Red Hat SummitChapter 2. Getting started using the compliance service
This section describes how to configure your RHEL systems to report compliance data to the Insights for RHEL application. This installs necessary additional components such as the SCAP Security Guide (SSG), which is used to perform the compliance scan.
Prerequisites
- The Insights client is deployed on the system.
- You must have root privileges on the system.
Procedure
Check the version of RHEL on the system:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow cat /etc/redhat-release
[user@insights]$ cat /etc/redhat-releaseReview the Insights Compliance - Supported configurations article and make note of the supported SSG version for the RHEL minor version on the system.
NoteSome minor versions of RHEL support more than one version of SSG. The Insights compliance service will always show results for the latest supported version.
Check if the supported version of the SSG package is installed on the system:
Example - for RHEL 8.4 run:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow dnf info scap-security-guide-0.1.57-3.el8_4
[root@insights]# dnf info scap-security-guide-0.1.57-3.el8_4If it is not already installed, install the supported version of SSG on the system.
Example - for RHEL 8.4 run:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow dnf install scap-security-guide-0.1.57-3.el8_4
[root@insights]# dnf install scap-security-guide-0.1.57-3.el8_4Assign systems to policies using the Insights compliance service UI, or using
insights-clientcommands in the CLI:Use the compliance service UI to navigate to Security > Compliance > SCAP policies and use one of the following methods to add systems:
You can also add systems by using the following
insights-clientcommands on the CLI:-
insights-client --compliance-policiesto list available policies and their associated ID insights-client --compliance-assign <ID>For more information about using
insights-clientcommands to add systems, see- Managing SCAP security policies in the Insights for RHEL compliance service in Assessing and Monitoring Security Policy Compliance of RHEL Systems with FedRAMP.
- Options for the Insights client in Client Configuration Guide for Red Hat Insights with FedRAMP.
-
After adding each system to the needed security policy, return to the system and run the compliance scan using:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow insights-client --compliance
[root@insights]# insights-client --complianceNoteThe scan can take 1-5 minutes to complete.
- Navigate to Security > Compliance > Reports to view results.
-
Optional: Schedule the compliance jobs to run with
cron.
Additional Resources
- To learn which versions of the SCAP Security Guide are supported for Red Hat Enterprise Linux minor versions, see Insights Compliance - Supported configurations.
2.1. Setting up recurring scans for Insights services
To get the most accurate recommendations from Red Hat Insights services such as compliance and malware detection, you might need to manually scan and upload data collection reports to the services on a regular schedule.
Use the following insights-client commands to run the commands manually:
insights-client --compliance insights-client --collector malware-detection
# insights-client --compliance
# insights-client --collector malware-detection
Currently, Insights does not have an automated scheduler to perform the scans for you, but you can configure a cron job to schedule automatic scans.
Before you create a cron job, make sure that the commands work properly when you run them manually.
Prerequisites
- The services you want to use (Compliance and Malware Detection) are configured and running on your system.
Procedure
At the system prompt, issue the
crontab -ecommand to edit thecrontabfile. This command opens your default text editor.Copy to Clipboard Copied! Toggle word wrap Toggle overflow crontab -e
$ crontab -eAdd a
crontabentry for the service you want to run. For example:Copy to Clipboard Copied! Toggle word wrap Toggle overflow 10 20 * * * /bin/insights-client --compliance 10 21 * * * /bin/insights-client --collector malware-detection
10 20 * * * /bin/insights-client --compliance 10 21 * * * /bin/insights-client --collector malware-detectionIn this example, the first command uploads a Compliance report to Insights every day at 20:10 local time. The second command uploads a malware detection report to Insights every day at 21:10 local time.
- Save the file and exit the text editor.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}