5.4. Monitoring Compliance

Monitoring compliance is an ongoing task of ensuring that audits are conducted and that non-compliance is identified. Red Hat Satellite 6 enables centralized compliance monitoring and management. Hosts under Satellite management are checked for compliance according to your custom schedule and details are collated by the Satellite Server. A compliance dashboard provides an overview of hosts' compliance and the ability to view details for each host within the scope of that policy. Compliance reports provide a detailed analysis of each host's compliance with the applicable policy. With this information you can evaluate the risks presented by each host and better manage the resources required to bring hosts into compliance.
Common objectives when monitoring compliance using SCAP include the following:
  • Verifying policy compliance.
  • Detecting changes in compliance.
The Satellite web UI provides all the necessary information to achieve these objectives. Verify policy compliance with the compliance policy dashboard. Detect changes in policy compliance by either viewing a compliance report's history or subscribing to notification of changes by email.

5.4.1. Compliance Policy Dashboard

The compliance policy dashboard provides an overview of hosts' compliance with a policy. To view a compliance policy's dashboard, open the Satellite web UI and navigate to Hosts → Policies, then click the policy's name. The dashboard provides the following information:
  • A ring chart illustrating a high-level view of hosts' compliance with the policy.
  • A statistical breakdown of hosts' compliance with the policy, in tabular format.
  • Links to the policy's latest report for each host.
The dashboard view provides a statistical summary of hosts' compliance and is a good starting point for compliance management. For all hosts which were evaluated as non-compliant, the Failed statistic provides a useful metric for prioritizing compliance effort. Those hosts detected as Never audited should also be a priority, since their status is unknown.

Figure 5.1. Compliance Policy Dashboard

5.4.2. Compliance Reports Overview

A compliance report is the output of a policy run against a host. To list all available compliance reports, open the Satellite web UI and navigate to Hosts → Reports. For each report, the total number of rules passed or failed per policy is listed. By default, all reports are listed in descending date order. To change the sort order, click the label of the column by which you want to sort. Click the same label again to switch between descending and ascending order. From the Compliance Reports page, click View Report to view an individual report or use the Search field to narrow the list of reports to a host or a subset of hosts. To delete a compliance report, select Delete from the drop-down list beside View Report.
When managing the policy compliance of hosts, it is useful to monitor compliance changes over time. Satellite 6 provides the information necessary to monitor compliance changes manually, and can also notify you of changes by email. Use the Search field to narrow the list of reports to one or more hosts and evaluate changes manually, as detailed in Section 5.4.3, “Searching Compliance Reports”. Subscribe to compliance change email messages, as detailed in Configuring Email Notifications in the Server Administration Guide.

Figure 5.2. Compliance Reports Overview

5.4.3. Searching Compliance Reports

The Compliance Reports search field allows you to narrow the list of reports. Narrowing your attention to a subset of hosts allows you to focus resources where they are most needed. To apply a filter, enter search criteria in the Search field and either press Enter or click Search. The search performed is case-insensitive. Click the empty Search field to see a list of available search parameters.
See Supported Operators for Granular Search in the Server Administration Guide for details of all available search operators. You can create complex queries with the logical operators: and, not and has. Regular expressions are not valid search criteria; however, multiple fields can be used in a single search expression.

Logical Operators

  • not: Negates an expression.
  • has: Object must have a specified property.
  • and: Combines search criteria.
Search Use Cases

The following search criteria find all compliance reports for which more than five rules failed.

failed > 5
The following search criteria find all compliance reports created after November 5, 2015, for hosts whose host name contains the string prod-.
host ~ prod- AND date > "Nov 5, 2015"
The following search criteria find all reports generated by the compliance_policy rhel7_audit from an hour ago.
date = "1 hour ago" AND compliance_policy = rhel7_audit
To again list all available compliance reports, delete the Search criteria and press Enter or click Search.
Bookmarking Your Searches

You can bookmark a search, allowing you to apply the same search criteria again.

Procedure 5.8.  To Bookmark a Search:

  1. Apply your search criteria.
  2. From the Search list select Bookmark this search.
  3. Complete the Name field.
    If you want the bookmark available to other users of this Satellite instance, select the Public check box.
  4. Click Submit.
To use a bookmark, navigate to Hosts → Reports, click the drop-down item beside the Search button and click the bookmark.

5.4.4. Viewing a Compliance Report

Navigate to Hosts → Reports and click View Report in the row of the specific host.
A compliance report consists of the following sections:
  • Introduction
  • Evaluation Characteristics
  • Compliance and Scoring
  • Rule Overview

5.4.4.1. Evaluation Characteristics

This section provides details about an evaluation against a specific profile, including the host that was evaluated, the profile used in the evaluation, and when the evaluation started and finished. For reference, the IPv4, IPv6, and MAC addresses of the host are also listed.

Evaluation Characteristics

Target machine
The fully-qualified domain name (FQDN) of the evaluated host. Example: test-system.example.com.
Benchmark URL
The URL of the SCAP content against which the host was evaluated. Example: /var/lib/openscap/content/1fbdc87d24db51ca184419a2b6f.
Benchmark ID
The identifier of the benchmark against which the host was evaluated. A benchmark is a set of profiles. Example: xccdf_org.ssgproject.content_benchmark_RHEL_7.
Profile ID
The identifier of the profile against which the host was evaluated. Example: xccdf_org.ssgproject.content_profile_rht-ccp.
Started at
The date and time at which the evaluation started, in ISO 8601 format. Example: 2015-09-12T14:40:02.
Finished at
The date and time at which the evaluation finished, in ISO 8601 format. Example: 2015-09-12T14:40:05.
Performed by
The local account name under which the evaluation was performed on the host. Example: root.

Figure 5.3. Evaluation Characteristics

5.4.4.2. Compliance and Scoring

This section provides an overview of whether or not the host is in compliance with the profile’s rules, a breakdown of compliance failures by severity, and an overall compliance score as a percentage. If compliance with a rule was not checked, this is categorized in the Rule results as Other.

Figure 5.4. Compliance and Scoring
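The Evaluation Characteristics and Compliance and Scoring fields described above correspond to elements of the XCCDF TestResult produced by an OpenSCAP scan. The following added example (not part of the Satellite documentation or code) extracts them from a constructed TestResult; the rule identifiers, the score value, and the mapping of result values to passed, failed and other are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
IGNORED = {"notselected", "notapplicable"}  # assumption: left out of the totals
PASSED = {"pass", "fixed"}                  # assumption: a fixed rule counts as passed

# Constructed sample. Host, benchmark, profile and times reuse the examples in the
# text; rule ids are placeholders and the score is constructed, not computed.
SAMPLE = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="sample_result" start-time="2015-09-12T14:40:02" end-time="2015-09-12T14:40:05">
  <benchmark href="/var/lib/openscap/content/1fbdc87d24db51ca184419a2b6f"
             id="xccdf_org.ssgproject.content_benchmark_RHEL_7"/>
  <identity authenticated="false" privileged="false">root</identity>
  <profile idref="xccdf_org.ssgproject.content_profile_rht-ccp"/>
  <target>test-system.example.com</target>
  <rule-result idref="rule_a" severity="high"><result>fail</result></rule-result>
  <rule-result idref="rule_b" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="rule_c" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="rule_d" severity="low"><result>notchecked</result></rule-result>
  <rule-result idref="rule_e" severity="low"><result>notselected</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100">33.33</score>
</TestResult>"""

def summarize_report(xml_text):
    """Return the report's characteristics, rule totals and failures by severity."""
    tr = ET.fromstring(xml_text)
    bench = tr.find("x:benchmark", NS)
    rules = [(rr.get("severity", "unknown"), rr.findtext("x:result", "", NS))
             for rr in tr.findall("x:rule-result", NS)]
    counted = [(sev, res) for sev, res in rules if res not in IGNORED]
    tally = Counter("passed" if res in PASSED else "failed" if res == "fail" else "other"
                    for _, res in counted)
    return {
        "target": tr.findtext("x:target", None, NS),
        "benchmark_url": bench.get("href"),
        "benchmark_id": bench.get("id"),
        "profile_id": tr.find("x:profile", NS).get("idref"),
        "started_at": tr.get("start-time"),
        "finished_at": tr.get("end-time"),
        "performed_by": tr.findtext("x:identity", None, NS),
        "rule_results": dict(tally),  # a rule that was not checked lands in "other"
        "failed_by_severity": dict(Counter(s for s, r in counted if r == "fail")),
        "score": float(tr.findtext("x:score", "nan", NS)),
    }

if __name__ == "__main__":
    for key, value in summarize_report(SAMPLE).items():
        print(f"{key:20} {value}")
```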

5.4.4.3. Rule Overview

This section provides details of every rule and the compliance result, with the rules presented in a hierarchical layout.
Select or clear the check boxes to narrow the list of rules included in the compliance report. For example, if the focus of your review is any non-compliance, clear the pass and informational check boxes.
To search all rules, enter a criterion in the Search field. The search is dynamically applied as you type. The Search field only accepts a single plain-text search term and it is applied as a case-insensitive search. When you perform a search, only those rules whose descriptions match the search criterion will be listed. To remove the search filter, delete the search criterion.
For an explanation of each result, hover the cursor over the status shown in the Result column.

Figure 5.5. Rule Overview

5.4.4.4. Examining Rule Results

To determine why a host failed compliance on a rule, click on the rule's title. The window which then opens provides further details, including: a description of the rule (with instructions for bringing the host into compliance if available), the rationale for the rule, and in some cases a remediation script.

Figure 5.6. Rule Evaluation Result

Warning

Do not implement any of the recommended remedial actions or scripts without first testing them in a non-production environment.

5.4.5. Compliance Email Notifications

The Satellite Server sends an OpenSCAP Summary email to all users who subscribe to the Openscap policy summary email notifications (refer to Configuring Email Notifications in the Server Administration Guide). Each time a policy is run, Satellite checks the results against the previous run, noting any changes between them. The email is sent according to the frequency requested by each subscriber, providing a summary of each policy and its most recent result.
An OpenSCAP Summary email message contains the following information:
  • Details of the time period it covers.
  • Totals for all hosts by status: changed, compliant, and incompliant.
  • A tabular breakdown of each host and the result of its latest policy, including totals of the rules that passed, failed, changed, or where results were unknown.
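The run-to-run comparison behind the summary email can be sketched as follows. This is an added example, not Satellite's own code: the host names, rule names and results are constructed, and the classification (a host is changed when any rule result differs from the previous run, compliant when no rule failed) is an assumption.

```python
from collections import Counter

# Constructed sample: rule -> result per host for two consecutive runs of one policy.
PREVIOUS = {
    "web01.example.com": {"rule_a": "pass", "rule_b": "pass", "rule_c": "fail"},
    "db01.example.com":  {"rule_a": "pass", "rule_b": "pass", "rule_c": "pass"},
}
CURRENT = {
    "web01.example.com": {"rule_a": "pass", "rule_b": "pass", "rule_c": "pass"},
    "db01.example.com":  {"rule_a": "pass", "rule_b": "fail", "rule_c": "unknown"},
    "new01.example.com": {"rule_a": "pass", "rule_b": "pass", "rule_c": "pass"},
}

def host_row(prev, curr):
    """Totals for one host; prev is None when the host has no earlier run."""
    counts = Counter("passed" if r == "pass" else "failed" if r == "fail" else "other"
                     for r in curr.values())
    # Without a baseline nothing can be reported as changed.
    changed = sorted(rule for rule, res in curr.items()
                     if prev is not None and prev.get(rule) != res)
    # Regressions (rules that now fail and did not before) deserve attention first.
    regressed = [rule for rule in changed if curr[rule] == "fail"]
    return {"passed": counts["passed"], "failed": counts["failed"],
            "other": counts["other"], "changed": changed, "regressed": regressed}

def summarize_runs(previous, current):
    """Return (totals by host status, per-host rows) for the latest run."""
    rows = {host: host_row(previous.get(host), rules)
            for host, rules in current.items()}
    totals = {
        "changed": sum(1 for r in rows.values() if r["changed"]),
        "compliant": sum(1 for r in rows.values() if r["failed"] == 0),
        "incompliant": sum(1 for r in rows.values() if r["failed"] > 0),
    }
    return totals, rows

if __name__ == "__main__":
    totals, rows = summarize_runs(PREVIOUS, CURRENT)
    print(totals)
    for host, row in sorted(rows.items()):
        print(host, row)
```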
The following is an example OpenSCAP Summary email message.