Monitoring compliance is an ongoing task of ensuring that audits are conducted and that non-compliance is identified. Red Hat Satellite 6 enables centralized compliance monitoring and management. Hosts under Satellite management are checked for compliance according to your custom schedule and details are collated by the Satellite Server. A compliance dashboard provides an overview of hosts' compliance and the ability to view details for each host within the scope of that policy. Compliance reports provide a detailed analysis of each host's compliance with the applicable policy. With this information you can evaluate the risks presented by each host and better manage the resources required to bring hosts into compliance.
Common objectives when monitoring compliance using SCAP include the following:
The Satellite web UI provides all the necessary information to achieve these objectives. Verify policy compliance with the compliance policy dashboard. Detect changes in policy compliance by either viewing a compliance report's history or subscribing to notification of changes by email.
5.4.1. Compliance Policy Dashboard
The compliance policy dashboard provides an overview of hosts' compliance with a policy. To view a compliance policy's dashboard, open the Satellite web UI and navigate to → , then click the policy's name. The dashboard provides the following information:
A ring chart illustrating a high-level view of hosts' compliance with the policy.
A statistical breakdown of hosts' compliance with the policy, in tabular format.
Links to the policy's latest report for each host.
The dashboard view provides a statistical summary of hosts' compliance and is a good starting point for compliance management. For all hosts which were evaluated as non-compliant, the Failed statistic provides a useful metric for prioritizing compliance effort. Those hosts detected as Never audited should also be a priority, since their status is unknown.
Figure 5.1. Compliance Policy Dashboard
5.4.2. Compliance Reports Overview
A compliance report is the output of a policy run against a host. To list all available compliance reports, open the Satellite web UI and navigate to → . For each report, the total number of rules passed or failed per policy is listed. By default, all reports are listed in descending date order. To change the sort order, click on the label of the column by which you want it sorted. Click on the same label again to change to either descending or ascending order. From the Compliance Reports page, click View Report to view an individual report or use the Search field to narrow the list of reports to a host or a subset of hosts. To delete a compliance report, select from the drop-down list beside .
When managing the policy compliance of hosts, it is useful to monitor compliance changes over time. Satellite 6 provides the information necessary to monitor compliance changes manually, and can also send notification of changes by email. Use the Search field to narrow the list of reports to one or more hosts and evaluate changes manually, as detailed in Section 5.4.3, “Searching Compliance Reports”. Subscribe to compliance change email messages, as detailed in Configuring Email Notifications in the Server Administration Guide.
Figure 5.2. Compliance Reports Overview
5.4.3. Searching Compliance Reports
The Compliance Reports search field allows you to narrow the list of reports. Narrowing your attention on a subset of hosts allows you to focus resources where they are most needed. To apply a filter, enter search criteria in the Search field and either press Enter or click . The search performed is case-insensitive. Click on the empty Search field to see a list of available search parameters.
See Supported Operators for Granular Search in the Server Administration Guide for details of all available search operators. Regular expressions are not valid search criteria; however, multiple fields can be used in a single search expression. You can create complex queries with the following logical operators:
not: Negates an expression.
has: Object must have a specified property.
and: Combines search criteria.
Search Use Cases
The following search criteria find all compliance reports for which more than five rules failed.
failed > 5
The following search criteria find all compliance reports created after November 5, 2015, for hosts whose host name contains the string prod-.
host ~ prod- AND date > "Nov 5, 2015"
The following search criteria find all reports generated by the compliance_policy rhel7_audit from an hour ago.
date = "1 hour ago" AND compliance_policy = rhel7_audit
To again list all available compliance reports, delete the Search criteria and press Enter or click .
Bookmarking Your Searches
You can bookmark a search, allowing you to apply the same search criteria again.
Procedure 5.8. To Bookmark a Search:
Apply your search criteria.
From the Search list select Bookmark this search.
Complete the Name field.
If you want the bookmark available to other users of this Satellite instance, select the Public check box.
To use a bookmark, navigate to → , click the drop-down item beside the Search button and click the bookmark.
5.4.4. Viewing a Compliance Report
Navigate to → and click View Report in the row of the specific host.
A compliance report consists of the following sections:
Evaluation Characteristics
This section provides details about an evaluation against a specific profile, including the host that was evaluated, the profile used in the evaluation, and when the evaluation started and finished. For reference, the IPv4, IPv6, and MAC addresses of the host are also listed.
The fully-qualified domain name (FQDN) of the evaluated host. Example:
The URL of the SCAP content against which the host was evaluated. Example:
The identifier of the benchmark against which the host was evaluated. A benchmark is a set of profiles. Example:
The identifier of the profile against which the host was evaluated. Example:
The date and time at which the evaluation started, in ISO 8601 format. Example:
The date and time at which the evaluation finished, in ISO 8601 format. Example:
The local account name under which the evaluation was performed on the host. Example:
Figure 5.3. Evaluation Characteristics
Compliance and Scoring
This section provides an overview of whether or not the host is in compliance with the profile’s rules, a breakdown of compliance failures by severity, and an overall compliance score as a percentage. If compliance with a rule was not checked, this is categorized in the Rule results as Other.
Figure 5.4. Compliance and Scoring
This section provides details of every rule and the compliance result, with the rules presented in a hierarchical layout.
Select or clear the check boxes to narrow the list of rules included in the compliance report. For example, if the focus of your review is any non-compliance, clear the pass and informational check boxes.
To search all rules, enter a criterion in the Search field. The search is dynamically applied as you type. The Search field only accepts a single plain-text search term and it is applied as a case-insensitive search. When you perform a search, only those rules whose descriptions match the search criterion will be listed. To remove the search filter, delete the search criterion.
For an explanation of each result, hover the cursor over the status shown in the Result column.
Figure 5.5. Rule Overview
Examining Rule Results
To determine why a host failed compliance on a rule, click on the rule's title. The window which then opens provides further details, including: a description of the rule (with instructions for bringing the host into compliance if available), the rationale for the rule, and in some cases a remediation script.
Figure 5.6. Rule Evaluation Result
Do not implement any of the recommended remedial actions or scripts without first testing them in a non-production environment.
5.4.5. Compliance Email Notifications
The Satellite Server sends an OpenSCAP Summary email to all users who subscribe to the Openscap policy summary email notifications (refer to Configuring Email Notifications in the Server Administration Guide). Each time a policy is run, Satellite checks the results against the previous run, noting any changes between them. The email is sent according to the frequency requested by each subscriber, providing a summary of each policy and its most recent result.
An OpenSCAP Summary email message contains the following information:
Details of the time period it covers.
Totals for all hosts by status: changed, compliant, and incompliant.
A tabular breakdown of each host and the result of its latest policy, including totals of the rules that passed, failed, changed, or where results were unknown.
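The summary described above, combined with the dashboard advice to prioritize Never audited hosts and hosts with the most failed rules, as an added example (this is not Satellite's own code). The host names, rule names and the RUNS data are constructed, and the definitions of "changed" and "incompliant" used here are assumptions.

```python
from collections import Counter

# Constructed sample data: per host, the rule results of its two most recent
# policy runs (oldest first). Host and rule names are made up.
RUNS = {
    "web01.example.com": [{"sshd_root": "pass", "auditd": "fail"},
                          {"sshd_root": "pass", "auditd": "pass"}],
    "db01.example.com": [{"sshd_root": "fail", "auditd": "pass"},
                         {"sshd_root": "fail", "auditd": "pass"}],
    "app01.example.com": [{"sshd_root": "pass", "auditd": "pass"},
                          {"sshd_root": "pass", "auditd": "notchecked"}],
    "new01.example.com": [],  # no report yet: never audited
}

def host_row(runs):
    """Row of the tabular breakdown for one host, from its latest run."""
    if not runs:
        return {"status": "never audited", "passed": 0, "failed": 0,
                "changed": 0, "other": 0}
    latest = runs[-1]
    previous = runs[-2] if len(runs) > 1 else latest
    counts = Counter(latest.values())
    # Assumption: a rule "changed" if its result differs from the previous run.
    changed = sum(1 for rule, res in latest.items() if previous.get(rule) != res)
    passed, failed = counts["pass"], counts["fail"]
    # Assumption: any failed rule makes the host incompliant.
    status = "incompliant" if failed else "compliant"
    return {"status": status, "passed": passed, "failed": failed,
            "changed": changed, "other": len(latest) - passed - failed}

def summarize(all_runs):
    """Return (totals by status, per-host rows ordered for triage)."""
    rows = {host: host_row(runs) for host, runs in all_runs.items()}
    totals = Counter(row["status"] for row in rows.values())
    totals["changed"] = sum(1 for row in rows.values() if row["changed"])
    # Unknown status first, then hosts with the most failed rules.
    order = sorted(rows, key=lambda h: (rows[h]["status"] != "never audited",
                                        -rows[h]["failed"], h))
    return dict(totals), [(h, rows[h]) for h in order]

if __name__ == "__main__":
    print(summarize(RUNS))
```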
The following is an example OpenSCAP Summary email message.