Chapter 2. Managing SCAP security policies in the Compliance service
Create and manage your SCAP security policies entirely within the Compliance service. Define new policies and select the rules and systems you want to associate with them. Edit existing policies as your requirements change.
Unlike other Red Hat Insights services, the Compliance service does not run automatically on a default schedule. In order to upload OpenSCAP data to the Compliance service, you must run insights-client --compliance, either on demand or from a scheduled job that you set up.
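The documentation leaves the scheduling of insights-client --compliance to you. The following is an added example (not part of the Red Hat documentation) showing one way to do it with a systemd timer: a shell function writes a oneshot service unit that runs the command and a timer unit that triggers it weekly, with a randomized delay so a fleet does not upload at the same instant and Persistent=true so a run missed while the host was down is caught up on boot. The unit names (insights-compliance.service and insights-compliance.timer), the weekly schedule, and the /usr/bin/insights-client path are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example: schedule `insights-client --compliance` with a systemd timer.
# Unit names, schedule and the binary path are assumptions, not values from
# the Red Hat documentation.

# Write the service and timer units into the directory given as $1.
write_compliance_units() {
  dir="$1"
  cat > "$dir/insights-compliance.service" <<'EOF'
[Unit]
Description=Upload OpenSCAP results to Red Hat Insights Compliance
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/insights-client --compliance
EOF

  cat > "$dir/insights-compliance.timer" <<'EOF'
[Unit]
Description=Weekly upload of OpenSCAP results to Insights Compliance

[Timer]
# Assumed schedule: once a week, spread over an hour across the fleet.
OnCalendar=weekly
RandomizedDelaySec=1h
# Run at next boot if the host was down when the timer elapsed.
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Sanity check: the service runs the documented command and the timer has a schedule.
verify_compliance_units() {
  grep -q 'insights-client --compliance' "$1/insights-compliance.service" &&
  grep -q '^OnCalendar=' "$1/insights-compliance.timer"
}

# Usage (as root): sh schedule-compliance.sh install
# Writes the units to /etc/systemd/system, reloads systemd and enables the timer.
if [ "${1:-}" = "install" ]; then
  write_compliance_units /etc/systemd/system
  verify_compliance_units /etc/systemd/system || exit 1
  systemctl daemon-reload
  systemctl enable --now insights-compliance.timer
fi
```

After enabling the timer, `systemctl list-timers insights-compliance.timer` shows the next scheduled run, and `journalctl -u insights-compliance.service` holds the output of each upload, which is where to look if a system stops appearing with fresh results in the Compliance service.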
2.1. Creating new SCAP policies
To use the Compliance service, you must associate SCAP security policies with your Insights-registered RHEL systems. A policy is defined for a single major release such as RHEL 7 but can span multiple minor versions. If your RHEL servers span across multiple major releases of RHEL, you will need to create one policy per major release. Compliance service users must create their policies within the Compliance service.
To create a new policy using the Compliance service, complete the following steps:
- Navigate to the Compliance service > SCAP Policies page and log in if necessary.
- Click the blue, Create new policy button to open the Create SCAP policy wizard.
- On the Create SCAP policy page of the wizard, make the following selections:
  - Select the correct RHEL operating system version on the systems you want to monitor.
    Note: SCAP policies are RHEL-version specific. If you want to use the DISA STIG policy type, for example, for systems running RHEL 7 and for systems running RHEL 8, you must create two policies, one for each major version of RHEL.
  - Select a Policy type.
    Note: The profile options are predetermined by the latest available 'scap-security-guide' for the OS version you chose in the previous step.
    Note: If the policy is already being used for that RHEL version, you can add new systems to it.
- Click Next.
- On the Policy details page, review the prepopulated information in each field or change it as needed to suit your requirements:
- Provide a descriptive Policy name.
- The Reference ID cannot be changed.
- The Description is prepopulated with the policy description from OpenSCAP but you can add more detail.
- Specify a Compliance threshold for the systems associated with this policy. In cases where 100% compliance is unrealistic, you can specify an acceptable level of compliance here.
- Click Next.
- On the Rules page, search or scroll through the list of rules and tailor the policy to your requirements by clearing unneeded rules, then click Next.
  Note: At this time, you can only modify the rule set when the policy is created. Changing rules in existing policies is not currently available.
- On the Systems page, check the box next to each system you want to associate with this policy, then click Next.
  Note: Enter a system name in the Search box, or filter by Status or Source to see a subset of your systems.
- On the Review page, ensure that the policy information is correct, then click Finish.
- On the Compliance service > Reports page, click on your policy and verify that details, including systems, are correct.
2.2. Editing existing policies
Use the following procedure to edit existing policies in the Compliance service to change policy details, business objective, compliance threshold, and included systems.
The ability to edit existing policies is an evolving feature set; additional capabilities are coming soon, including the ability to add or remove the rules included in an existing policy.
- Log in to cloud.redhat.com and navigate to the Compliance > SCAP Policies page.
- Use the search or filtering functionality to locate the policy to edit.
- On the far-right side of the policy row, click the more-actions icon and select Edit policy.
- In the Edit <Policy name> card, click each tab to edit the following information:
- In Details, edit Policy description, Business objective, and Compliance threshold.
- Rule editing is coming soon.
- In the Systems tab, select systems to add to the policy, or, using search and filters, find and clear systems that you no longer wish to include.
- Navigate to the SCAP Policies page and locate the edited policy.
- Click on the policy and verify that the details and included systems are consistent with the edits you made.