Chapter 3. Managing SCAP security policies in the Insights for RHEL compliance service

Create and manage your SCAP security policies entirely within the compliance service UI. Define new policies and select the rules and systems you want to associate with them, and edit existing policies as your requirements change.

Important

Unlike most other Red Hat Insights for Red Hat Enterprise Linux services, the compliance service does not run automatically on a default schedule. To upload OpenSCAP data to the Insights for RHEL application, you must run insights-client --compliance, either on demand or in a scheduled job that you set up.

Additional resources

  1. For more information about scheduling compliance scans, see How do I setup recurring uploads for Insights services?
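
One way to set up the scheduled job mentioned above, as an added example that is not part of the Red Hat documentation. Only insights-client --compliance comes from this page; the cron file, log and lock paths, the daily 03:xx schedule and the function names are assumptions.

```shell
#!/bin/sh
# Added example: schedule `insights-client --compliance` through /etc/cron.d.
# Assumed (hypothetical) paths; override them from the environment if needed.
CRON_FILE="${CRON_FILE:-/etc/cron.d/insights-compliance}"
LOG_FILE="${LOG_FILE:-/var/log/insights-compliance.log}"
LOCK_FILE="${LOCK_FILE:-/run/insights-compliance.lock}"

# Derive a stable minute (0-59) from the host name so that a fleet of
# systems does not start scanning and uploading at the same instant.
scan_minute() {
    printf '%s' "$1" | cksum | awk '{ print $1 % 60 }'
}

# Emit one cron.d line: run daily at 03:<minute> as root, skip the run if a
# previous scan still holds the lock, and append all output to the log.
cron_line() {
    printf '%s 3 * * * root flock -n %s insights-client --compliance >>%s 2>&1\n' \
        "$(scan_minute "$1")" "$LOCK_FILE" "$LOG_FILE"
}

# Write the entry so that it is not group- or world-writable (mode 0644).
install_cron() {
    ( umask 022; cron_line "$(uname -n)" >"$CRON_FILE" )
}

# Nothing is changed on the system unless --install is passed explicitly.
if [ "${1:-}" = "--install" ]; then
    install_cron
fi
```

Run the script as root with --install on each registered system; a failed or skipped scan shows up in the log file rather than in the compliance service UI.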

3.1. Creating new SCAP policies

You must add each Insights for RHEL-registered system to one or more security policies before you can perform a scan or see results for that scan in the compliance service UI. To create a new policy, and include specific systems and rules, complete the following steps:

Important

If your RHEL servers span multiple major releases of RHEL, you must create a separate policy for each major release. For example, all of your RHEL 7 servers would be on one Standard System Security Profile for RHEL policy and all of your RHEL 8 servers would be on another.

Procedure

  1. Log in to Red Hat Hybrid Cloud Console and navigate to the Red Hat Enterprise Linux > Compliance > SCAP policies page.
  2. Click the Create new policy button.
  3. On the Create SCAP policy page of the wizard, select the RHEL major version of the systems you will include in the policy.

  4. Select one of the policy types available for that RHEL major version, then click Next.
  5. On the Details page, accept the name and description already provided or provide your own more meaningful entries.
  6. Optionally, add a Business objective to give context, for example, “CISO mandate.”
  7. Define a compliance threshold acceptable for your requirements and click Next.
  8. Select the Systems to include on this policy and click Next. Your selection of a RHEL major version in the first step automatically determines which systems can be added to this policy.
  9. Select which Rules to include with each policy. Because each minor version of RHEL supports the use of a specific SCAP Security Guide (SSG) version (sometimes more than one, in which case we use the latest), the rule set for each RHEL minor version is slightly different and must be selected separately.

    1. Optionally, use the filtering and search capabilities to refine the list of rules.

      For example, to show only the highest severity rules, click the primary filter dropdown and select Severity. In the secondary filter, check the boxes for High and Medium.

    2. The rules shown by default are those designated for that policy type and that version of SSG. By default, the Selected only toggle next to the filter boxes is enabled. You can turn this toggle off if desired.
    3. Repeat this process as needed for each RHEL minor version tab.
    4. After you select rules for each Red Hat Enterprise Linux minor version SSG, click Next.
  10. On the Review page, verify that the information shown is correct, then click Finish.
  11. Give the app a minute to create the policy, then click the Return to application button to view your new policy.

Note

You must go to the system and run the compliance scan before results are shown in the compliance service UI.

3.2. Editing existing policies

You may decide after creating a security policy that you want to change which rules (or systems) are included because they may no longer apply to your requirements. Use the following procedure to edit an existing policy to add or remove specific rules.

Procedure

  1. Log in to Red Hat Hybrid Cloud Console and navigate to the Red Hat Enterprise Linux > Compliance > SCAP policies page.
  2. Locate the policy to edit.
  3. On the right side of the policy row, click the More Actions icon and click Edit policy.
  4. In the Edit <Policy name> card, click the Rules tab.

    1. Use the filter or search functions to locate the rules to remove.

      Important

      By default, the Selected only toggle to the right of the search box is enabled. You can turn the toggle off as needed.

    2. Uncheck the box next to any rule you want to remove.
    3. Repeat this process as needed for each RHEL minor version SSG tab.
  5. Click Save.

Verification

  1. Navigate to the Red Hat Enterprise Linux > Compliance > SCAP policies page and locate the edited policy.
  2. Click on the policy and verify that the included rules are consistent with the edits you made.