Red Hat Training

A Red Hat training course is available for Red Hat CloudForms

Appendix A. Appendix

A.1. Events

Events are triggers that cause a condition to be tested. Control provides several Events, that can be divided into functional types. Events cannot be modified.

Table A.1. Event Types

CategoryDescription

Container Operation

Events related to container analysis.

Datastore Operation

Events related to datastore analysis.

Authentication Validation

Events related to credential validation for hosts and providers.

Company Tag

Events related to assigning and removing company tags from an infrastructure object.

Compliance

Events related to checking compliance policies.

Host Operation

Events related to the connection state of a host and status of a SmartState Analysis on a host.

VM Configuration

Events associated with a change in configuration of a virtual machine. These include, but are not limited to, clone, create, template create, and settings change.

VM Lifecycle

Events such as virtual machine discovery, provisioning, and virtual machine retirement.

VM Operation

Events associated with power states or locations of virtual machines and virtual desktop machines. These include, but are not limited to, power off, power on, reset, resume, shutdown, and suspend.

Service Lifecycle

Events associated with service lifecycle. These include, but are not limited to, provisioning completed, start request, started, stop request, stopped, retirement warning, and retired.

Each type has a set of events that you can select to trigger the checking of a condition.

Table A.2. Events and Descriptions

EventDescription

Container Image Analysis Complete

Check the condition when an analysis of a container image completes.

Container Image Discovered

Check the condition when a new container image is discovered.

Container Image Compliance Check

Check the condition when a compliance check is performed on an image.

Container Image Compliance Passed

Check the condition when an image passes a compliance check.

Container Image Compliance Failed

Check the condition when an image fails a compliance check.

Container Node Failed Mount

Check the condition when a node fails to mount a volume for a pod.

Container Node Invalid Disk Capacity

Check the condition when a node’s disk capacity is invalid.

Container Node Not Ready

Check the condition when a node is not ready.

Container Node Not Schedulable

Check the condition when a node is not schedulable.

Container Node Ready

Check the condition when a node is ready.

Container Node Schedulable

Check the condition when a node is schedulable.

Container Node Rebooted

Check the condition when a node reboots.

Container Node Compliance Check

Check the condition when a compliance check is performed on a node.

Container Node Compliance Passed

Check the condition when a node passes a compliance check.

Container Node Compliance Failed

Check the condition when a node fails a compliance check.

Pod Deadline Exceeded

Check the condition when a pod with specified deadline exceeds it and is terminated.

Pod Failed Scheduling

Check the condition when scheduling a pod fails.

Pod Failed Sync

Check the condition when getting a pod to its desired state fails (a frequent reason is failure to download the image).

Pod Failed Validation

Check the condition when a pod validation fails.

Pod hostPort Conflict

Check the condition when a pod hostPort conflict occurs.

Pod Insufficient Free CPU

Check the condition when there is an insufficient free CPU in a pod.

Pod Insufficient Free Memory

Check the condition when there is an insufficient free memory in a pod.

Pod nodeSelector Mismatching

Check the condition when a pod nodeSelector mismatches.

Pod Out of Disk

Check the condition when a pod is out of disk space.

Pod Scheduled

Check the condition when a pod is scheduled onto the node.

Pod Compliance Check

Check the condition when a compliance check is performed on a pod.

Pod Compliance Passed

Check the condition when a pod passes a compliance check.

Pod Compliance Failed

Check the condition when a pod fails a compliance check.

Replicator Failed Creating Pod

Check the condition when a replicator fails creating a pod.

Replicator Successfully Created Pod

Check the condition when a replicator successfully creates a pod.

Replicator Compliance Check

Check the condition when a compliance check is performed on a replicator.

Replicator Compliance Passed

Check the condition when a replicator passes a compliance check.

Replicator Compliance Failed

Check the condition when a replicator fails a compliance check.

Datastore Analysis Complete

Check the condition when a SmartState Analysis of datastore completes.

Datastore Analysis Request

Check the condition when a SmartState Analysis for a datastore is requested from the user interface.

Host Added to Cluster

Check the condition when a host is added to a cluster.

Host Analysis Complete

Check the condition when a SmartState Analysis of host completes.

Host Analysis Request

Check the condition when a SmartState Analysis is requested from the Red Hat CloudForms console.

Host Auth Changed

Check the condition when host authentication credentials are changed in the Red Hat CloudForms console.

Host Auth Error

Check the condition if there is any other error connecting to the host such as ssh/vim handshaking problems, timeouts, or any other uncategorized error.

Host Auth Incomplete Credentials

Check the condition if host authentication credentials are not complete in the user interface.

Host Auth Invalid

Check the condition if Red Hat CloudForms is able to communicate with the host and the credentials fail.

Host Auth Unreachable

Check the condition if Red Hat CloudForms is unable to communicate with the host.

Host Auth Valid

Check the condition when the host authentication credentials entered in the Red Hat CloudForms console are valid.

Host C & U Processing Complete

Check the condition when the processing of capacity and utilization data has finished.

Host Compliance Check

Check the condition when a compliance check is performed on a host.

Host Compliance Failed

Check the condition when a host fails a compliance check.

Host Compliance Passed

Check the condition when a host passes a compliance check.

Host Connect

Check the condition when a host connects to a provider.

Host Disconnect

Check the condition when a host disconnects from a provider.

