Assessing and Monitoring Security Policy Compliance of RHEL Systems

Red Hat Insights 2020-10

Understanding the Security Compliance Status of your Infrastructure

Red Hat Customer Content Services


Assess and track the security-policy compliance status of your RHEL environment to determine compliance level and plan a course of action to resolve compliance issues.
Providing Feedback: If you have a suggestion to improve this documentation, or find an error, submit a Bugzilla report at Select the Cloud Software Services ( product and use the Documentation component.

Chapter 1. Compliance service reporting and assessment

The Red Hat Insights Compliance service enables you to assess and monitor the compliance of your Red Hat Enterprise Linux (RHEL) systems with SCAP security policies.

The Compliance service provides a simple but powerful user interface, enabling the creation, configuration, and management of SCAP security policies. With the filtering and context-adding features built in, administrators can easily identify and manage security compliance issues in the RHEL infrastructure.

This documentation describes some of the functionality of the Compliance service, to help administrators understand Compliance service reporting, manage issues, and get re-mediatingue from Compliance service.

You can also create Ansible playbooks to resolve security compliance issues and share reports with stakeholders to communicate compliance status.

1.1. Requirements and prerequisites

The Compliance service is part of Red Hat Insights, which is included with your Red Hat Enterprise Linux (RHEL) subscription and can be used with all versions of RHEL currently supported by Red Hat. You do not need additional Red Hat subscriptions to use Red Hat Insights and the Compliance service.

Verify the following conditions are met before using the Compliance service:

  • Install and register the Insights client. If your RHEL system does not already have the Insights client installed and operational, follow the Red Hat Insights, Get Started instructions to install and register the client on each system you want to monitor.
  • Set up OpenSCAP. OpenSCAP has been set up for your organization, with SCAP security guides (SSGs) and datastreams, and can report data to the Compliance service. Policies can then be added and modified using the Compliance service. If you are unfamiliar with OpenSCAP, see Getting Started with OpenSCAP.

1.2. Supported configurations

Use the supported version of SCAP Security Guide (SSG) for the RHEL minor version

Accurate reporting requires that you use the correct, Red Hat-supported version of the SCAP Security Guide (SSG) for the RHEL minor version installed on the system. Officially supported versions of the SCAP Security Guide are versions provided in the related minor release of RHEL or in the related batch update of RHEL. If a policy includes one or more systems with an unsupported SSG version installed, an unsupported notification, preceded by the number of affected systems, is visible in Compliance service > Reports.

img compl assess unsupported configuration example

You can still see failed rules on the system with an unsupported version of SSG installed but results may not be considered accurate for compliance reporting purposes. The following conditions apply to the results for unsupported configurations:

  • These results are a “best-guess” effort because using any SSG version other than what is supported by Red Hat can lead to inaccurate results.
  • Results from systems with an unsupported version of SSG installed are not included in the overall compliance assessment for the policy.
  • Remediations are unavailable for rules on systems with an unsupported version of SSG installed.

The following table lists the supported SSG version for each minor version of RHEL. Packages names look like this: scap-security-guide-0.1.43-13.el7. The SSG version in this case is 0.1.43; the release is 13 and architecture is el7. The release number can differ from the version number shown in the table; however, the version number must match as indicated below for it to be a supported configuration.

Table 1.1. Supported versions of the SCAP Security Guide in RHEL

Red Hat Enterprise Linux versionSCAP Security Guide version

RHEL 6.6


RHEL 6.9


RHEL 6.10








RHEL 7.5 (batch update)






RHEL 7.8 (batch update)


RHEL 7.9








RHEL 8.2 (batch update)


RHEL 8.3


1.3. Best practices

To benefit from the best user experience and receive the most accurate information in the Compliance service, Red Hat Insights recommends that you follow a few best practices.

Ensure that your RHEL systems are registered with the Insights client

The Insights client must be installed and registered on the system from which you wish to see Compliance reporting. Enter the insights-client command with the --register option to register your RHEL system with Red Hat Insights:

[root@insights]# insights-client --register

Ensure that the RHEL OS minor version used on the system is visible to the Insights client

The Insights client allows users to redact certain data, including RHEL OS minor version, from the data payload uploaded to Red Hat Insights. If the Compliance service cannot see your RHEL OS minor version, then the supported SCAP Security Guide version cannot be validated and your reporting may not be accurate.

To learn more about data redaction, see the following documentation: Configuring Red Hat Insights client redaction

Define security policies within the Compliance service

As of November 2020, you must create and define your organization’s security policies within the Compliance service. Policies created externally are no longer supported and results for those policies will no longer be included in your results.

Creating policies within the Compliance service enables you to get the most feature-rich user experience and reliable reporting. Associate multiple systems with a policy; be assured of using the Red Hat-supported SSG for your RHEL version; edit which rules are included in the policy, based on your organization’s specific requirements.


The Compliance service will no longer support any externally sourced and uploaded policies after November 2020.

Chapter 2. Managing SCAP security policies in the Compliance service

Create and manage your SCAP security policies entirely within the Compliance service. Define new policies and select the rules and systems you want to associate with them. Edit existing policies as your requirements change.


Unlike other Red Hat Insights services, the Compliance service does not run automatically on a default schedule. In order to upload OpenSCAP data to the Compliance service, you must run insights-client --compliance, either on-demand or on a scheduled job that you set.

