Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 

Sebastian Baszcyj - 26.06.202420240626

Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 

Join our community of 1,000+ IT professionals, and receive tech tips and updates once a week.

100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 

Essential 8 Compliance for RHEL: How to Get 100%

This blog takes you on a short (relatively speaking) journey to achieve the unthinkable —nailing a flawless 100% in Essential 8 Compliance.  

We achieve this feat with the help of one tool, Red Hat Insights. 

What is Red Hat Insights? 

Red Hat Insights is a predictive analytics and management tool designed to proactively identify and address potential issues in IT environments. It’s part of the broader suite of Red Hat management tools, focusing on maintaining system health, performance and security.  

Key Features of Red Hat Insights 

Here are some key features and benefits of Red Hat Insights. 

  • Proactive Identification of Issues – Insights utilises advanced analytics to predict and identify potential issues before they become critical 
  • Actionable Insights – Provides specific recommendations and actions to resolve identified issues 
  • Vulnerability Detection – Identifies security vulnerabilities and provides steps to mitigate them 
  • Compliance Management – Ensures systems comply with industry standards and internal policies 
  • Performance Optimisation – Monitors and optimises resource usage to improve system performance and efficiency 
  • Configuration Analysis – Checks system configurations against best practices to enhance performance 

ACSC Essential Eight Recommendations 

The ACSC Essential Eight is a set of baseline mitigation strategies recommended by the Australian Cyber Security Centre to help organisations improve their cybersecurity posture. It is particularly relevant for managing Linux servers in environments where security and compliance are critical. 

Look, I am not going to lie to you. This is what the ASCS suggests for Linux:  
 
Given the difficulty in implementing application control in Linux environments, the following mitigation strategies can be implemented to assist with reducing the residual risk of the exploitation of Linux workstations and servers. 

Note: This list is not exhaustive and does not take into account specific use cases or differences between Linux distributions. 

  • Use unique restricted users for key at-risk services (e.g. Apache software runs under a restricted “apache” user role) 
  • Disable unrequired operating system functionality, including disabling unrequired network services 
  • Apply additional forms of security policy enforcement such as SELinux or AppArmor 
  • Implement appropriately hardened security configurations and permissions of key configuration files (e.g. /etc/security/access.conf, /etc/hosts, /etc/nsswitch.conf) 
  • Use the “noexec” parameter to mount partitions which users have write access to 
  • Perform an inventory of binaries, determine which ones users need to run. For all others, either uninstall them or remove the setuid permission 
  • Implement software-based firewalls for both internal and external network interfaces, for IPv4 and IPv6 (or disable IPv6 support) 
  • Perform tasks with least privileges 
  • Implement specific configurations based on server roles (e.g. if running Apache HTTP Server, harden as per Apache hardening guidance) 
  • As far as practical, implement vendor security guidance for specific Linux distributions 

In short, what this means is a good CIS hardening will be more than enough to meet the requirements. 

Comprehensive Recommendations for CIS Hardening 

If you’re interested in a more comprehensive guide, here are the actual recommendations: 

  1. Application Whitelisting: Implemented through tools like SELinux or fapolicyd (They actually talk about AppArmor which is primarily used on Debian-based distros, but fapolicyd has been around for at least 5 years… Well SELinux will do) 
  1. Patching: Regularly updating Linux packages using tools like yum, dnf 
  1. Cryptography: Ensure system-wide crypto policies are configured as expected, disabling legacy encryption algorithms and ensuring that dependent services (like SSH) are using recommended algorithms 
  1. Software Integrity Checking: Implemented using the RPM package management system, which can check the hashes of installed software packages, including many that are important to system security 
  1. User Application Hardening: Configuring software policies and firewall settings to secure user applications 
  1. Restricting Administrative Privileges: Using sudo (or other solutions) to control access to administrative commands and reducing root access 
  1. System Accounting with auditd: Crucial for security and compliance, as it provides detailed records of user actions, system events and configuration changes 
  1. System Logging: Essential for monitoring system health, diagnosing issues and ensuring security. Logs can include information on user actions, system errors, access attempts and more 
  1. Daily Backups: Automate regular backups 
  1. Authentication: This is crucial to securing systems and ensuring only authorised users can access sensitive information and resources 

And here you have it. If you still want to know more, you may check out Australian Cyber Security Centre’s documentation on Hardening Linux Workstations and Servers.  

