Red Hat SummitChapter 1. Red Hat Lightspeed compliance service overview
The Red Hat Lightspeed compliance service enables IT security and compliance administrators to assess, monitor, and report on the security-policy compliance of RHEL systems. Learn how to understand reporting, manage issues, and get the maximum value from the service.
The compliance service provides a simple but powerful user interface, enabling the creation, configuration, and management of SCAP security policies. With its filtering and context-adding features, IT security administrators can easily identify and manage security compliance issues in the RHEL infrastructure.
You can also create Ansible Playbooks to resolve security compliance issues and share reports with stakeholders to communicate compliance status.
1.1. Requirements and prerequisites
Your Red Hat Enterprise Linux (RHEL) subscription includes the Red Hat Lightspeed compliance service, which you can use with all versions of RHEL currently supported by Red Hat. You do not need additional Red Hat subscriptions to use Red Hat Lightspeed and the compliance service.
1.2. Supported configurations
Red Hat supports specific versions of the SCAP Security Guide (SSG) for each minor version of Red Hat Enterprise Linux (RHEL). The rules and policies in an SSG version are accurate for only one RHEL minor version. To receive accurate compliance reporting, the system must have the supported SSG version installed.
Red Hat Enterprise Linux minor versions ship and upgrade with the supported SSG version included. However, you might decide to use an earlier version temporarily.
If a policy includes systems that use unsupported SSG versions, an unsupported warning with the number of affected systems is displayed next to the policy in Security > Compliance > Reports.
Additional resources
For more information about which versions of the SCAP Security Guide are supported in RHEL, refer to Red Hat Lightspeed Compliance - Supported configurations (Red Hat Knowledgebase).
1.2.1. Frequently asked questions about the compliance service
Package names are in the format scap-security-guide-0.1.43-13.el7. In this example, the SSG version is 0.1.43, the release is 13, and the architecture is el7.
When more than one SSG version is supported for a RHEL minor version, the compliance service will use the latest available version. This is the case for RHEL 7.9 and RHEL 8.1.
As RHEL minor versions get older, fewer SCAP profiles are supported. To view which SCAP profiles are supported, refer to Red Hat Lightspeed Compliance - Supported configurations (Red Hat Knowledgebase).
Although you can still see results for a system with an unsupported version of SSG installed, the results might be considered inaccurate for compliance reporting purposes. The following factors apply with unsupported versions:
- These results are a “best-guess” effort because using any SSG version other than what is supported by Red Hat can lead to inaccurate results.
- Results for systems using an unsupported version of SSG are not included in the overall compliance assessment for the policy.
- Remediation plans are not available for rules on systems that have an unsupported version of SSG installed.
1.3. Best practices
To optimize the user experience and to receive the most accurate results in the compliance service, follow the recommended guidelines.
1.3.1. Make the RHEL operating system minor version visible
If the compliance service cannot access your RHEL operating system minor version, then the supported SCAP Security Guide version cannot be validated, and your reporting might not be accurate. With the insights-client, users can redact data like the Red Hat Enterprise Linux operating system minor version from the data payload that is uploaded to Red Hat Lightspeed. But, this redaction prohibits accurate compliance service reporting.
1.3.2. Create security policies in the compliance service
Creating your organization’s security policies in the compliance service enables you to do the following actions:
- Associate many systems with the policy
- Use the supported SCAP Security Guide for your RHEL minor version
- Edit which rules are included based on your organization’s requirements
Additional resources
1.4. Manage user permissions for Red Hat Lightspeed services
Manage user permissions to control access to Red Hat Lightspeed applications. Use the User Access feature to apply role-based access control (RBAC). Red Hat provides predefined groups and a set of predefined roles to make it easier for Organization Administrators to assign, restrict, and remove user permissions to Red Hat Lightspeed.
1.4.1. User Access overview
Understand how the role-based access control (RBAC) User Access feature of the Red Hat Hybrid Cloud Console manages user permissions through roles instead of individual user assignments. User Access simplifies permission management by assigning specific permissions to roles, which can then be assigned to user groups.
You can also create custom groups and roles to provide more fine-tuned control over specific features of Red Hat Lightspeed to suit the needs of your organization.
If you are an Organization Administrator, you can use the User Access feature under Identity & Access Management in the Hybrid Cloud Console to:
- Control user permissions and organize roles.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
1.4.2. Predefined groups in User Access
Understand the two predefined groups available in User Access: Default access and Default admin access. Create custom groups to align permissions with specific personas, job functions, or teams in your organization.
- The Default access group
- By default, the Default access group is assigned many granular predefined roles, such as Remediations viewer and Inventory Hosts viewer, so that group members have basic visibility. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group. The Default access group is automatically updated by Red Hat.
If your Organization Administrator modifies the Default access group, for example, by removing roles to restrict access to specific applications or to use the consolidated roles, the group is automatically renamed to Custom default access. Once converted, this group is no longer automatically updated by Red Hat.
- The Default admin access group
- The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained, and users and roles in this group cannot be changed.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their names.
1.4.3. Predefined roles assigned to groups
Understand how predefined roles in Red Hat Hybrid Cloud Console bundle permissions across multiple Red Hat Lightspeed applications to align with common user personas. Use predefined roles to reduce administrative effort, or create custom roles for more fine-tuned control over specific features.
