Use the compliance service in Red Hat Insights to configure OpenSCAP policies and review the resulting reports.
The Red Hat Insights compliance service enables security and compliance administrators to monitor, assess, and report the compliance of RHEL systems. The compliance service enables the creation, configuration, and management of SCAP policies in a simple interface that includes filtering and context-adding features. You can also use the compliance service to create Ansible Playbooks to resolve compliance issues.
You can create reports to communicate the compliance status to other stakeholders in your organization.
For Red Hat Insights to be able to access or create security policies, the compliance service requires that the scap-security-guide package is installed on your RHEL systems.
To access the policies that are available to the compliance service, navigate to → → . On the page, you can create or edit security policies, and list the systems that are registered to each policy.
If your Red Hat Insights organization does not have any policies, then you are prompted to create a policy.
After you create one or more policies, the policy list appears on the page.
The process of creating a policy requires several steps, which include selecting the RHEL version, adding details (such as name and other attributes), selecting systems, and customizing the policy rules.
After you select the operating system, you can filter for a policy type by using the search field.
After customizing the policy details, you select which systems to include in the policy from a list of available systems.
During the creation process, you can customize your policy for your environment's needs.
Customizing your policy is useful because there are some rules that do not apply to all situations.
In the following example, only the Sudo and Updating Software rules are selected.
In the final step, you review the new policy before creating it.
To create a compliance report, run the insights-client --compliance command as a user with root privileges.
This command runs the scan for the configured policies and uploads the results to the compliance service databases.
To view the reports, navigate to → → .
Red Hat Insights does not display any reports until you run the insights-client --compliance command.
To make compliance reports available in the console, run the insights-client --compliance command:
[root@host ~]# insights-client --compliance
System uses SSG version 0.1.66
Saved tailoring file for xccdf_org.ssgproject.content_profile_cis_server_l1 to /var/tmp/oscap_tailoring_file-xccdf_org.ssgproject.content_profile_cis_server_l1.fruiolnu.xml
Running scan for xccdf_org.ssgproject.content_profile_cis_server_l1... this may take a while
Uploading Insights data.
Successfully uploaded report for demo.lab.example.com.
After running the insights-client command, reload the page.
The page now shows the available reports:
Click a report to see the policy details:
The page displays a list of servers that use this policy. Click a server link to see the report details:
To download the report, click . In the dialog that displays, choose which system data to include.
To generate periodic reports, you might use automation controller, provided by Red Hat Ansible Automation Platform, to schedule Ansible Playbooks that periodically run the redhat.insights.compliance role on the managed hosts that you must monitor.
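For unattended runs, it helps to confirm that the scan ran and the upload succeeded instead of trusting that the command was started. The following wrapper is an added example, not Red Hat code: it checks the prerequisites named above, runs the scan, and parses the client output. The function names and exit codes are hypothetical, and the parser assumes the message wording shown in the sample output on this page.

```bash
#!/usr/bin/env bash
# Added example: wrap one `insights-client --compliance` run for unattended use.

# Constructed sample: the client output shown on this page.
SAMPLE_OUTPUT='System uses SSG version 0.1.66
Running scan for xccdf_org.ssgproject.content_profile_cis_server_l1... this may take a while
Uploading Insights data.
Successfully uploaded report for demo.lab.example.com.'

# Read client output on stdin and print key=value facts.
# Returns 0 only if at least one profile was scanned AND the upload was confirmed.
# Assumption: message wording matches the output shown on this page.
parse_compliance_output() {
    local line scans=0 uploaded=no
    while IFS= read -r line; do
        case "$line" in
            "System uses SSG version "*)
                printf 'ssg_version=%s\n' "${line#System uses SSG version }" ;;
            "Running scan for "*)
                line=${line#Running scan for }
                printf 'profile=%s\n' "${line%%...*}"   # drop "... this may take a while"
                scans=$((scans + 1)) ;;
            "Successfully uploaded report for "*)
                line=${line#Successfully uploaded report for }
                printf 'host=%s\n' "${line%.}"          # drop the trailing period
                uploaded=yes ;;
        esac
    done
    [ "$scans" -gt 0 ] && [ "$uploaded" = yes ]
}

# Check the prerequisites named on this page, run the scan, then verify the result.
# Exit codes 2-4 are this example's own convention (hypothetical).
run_compliance_scan() {
    local out
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }
    rpm -q scap-security-guide >/dev/null 2>&1 ||
        { echo "scap-security-guide is not installed" >&2; return 3; }
    out=$(insights-client --compliance 2>&1) ||
        { printf '%s\n' "$out" >&2; return 4; }
    printf '%s\n' "$out" | parse_compliance_output
}

# Run for real only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    run_compliance_scan
fi
```

A non-zero status from a scheduled run means the console will not show a fresh report for that host, which is the condition to alert on.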
For more information, refer to the Getting Started Using the Compliance Service chapter in the Assessing and Monitoring Security Policy Compliance of RHEL Systems guide at https://access.redhat.com/documentation/en-us/red_hat_insights/2023/html-single/assessing_and_monitoring_security_policy_compliance_of_rhel_systems/index#compliance-getting-started_intro-compliance
Getting Started with Red Hat Insights and OpenSCAP for Compliance Reporting