
Scheduling compliance scans and assessing profile compliance is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

On the schedules page, you can create and manage compliance scan schedules that meet your operational needs. You can only have one schedule that scans the same profile on the same cluster.

By viewing and filtering the scan results on the coverage page, you can monitor the compliance status across all clusters.

Customizing and automating your compliance scans

By creating a compliance scan schedule, you can customize and automate your compliance scans to align with your operational requirements.

You can only have one schedule that scans the same profile on the same cluster. This means that you cannot create multiple scan schedules for the same profile on a single cluster.
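
The one-schedule rule above can be checked against a plan before any schedule is created in the portal. The following is an added example, not RHACS code; the schedule, cluster and profile names are constructed sample values, and the dictionary layout is an assumption made for illustration.

```python
from collections import defaultdict
from itertools import product

# Constructed plan: each entry lists the clusters and profiles a schedule
# would scan. All names are sample values, not taken from the page.
PLANNED = [
    {"name": "cis-daily", "clusters": ["prod-east", "prod-west"],
     "profiles": ["ocp4-cis", "ocp4-cis-node"]},
    {"name": "pci-weekly", "clusters": ["prod-east"],
     "profiles": ["ocp4-pci-dss"]},
    {"name": "cis-monthly-audit", "clusters": ["prod-west", "staging"],
     "profiles": ["ocp4-cis"]},
]


def find_conflicts(schedules):
    """Return {(cluster, profile): [schedule names]} for every pair claimed
    by more than one schedule, which the one-schedule rule does not allow."""
    owners = defaultdict(list)
    for sched in schedules:
        # A schedule covers the cross product of its clusters and profiles;
        # set() collapses accidental repeats inside a single schedule.
        pairs = product(set(sched["clusters"]), set(sched["profiles"]))
        for pair in pairs:
            owners[pair].append(sched["name"])
    return {pair: names for pair, names in owners.items() if len(names) > 1}


def safe_to_add(existing, candidate):
    """True when the candidate shares no (cluster, profile) pair with the
    schedules that already exist."""
    conflicts = find_conflicts(existing + [candidate])
    return not any(candidate["name"] in names for names in conflicts.values())


if __name__ == "__main__":
    for (cluster, profile), names in find_conflicts(PLANNED).items():
        print(f"{profile} on {cluster} is claimed by: {', '.join(names)}")
```

Resolving a reported pair means removing the profile or the cluster from one of the listed schedules so that each pair has a single owner.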

Prerequisites
  • You have installed the Compliance Operator.

    For more information about how to install the Compliance Operator, see "Using the Compliance Operator with Red Hat Advanced Cluster Security for Kubernetes".

    • Currently, the compliance feature and the Compliance Operator evaluate only infrastructure and platform compliance.

    • The compliance feature requires the Compliance Operator to be running and does not support Amazon Elastic Kubernetes Service (EKS).

Procedure
  1. In the RHACS portal, click Compliance → Schedules.

  2. Click Create scan schedule.

  3. In the Create scan schedule page, provide the following information:

    • Name: Enter a name to identify different compliance scans.

    • Description: Specify the reason for each compliance scan.

    • Schedule: Adjust the scan schedule to fit your required schedule:

      • Frequency: From the drop-down list, select how often you want to perform the scan.

        The following values are associated with how often you want to perform the scan:

        • Daily

        • Weekly

        • Monthly

      • On day(s): From the list, select one or more days of the week on which you want to perform the scan.

        The following values are associated with the days of the week on which you want to perform the scan:

        • Monday

        • Tuesday

        • Wednesday

        • Thursday

        • Friday

        • Saturday

        • Sunday

        • The first of the month

        • The middle of the month

          These values are only applicable if you specify the frequency of scan as Weekly or Monthly.

      • Time: Start typing the time, in hh:mm format, at which you want to run the scan. From the list that is displayed, select a time.

  4. Click Next.

  5. In the Clusters page, select one or more clusters that you want to include in the scan.

  6. Click Next.

  7. In the Profiles page, select one or more profiles that you want to include in the scan.

  8. Click Next.

  9. Optional: To configure email delivery destinations for manually triggered reports, perform the following steps:

    You can add one or more delivery destinations.

    1. Expand Add delivery destination.

    2. In the Delivery destination page, provide the following information:

      • Email notifier: Select an email notifier from the drop-down list.

        Optional: To configure the setting for a new email notifier integration, perform the following steps:

        1. From the Select a notifier drop-down list, click Create email notifier.

        2. In the Create email notifier page, provide the following information:

          • Integration name: Enter a unique name for the email notifier. This name helps you identify and manage this specific email notifier configuration.

          • Email server: Specify the address of the SMTP server that you want to use to send the emails.

          • Username: Enter the username that is required for authentication with the SMTP server. This is often the email address used for sending the emails.

          • Password: Enter the password associated with the SMTP username. This password is used for authentication with the SMTP server.

          • From: This address usually represents the sender of the emails and is visible to the recipients. This is optional.

          • Sender: Enter the name of the sender, which is displayed together with the From email address. This name helps recipients identify who sent the email.

          • Default recipient: Enter the default email address that should receive the notifications if no specific recipient is specified. This ensures that there is always a recipient for the emails.

          • Annotation key for recipient: Specify the annotation key to define a recipient that you want to notify about the policy violations related to a specific deployment or namespace. This is optional.

          • Optional: Select the Enable unauthenticated SMTP checkbox, if your SMTP server does not require authentication. This is not recommended due to security reasons.

          • Optional: Select the Disable TLS certificate validation (insecure) checkbox, if you want to disable TLS certificate validation. This is not recommended due to security reasons.

          • Optional: In the Use STARTTLS (requires TLS to be disabled) field, select the type of STARTTLS for securing the connection to the SMTP server from the drop-down list.

            To use this option, you must disable TLS certificate validation.

            The following values are associated with the type of STARTTLS for securing the connection to the SMTP server:

            • Disabled

              Data is not encrypted.

            • Plain

              Encodes username and password in base64.

            • Login

              Sends username and password as separate base64-encoded strings for added security.

        3. Click Save integration.

      • Distribution list: Enter one or more comma-separated email addresses of the recipients who should receive the report.

      • Email template: The default template is automatically applied.

        Optional: To customize the email subject and body as needed, perform the following steps:

        1. Click the pencil icon.

        2. In the Edit email template page, provide the following information:

          • Email subject: Enter the desired subject line for the email. This subject is displayed in the recipient’s inbox and should clearly indicate the purpose of the email.

          • Email body: Compose the text of the email. This is the main content of the email and can include text, placeholders for dynamic content and any formatting necessary to get your message across effectively.

        3. Click Apply.

  10. Click Next.

  11. Review your scan configuration, and then click Save.
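
The Plain and Login values listed under Use STARTTLS in step 9 describe base64 encoding of the SMTP credentials. The following added example (not RHACS code) assumes those values correspond to the standard SMTP AUTH PLAIN and AUTH LOGIN mechanisms. It shows what each one puts on the wire and that both decode without any key, so the confidentiality of the notifier password rests on the TLS layer and its certificate validation.

```python
import base64


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def client_auth_lines(mechanism, username, password):
    """Lines an SMTP client sends for AUTH PLAIN or AUTH LOGIN."""
    if mechanism == "PLAIN":
        # RFC 4616: authzid NUL authcid NUL password, base64-encoded once.
        return ["AUTH PLAIN " + _b64("\0" + username + "\0" + password)]
    if mechanism == "LOGIN":
        # Username and password go out as two separate base64 strings.
        return ["AUTH LOGIN", _b64(username), _b64(password)]
    raise ValueError("unsupported mechanism: " + mechanism)


def decode_auth_lines(lines):
    """Reverse the encoding with no key and return (username, password)."""
    if lines[0].startswith("AUTH PLAIN "):
        raw = base64.b64decode(lines[0].split(" ", 2)[2]).decode("utf-8")
        _authzid, username, password = raw.split("\0")
        return username, password
    if lines[0] == "AUTH LOGIN":
        username, password = (
            base64.b64decode(line).decode("utf-8") for line in lines[1:3]
        )
        return username, password
    raise ValueError("not an AUTH PLAIN or AUTH LOGIN exchange")


if __name__ == "__main__":
    # Constructed sample credentials, not real values.
    for mech in ("PLAIN", "LOGIN"):
        sent = client_auth_lines(mech, "user", "pass")
        print(mech, sent, "->", decode_auth_lines(sent))
```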

Verification
  1. In the RHACS portal, click Compliance → Schedules.

  2. Select the compliance scan you have created.

  3. In the Clusters section, verify that the operator status is healthy.

  4. Optional: To edit the scan schedule, perform the following steps:

    1. From the Actions drop-down list, which is in the upper right of the page, select Edit scan schedule.

    2. Make your changes.

    3. Click Save.

  5. Optional: To manually send a scan report:

    • You can only send a scan report manually if you have configured an email delivery destination.

    • Compliance reporting is only available for clusters running Compliance Operator version 1.6 or later.

    • From the Actions drop-down list, which is in the upper right of the page, select Send report.

      You receive a confirmation that you have requested to send a report.

  6. Optional: To download a scan report, perform the following steps:

    Compliance reporting is only available for clusters running Compliance Operator version 1.6 or later.

    1. From the Actions drop-down list, which is in the upper right of the page, select Generate download.

      You receive a confirmation that the report generation has started.

    2. Click the All report jobs tab.

    3. Optional: Set View only my jobs to on.

    4. Locate the report job that you created.

    5. Wait until the download is complete, and then click Ready for download.

    6. Optional: To delete the report job, click the overflow menu (kebab icon), and then select Delete download.

Analyzing compliance scan schedules

By viewing the Schedules page, you can analyze the various attributes of the compliance scan schedule that you created.

Prerequisites
  • You have created a compliance scan schedule.

    For more information about how to create a compliance scan schedule, see "Customizing and automating your compliance scans".

Procedure
  1. In the RHACS portal, click Compliance → Schedules.

  2. Optional: To sort the compliance scan schedules in ascending or descending order, select the Name column heading.

  3. Select the compliance scan you created.

  4. Optional: To sort the cluster health information in ascending or descending order, select a column heading in the Clusters section.

  5. Optional: To view the status of report jobs requested by different users:

    1. Click the All report jobs tab.

    2. You can find the status of the one or more report jobs in the Status column.

    3. Optional: Choose the appropriate method to re-organize the information in the All report jobs section:

      • To sort the jobs in ascending or descending order, select the Completed column heading.

      • To filter based on the report run states, select one or more states from the Filter by report run states drop-down list.

      • To view only the jobs that you created, set View only my jobs to on.

    4. Optional: To view the job details associated with a report job, perform the following steps:

      1. Locate the report job for which you want to view the job details.

      2. To view the job details, expand the report job.

Schedules page overview

The Schedules page lists all the scan schedules and organizes information into the following groups:

  • Name: The unique identifier or title given to each scan schedule.

  • Schedule: Indicates the frequency and timing of the scan.

  • Last scanned: Indicates the date and time of the most recent scan for that schedule.

  • Clusters: Lists the clusters included in the scan schedule.

  • Profiles: Identifies the one or more profiles applied in the compliance scan.

  • My last job status: Shows the status of your job.

    The following values are associated with the job status:

    • Waiting

      The report job is in the queue.

    • Preparing

      The report job is being processed.

    • Ready for download

      The report is ready and available for download.

    • Successfully sent

      The report has been successfully emailed.

    • Error

      There was an issue with the report job.

    • None

      There are no recent jobs available.

To view the configuration details and report job status associated with a compliance scan, select the compliance scan you created.

Configuration details tab

The Configuration details tab displays information about the scan schedule, such as the essential parameters, cluster status, associated profiles, and email delivery destinations.

Parameters section

The Parameters section organizes information into the following groups:

  • Name: The unique identifier for the compliance scan.

  • Description: Specifies additional information about the compliance scan.

  • Schedule: Specifies when the compliance scans should run.

  • Last scanned: The timestamp of the last compliance scan performed.

  • Last updated: The last date and time that the compliance scan data was modified.

Clusters section

The Clusters section organizes information into the following groups:

  • Cluster: Lists the one or more clusters associated with a compliance scan.

  • Operator status: Indicates the current health or operational status of the Operator.

Profiles section

The Profiles section lists the one or more profiles associated with a compliance scan.

Delivery destinations section

The Delivery destinations section organizes information into the following groups:

  • Email notifier: Specifies the email notification system or tool set up to distribute reports or alerts.

  • Distribution list: Lists the recipients who should receive the notifications or reports.

  • Email template: Specifies the email format used for the notifications. You can use the default or customize the email subject and body as needed.

All report jobs tab

The All report jobs tab shows the current status and requester for each report job, with completed jobs indicated in the row expansion section.

The report jobs are organized into the following groups:

  • Completed: Indicates which report jobs have been finished.

  • Status: Displays the current state of each report job.

    The following values are associated with the report job status:

    • Waiting

      The report job is in the queue.

    • Preparing

      The report job is being processed.

    • Ready for download

      The report is ready and available for download.

    • Successfully sent

      The report has been successfully emailed.

    • Error

      There was an issue with the report job.

    • None

      No recent jobs are available.

  • Requester: Identifies the user or system account that initiated the report job.

Assessing the profile compliance across clusters

By viewing the coverage page, you can assess the profile compliance for nodes and platform resources across clusters.

Prerequisites
  • You have installed the Compliance Operator.

    For more information about how to install the Compliance Operator, see "Using the Compliance Operator with Red Hat Advanced Cluster Security for Kubernetes".

    • Currently, the compliance feature and the Compliance Operator evaluate only infrastructure and platform compliance.

    • The compliance feature requires the Compliance Operator to be running and does not support Amazon Elastic Kubernetes Service (EKS).

  • You have created a compliance scan schedule.

    For more information about how to create a compliance scan schedule, see "Customizing and automating your compliance scans".

Procedure
  • In the RHACS portal, click Compliance → Coverage.

Coverage page overview

When you view the coverage page and apply a filter to a schedule, all results are filtered accordingly. This filter remains active for all coverage pages until you delete it. You can always view the results based on a single profile.

You can select profiles grouped according to their associated benchmarks by using the toggle group. The compliance percentage is calculated from the number of passed checks in relation to the total number of checks.

The Checks view lists the profile checks and enables you to easily navigate and understand your compliance status.

The profile check information is organized into the following groups:

  • Check: The name of the profile check.

  • Controls: Shows the various controls associated with each check.

  • Fail status: Shows the checks that have failed and require your attention.

  • Pass status: Shows the checks that have been successfully passed.

  • Manual status: Shows the checks that require a manual review because additional organizational or technical knowledge is required that you cannot automate.

  • Other status: Shows the checks with a status other than pass or fail, such as warnings or informational statuses.

  • Compliance: Shows the overall compliance status and helps you to ensure that your environment meets the required standards.

The Clusters view lists the clusters and enables you to effectively monitor and manage your clusters.

The cluster information is organized into the following groups:

  • Cluster: The name of the cluster.

  • Last scanned: Indicates when the individual clusters were last scanned.

  • Fail status: Shows the clusters whose scan has failed and which require your attention.

  • Pass status: Shows the clusters that have successfully passed all checks.

  • Manual status: Shows the checks that require a manual review because additional organizational or technical knowledge is required that you cannot automate.

  • Other status: Shows the clusters that have a status other than pass or fail, such as warnings or informational alerts.

  • Compliance: Shows the overall compliance status of your clusters and helps you to ensure that they meet the required standards.
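
The Clusters view columns and the compliance percentage described above can be reproduced from raw check results, for example to track them outside the portal. This is an added example, not RHACS code. The results are constructed sample data, and both the grouping of statuses under "Other" and the follow-up set are assumptions based on the descriptions on this page.

```python
from collections import Counter, defaultdict

# Status values as listed on the page. Treating everything other than Pass,
# Fail and Manual as "Other" is an assumption based on the column descriptions.
OTHER = {"Error", "Info", "Not Applicable", "Inconsistent"}
COLUMNS = ("Pass", "Fail", "Manual", "Other")
# Statuses picked for this example as needing a person to look at them.
FOLLOW_UP = {"Fail", "Error", "Manual", "Inconsistent"}

# Constructed sample results: (cluster, check, status). Names are made up.
RESULTS = [
    ("prod-east", "api-server-anonymous-auth", "Pass"),
    ("prod-east", "audit-log-forwarding", "Fail"),
    ("prod-east", "kubelet-tls-ciphers", "Pass"),
    ("prod-east", "general-namespaces-in-use", "Manual"),
    ("prod-east", "etcd-cert-file", "Pass"),
    ("staging", "api-server-anonymous-auth", "Pass"),
    ("staging", "audit-log-forwarding", "Error"),
    ("staging", "kubelet-tls-ciphers", "Inconsistent"),
    ("staging", "etcd-cert-file", "Not Applicable"),
]


def cluster_rollup(results):
    """Per cluster: count of checks in each column plus compliance percentage."""
    counts = defaultdict(Counter)
    for cluster, _check, status in results:
        column = "Other" if status in OTHER else status
        if column not in COLUMNS:
            raise ValueError(f"unknown status: {status!r}")
        counts[cluster][column] += 1
    rows = {}
    for cluster, tally in counts.items():
        total = sum(tally.values())  # at least 1, so no division by zero
        row = {column: tally[column] for column in COLUMNS}
        # Passed checks relative to all checks, as the page states it.
        row["Compliance"] = round(100 * tally["Pass"] / total, 1)
        rows[cluster] = row
    return rows


def follow_up(results):
    """Per cluster: (check, status) pairs that need a person to look at them."""
    todo = defaultdict(list)
    for cluster, check, status in results:
        if status in FOLLOW_UP:
            todo[cluster].append((check, status))
    return dict(todo)


if __name__ == "__main__":
    for cluster, row in cluster_rollup(RESULTS).items():
        print(cluster, row)
    print(follow_up(RESULTS))
```

In the sample data, staging has no failed checks yet shows 25.0 percent compliance, because Error, Inconsistent and Not Applicable results count toward the total without counting as passed.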

Monitoring and analyzing the health of your clusters

By viewing the status of a profile check, you can efficiently monitor and analyze the health of your clusters.

Wait until the Compliance Operator returns the scan results. It might take a few minutes.

Procedure
  1. In the RHACS portal, click Compliance → Coverage.

  2. Select a cluster to view the details of the individual scans.

  3. Optional: Enter the name of the profile check in the Filter by keyword box to view the status.

  4. Optional: From the Compliance status drop-down list, select one or more statuses by which to filter the scan details.

    The following values are associated with how you want to filter the scan details:

    • Pass

    • Fail

    • Error

    • Info

    • Manual

    • Not Applicable

    • Inconsistent

Compliance scan status overview

By understanding the compliance scan status, you can manage the overall security posture of your environment.

Each status and its description:

  • Fail: The compliance check failed.

  • Pass: The compliance check passed.

  • Not Applicable: Skipped the compliance check because it was not applicable.

  • Info: The compliance check gathered data, but RHACS could not make a pass or fail determination.

  • Error: The compliance check failed due to a technical issue.

  • Manual: Manual intervention is required to ensure compliance.

  • Inconsistent: The compliance scan data is inconsistent, and requires closer inspection and targeted resolution.