The predefined roles are a starting point to help you to control and manage user permissions. You can then use these roles to create custom roles that are tailored to your specific use cases and organization. For example, you can use the predefined granular roles to create custom roles that provide more fine-tuned control over specific features of Red Hat Lightspeed.
By default, Red Hat provides a set of consolidated roles and a set of granular roles in the Red Hat Hybrid Cloud Console User Access UI. The consolidated roles significantly reduce the administrative effort required to manage user permissions, while the granular roles provide more fine-tuned control over specific features of Red Hat Lightspeed.
You can use the predefined consolidated and granular roles in User Access simultaneously, but using consolidated roles can significantly reduce the administrative effort.
- Select from the predefined consolidated roles library
The Red Hat Hybrid Cloud Console provides three predefined, consolidated User Access roles to help you manage user permissions to Red Hat Lightspeed applications and services that run on registered Red Hat Enterprise Linux systems. These roles help simplify how the Organization Administrator creates groups and permissions for various levels of access to the Red Hat Lightspeed services. If you want to reduce the administrative effort required to manage user permissions and your use case aligns with the permissions included in these roles, select from the consolidated roles library.
The consolidated roles are as follows:
RHEL viewer: The RHEL viewer role provides users visibility without the ability to make changes. It allows read-only access to Red Hat Lightspeed. You can view system configurations, compliance reports, inventory data, patch information, vulnerabilities, and overall resource states and activities. The only action permitted with this role is to generate activation keys.
RHEL operator: The RHEL operator role allows active management of your Red Hat Lightspeed environment. With this role, you can edit system configurations, inventory details, policies, and notification/integration settings. The RHEL operator role allows many of the RHEL administrator role functions, but it is restricted from editing compliance policies, content source templates, policies, or tasks. In addition, the RHEL operator role cannot execute remediation plans.
RHEL administrator: The RHEL administrator role provides comprehensive administrative privileges across your RHEL systems and Red Hat Lightspeed. With this role, you can manage system configurations, inventory, compliance policies, notifications, patch management, remediations, malware detection, and advisor recommendations. The role can also view and modify all vulnerability settings.
ImportantTo use the consolidated roles effectively, you might need to remove the granular RHEL roles from the Default access group to prevent permission conflicts. This action automatically changes the name of the predefined Default access group to Custom default access group, after which, it is no longer automatically updated by Red Hat.
See Predefined User Access roles for a list of the roles included in the Default admin access group and a reference table that lists most of the predefined groups and roles that are available in the Red Hat Hybrid Cloud Console and the permissions included in each role.
- Granular roles
- The granular roles are specific roles for individual services that allow for fine-tuned control over specific features of Red Hat Lightspeed, for example, Inventory Hosts administrator or Compliance viewer. If you want to have more control over specific features of Red Hat Lightspeed and your use case does not align with the permissions included in the consolidated roles, use the granular predefined roles.
Across the Red Hat Lightspeed product documentation, the Prerequisites section for each procedure lists which predefined roles provide the permissions needed to use the features in that procedure. For example, if a procedure requires permissions to view and manage remediations, the Prerequisites section for that procedure lists the Remediations administrator or other valid role as a recommended predefined role to use for that procedure.
1.4.4. Check your permissions
Verify your current permissions and the roles or groups assigned to you in the Red Hat Hybrid Cloud Console. Check your permissions to troubleshoot access issues or understand your level of access to Red Hat Lightspeed applications.
Only users with the Organization Administrator role can view the permissions of other users in the User Access settings and manage user permissions to Red Hat Lightspeed services. For more information, see the Configure user permissions section.
Prerequisites
- You are logged in to the Red Hat Hybrid Cloud Console.
Procedure
- In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to My User Access.
- Optional: If you require additional permissions, use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.
Results
All of the applications that you have permissions to access are listed on this page and are grouped by product, for example, RHEL, OpenShift Container Platform, and Ansible Automation Platform.
You can also filter your permissions by application, for example, by advisor, cost management, inventory, and remediations.
1.4.5. Configure user permissions
If you are an Organization Administrator, you can view and manage user permissions for all users in your organization. Control access to Red Hat Lightspeed and other Red Hat Hybrid Cloud Console services through the User Access interface.
If you are not an Organization Administrator, you will be unable to complete this task. However, you can check your own permissions for different applications by navigating to My User Access. Contact your Organization Administrator to request more permissions.
Prerequisites
- You have logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator, or you have the required administrator User Access role permissions.
Procedure
- In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to Identity & Access Management > User Access.
Results
From here, you can create and manage:
1.4.6. User Access roles for permissions to compliance-service features
Understand the predefined roles that control access to the compliance service of Red Hat Lightspeed. Use these role definitions to assign appropriate permissions to users based on their responsibilities.
The following table shows the standard and enhanced access permissions provided by the predefined roles in User Access for the compliance service:
| User Access role | Grants permissions to … | Included in the Default access group |
|---|---|---|
| Compliance administrator |
| |
| Compliance viewer |
| X |
| RHEL administrator |
| |
| RHEL operator |
Note The RHEL operator role is restricted from editing compliance policies, content source templates, policies, or tasks. Also, the RHEL operator role cannot execute remediation plans. | |
| RHEL viewer |
Note Cannot perform actions other than generating activation keys. |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}