Red Hat Summitこのコンテンツは選択した言語では利用できません。
Chapter 2. Getting started using the compliance service
This section describes how to configure your RHEL systems to report compliance data to the Red Hat Lightspeed application. This installs necessary additional components such as the SCAP Security Guide (SSG), which is used to perform the compliance scan.
Prerequisites
- The Red Hat Lightspeed client is deployed on the system.
- You must have root privileges on the system.
Procedure
Check the version of RHEL on the system:
cat /etc/redhat-release
[user@rhlightspeed]$ cat /etc/redhat-releaseCopy to Clipboard Copied! Toggle word wrap Toggle overflow Review the Red Hat Lightspeed Compliance - Supported configurations article and make note of the supported SSG version for the RHEL minor version on the system.
NoteSome minor versions of RHEL support more than one version of SSG. The Red Hat Lightspeed compliance service will always show results for the latest supported version.
Check if the supported version of the SSG package is installed on the system:
Example - for RHEL 8.4 run:
[root@rhlightspeed# dnf info scap-security-guide-0.1.57-3.el8_4
[root@rhlightspeed# dnf info scap-security-guide-0.1.57-3.el8_4Copy to Clipboard Copied! Toggle word wrap Toggle overflow If it is not already installed, install the supported version of SSG on the system.
Example - for RHEL 8.4 run:
dnf install scap-security-guide-0.1.57-3.el8_4
[root@rhlightspeed]# dnf install scap-security-guide-0.1.57-3.el8_4Copy to Clipboard Copied! Toggle word wrap Toggle overflow Assign systems to policies using the Red Hat Lightspeed compliance service UI, or using
insights-clientcommands in the CLI:Use the compliance service UI to navigate to Security > Compliance > SCAP policies and use one of the following methods to add systems:
You can also add systems by using the following
insights-clientcommands on the CLI:-
insights-client --compliance-policiesto list available policies and their associated ID insights-client --compliance-assign <ID>For more information about using
insights-clientcommands to add systems, see- Managing SCAP security policies in the Red Hat Lightspeed compliance service in Assessing and monitoring security policy compliance of RHEL systems.
- Options for the Red Hat Lightspeed client in Client configuration guide for Red Hat Lightspeed.
-
After adding each system to the needed security policy, return to the system and run the compliance scan using:
insights-client --compliance
[root@rhlightspeed]# insights-client --complianceCopy to Clipboard Copied! Toggle word wrap Toggle overflow NoteThe scan can take 1-5 minutes to complete.
- Navigate to Security > Compliance > Reports to view results.
-
Optional: Schedule the compliance jobs to run with
cron.
2.1. Setting up recurring scans for Red Hat Lightspeed services
To get the most accurate recommendations from Red Hat Lightspeed services such as compliance and malware detection, you might need to manually scan and upload data collection reports to the services on a regular schedule.
Use the following insights-client commands to run the commands manually:
insights-client --compliance insights-client --collector malware-detection
# insights-client --compliance
# insights-client --collector malware-detection
Currently, Red Hat Lightspeed does not have an automated scheduler to perform the scans for you, but you can configure a cron job to schedule automatic scans.
Before you create a cron job, make sure that the commands work properly when you run them manually.
Prerequisites
- The services you want to use (Compliance and Malware Detection) are configured and running on your system.
Procedure
At the system prompt, issue the
crontab -ecommand to edit thecrontabfile. This command opens your default text editor.crontab -e
$ crontab -eCopy to Clipboard Copied! Toggle word wrap Toggle overflow Add a
crontabentry for the service you want to run. For example:10 20 * * * /bin/insights-client --compliance 10 21 * * * /bin/insights-client --collector malware-detection
10 20 * * * /bin/insights-client --compliance 10 21 * * * /bin/insights-client --collector malware-detectionCopy to Clipboard Copied! Toggle word wrap Toggle overflow In this example, the first command uploads a Compliance report to Red Hat Lightspeed every day at 20:10 local time. The second command uploads a malware detection report to Red Hat Lightspeed every day at 21:10 local time.
- Save the file and exit the text editor.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}