Chapter 1. Compliance service reporting and assessment

The Red Hat Insights Compliance service enables you to assess and monitor the compliance of your Red Hat Enterprise Linux (RHEL) systems with SCAP security policies.

The Compliance service provides a simple but powerful user interface, enabling the creation, configuration, and management of SCAP security policies. With the filtering and context-adding features built in, administrators can easily identify and manage security compliance issues in the RHEL infrastructure.

This documentation describes some of the functionality of the Compliance service, to help administrators understand Compliance service reporting, manage issues, and get remediation guidance from the Compliance service.

You can also create Ansible playbooks to resolve security compliance issues and share reports with stakeholders to communicate compliance status.

1.1. Requirements and prerequisites

The Compliance service is part of Red Hat Insights, which is included with your Red Hat Enterprise Linux (RHEL) subscription and can be used with all versions of RHEL currently supported by Red Hat. You do not need additional Red Hat subscriptions to use Red Hat Insights and the Compliance service.

Verify the following conditions are met before using the Compliance service:

  • Install and register the Insights client. If your RHEL system does not already have the Insights client installed and operational, follow the Red Hat Insights, Get Started instructions to install and register the client on each system you want to monitor.
  • Set up OpenSCAP. OpenSCAP has been set up for your organization, with SCAP security guides (SSGs) and datastreams, and can report data to the Compliance service. Policies can then be added and modified using the Compliance service. If you are unfamiliar with OpenSCAP, see Getting Started with OpenSCAP.

1.2. Supported configurations

Use the supported version of SCAP Security Guide (SSG) for the RHEL minor version

Accurate reporting requires that you use the correct, Red Hat-supported version of the SCAP Security Guide (SSG) for the RHEL minor version installed on the system. Officially supported versions of the SCAP Security Guide are versions provided in the related minor release of RHEL or in the related batch update of RHEL. If a policy includes one or more systems with an unsupported SSG version installed, an unsupported notification, preceded by the number of affected systems, is visible in Compliance service > Reports.

[Figure: example of the unsupported configuration notification in Compliance service > Reports]

You can still see failed rules on the system with an unsupported version of SSG installed but results may not be considered accurate for compliance reporting purposes. The following conditions apply to the results for unsupported configurations:

  • These results are a “best-guess” effort because using any SSG version other than what is supported by Red Hat can lead to inaccurate results.
  • Results from systems with an unsupported version of SSG installed are not included in the overall compliance assessment for the policy.
  • Remediations are unavailable for rules on systems with an unsupported version of SSG installed.

Important

The following table lists the supported SSG version for each minor version of RHEL. Package names look like this: scap-security-guide-0.1.43-13.el7. The SSG version in this case is 0.1.43; the release is 13 and the architecture is el7. The release number can differ from the version number shown in the table; however, the version number must match as indicated below for it to be a supported configuration.

Table 1.1. Supported versions of the SCAP Security Guide in RHEL

Red Hat Enterprise Linux version    SCAP Security Guide version
RHEL 6.6                            scap-security-guide-0.1.18-3.el6
RHEL 6.9                            scap-security-guide-0.1.28-3.el6
RHEL 6.10                           scap-security-guide-0.1.28-4.el6
RHEL 7.2 AUS                        scap-security-guide-0.1.25-3.el7
RHEL 7.3 AUS                        scap-security-guide-0.1.30-5.el7_3
RHEL 7.4 AUS, E4S                   scap-security-guide-0.1.33-6.el7_4
RHEL 7.5 (batch update)             scap-security-guide-0.1.36-10.el7_5
RHEL 7.6 EUS                        scap-security-guide-0.1.40-13.el7_6
RHEL 7.7 EUS                        scap-security-guide-0.1.43-13.el7
RHEL 7.8 (batch update)             scap-security-guide-0.1.46-11.el7
RHEL 7.9                            scap-security-guide-0.1.49-13.el7
                                    scap-security-guide-0.1.52-2.el7_9
RHEL 8.0 SAP                        scap-security-guide-0.1.42-11.el8
RHEL 8.1 EUS                        scap-security-guide-0.1.46-1.el8
                                    scap-security-guide-0.1.47-8.el8_1
RHEL 8.2 (batch update)             scap-security-guide-0.1.48-7.el8
RHEL 8.3                            scap-security-guide-0.1.50-14.el8
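The following POSIX shell script is an added example, not part of the Red Hat documentation and not the logic the Compliance service itself uses. It applies the rule stated above (only the 0.1.x SSG version must match; the release and dist tag may differ) to a package name such as scap-security-guide-0.1.43-13.el7, using the version pairs from Table 1.1 embedded as data. The commented invocation at the end, which reads VERSION_ID from /etc/os-release and the installed package from rpm, is an assumed way to feed it a live host's values and is not something the page describes.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): check whether the
# installed scap-security-guide version matches the SSG version that
# Table 1.1 lists as supported for the host's RHEL minor version.

# Table 1.1 as "RHEL minor version|supported SSG version" pairs.
# Only the upstream 0.1.x version is compared; release and dist tag
# (e.g. -13.el7) are allowed to differ, as the text above states.
SUPPORTED_SSG="
6.6|0.1.18
6.9|0.1.28
6.10|0.1.28
7.2|0.1.25
7.3|0.1.30
7.4|0.1.33
7.5|0.1.36
7.6|0.1.40
7.7|0.1.43
7.8|0.1.46
7.9|0.1.49
7.9|0.1.52
8.0|0.1.42
8.1|0.1.46
8.1|0.1.47
8.2|0.1.48
8.3|0.1.50
"

# ssg_version NVR -> prints the upstream version.
# "scap-security-guide-0.1.43-13.el7"        -> "0.1.43"
# "scap-security-guide-0.1.52-2.el7_9.noarch" -> "0.1.52"
ssg_version() {
    v=${1#scap-security-guide-}   # drop the package name prefix
    printf '%s\n' "${v%%-*}"      # drop "-release.dist[.arch]"
}

# is_supported RHEL_MINOR SSG_VERSION -> exit 0 if the pair is in the table.
# -F -x: exact, whole-line match so "7.7" cannot match "7x7".
is_supported() {
    printf '%s\n' "$SUPPORTED_SSG" | grep -qxF -- "$1|$2"
}

# check_host RHEL_MINOR NVR -> prints a verdict, returns 0 (supported)
# or 1 (unsupported; Compliance results would be "best-guess" only).
check_host() {
    ver=$(ssg_version "$2")
    if is_supported "$1" "$ver"; then
        printf 'supported: RHEL %s with SSG %s\n' "$1" "$ver"
        return 0
    fi
    printf 'unsupported: RHEL %s with SSG %s (see Table 1.1)\n' "$1" "$ver"
    return 1
}

# Assumed invocation on a live RHEL 7/8 host (not part of the page):
#   check_host "$(. /etc/os-release; printf '%s' "$VERSION_ID")" \
#              "$(rpm -q scap-security-guide)"
```

Because the comparison ignores the release field, a rebuilt package such as scap-security-guide-0.1.43-20.el7 on RHEL 7.7 is still reported as supported, while scap-security-guide-0.1.46-11.el7 on the same host is not, matching the rule in the paragraph above the table.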

1.3. Best practices

To benefit from the best user experience and receive the most accurate information in the Compliance service, Red Hat Insights recommends that you follow a few best practices.

Ensure that your RHEL systems are registered with the Insights client

The Insights client must be installed and registered on the system from which you wish to see Compliance reporting. Enter the insights-client command with the --register option to register your RHEL system with Red Hat Insights:

[root@insights]# insights-client --register

Ensure that the RHEL OS minor version used on the system is visible to the Insights client

The Insights client allows users to redact certain data, including RHEL OS minor version, from the data payload uploaded to Red Hat Insights. If the Compliance service cannot see your RHEL OS minor version, then the supported SCAP Security Guide version cannot be validated and your reporting may not be accurate.

To learn more about data redaction, see the following documentation: Configuring Red Hat Insights client redaction

Define security policies within the Compliance service

As of November 2020, you must create and define your organization’s security policies within the Compliance service. Policies created externally are no longer supported, and results for those policies are no longer included in your Compliance reporting.

Creating policies within the Compliance service enables you to get the most feature-rich user experience and reliable reporting. Associate multiple systems with a policy; be assured of using the Red Hat-supported SSG for your RHEL version; edit which rules are included in the policy, based on your organization’s specific requirements.

Important

The Compliance service will no longer support any externally sourced and uploaded policies after November 2020.