Red Hat SummitChapter 1. Remediations overview
After identifying the highest remediation priorities in your Red Hat Enterprise Linux (RHEL) infrastructure, you can create and execute remediation plans to fix those issues.
Remediations enables you to address the following on your connected RHEL systems:
- Advisor recommendations
- Content advisories
- Vulnerability CVEs
- Failed compliance rules found by Red Hat Lightspeed
You can remediate a single issue or a related group of issues by using a pathway in Red Hat Lightspeed. Pathways group multiple advisor recommendations under common actions for better efficiency. For more information, see Remediating pathways in Assessing RHEL configuration issues using the Red Hat Lightspeed advisor service.
For some issues, Red Hat Lightspeed provides several different remediation paths.
When you create a remediation plan, Red Hat Lightspeed generates an Ansible Playbook to implement the required remediation actions and apply any required patches on affected systems in your RHEL infrastructure.
Some issues require a manual fix and cannot be resolved by executing a remediation plan in Red Hat Lightspeed. You can determine whether it’s possible to remediate a problem within Red Hat Lightspeed by checking the Resolution type value of the issue or recommendation.
Resolution types
In Red Hat Lightspeed, an issue or recommendation for remediation can be one of two types:
- Manual: Red Hat Lightspeed provides the manual remediation steps needed to fix or address all issues and recommendations, including whether the system requires a reboot for the remediation to take effect.
Playbook: For many issues, Red Hat Lightspeed also provides a pre-built remediation playbook automating the required resolution steps, which you can either:
- Run on your systems from within Red Hat Lightspeed
- Download and run externally in your Ansible Playbooks environment
Red Hat Lightspeed remediations workflow
Choose an issue or recommendation
- The first step to creating a remediation plan is to choose an issue or recommendation that Red Hat Lightspeed has detected on one or more of your RHEL systems.
Review the recommended resolution path
- Determine which versions of RHEL are affected and whether or not a playbook is available. You can only create a remediation plan in Red Hat Lightspeed if a pre-built playbook exists.
Decide which RHEL systems to remediate
When you have reviewed the recommended resolution steps and determined whether a playbook is available to remediate the issue, choose which systems to include in the plan.
ImportantTo create a remediation plan for a group of systems, you must ensure that all systems in the group are running the same RHEL major and minor versions to ensure that the resolution applied by the Red Hat Lightspeed-generated playbook is compatible.
Create a remediation plan
- The Red Hat Lightspeed UI provides a wizard to help you create a remediation plan, which is accessible from the advisor, compliance, vulnerability, and patch service pages. You can start the wizard for creating a remediation plan by clicking Plan remediation after you have selected at least one system and an issue or recommendation for remediation. You can also create a remediation plan from the details page of a system, provided Red Hat Lightspeed has detected issues that impact the system.
Decide how you want to execute your remediation plan
- You can execute a remediation plan from within Red Hat Lightspeed on directly connected Red Hat Enterprise Linux systems without additional subscriptions or tools. You can also download and run the associated playbook on your organization’s Ansible Automation Platform (AAP) workflow.
Subscription requirements
- Red Hat Lightspeed is included with every RHEL subscription. No additional subscriptions are required to use Red Hat Lightspeed remediation features.
User requirements
- By default, all Red Hat Lightspeed users automatically have access to read, create, and manage remediation plans.
To remediate your Red Hat Enterprise Linux systems from Red Hat Lightspeed, you also need:
- Access to Red Hat Lightspeed on the Red Hat Hybrid Cloud Console (Hybrid Cloud Console).
- If using Red Hat Satellite, access to Satellite-managed systems on the console or in the Satellite application UI.
- The required Hybrid Cloud Console User Access roles for managing and executing remediation plans.
While all Red Hat Lightspeed users automatically have access to read, create, and manage remediation plans, to execute a remediation plan in Red Hat Lightspeed, you need the Remediations administrator predefined User Access role. User Access roles can be granted by your Organization Administrator in Identity & Access Management settings on the Hybrid Cloud Console.
Remote host connectivity
To execute remediations, you must set up and enable the remote host configuration (rhc) within Red Hat Lightspeed.
You will also need to permit Red Hat Lightspeed users to execute remediation playbooks on rhc-connected systems, which can be done by enabling the Remote Host Configuration Manager (rhc) setting in Red Hat Lightspeed, provided you have the required administrative permissions.
1.1. Getting started with remediations by using an interactive quick start
To help you get started with remediations, an interactive quick start is available in Red Hat Lightspeed on the Hybrid Cloud Console. The Creating and executing remediation plans quick start guides you through the process in under 10 minutes and provides links to additional resources.
Prerequisites
- You must have a Red Hat Hybrid Cloud Console account and be subscribed to the Red Hat Lightspeed services.
Procedure
- Log on to Red Hat Hybrid Cloud Console and then navigate to the Red Hat Lightspeed services.
To access the quick start, use one of the following steps:
- From within the Red Hat Lightspeed application: Go to Automation Toolkit > Remediation Plans, and then click Launch Quick Start in the upper right corner.
- From the Quick starts library: Go to RHEL Learning Resources.
1.2. User Access settings in the Red Hat Hybrid Cloud Console
User Access is the Red Hat implementation of role-based access control (RBAC). Your Organization Administrator uses User Access to configure what users can see and do on the Red Hat Hybrid Cloud Console (the console):
- Control user access by organizing roles instead of assigning permissions individually to users.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
1.2.1. Predefined User Access groups and roles
To make groups and roles easier to manage, Red Hat provides two predefined groups and a set of predefined roles:
Predefined groups
The Default access group contains all users in your organization. Many predefined roles are assigned to this group. It is automatically updated by Red Hat.
NoteIf the Organization Administrator makes changes to the Default access group its name changes to Custom default access group and it is no longer updated by Red Hat.
The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained and users and roles in this group cannot be changed.
On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups to see the current groups in your account. This view is limited to the Organization Administrator.
Predefined roles assigned to groups
The Default access group contains many of the predefined roles. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their name.
On the Hybrid Cloud Console navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Roles to see the current roles in your account. You can see how many groups each role is assigned to. This view is limited to the Organization Administrator.
1.2.2. Access permissions
The Prerequisites for each procedure list which predefined role provides the permissions you must have. As a user, you can navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > My User Access to view the roles and application permissions currently inherited by you.
If you try to access Red Hat Lightspeed features and see a message that you do not have permission to perform this action, you must obtain additional permissions. The Organization Administrator or the User Access administrator for your organization configures those permissions.
Use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.
Additional resources
For more information about user access and permissions, see User Access configuration guide for role-based access control (RBAC).
1.3. User Access roles for creating and executing remediation plans
To fix issues on your systems by using the Red Hat Lightspeed remediation features, become familiar with the roles that provide the required access permissions for creating, managing, and executing remediation plans.
The following user access roles provide standard or enhanced access to remediation features in Red Hat Lightspeed:
Remediations user: The Remediations user role is included in the default access group. With this role, a user has permissions to:
- View existing remediation plans
- Create a remediation plan
- Delete a remediation plan
Remediations administrator: With this role, a user has permissions to:
- Do everything that a Remediations user can do
- Execute remediation plans on connected remote host systems from within Red Hat Lightspeed
For more information about user access and permissions, see User Access configuration guide for role-based access control (RBAC).
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}