2.1. Creating new SCAP policies

To use the Compliance service, you must associate SCAP security policies with your Insights-registered RHEL systems. A policy is defined for a single major release such as RHEL 7 but can span multiple minor versions. If your RHEL servers span across multiple major releases of RHEL, you will need to create one policy per major release. Compliance service users must create their policies within the Compliance service.

To create a new policy using the Compliance service, complete the following steps:


  1. Navigate to the Compliance service > SCAP Policies page and log in if necessary.
  2. Click the blue, Create new policy button to open the Create SCAP policy wizard.
  3. On the Create SCAP policy page of the wizard, make the following selections:

    1. Select the correct RHEL operating system version on the systems you want to monitor.


      SCAP policies are RHEL-version specific. If you want to use the DISA STIG policy type, for example, for systems running RHEL 7 and for systems running RHEL 8, you must create two policies, one for each major version of RHEL.

    2. Select a Policy type.


      The profile options are predetermined by the latest available 'scap-security-guide' for the OS version you chose in the previous step.


      If the policy is already being use for that RHEL version, you can add new systems to it.

    3. Click Next.
  4. On the Policy details page, review the prepopulated information in each field or change as needed to suit your requirements:

    1. Provide a descriptive Policy name.
    2. The Reference ID cannot be changed.
    3. The Description is prepopulated with the policy description from OpenSCAP but you can add more detail.
    4. Specify a Compliance threshold for the systems associated with this policy. In cases where 100% compliance is unrealistic, you can specify an acceptable level of compliance here.
    5. Click Next.
  5. On the Rules page, search or scroll through the list of rules and tailor the policy to your requirements by clearing unneeded rules, then click Next.


    At this time, you can only modify the rule set when the policy is created. Changing rules in existing policies is not currently available.

  6. On the Systems page, check the box next to each system you want to associate with this policy, then click Next.


    Enter a system name in the Search box, or filter by Status or Source to see a subset of your systems.

  7. On the Review page, ensure that the policy information is correct, then click Finish.
  8. On the Compliance service > Reports page, click on your policy and verify that details, including systems, are correct.

2.2. Editing existing policies

Use the following procedure to edit existing policies in the Compliance service to change policy details, business objective, compliance threshold, and included systems.


The ability to edit existing policies is an evolving feature set; additional capabilities are coming soon, including the ability to add or remove the rules included in an existing policy.


  1. Log in to and navigate to the Compliance > SCAP Policies page.
  2. Use the search or filtering functionality to locate the policy to edit.
  3. On the far-right side of the policy row, click the more-actions icon and select Edit policy.
  4. In the Edit <Policy name> card, click each tab to edit the following information:

    1. In Details, edit Policy description, Business objective, and Compliance threshold.
    2. Rule editing is coming soon.
    3. In the Systems tab, select systems to add to the policy, or, using search and filters, find and clear systems that you no longer wish to include.
  5. Navigate to the SCAP Policies page and locate the edited policy.
  6. Click on the policy and verify that the details and included systems are consistent with the edits you made.

Chapter 3. Understanding your Compliance service reporting

The Compliance service displays the latest available OpenSCAP results for each system. View summary results for each policy in Red Hat Insights Compliance > Reports.

For a deeper understanding of compliance status per system, and to reduce the "noise" of many systems reporting data, you can filter and sort your data to see which rules have passed and failed.

The following sections describe ways to refine your data, depending on your location in the Compliance service, to focus on your most important issues.

3.1. SCAP policies

Use the Search function to locate a specific policy by name. Then click on the policy name to see the policy card, which includes the following information:

  • Details. View details such as compliance threshold, business objective, OS and SSG versions.
  • Rules. View and filter the rules included in the specific SSG version of the policy by name and severity, then sort results by rule name, severity, or Ansible Playbook support.
  • Systems. Search by system name to locate a specific system associated with the policy then click the system name to see more information about that system and issues that may affect it.

3.2. Systems

  • The default functionality on this page is to search by system name.
  • Break systems into smaller groups by

    • Name. Search by system name.
    • Policy. Search by policy name and see the systems included in that policy.
    • Operating system. Search by RHEL OS major versions to see only RHEL 7 or RHEL 8 systems.

3.3. Searching

The search function in the Compliance service works in the context of the page you are viewing.

  • SCAP Policies. Search for a specific policy by name.
  • Systems. Search by system name, policy, or RHEL operating system major version.
  • Rules list (single system). The rules list search function allows you to search by the rule name or identifier. Identifiers are shown directly below the rule name.

3.4. Filtering

Filtering is available from multiple views in the Compliance service and filtering options are unique to the page view. The Filters icon is located on the left side of the Search field. Click the down arrow and check the boxes to set filters.

  • Systems list. Filter by Name, Status, and Source.
  • Single system rules list. Filter rules that have passed or not passed, or by rule severity.

3.5. Sorting your data

You can order your results by sorting columns in the Compliance service Systems list and the Rules list for a policy. The following columns are sortable on each list:

  • Compliance service Systems list

    • System name (Alphabetical)
    • Policy name (Alphabetical)
    • Compliance score (Percentage of rules passed on a system)
    • Last scan (Time elapsed since last scan)
  • Rules list for a policy

    • Rule name (Alphabetical)
    • Severity (Low, Medium, High, Critical)
    • Ansible support (Playbook available or not available)

Chapter 4. Reference materials

To learn more about the Compliance service, see the following resources:

Legal Notice

Copyright © 2021 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.