Chapter 1. Red Hat Insights compliance service overview
The Red Hat Insights for Red Hat Enterprise Linux compliance service enables IT security and compliance administrators to assess, monitor, and report on the security-policy compliance of RHEL systems.
The compliance service provides a simple but powerful user interface, enabling the creation, configuration, and management of SCAP security policies. With the filtering and context-adding features built in, IT security administrators can easily identify and manage security compliance issues in the RHEL infrastructure.
This documentation describes some of the functionality of the compliance service, to help users understand reporting, manage issues, and get the maximum value from the service.
You can also create Ansible Playbooks to resolve security compliance issues and share reports with stakeholders to communicate compliance status.
1.1. Requirements and prerequisites
The compliance service is part of Red Hat Insights for Red Hat Enterprise Linux, which is included with your Red Hat Enterprise Linux (RHEL) subscription and can be used with all versions of RHEL currently supported by Red Hat. You do not need additional Red Hat subscriptions to use Insights for Red Hat Enterprise Linux and the compliance service.
1.2. Supported configurations
Red Hat supports specific versions of the SCAP Security Guide (SSG) for each minor version of Red Hat Enterprise Linux (RHEL). The rules and policies in an SSG version are only accurate for one RHEL minor version. In order to receive accurate compliance reporting, the system must have the supported SSG version installed.
Red Hat Enterprise Linux minor versions ship and upgrade with the supported SSG version included. However, some organizations may decide to continue using an earlier version temporarily, prior to upgrading.
If a policy includes systems using unsupported SSG versions, an unsupported warning, preceded by the number of affected systems, is visible next to the policy in Security > Compliance > Reports.
For more information about which versions of the SCAP Security Guide are supported in RHEL, refer to Insights Compliance - Supported configurations.
Example of a compliance policy with a system running an unsupported version of SSG
1.2.1. Frequently asked questions about the compliance service
How do I interpret the SSG package name?
Package names look like this: scap-security-guide-0.1.43-13.el7. The SSG version in this case is 0.1.43; the release is 13 and the architecture is el7. The release number can differ from the version number shown in the table; however, the version number must match as indicated below for it to be a supported configuration.
What if Red Hat supports more than one SSG for my RHEL minor version?
When more than one SSG version is supported for a RHEL minor version, as is the case with RHEL 7.9 and RHEL 8.1, the compliance service uses the latest available version.
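The two answers above describe a check you can automate: split the installed package name into version, release and dist tag, read the RHEL minor version from the host, and compare the installed SSG version with the supported set for that minor version (picking the latest one when several are supported). The following script is an added example, not code from Red Hat or the Insights project; the SUPPORTED_SSG table in it is a constructed placeholder and must be replaced with the values from the Insights Compliance - Supported configurations page, and the sample release strings and package names are constructed inputs.

```python
import re

# Constructed, hypothetical table for this example only. The authoritative list of
# supported SSG versions per RHEL minor version is the Red Hat "Insights Compliance -
# Supported configurations" page; replace these values with the real ones.
SUPPORTED_SSG = {
    "7.9": ("0.1.43", "0.1.52"),  # hypothetical: a minor version with two supported SSG versions
    "8.1": ("0.1.46", "0.1.48"),  # hypothetical
    "8.6": ("0.1.60",),           # hypothetical
}

# Package name format: scap-security-guide-<version>-<release>.<dist>[.<arch>]
# (the arch suffix appears when the name comes from `rpm -q`).
SSG_NAME_RE = re.compile(
    r"^scap-security-guide-(?P<version>\d+(?:\.\d+)+)-(?P<release>\d+)"
    r"\.(?P<dist>el\d+(?:_\d+)?)(?:\.(?P<arch>noarch|x86_64|aarch64|ppc64le|s390x))?$"
)

# Minor version from /etc/redhat-release, e.g. "... release 8.6 (Ootpa)".
RELEASE_RE = re.compile(r"\brelease (?P<major>\d+)(?:\.(?P<minor>\d+))?\b")


def parse_ssg_package(name):
    """Split an scap-security-guide package name into version, release, dist and arch."""
    m = SSG_NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an scap-security-guide package name: {name!r}")
    return m.groupdict()


def rhel_minor_version(release_text):
    """Return 'major.minor' from /etc/redhat-release text, or None if the minor is absent."""
    m = RELEASE_RE.search(release_text)
    if not m or m.group("minor") is None:
        return None  # minor version not visible (for example, redacted from the upload)
    return f"{m.group('major')}.{m.group('minor')}"


def _version_key(version):
    # Compare versions numerically, so 0.1.52 sorts after 0.1.43.
    return tuple(int(part) for part in version.split("."))


def assess_ssg(release_text, package_name, table=SUPPORTED_SSG):
    """Classify the installed SSG against the supported versions for the detected RHEL minor."""
    pkg = parse_ssg_package(package_name)
    minor = rhel_minor_version(release_text)
    result = {"rhel_minor": minor, "installed": pkg["version"], "expected": None}
    if minor is None:
        # Without the minor version the supported SSG version cannot be validated.
        result["status"] = "minor-version-unknown"
        return result
    supported = table.get(minor)
    if not supported:
        result["status"] = "no-supported-ssg"
        return result
    # When several SSG versions are supported, the service uses the latest one.
    result["expected"] = max(supported, key=_version_key)
    result["status"] = "supported" if pkg["version"] in supported else "unsupported"
    return result


if __name__ == "__main__":
    # Constructed sample inputs; on a real host read /etc/redhat-release and
    # run `rpm -q scap-security-guide` to obtain these two strings.
    print(assess_ssg("Red Hat Enterprise Linux Server release 7.9 (Maipo)",
                     "scap-security-guide-0.1.43-13.el7"))
    print(assess_ssg("Red Hat Enterprise Linux release 8.6 (Ootpa)",
                     "scap-security-guide-0.1.57-5.el8_6.noarch"))
```

The "minor-version-unknown" status is the case the best-practices section below warns about: if the minor version is redacted from the upload, no supported SSG version can be chosen and the result cannot be trusted for compliance reporting.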
Why is my old policy no longer supported by SSG?
As RHEL minor versions get older, fewer SCAP profiles are supported. To view which SCAP profiles are supported, refer to Insights Compliance - Supported configurations.
More about limitations of unsupported configurations
The following conditions apply to the results for unsupported configurations:
- These results are a “best-guess” effort because using any SSG version other than what is supported by Red Hat can lead to inaccurate results.
Important: Although you can still see results for a system with an unsupported version of SSG installed, those results may be considered inaccurate for compliance reporting purposes.
- Results for systems using an unsupported version of SSG are not included in the overall compliance assessment for the policy.
- Remediations are not available for rules on systems with an unsupported version of SSG installed.
1.3. Best practices
To benefit from the best user experience and receive the most accurate results in the compliance service, Red Hat recommends that you follow some best practices.
Ensure that the RHEL OS system minor version is visible to the Insights client
If the compliance service cannot see your RHEL OS minor version, then the supported SCAP Security Guide version cannot be validated and your reporting may not be accurate. The Insights client allows users to redact certain data, including the Red Hat Enterprise Linux OS minor version, from the data payload that is uploaded to Red Hat Insights for Red Hat Enterprise Linux. Redacting the minor version prevents accurate compliance service reporting.
To learn more about data redaction, see the following documentation: Red Hat Insights client data redaction.
Create security policies within the compliance service
Creating your organization’s security policies within the compliance service allows you to:
- Associate many systems with the policy.
- Use the supported SCAP Security Guide for your RHEL minor version.
- Edit which rules are included, based on your organization’s requirements.
1.4. User Access settings in the Red Hat Hybrid Cloud Console
User Access is the Red Hat implementation of role-based access control (RBAC). Your Organization Administrator uses User Access to configure what users can see and do on the Red Hat Hybrid Cloud Console (the console):
- Control user access by organizing roles instead of assigning permissions individually to users.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
1.4.1. Predefined User Access groups and roles
To make groups and roles easier to manage, Red Hat provides two predefined groups and a set of predefined roles.
1.4.1.1. Predefined groups
The Default access group contains all users in your organization. Many predefined roles are assigned to this group. It is automatically updated by Red Hat.
If the Organization Administrator makes changes to the Default access group, its name changes to Custom default access group and it is no longer updated by Red Hat.
The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained and users and roles in this group cannot be changed.
On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups to see the current groups in your account. This view is limited to the Organization Administrator.
1.4.1.2. Predefined roles assigned to groups
The Default access group contains many of the predefined roles. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their name.
On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Roles to see the current roles in your account. You can see how many groups each role is assigned to. This view is limited to the Organization Administrator.
See User Access Configuration Guide for Role-based Access Control (RBAC) for additional information.
1.4.2. Access permissions
The Prerequisites for each procedure list which predefined role provides the permissions you must have. As a user, you can navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > My User Access to view the roles and application permissions currently inherited by you.
If you try to access Insights for Red Hat Enterprise Linux features and see a message that you do not have permission to perform this action, you must obtain additional permissions. The Organization Administrator or the User Access administrator for your organization configures those permissions.
Use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.
1.4.3. User Access roles for compliance-service users
The following roles enable standard or enhanced access to compliance-service features in Insights for Red Hat Enterprise Linux:
- Compliance viewer. A compliance-service role that grants read access to any compliance resource.
- Compliance administrator. A compliance-service role that grants full access to any compliance resource. If a procedure requires that you be granted the Compliance administrator role or other enhanced permissions, it will be noted in the Prerequisites for that procedure.