your requirements by clearing unneeded rules, then click Next.
Note: At this time, you can only modify the rule set when the policy is created. Changing rules in existing policies is not currently available.
On the Systems page, check the box next to each system you want to associate with this policy, then click Next.
Note: Enter a system name in the Search box, or filter by Status or Source to see a subset of your systems.
- On the Review page, ensure that the policy information is correct, then click Finish.
- On the Compliance service > Reports page, click on your policy and verify that details, including systems, are correct.
2.2. Editing existing policies
Use the following procedure to edit existing policies in the Compliance service to change policy details, business objective, compliance threshold, and included systems.
The ability to edit existing policies is an evolving feature set; additional capabilities are coming soon, including the ability to add or remove the rules included in an existing policy.
- Log in to cloud.redhat.com and navigate to the Compliance > SCAP Policies page.
- Use the search or filtering functionality to locate the policy to edit.
- On the far-right side of the policy row, click the more-actions icon and select Edit policy.
In the Edit <Policy name> card, click each tab to edit the following information:
- In Details, edit Policy description, Business objective, and Compliance threshold.
- Rule editing is coming soon.
- In the Systems tab, select systems to add to the policy, or, using search and filters, find and clear systems that you no longer wish to include.
- Navigate to the SCAP Policies page and locate the edited policy.
- Click on the policy and verify that the details and included systems are consistent with the edits you made.
Chapter 3. Understanding your Compliance service reporting
The Compliance service displays the latest available OpenSCAP results for each system. View summary results for each policy in Red Hat Insights Compliance > Reports.
For a deeper understanding of compliance status per system, and to reduce the "noise" of many systems reporting data, you can filter and sort your data to see which rules have passed and failed.
The following sections describe ways to refine your data, depending on your location in the Compliance service, to focus on your most important issues.
3.1. SCAP policies
Use the Search function to locate a specific policy by name. Then click on the policy name to see the policy card, which includes the following information:
- Details. View details such as compliance threshold, business objective, OS and SSG versions.
- Rules. View and filter the rules included in the specific SSG version of the policy by name and severity, then sort results by rule name, severity, or Ansible Playbook support.
- Systems. Search by system name to locate a specific system associated with the policy, then click the system name to see more information about that system and issues that may affect it.
- The default functionality on this page is to search by system name.
Break systems into smaller groups by:
- Name. Search by system name.
- Policy. Search by policy name and see the systems included in that policy.
- Operating system. Search by RHEL OS major versions to see only RHEL 7 or RHEL 8 systems.
The search function in the Compliance service works in the context of the page you are viewing.
- SCAP Policies. Search for a specific policy by name.
- Systems. Search by system name, policy, or RHEL operating system major version.
- Rules list (single system). The rules list search function allows you to search by the rule name or identifier. Identifiers are shown directly below the rule name.
Filtering is available from multiple views in the Compliance service and filtering options are unique to the page view. The Filters icon is located on the left side of the Search field. Click the down arrow and check the boxes to set filters.
- Systems list. Filter by Name, Status, and Source.
- Single system rules list. Filter rules that have passed or not passed, or by rule severity.
3.5. Sorting your data
You can order your results by sorting columns in the Compliance service Systems list and the Rules list for a policy. The following columns are sortable on each list:
Compliance service Systems list
- System name (Alphabetical)
- Policy name (Alphabetical)
- Compliance score (Percentage of rules passed on a system)
- Last scan (Time elapsed since last scan)
Rules list for a policy
- Rule name (Alphabetical)
- Severity (Low, Medium, High, Critical)
- Ansible support (Playbook available or not available)
Chapter 4. Reference materials
To learn more about the Compliance service, see the following resources: