Chapter 7. Monitoring compliance


Using information from the compliance dashboard and compliance reports, you can evaluate the risks presented by each host and manage the resources required to bring hosts into compliance. By monitoring compliance with SCAP, you can verify policy compliance and detect changes in compliance.

7.1. Searching compliance reports

Compliance reports provide a detailed analysis of compliance of each host with the applicable policy. In the Satellite web UI, you can use the search function to filter the list of available reports on any subset of hosts.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Reports.
  2. Optional: To see a list of available search parameters, click the empty Search field.
  3. Enter the search query in the Search field and click Search. The search query is case insensitive.

    • You can create complex queries with the following logical operators: and, not and has. For more information about logical operators, see Supported Operators for Granular Search in Administering Red Hat Satellite.
    • You cannot use regular expressions in a search query. However, you can use multiple fields in a single search expression. For more information about all available search operators, see Supported Operators for Granular Search in Administering Red Hat Satellite.
    • You can bookmark a search to reuse the same search query. For more information, see Creating Bookmarks in Administering Red Hat Satellite.

Example 7.1. Search query examples

Find all compliance reports for which more than five rules failed:

failed > 5

Find all compliance reports created after January 1, 2023, for hosts with hostnames that contain prod-:

host ~ prod- AND date > "Jan 1, 2023"

Find all reports generated by the rhel7_audit compliance policy from an hour ago:

date = "1 hour ago" AND compliance_policy = rhel7_audit

Find reports that pass an XCCDF rule:

xccdf_rule_passed = xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions

Find reports that fail an XCCDF rule:

xccdf_rule_failed = xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions

Find reports that have a result different than fail or pass for an XCCDF rule:

xccdf_rule_othered = xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions

7.2. Compliance email notifications

You can configure email notifications on your Satellite Server to stay informed about compliance policy changes.

Satellite Server sends an OpenSCAP Summary email to all users who subscribe to the Compliance policy summary email notifications. For more information on subscribing to email notifications, see Configuring Email Notification Preferences in Administering Red Hat Satellite.

Each time a policy is run, Satellite checks the results against the previous run, noting any changes between them. The email is sent according to the frequency requested by each subscriber, providing a summary of each policy and its most recent result.

7.3. Viewing compliance policy statistics

You can view a compliance policy dashboard to verify compliance reports of a particular policy. The compliance policy dashboard provides a statistical summary of compliance of hosts and the ability to view report details for each host within the scope of that policy.

Consider prioritizing the following hosts when viewing compliance reports:

  • Hosts which were evaluated as Failed
  • Hosts labelled as Never audited because their status is unknown

Prerequisites

  • Your user account has a role assigned that has the view_policies permission.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Policies.
  2. In the row of the required policy, navigate to the Actions column and click Dashboard.
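The following added example is not part of the Red Hat documentation. It composes a search query in the syntax of Example 7.1, encodes it for a scripted request, and applies the prioritization described above to report data. The host name `satellite.example.com`, the `/api/v2/compliance/arf_reports` path with its `search`, `page` and `per_page` parameters, and the record fields `host`, `failed` and `created_at` are assumptions; the sample data is constructed.

```python
from urllib.parse import urlencode

def term(field, op, value):
    """One search term; values with spaces are double-quoted, as in Example 7.1."""
    value = str(value)
    if '"' in value:
        raise ValueError("double quote not allowed in a search value")
    return f'{field} {op} "{value}"' if " " in value else f"{field} {op} {value}"

def all_of(*terms):
    """Join terms with the AND operator."""
    return " AND ".join(terms)

def reports_url(base, query, page=1, per_page=50):
    """URL-encode the query; '>', quotes and spaces are not URL-safe.
    Assumption: reports are listed at /api/v2/compliance/arf_reports and the
    endpoint accepts search, page and per_page parameters."""
    params = urlencode({"search": query, "page": page, "per_page": per_page})
    return f"{base.rstrip('/')}/api/v2/compliance/arf_reports?{params}"

def prioritize(managed_hosts, reports):
    """Return (failed, never_audited): hosts whose latest report has failed
    rules, worst first, and managed hosts that have no report at all."""
    latest = {}
    for r in reports:
        seen = latest.get(r["host"])
        if seen is None or r["created_at"] > seen["created_at"]:
            latest[r["host"]] = r
    failed = sorted((r for r in latest.values() if r["failed"] > 0),
                    key=lambda r: (-r["failed"], r["host"]))
    never = sorted(set(managed_hosts) - set(latest))
    return [(r["host"], r["failed"]) for r in failed], never

# Constructed sample data (not real Satellite output); field names are assumed.
HOSTS = ["prod-web01", "prod-web02", "prod-db01", "prod-db02"]
REPORTS = [
    {"host": "prod-web01", "failed": 12, "created_at": "2023-03-01T02:00:00Z"},
    {"host": "prod-web01", "failed": 3, "created_at": "2023-03-08T02:00:00Z"},
    {"host": "prod-db01", "failed": 7, "created_at": "2023-03-08T02:05:00Z"},
    {"host": "prod-web02", "failed": 0, "created_at": "2023-03-08T02:10:00Z"},
]

if __name__ == "__main__":
    q = all_of(term("host", "~", "prod-"), term("date", ">", "Jan 1, 2023"))
    print(q)
    print(reports_url("https://satellite.example.com", q))
    print(prioritize(HOSTS, REPORTS))
```

Only the latest report per host counts, so a host that has since improved is ranked by its current failures, and a managed host with no report at all is listed separately as never audited.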

7.4. Remediating compliance failures

With Satellite, you can examine compliance reports and, in some cases, remediate cases of non-compliance. You can remediate compliance failures by using a remediation wizard or by applying remediation snippets manually.

Warning

Always test the recommended remedial actions or scripts in a non-production environment before implementing them in production. Remediation might render the system non-functional.

Note

You can use the Run OpenSCAP remediation - Ansible Default and Run OpenSCAP remediation - Script Default job templates to apply the remediation snippet. For more information about running remote jobs based on templates, see Configuring and setting up remote jobs in Managing hosts.

Prerequisites

  • Your user account has a role assigned that has the following permissions: view_arf_reports, view_hosts, create_job_invocations

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Reports.
  2. In the Reported At column, click the time link of the report you want to examine. Satellite displays a list of log messages describing the results of the scan.
  3. Locate a log message that describes a failed compliance check. In the Actions column, select Remediation to open the compliance remediation wizard. Follow the wizard to remediate the compliance failure.

    Note

    The remediation wizard might not be available for all compliance failures.

7.5. Deleting a compliance report

Deleting a compliance report removes it from your Satellite Server. You can also delete multiple compliance policies simultaneously.

Prerequisites

  • Your user account has a role assigned that has the view_arf_reports and destroy_arf_reports permissions.

Procedure

  1. In the Satellite web UI, navigate to Hosts > Compliance > Reports.
  2. If you want to delete a single report:

    1. In the Compliance Reports window, identify the policy that you want to delete and, on the right of the name of the policy, select Delete.
    2. Click OK.
  3. If you want to delete multiple reports:

    1. In the Compliance Reports window, select the compliance reports that you want to delete.
    2. In the upper right of the list, select Delete reports.
    3. Repeat these steps for as many pages as you want to delete.

      Note

      In the Satellite web UI, compliance policies are paginated, so you must delete one page of reports at a time. If you want to delete all OpenSCAP reports, use the script in Deleting OpenSCAP reports in Using the Satellite REST API.
