Assessing and Monitoring Security Policy Compliance of RHEL Systems
Understanding the Security Compliance Status of your Infrastructure
Chapter 1. Compliance service reporting and assessment
The Red Hat Insights Compliance service enables you to assess and monitor the compliance of your Red Hat Enterprise Linux (RHEL) systems with SCAP security policies.
The Compliance service provides a simple but powerful user interface, enabling the creation, configuration, and management of SCAP security policies. With the filtering and context-adding features built in, administrators can easily identify and manage security compliance issues in the RHEL infrastructure.
This documentation describes some of the functionality of the Compliance service, to help administrators understand Compliance service reporting, manage issues, and obtain remediation guidance from the Compliance service.
You can also create Ansible playbooks to resolve security compliance issues and share reports with stakeholders to communicate compliance status.
1.1. Requirements and prerequisites
The Compliance service is part of Red Hat Insights, which is included with your Red Hat Enterprise Linux (RHEL) subscription and can be used with all versions of RHEL currently supported by Red Hat. You do not need additional Red Hat subscriptions to use Red Hat Insights and the Compliance service.
Verify the following conditions are met before using the Compliance service:
- Install and register the Insights client. If your RHEL system does not already have the Insights client installed and operational, follow the Red Hat Insights, Get Started instructions to install and register the client on each system you want to monitor.
- Set up OpenSCAP. Ensure that OpenSCAP has been set up for your organization, with SCAP Security Guide (SSG) content and datastreams, and that it can report data to the Compliance service. Policies can then be added and modified using the Compliance service. If you are unfamiliar with OpenSCAP, see Getting Started with OpenSCAP.
1.2. Supported configurations
Use the supported version of SCAP Security Guide (SSG) for the RHEL minor version
Accurate reporting requires that you use the correct, Red Hat-supported version of the SCAP Security Guide (SSG) for the RHEL minor version installed on the system. Officially supported versions of the SCAP Security Guide are versions provided in the related minor release of RHEL or in the related batch update of RHEL. If a policy includes one or more systems with an unsupported SSG version installed, an unsupported notification, preceded by the number of affected systems, is visible in Compliance service > Reports.
You can still see failed rules on the system with an unsupported version of SSG installed but results may not be considered accurate for compliance reporting purposes. The following conditions apply to the results for unsupported configurations:
- These results are a “best-guess” effort because using any SSG version other than what is supported by Red Hat can lead to inaccurate results.
- Results from systems with an unsupported version of SSG installed are not included in the overall compliance assessment for the policy.
- Remediations are unavailable for rules on systems with an unsupported version of SSG installed.
The following table lists the supported SSG version for each minor version of RHEL. Package names look like this:
scap-security-guide-0.1.43-13.el7. The SSG version in this case is 0.1.43, the release is 13, and el7 is the distribution tag identifying the RHEL 7 build. The release number on your system may differ; however, the version number must match the table below for the configuration to be supported.
Table 1.1. Supported versions of the SCAP Security Guide in RHEL
|Red Hat Enterprise Linux version||SCAP Security Guide version|
RHEL 7.2 AUS
RHEL 7.3 AUS
RHEL 7.4 AUS, E4S
RHEL 7.5 (batch update)
RHEL 7.6 EUS
RHEL 7.7 EUS
RHEL 7.8 (batch update)
RHEL 8.0 SAP
RHEL 8.1 EUS
RHEL 8.2 (batch update)
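The following script is an added example and is not part of the Red Hat documentation. It parses the scap-security-guide package name in the form described above (version, release, dist tag), reads the RHEL minor version from an os-release file, and reports whether the installed SSG version matches the version the caller expects. The expected version is an input taken from Table 1.1; the sample package names and os-release content below are constructed for illustration, and the value 0.1.43 is used only because it is the page's own example, not as the entry for RHEL 7.8.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: check whether the
# scap-security-guide package on a system is the SSG version expected for
# its RHEL minor version. The expected version is supplied by the caller
# (from Table 1.1); sample inputs below are constructed.

# Print the SSG version (e.g. 0.1.43) from a package NVR such as
# scap-security-guide-0.1.43-13.el7. "rpm -q" appends the architecture
# (.noarch), which is stripped first.
ssg_version() {
    nvr=${1%.noarch}
    rest=${nvr#scap-security-guide-}     # 0.1.43-13.el7
    printf '%s\n' "${rest%%-*}"          # 0.1.43
}

# Print the release and dist tag (e.g. 13.el7) from the same NVR.
ssg_release() {
    nvr=${1%.noarch}
    rest=${nvr#scap-security-guide-}
    printf '%s\n' "${rest#*-}"
}

# Print VERSION_ID (e.g. 7.8) from an os-release file. On a live system use
# /etc/os-release. If the Insights client redacts this value, the Compliance
# service cannot validate the SSG version (see section 1.3).
rhel_version_id() {
    sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"'
}

# Return 0 when the installed SSG version equals the expected version.
# Only the version must match; the release number may differ.
ssg_supported() {
    [ "$(ssg_version "$1")" = "$2" ]
}

# Print a one-line verdict: report NVR OS_RELEASE_FILE EXPECTED_VERSION
report() {
    rhel=$(rhel_version_id "$2")
    if ssg_supported "$1" "$3"; then
        printf 'RHEL %s: SSG %s supported (release %s)\n' \
            "$rhel" "$(ssg_version "$1")" "$(ssg_release "$1")"
    else
        printf 'RHEL %s: SSG %s UNSUPPORTED, expected %s; results are best-effort and remediations are unavailable\n' \
            "$rhel" "$(ssg_version "$1")" "$3"
    fi
}

# Constructed sample os-release standing in for /etc/os-release.
SAMPLE_OS_RELEASE=$(mktemp)
trap 'rm -f "$SAMPLE_OS_RELEASE"' EXIT
printf 'NAME="Red Hat Enterprise Linux Server"\nVERSION_ID="7.8"\n' > "$SAMPLE_OS_RELEASE"

# On a real host the NVR comes from: rpm -q scap-security-guide
# The expected version here is illustrative; take the real value from Table 1.1.
report scap-security-guide-0.1.43-13.el7.noarch "$SAMPLE_OS_RELEASE" 0.1.43
report scap-security-guide-0.1.50-1.el7         "$SAMPLE_OS_RELEASE" 0.1.43
```

Run it on each host before trusting a policy's compliance score: a system flagged UNSUPPORTED here is the same system the Reports page counts in its unsupported notification, and its results are excluded from the policy assessment.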
1.3. Best practices
To benefit from the best user experience and receive the most accurate information in the Compliance service, Red Hat Insights recommends that you follow a few best practices.
Ensure that your RHEL systems are registered with the Insights client
The Insights client must be installed and registered on the system from which you wish to see Compliance reporting. Enter the insights-client command with the --register option to register your RHEL system with Red Hat Insights:
[root@insights]# insights-client --register
Ensure that the RHEL OS minor version used on the system is visible to the Insights client
The Insights client allows users to redact certain data, including RHEL OS minor version, from the data payload uploaded to Red Hat Insights. If the Compliance service cannot see your RHEL OS minor version, then the supported SCAP Security Guide version cannot be validated and your reporting may not be accurate.
To learn more about data redaction, see the following documentation: Configuring Red Hat Insights client redaction
Define security policies within the Compliance service
As of November 2020, you must create and define your organization's security policies within the Compliance service. Policies created externally and uploaded are no longer supported, and results for those policies are no longer included in your reports.
Creating policies within the Compliance service gives you the most feature-rich user experience and reliable reporting: associate multiple systems with a policy, be assured of using the Red Hat-supported SSG for your RHEL version, and edit which rules are included in the policy based on your organization's specific requirements.
Chapter 2. Managing SCAP security policies in the Compliance service
Create and manage your SCAP security policies entirely within the Compliance service. Define new policies and select the rules and systems you want to associate with them. Edit existing policies as your requirements change.
Unlike other Red Hat Insights services, the Compliance service does not run automatically on a default schedule. To upload OpenSCAP data to the Compliance service, you must run insights-client --compliance, either on demand or from a scheduled job that you set up yourself.
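Because nothing runs the scan for you, a host that is never scheduled simply drops out of the "Last scan" column and its report goes stale. The script below is an added example, not Red Hat's code: it writes a systemd service and timer that run insights-client --compliance on a schedule. The unit names (insights-compliance.service and insights-compliance.timer), the weekly default and the path /usr/bin/insights-client are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: generate a systemd
# service and timer that run "insights-client --compliance" on a schedule,
# because the Compliance service does not upload results on its own.
# The unit names and the path /usr/bin/insights-client are assumptions.

# write_compliance_units DIR [CALENDAR]
# Writes insights-compliance.service and insights-compliance.timer into DIR.
# CALENDAR is a systemd OnCalendar expression (default: weekly).
write_compliance_units() {
    dir=$1
    calendar=${2:-weekly}

    # oneshot: the scan runs to completion each time the timer fires.
    cat > "$dir/insights-compliance.service" <<'EOF'
[Unit]
Description=Upload OpenSCAP results to Red Hat Insights Compliance
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/insights-client --compliance
EOF

    # Persistent=true runs a scan missed while the host was powered off as
    # soon as it boots; RandomizedDelaySec spreads uploads across a fleet.
    cat > "$dir/insights-compliance.timer" <<EOF
[Unit]
Description=Scheduled Red Hat Insights Compliance scan

[Timer]
OnCalendar=$calendar
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Usage on a RHEL host, as root:
#   write_compliance_units /etc/systemd/system weekly
#   systemctl daemon-reload
#   systemctl enable --now insights-compliance.timer
#   systemctl list-timers insights-compliance.timer
if [ $# -ge 1 ]; then
    write_compliance_units "$@"
fi
```

After enabling the timer, confirm on the Compliance service > Reports page that the system's Last scan value advances on the schedule you chose; a host whose Last scan never changes is one whose timer is not firing or whose upload is failing.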
2.1. Creating new SCAP policies
To use the Compliance service, you must associate SCAP security policies with your Insights-registered RHEL systems. A policy is defined for a single major release such as RHEL 7 but can span multiple minor versions. If your RHEL servers span across multiple major releases of RHEL, you will need to create one policy per major release. Compliance service users must create their policies within the Compliance service.
To create a new policy using the Compliance service, complete the following steps:
- Navigate to the Compliance service > SCAP Policies page and log in if necessary.
- Click the blue Create new policy button to open the Create SCAP policy wizard.
On the Create SCAP policy page of the wizard, make the following selections:
- Select the RHEL operating system version running on the systems you want to monitor.
Note: SCAP policies are RHEL-version specific. If you want to use the DISA STIG policy type, for example, for systems running RHEL 7 and for systems running RHEL 8, you must create two policies, one for each major version of RHEL.
- Select a Policy type.
Note: The profile options are predetermined by the latest available scap-security-guide for the OS version you chose in the previous step.
Note: If that policy type is already in use for the selected RHEL version, you can add new systems to the existing policy instead of creating another one.
- Click Next.
On the Policy details page, review the prepopulated information in each field or change as needed to suit your requirements:
- Provide a descriptive Policy name.
- The Reference ID cannot be changed.
- The Description is prepopulated with the policy description from OpenSCAP but you can add more detail.
- Specify a Compliance threshold for the systems associated with this policy. In cases where 100% compliance is unrealistic, you can specify an acceptable level of compliance here.
- Click Next.
On the Rules page, search or scroll through the list of rules and tailor the policy to your requirements by clearing unneeded rules, then click Next.
Note: At this time, you can only modify the rule set when the policy is created. Changing rules in existing policies is not currently available.
On the Systems page, check the box next to each system you want to associate with this policy, then click Next.
Note: Enter a system name in the Search box, or filter by Status or Source to see a subset of your systems.
- On the Review page, ensure that the policy information is correct, then click Finish.
- On the Compliance service > Reports page, click on your policy and verify that details, including systems, are correct.
2.2. Editing existing policies
Use the following procedure to edit existing policies in the Compliance service to change policy details, business objective, compliance threshold, and included systems.
The ability to edit existing policies is an evolving feature set; additional capabilities are coming soon, including the ability to add or remove the rules included in an existing policy.
- Log in to cloud.redhat.com and navigate to the Compliance > SCAP Policies page.
- Use the search or filtering functionality to locate the policy to edit.
- On the far-right side of the policy row, click the more-actions icon and select Edit policy.
In the Edit <Policy name> card, click each tab to edit the following information:
- In Details, edit Policy description, Business objective, and Compliance threshold.
- Rule editing is coming soon.
- In the Systems tab, select systems to add to the policy, or, using search and filters, find and clear systems that you no longer wish to include.
- Navigate to the SCAP Policies page and locate the edited policy.
- Click on the policy and verify that the details and included systems are consistent with the edits you made.
Chapter 3. Understanding your Compliance service reporting
The Compliance service displays the latest available OpenSCAP results for each system. View summary results for each policy in Red Hat Insights Compliance > Reports.
For a deeper understanding of compliance status per system, and to reduce the "noise" of many systems reporting data, you can filter and sort your data to see which rules have passed and failed.
The following sections describe ways to refine your data, depending on your location in the Compliance service, to focus on your most important issues.
3.1. SCAP policies
Use the Search function to locate a specific policy by name. Then click on the policy name to see the policy card, which includes the following information:
- Details. View details such as compliance threshold, business objective, OS and SSG versions.
- Rules. View and filter the rules included in the specific SSG version of the policy by name and severity, then sort results by rule name, severity, or Ansible Playbook support.
- Systems. Search by system name to locate a specific system associated with the policy then click the system name to see more information about that system and issues that may affect it.
3.2. Systems
The default functionality on this page is to search by system name. Break systems into smaller groups by:
- Name. Search by system name.
- Policy. Search by policy name and see the systems included in that policy.
- Operating system. Search by RHEL OS major versions to see only RHEL 7 or RHEL 8 systems.
3.3. Searching your data
The search function in the Compliance service works in the context of the page you are viewing.
- SCAP Policies. Search for a specific policy by name.
- Systems. Search by system name, policy, or RHEL operating system major version.
- Rules list (single system). The rules list search function allows you to search by the rule name or identifier. Identifiers are shown directly below the rule name.
3.4. Filtering your data
Filtering is available from multiple views in the Compliance service, and the filtering options are specific to each page view. The Filters icon is located on the left side of the Search field. Click the down arrow and check the boxes to set filters.
- Systems list. Filter by Name, Status, and Source.
- Single system rules list. Filter rules that have passed or not passed, or by rule severity.
3.5. Sorting your data
You can order your results by sorting columns in the Compliance service Systems list and the Rules list for a policy. The following columns are sortable on each list:
Compliance service Systems list
- System name (Alphabetical)
- Policy name (Alphabetical)
- Compliance score (Percentage of rules passed on a system)
- Last scan (Time elapsed since last scan)
Rules list for a policy
- Rule name (Alphabetical)
- Severity (Low, Medium, High, Critical)
- Ansible support (Playbook available or not available)
Chapter 4. Reference materials
To learn more about the Compliance service, see the following resources: