Chapter 1. Red Hat Insights compliance service overview
The Red Hat Insights for Red Hat Enterprise Linux compliance service enables IT security and compliance administrators to assess, monitor, and report on the security-policy compliance of RHEL systems.
The compliance service provides a simple but powerful user interface, enabling the creation, configuration, and management of SCAP security policies. With the filtering and context-adding features built in, IT security administrators can easily identify and manage security compliance issues in the RHEL infrastructure.
This documentation describes some of the functionality of the compliance service, to help users understand reporting, manage issues, and get the maximum value from the service.
You can also create Ansible Playbooks to resolve security compliance issues and share reports with stakeholders to communicate compliance status.
Additional Resources
1.1. Requirements and prerequisites
The compliance service is part of Red Hat Insights for Red Hat Enterprise Linux, which is included with your Red Hat Enterprise Linux (RHEL) subscription and can be used with all versions of RHEL currently supported by Red Hat. You do not need additional Red Hat subscriptions to use Insights for Red Hat Enterprise Linux and the compliance service.
1.2. Supported configurations
Red Hat supports specific versions of the SCAP Security Guide (SSG) for each minor version of Red Hat Enterprise Linux (RHEL). The rules and policies in an SSG version are only accurate for one RHEL minor version. In order to receive accurate compliance reporting, the system must have the supported SSG version installed.
Red Hat Enterprise Linux minor versions ship and upgrade with the supported SSG version included. However, some organizations may decide to continue using an earlier version temporarily, prior to upgrading.
If a policy includes systems using unsupported SSG versions, an unsupported warning, preceded by the number of affected systems, is visible next to the policy in Security > Compliance > Reports.
For more information about which versions of the SCAP Security Guide are supported in RHEL, refer to Insights Compliance - Supported configurations.
Example of a compliance policy with a system running an unsupported version of SSG
1.2.1. Frequently asked questions about the compliance service
How do I interpret the SSG package name?
Packages names look like this: scap-security-guide-0.1.43-13.el7. The SSG version in this case is 0.1.43; the release is 13 and architecture is el7. The release number can differ from the version number shown in the table; however, the version number must match as indicated below for it to be a supported configuration.
What if Red Hat supports more than one SSG for my RHEL minor version?
When more than one SSG version is supported for a RHELminor version, as is the case with RHEL 7.9 and RHEL 8.1, the compliance service will use the latest available version.
Why is my old policy no longer supported by SSG?
As RHEL minor versions get older, fewer SCAP profiles are supported. To view which SCAP profiles are supported, refer to Insights Compliance - Supported configurations.
More about limitations of unsupported configurations
The following conditions apply to the results for unsupported configurations:
These results are a “best-guess” effort because using any SSG version other than what is supported by Red Hat can lead to inaccurate results.
ImportantAlthough you can still see results for a system with an unsupported version of SSG installed, those results may be considered inaccurate for compliance reporting purposes.
- Results for systems using an unsupported version of SSG are not included in the overall compliance assessment for the policy.
- Remediations are not available for rules on systems with an unsupported version of SSG installed.
1.3. Best practices
To benefit from the best user experience and receive the most accurate results in the compliance service, Red Hat recommends that you follow some best practices.
Ensure that the RHEL OS system minor version is visible to the Insights client
If the compliance service cannot see your RHEL OS minor version, then the supported SCAP Security Guide version cannot be validated and your reporting may not be accurate. The Insights client allows users to redact certain data, including Red Hat Enterprise Linux OS minor version, from the data payload that is uploaded to Red Hat Insights for Red Hat Enterprise Linux. This will prohibit accurate compliance service reporting.
To learn more about data redaction, see the following documentation: Red Hat Insights client data redaction.
Create security policies within the compliance service
Creating your organization’s security policies within the compliance service allows you to:
- Associate many systems with the policy.
- Use the supported SCAP Security Guide for your RHEL minor version.
- Edit which rules are included, based on your organization’s requirements.
1.4. User Access considerations
All users on your account have access to most of the data in Insights for Red Hat Enterprise Linux.
Brief overview about predefined groups and roles
The following predefined groups and roles are relevant to access:
- Default access group. All users on the account are members of the Default access group. Members of the Default access group have read-only access, which allows you to view most information in Insights for Red Hat Enterprise Linux.
1.4.1. User Access roles for compliance-service users
The following roles enable standard or enhanced access to remediations features in Insights for Red Hat Enterprise Linux:
- Compliance viewer. A compliance-service role that grants read access to any compliance resource.
- Compliance administrator. A compliance-service role that grants full access to any compliance resource. If a procedure requires that you be granted the Compliance administrator role or other enhanced permissions, it will be noted in the Prerequisites for that procedure.
