Monitoring and reacting to configuration changes by using policies
How to create policies to detect inventory configuration changes and send email notifications
Chapter 1. Red Hat Lightspeed policies service overview
Policies evaluate system configurations in your environment, and can send notifications when changes occur. Policies you create are applicable to all systems in your Red Hat Lightspeed inventory. You can create and manage policies by using the Red Hat Lightspeed user interface in the Red Hat Hybrid Cloud Console, or using the Red Hat Lightspeed API.
Policies can take over tasks such as:
- Raising an alert when particular conditions occur in your system configuration.
- Emailing a team when security packages are out of date on a system.
Using policies to monitor configuration changes in your inventory and notifying by email requires:
- Setting user email preferences (if not already set).
- Creating a policy to detect configuration changes as a trigger and selecting email as the trigger action.
- Configuring User Access in Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Users, so that users hold the Policies roles they need. See the User Access configuration guide for role-based access control (RBAC) for more information about this feature and example use cases.
1.1. User Access settings in the Red Hat Hybrid Cloud Console
User Access is the Red Hat implementation of role-based access control (RBAC). Your Organization Administrator uses User Access to configure what users can see and do on the Red Hat Hybrid Cloud Console (the console):
- Control user access by organizing roles instead of assigning permissions individually to users.
- Create groups that include roles and their corresponding permissions.
- Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.
1.1.1. Predefined User Access groups and roles
To make groups and roles easier to manage, Red Hat provides two predefined groups and a set of predefined roles:
Predefined groups
The Default access group contains all users in your organization. Many predefined roles are assigned to this group. It is automatically updated by Red Hat.
Note: If the Organization Administrator makes changes to the Default access group, its name changes to Custom default access group and it is no longer updated by Red Hat.
The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained and users and roles in this group cannot be changed.
Navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Groups to see the current groups in your account. This view is limited to the Organization Administrator.
Predefined roles assigned to groups
The Default access group contains many of the predefined roles. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group.
The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their name.
Navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > Identity & Access Management > User Access > Roles to see the current roles in your account. You can see how many groups each role is assigned to. This view is limited to the Organization Administrator.
1.1.2. Access permissions
The Prerequisites for each procedure list which predefined role provides the permissions you must have. As a user, you can navigate to Red Hat Hybrid Cloud Console > the Settings icon (⚙) > My User Access to view the roles and application permissions currently inherited by you.
If you try to access Red Hat Lightspeed features and see a message that you do not have permission to perform this action, you must obtain additional permissions. The Organization Administrator or the User Access administrator for your organization configures those permissions.
Use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.
Additional resources
For more information about user access and permissions, see User Access configuration guide for role-based access control (RBAC).
1.1.3. User Access roles for the Policies service
The following predefined roles on the Red Hat Hybrid Cloud Console enable access to policies features in Red Hat Lightspeed:
- Policies administrator role. The Policies administrator role provides read and write access allowing these users to perform any available operation on policies resources. This predefined role is in the Default admin access group.
- Policies viewer role. The Policies viewer role provides read-only access. (If your organization determines that the default configuration of the Policies viewer role is inadequate, a User Access administrator can create a custom role with the specific permissions that you need.) This predefined role is in the Default access group.
If you configured groups before April 2023, any user who was not an Organization Administrator will have the Policies administrator role replaced with the Policies viewer role. Modifications made to the Default access group before April are not changed.
Additional Resources
- How to use User Access in the User Access configuration guide for role-based access control (RBAC).
- Predefined User Access roles
Chapter 2. Setting notifications and email preferences
By configuring notifications and user preferences in the Red Hat Hybrid Cloud Console, you can have Red Hat Lightspeed notify you when a policy is triggered on your Red Hat Enterprise Linux systems.
2.1. Enabling notifications and integrations for the policies service
You can enable the notifications service on the Red Hat Hybrid Cloud Console to send notifications whenever the policies service detects an issue and generates an alert. Using the notifications service frees you from having to continually check the Red Hat Lightspeed Dashboard for alerts.
For example, you can configure the notifications service to automatically send an email message whenever the policies service detects that a server’s security software is out of date, or to send an email digest of all the alerts that the policies service generates each day.
In addition to sending email messages, you can configure the notifications service to send policies event data in other ways:
- Using an authenticated client to query Red Hat Lightspeed APIs for event data
- Using webhooks to send events to third-party applications that accept inbound requests
- Integrating notifications with applications such as Splunk to route policies events to the application dashboard
Enabling the notifications service requires three main steps:
- First, an Organization Administrator creates a User access group with the Notifications administrator role, and then adds account members to the group.
- Next, a Notifications administrator sets up behavior groups for events in the notifications service. Behavior groups specify the delivery method for each notification. For example, a behavior group can specify whether email notifications are sent to all users, or just to Organization administrators.
- Finally, users who receive email notifications from events must set their user preferences so that they receive individual emails for each event.
2.2. Setting user preferences
To receive email notifications, you can set or update your email preferences using the following procedure.
Procedure
- Navigate to Operations > Policies.
- Click Open user preferences. The My Notifications page appears.
- Select Red Hat Enterprise Linux > Policies from the left menu.
- Check the appropriate boxes to define your policies notification preferences.
Depending on your email notification preferences, you can subscribe to Instant notification emails for each system with triggered policies or a Daily digest summarizing triggered application events in a 24-hour time frame. To unsubscribe from all notifications, select Unsubscribe from all.
Note: Subscribing to instant notifications can result in receiving many emails on large inventories. To reduce the volume of emails, consider selecting the Daily digest option.
- Click Submit.
Chapter 3. Creating policies
The following workflow examples explain how to create several types of policies that detect system configuration changes and send notification of the changes by email.
When creating a policy, if you see a warning message that you have not opted in for email alerts, set your User preferences to receive email from your policies.
3.1. Creating a policy to ensure instances on public cloud providers are not over-provisioned
Create a policy using the following procedure.
Procedure
- In Red Hat Hybrid Cloud Console, go to Operations > Policies.
- Click Create policy.
- On the Create a policy page, click From scratch or As a copy of existing Policy as required. Note that the As a copy of existing Policy option prompts you to select a policy from the list of existing policies to use as a starting point.
- Click Next.
- Enter a Name and Description for the policy.
- Click Next.
- Enter the Condition. In this case, enter: facts.cloud_provider in ['alibaba', 'aws', 'azure', 'google'] and (facts.number_of_cpus >= 8 or facts.number_of_sockets >= 2). This condition matches instances running on one of the listed public cloud providers with more CPU hardware than the allowed limit, here 8 or more CPUs or 2 or more sockets.
Note: You can expand What condition can I define? and Review available system facts to see an explanation of the conditions you can use and the available system facts, respectively, including examples of the syntax.
- Click Validate condition.
- Once the condition is validated, click Next.
- On the Trigger actions page, click Add trigger actions. If notifications are greyed out, select Notification settings in the notifications box, where you can customize notifications and their behaviors.
Note: On the Trigger actions page, you can also enable email alerts and set other available email preferences.
- Click Next.
- On the Review and enable page, click the toggle switch to activate the policy and review its details.
- Click Finish.
Your new policy is created. When the policy is evaluated on a system check-in, if the condition in the policy is met, Policies automatically sends an email to all users on the account with access to Policies, depending on their email preferences.
3.2. Creating a policy to detect if systems are running an outdated version of RHEL
You can create a policy that detects if systems are running outdated versions of RHEL and notifies you by email about what it finds.
Procedure
- In Red Hat Hybrid Cloud Console, go to Operations > Policies.
- Click Create policy.
- On the Create policy page, click From scratch or As a copy of existing Policy as required. Note that the As a copy of existing Policy option prompts you to select a policy from the list of existing policies to use as a starting point.
- Click Next.
- Enter a Name and Description for the policy.
- Click Next.
- Enter the Condition. In this case, enter facts.os_release < 8.1. This condition detects systems that still run a RHEL release older than 8.1.
- Click Validate condition, then click Next.
- On the Trigger actions page, click Add trigger actions and select Email.
- Click Next.
- On the Review and activate page, click the toggle switch to activate the policy and review its details.
- Click Finish.
Your new policy is created. When the policy is evaluated on a system check-in, if the condition in the policy is triggered, the policies service automatically sends an email to all users on the account with access to Policies, depending on their email preferences.
3.3. Creating a policy to detect a vulnerable package version based on a recent CVE
You can create a policy that detects vulnerable package versions based on a recent CVE and notifies you by email about what it finds.
Procedure
- In Red Hat Hybrid Cloud Console, go to Operations > Policies.
- Click Create policy.
- On the Create Policy page, click From scratch or As a copy of existing Policy as required. Note that the As a copy of existing Policy option will prompt you to select a policy from the list of existing policies to use as a starting point.
- Click Next.
- Enter a Name and Description for the policy.
- Click Next.
- Enter the Condition. In this case, enter facts.installed_packages contains ['openssh-4.5']. This condition detects systems that still run a vulnerable version of the openssh package based on a recent CVE.
- Click Validate condition, then click Next.
- On the Trigger actions page, click Add trigger actions and select Email.
- Click Next.
- On the Review and activate page, click the toggle switch to activate the policy and review its details.
- Click Finish.
Your new policy is created. When the policy is evaluated on a system check-in, if the condition in the policy is met, Policies automatically sends an email to all users on the account with access to Policies, depending on their email preferences.
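The three conditions used in sections 3.1, 3.2 and 3.3 are evaluated by the hosted policies service against each system's facts at check-in. The following is an added example, not code from this guide or from Red Hat's policies service: a small Python evaluator for the condition syntax the operators appendix lists (and, or, not, =, !=, <, <=, >, >=, in, contains, parentheses; MATCHES is left out), run against a constructed two-host inventory. Two points in it are this example's assumptions rather than documented behaviour of the hosted engine: `contains` is implemented as a substring match of every listed needle against some element of the installed-package list, and dotted numbers such as os_release are ordered as version tuples, so that 8.10 sorts after 8.9 and after 8.1. The page does not say how the hosted engine orders these values, and it matters: compared as decimal numbers, 8.10 and 8.1 are equal, so a RHEL 8.10 system would satisfy `facts.os_release < 8.2`. Before trusting such a policy as a freshness check, confirm on a known RHEL 8.10 system that it does not trigger.

```python
import re
# Constructed sample inventory (hypothetical hosts); the fact names are the ones this guide's conditions use.
SAMPLE_SYSTEMS = {
    "web-01": {"cloud_provider": "aws", "number_of_cpus": 16, "number_of_sockets": 1,
               "os_release": "8.10", "installed_packages": ["openssh-8.7p1-38.el8.x86_64"]},
    "db-01": {"cloud_provider": None, "number_of_cpus": 4, "number_of_sockets": 2,  # on-premises host
              "os_release": "8.0", "installed_packages": ["openssh-4.5p1-1.el8.x86_64"]},
}
TOKEN_RE = re.compile(r"""\s*(?:(?P<str>'[^']*'|"[^"]*")|(?P<op>>=|<=|!=|[=><!()\[\],])|(?P<word>[\w.]+))""")
def tokenize(text):
    """Split a condition into (kind, value) tokens; keywords (AND, contains, ...) are case-insensitive."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        if not (m := TOKEN_RE.match(text, pos)):
            raise ValueError(f"cannot tokenize {text[pos:]!r}")
        pos, kind, value = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "word" and value.lower() in {"and", "or", "not", "in", "contains"}:
            kind, value = "kw", value.lower()
        tokens.append((kind, value[1:-1] if kind == "str" else value))  # string literals lose their quotes
    return tokens

class Parser:  # recursive descent, lowest precedence first: or < and < not < comparison; parentheses group
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, expect=None):
        tok, self.i = self.peek(), self.i + 1
        if expect is not None and tok != expect:
            raise ValueError(f"expected {expect}, got {tok}")
        return tok
    def expr(self):
        return self.binary("or", lambda: self.binary("and", self.unary))
    def binary(self, kw, sub):
        node = sub()
        while self.peek() == ("kw", kw):
            self.take()
            node = (kw, node, sub())
        return node
    def unary(self):
        if self.peek() in (("kw", "not"), ("op", "!")):
            self.take()
            return ("not", self.unary())
        if self.peek() == ("op", "("):
            self.take()
            node = self.expr()
            self.take(("op", ")"))
            return node
        left = self.operand()
        op = self.take()[1]  # comparison symbol or keyword; unknown ones are rejected in evaluate()
        return ("cmp", op, left, self.operand())
    def operand(self):
        kind, value = self.take()
        if kind == "word" and value.startswith("facts."):
            return ("fact", value[len("facts."):])
        if kind in ("word", "str"):  # number or quoted string literal
            return ("lit", value)
        if (kind, value) == ("op", "["):  # non-empty list literal such as ['aws', 'azure']
            items = [self.operand()[1]]
            while self.take()[1] != "]":  # ',' separates items, ']' closes the list
                items.append(self.operand()[1])
            return ("lit", items)
        raise ValueError(f"unexpected token {(kind, value)}")

def version_key(value):
    """Order dotted numerics as version tuples ('8.10' > '8.9' > '8.1'); as floats, 8.10 would equal 8.1."""
    parts = str(value).split(".")
    return (0, tuple(map(int, parts))) if all(p.isdigit() for p in parts) else (1, str(value))

def evaluate(node, facts):
    """Evaluate a parsed condition against one system's facts; a missing fact never matches."""
    if node[0] == "not":
        return not evaluate(node[1], facts)
    if node[0] in ("or", "and"):
        return {"or": any, "and": all}[node[0]](evaluate(child, facts) for child in node[1:])
    _, op, left, right = node
    lval, rval = (facts.get(v) if k == "fact" else v for k, v in (left, right))
    if lval is None:
        return False
    if op in ("=", "!=", "<", "<=", ">", ">="):  # ordered comparison on version tuples, not floats
        a, b = version_key(lval), version_key(rval)
        return {"=": a == b, "!=": a != b, "<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]
    if op == "in":        # a scalar fact is one of the listed values
        return str(lval) in [str(r) for r in rval]
    if op == "contains":  # assumed semantics: every needle is a substring of some element of the list
        haystack = lval if isinstance(lval, list) else [lval]
        needles = rval if isinstance(rval, list) else [rval]
        return all(any(str(n) in str(h) for h in haystack) for n in needles)
    raise ValueError(f"unsupported operator {op!r}")

def run_policy(condition, systems):  # names of the systems on which this policy would trigger
    parser = Parser(tokenize(condition))
    tree = parser.expr()
    parser.take((None, None))  # anything left over is a syntax error
    return sorted(name for name, facts in systems.items() if evaluate(tree, facts))
OVERPROVISIONED = ("facts.cloud_provider in ['alibaba', 'aws', 'azure', 'google'] "  # the guide's three conditions
                   "and (facts.number_of_cpus >= 8 or facts.number_of_sockets >= 2)")
OUTDATED_RHEL = "facts.os_release < 8.1"
VULNERABLE_SSH = "facts.installed_packages contains ['openssh-4.5']"
```

With this inventory, `run_policy(OVERPROVISIONED, SAMPLE_SYSTEMS)` returns only web-01 (db-01 has no cloud_provider fact, and a missing fact never matches), `OUTDATED_RHEL` and `VULNERABLE_SSH` each return only db-01, and web-01 on 8.10 is correctly not reported as older than 8.1. Swapping `version_key` for `float` would flip that last result, which is the check worth running against the hosted engine before relying on release-number comparisons.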
Chapter 4. Reviewing and managing policies
You can review and manage all created policies (enabled and disabled) by navigating to Operations > Policies.
You can filter the list of policies by name and by active state. You can click the options menu next to a policy to perform the following operations:
- Enable and disable
- Edit
- Duplicate
- Delete
Additionally, you can perform the following operations in bulk by selecting multiple policies from the list of policies and clicking the options menu located next to the Create policy button at the top:
- Delete policies
- Enable policies
- Disable policies
If you see a warning that you have not opted in to email alerts, set your User preferences to receive email from your policies.
Chapter 5. Appendix
This appendix contains the following reference materials:
- System Facts
- Operators
5.1. System Facts
The following table defines the system facts for use in system comparisons.
In a condition, a fact is referenced as facts.<fact name>, as in the examples in Chapter 3.
| Fact name | Description | Example value |
|---|---|---|
| | Category with a list of Ansible-related facts | |
| | System architecture | |
| | BIOS release date; typically | 01/01/2011 |
| | BIOS vendor name | LENOVO |
| | BIOS version | 1.17.0 |
| cloud_provider | Cloud vendor. Values are | |
| | Number of CPU cores per socket | 2 |
| | Category with a list of CPU flags. Each name is the CPU flag (ex: | |
| | Category with a list of enabled services. Each name in the category is the service name (ex: | |
| | The fully qualified domain name (FQDN) of the system | |
| | System infrastructure; common values are | |
| | Infrastructure vendor; common values are | |
| installed_packages | List of installed RPM packages. This is a category. | |
| | Category with a list of installed services. Each name in the category is the service name (ex: | |
| | List of kernel modules. Each name in the category is the kernel module (ex: | |
| | The boot time in | |
| | Category with a list of Microsoft SQL Server-related facts | |
| | List of facts related to network interfaces. There are six facts for each interface: Each interface is prefixed to the fact name. For example, the interface Most network interface facts are compared to ensure they are equal across systems. However, | |
| number_of_cpus | Total number of CPUs | |
| number_of_sockets | Total number of sockets | |
| | Kernel version | |
| | Kernel release | |
| | List of running processes. The fact name is the name of the process, and the value is the instance count. | |
| | SAP instance number | |
| | SAP system ID (SID) | |
| | Boolean field that indicates if SAP is installed on the system | |
| | SAP version number | |
| | Boolean field that indicates whether a system is registered to a Satellite Server | |
| | Current SELinux mode | |
| | SELinux mode set in the config file | |
| | The number of failures, the number of current jobs queued, and the current state of | |
| | Total system memory in bytes | |
| | Current profile resulting from the command | |
| | List of yum repositories. The repository name is added to the beginning of the fact. Each repository has the associated facts | |
5.2. Operators
| Operator type | Operators |
|---|---|
| Logical operators | AND, OR |
| Boolean operators | NOT, !, =, != |
| Numeric compare operators | >, >=, <, <= |
| String compare operators | CONTAINS, MATCHES |
| Array operators | IN, CONTAINS |
Providing feedback on Red Hat documentation
We appreciate and prioritize your feedback regarding our documentation. Provide as much detail as possible, so that your request can be quickly addressed.
Prerequisites
- You are logged in to the Red Hat Customer Portal.
Procedure
To provide feedback, perform the following steps:
- Click the following link: Create Issue
- Describe the issue or enhancement in the Summary text box.
- Provide details about the issue or requested enhancement in the Description text box.
- Type your name in the Reporter text box.
- Click the Create button.
This action creates a documentation ticket and routes it to the appropriate documentation team. Thank you for taking the time to provide feedback.