But if you really want your system to be hardened, I suggest checking Centre for Internet Security’s recommendations

Insights Configuration for ASCS Essential Eight Compliance Check 

The following section describes the steps required to enable Compliance Checks for RHEL8 servers:  

Prerequisites 

Before you proceed with the configuration, make sure you have the following requirements first: 

  • Red Hat Enterprise Linux 8+ 
  • Red Hat Insights Client installed on the device and registered to Red Hat Insights (Internet connexion required) 
  • Red Hat subscription to access cloud.redhat.com 
  • Red Hat account 

Insights Client Installation 

Make sure you have the repositories enabled and access to the internet as the insights client will require communication with the Red Hat cloud portals. 

  • Install Insights Client and other OpenScap compliance packages 
# dnf install -y insights-client   
scap-security-guide
openscap-scanner
openscap
  • After installing the Client, register your system with the Red Hat Cloud Insights using the following command. This will connect your RHEL 8 system to Red Hat Insights, and it will start uploading data for analysis 
# insights-client --register 
  • Enable the Insights client to auto-upload data daily 
systemctl enable insights-client.timer  
systemctl start insights-client.timer
  • By default, the insights-client’s timer is set to 1h. If you want to change the timer, use the following command:
# systemctl edit insights-client.timer  

[Timer]
OnCalendar=hourly
RandomizedDelaySec=14400
  • If you don’t want to wait for the daily automatic upload, you can manually upload data using this command: 
# insights-client --upload 
  • To ensure that your system is registered and is sending data, run the following command: 
# insights-client --status 
  • If everything is set up correctly, you should see a message similar to the one below: 
# insights-client --status 
System is registered locally via .registered file. Registered at 2023-02-09T16:09:54.762936
Insights API confirms registration. 
  • Log into the Red Hat Cloud Insights web console to view your system’s data. Your system should appear in the inventory. 
  • Navigate to https://console.redhat.com/insights/dashboard and enter your credentials 
  • In the left pane, click Inventory → Systems 
  • Confirm the registered server is on the list of servers 
  • On cloud.redhat.com, navigate to Security→ Compliance→  SCAP Policies 
  • Click on Create new policy 
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Select the RHEL Version and select the Policy type. In our case, we are selecting Essential Eight Policy. After selecting, click Next 
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Specify a unique name, describing the policy type and the RHEL version, specify the Compliance Threshold and click Next:
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Select the system(s) to run the compliance checks against and click Next
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Customise rules and click Next. Then, Click Finish after reviewing the configuration 
  • Connect to the host where the compliance will be checked and run the following command:  
# insights-client --compliance 
  • Navigate to Security→ Compliance→ Reports and verify the Reports
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Click on the ASD Essential 8 for RHEL8 policy link
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Review failed tests by clicking on the server name
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 

Addressing Compliance Violations 

Addressing Compliance Violations is easy.  Simply follow the instructions below. 

  • Select the violation(s): 
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Click Remediate, then Create New Playbook, then Next
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Verify the systems being remediated and click Next 
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Verify the Remediation Review and Turn off autoreboot, if necessary. Click Submit
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • If you do not have Ansible Automation Platform (AAP), click Open playbook compliance-remediate-140624 to download the Ansible playbook with the remediation tasks
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • If you have the AAP and it is already configured to authenticate with Insights (if not – check my blog “Patching RHEL Vulnerabilities with Insights” on how to do it), navigate to Projects, find the project that synchronises the content from Insight and click Synchronise
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Wait until the Project Job finishes successfully and navigate to the Templates. Find the Template you use with the Insights project, edit it and select the playbook we created in Insights section of cloud.redhat.com: 
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Note that the Playbook has the name we entered in the previous steps: “compliance-remediate-140624”
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Save and Launch the Template:  
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Keep in mind that the Job might take a while, especially at the end when the insights-agent runs the compliance verification and uploads the report to cloud.redhat.com
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 
  • Export the Report 
Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 

Sample Red Hat Insights Compliance Report

Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 

There you have it. I hope this guide helps you achieve the elusive 100% in Essential 8 Compliance. If you’d like to learn more about RHEL servers, check out my other blogs or reach out to Insentra for a consultation. 

Hungry for more?

If you’re waiting for a sign, this is it.

We’re a certified amazing place to work, with an incredible team and fascinating projects – and we’re ready for you to join us! Go through our simple application process. Once you’re done, we will be in touch shortly!

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

Australia | 100% Essential 8 Compliance for RHEL Servers: How Red Hat Insights Can Help 

Insentra ISO 27001:2013 Certification

SYDNEY, WEDNESDAY 20TH APRIL 2022 – We are proud to announce that Insentra has achieved the  ISO 27001 Certification.