Chapter 1. Overview of the Insights for RHEL vulnerability service

The vulnerability service enables quick assessment and comprehensive monitoring of the exposure of your RHEL infrastructure to Common Vulnerabilities and Exposures (CVEs) so you can better understand your most critical issues and systems and effectively manage remediations.

With your data uploaded to the vulnerability service, you can filter and sort groups of systems and CVEs to refine and optimize your views. You can also add context to individual CVEs when they pose an extraordinary risk to systems. After gaining an understanding of your risk exposure, report on the status of the CVEs to appropriate stakeholders, then create Ansible Playbooks to remediate issues and secure your organization.

Prerequisites

The vulnerability service is available for all supported versions of RHEL 6, 7, 8 and 9. The following conditions must be met before you can use the vulnerability service:

  • Each system has the Insights client installed and registered to the Insights for Red Hat Enterprise Linux application. Follow the Red Hat Insights for Red Hat Enterprise Linux, Get Started instructions to install the client and register your system(s).
  • The vulnerability service is fully supported for RHEL systems managed by Red Hat Subscription Management (RHSM) and Satellite 6 and later. Obtaining package updates by any means other than Satellite 6 with RHSM, or RHSM registered with subscription.redhat.com (Customer Portal), can lead to misleading results.
  • Vulnerability service remediations are not fully supported and may not work properly on Satellite 5 and Spacewalk-hosted RHEL systems.
  • Some features require special privileges provided by your organization administrator. Specifically, the ability to view Red Hat Security Advisories (RHSAs) associated with certain CVEs and systems, and to view and patch those vulnerabilities in the Red Hat Insights for Red Hat Enterprise Linux patch service, requires permissions granted through user access.

1.1. How the vulnerability service works

The vulnerability service uses the Insights client to gather information about your RHEL systems. The client collects this information and uploads it to the vulnerability service.

The vulnerability service then assesses the data against the Red Hat CVE database and security bulletins to determine if there are any outstanding CVEs that could affect the systems, and provides the results of those comparisons.

Once the data has been analyzed, you can view and sort the displayed results, assess the risks and priorities of the vulnerabilities, report their status, and create and deploy Ansible Playbooks to remediate them. The goal of the vulnerability service is to enable a repeatable process that protects against security weaknesses in your RHEL infrastructure.

1.2. User Access considerations

An Organization Administrator on your account configures settings in User Access to control access to Red Hat Insights for Red Hat Enterprise Linux features. All users on your account have access to most of the data in Insights for Red Hat Enterprise Linux. However, performing some actions requires users to have elevated access.

Access is granted in User Access in the Red Hat Hybrid Cloud Console. To grant or change access, an Organization Administrator or User Access administrator must add you to a User Access group with the required roles in Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Users.

Important

In this documentation, prerequisites for procedures declare whether you need elevated access to perform the procedure.

Important predefined groups and roles relevant to understanding User Access are:

  • Default access group
  • Default admin access group
  • Organization Administrator role

Brief overview of some predefined groups and roles

The following predefined groups and roles are relevant to access:

  • Default access group. All users on the account are members of the Default access group. Members of the Default access group have read-only access, which allows you to view most information in Insights for Red Hat Enterprise Linux.
  • Default admin access group. All users on the account who are Organization Administrators are members of this group. Users cannot modify the roles in the Red Hat-managed Default admin access group. Members of the Default admin access group have read-write access, which allows you to view and perform other actions in Insights for Red Hat Enterprise Linux.
  • Organization Administrator role. All users on the account who are Organization Administrators can create and modify User Access groups and grant access to other account users. To find out whether you are an Organization Administrator, click your name in the Red Hat Hybrid Cloud Console header, in the upper right of your screen, and see whether the words “Org. Administrator” show under your username.

Important

Requesting elevated access

If you do not have access to features that you need, you can:

  • Contact Customer Service to get Organization Administrator details for your account.
    • Provide your account number when you send the request.
  • Contact the Organization Administrator and ask for access, providing the following information:
    • The name of the role you need access to, for example, Remediations administrator.
    • A link to full User Access documentation, to help inform the Organization Administrator about how to give you access.

1.2.1. User Access roles for vulnerability-service users

The following roles enable standard or enhanced access to vulnerability service features in Insights for Red Hat Enterprise Linux:

  • Vulnerability viewer. Read any vulnerability-service resource.
  • Vulnerability administrator. Perform any available operation against any vulnerability-service resource.