Host Removed from Cluster

Check the condition when a host is removed from a cluster.

Provider Auth Changed

For use only with Red Hat CloudForms automate, for future use in policies. Check the condition when provider authentication credentials are changed in the user interface.

Provider Auth Error

For use only with Red Hat CloudForms automate, for future use in policies. Check the condition if there is any other error connecting to the provider such as ssh/vim handshaking problems, timeouts, or any other uncategorized error.

Provider Auth Incomplete Credentials

For use only with automate, for future use in policies. Check the condition if provider authentication credentials are not complete in the Red Hat CloudForms console.

Provider Auth Invalid

For use only with Red Hat CloudForms automate, for future use in policies. Check the condition if Red Hat CloudForms is able to communicate with the provider and the credentials fail.

Provider Auth Unreachable

For use only with automate, for future use in policies. Check the condition if Red Hat CloudForms is unable to communicate with the provider.

Provider Auth Valid

For use only with Red Hat CloudForms automate, for future use in policies. Check the condition when the provider authentication credentials entered in the user interface are valid.

Provider Compliance Check

Check the condition when a compliance check is performed on a provider.

Provider Compliance Failed

Check the condition when a provider fails a compliance check.

Provider Compliance Passed

Check the condition when a provider passes a compliance check.

Service Provision Complete

Check the condition when the service provision is complete.

Service Retired

Check the condition when the service has been retired.

Service Retirement Warning

Check the condition when the service is about to retire.

Service Start Request

Check the condition when the service has been requested to start.

Service Started

Check the condition when the service has started.

Service Stop Request

Check the condition when the service has been requested to stop.

Service Stopped

Check the condition when the service has stopped.

Tag Complete

Check the condition after a company tag is assigned.

Tag Parent Cluster Complete

Check the condition after a company tag is assigned to a virtual machine’s parent cluster.

Tag Parent Datastore Complete

Check the condition after a company tag is assigned to a virtual machine’s parent datastore.

Tag Parent Host Complete

Check the condition after a company tag is assigned to a virtual machine’s parent host.

Tag Parent Resource Pool Complete

Check the condition after a company tag is assigned to a virtual machine’s parent resource pool.

Tag Request

Check the condition when assignment of a company tag is attempted.

Un-Tag Complete

Check the condition when a company tag is removed.

Un-Tag Parent Cluster Complete

Check the condition after a company tag is removed from a virtual machine’s parent cluster.

Un-Tag Parent Datastore Complete

Check the condition after a company tag is removed from a virtual machine’s parent datastore.

Un-Tag Parent Host Complete

Check the condition after a company tag is removed from a virtual machine’s parent host.

Un-Tag Parent Resource Pool Complete

Check the condition after a company tag is removed from a virtual machine’s parent resource pool.

Un-Tag Request

Check the condition when an attempt is made to remove a company tag.

VDI Connecting to Session

Check the condition when a VDI session is started.

VDI Disconnected from Session

Check the condition when a VDI session is disconnected.

VDI Login Session

Check the condition when a user logs on to a VDI session.

VDI Logoff Session

Check the condition when a user logs off from a VDI session.

VM Analysis Complete

Check the condition when a SmartState Analysis of virtual machine completes.

VM Analysis Failure

Check the condition when a SmartState Analysis of virtual machine fails.

VM Analysis Request

Check the condition when a SmartState Analysis is requested from the Red Hat CloudForms console.

VM Analysis Start

Check the condition when a SmartState Analysis of virtual machine is started.

VM C & U Processing Complete

Check the condition when the processing of capacity and utilization data has finished.

VM Clone Complete

Check the condition when a virtual machine is cloned.

VM Clone Start

Check the condition when a virtual machine clone is started.

VM Compliance Check

Check the condition when a compliance check is performed on a virtual machine.

VM Compliance Failed

Check the condition when a virtual machine fails a compliance check.

VM Compliance Passed

Check the condition when a virtual machine passes a compliance check.

VM Create Complete

Check the condition when a virtual machine is created.

VM Delete (from Disk) Request

Check the condition when someone tries to delete a virtual machine from disk from the user interface.

VM Guest Reboot

Check the condition when a virtual machine is rebooted.

VM Guest Reboot Request

Check the condition when someone tries to reboot a virtual machine from the Red Hat CloudForms console.

VM Guest Shutdown

Check the condition when the operating system of a virtual machine shuts down.

VM Guest Shutdown Request

Check the condition when someone tries to shut down the operating system of a virtual machine from the user interface.

VM Live Migration (VMOTION)

Check the condition when a VMOTION is performed.

VM Power Off

Check the condition when a virtual machine is turned off.

VM Power Off Request

Check the condition when someone tries to power off a virtual machine from the Red Hat CloudForms console.

VM Power On

Check the condition when a virtual machine is turned on.

VM Power On Request

Check the condition when someone tries to turn on a virtual machine from the Red Hat CloudForms console.

VM Provision Complete

Check the condition when a virtual machine is provisioned.

VM Remote Console Connected

Check the condition when a virtual machine is connected to a remote console.

VM Removal from Inventory

Check the condition when a virtual machine is unregistered.

VM Removal from Inventory Request

Check the condition when a request is sent from the Red Hat CloudForms console to unregister a virtual machine.

VM Renamed Event

Check the condition when a virtual machine is renamed on its provider.

VM Reset

Check the condition when a virtual machine is restarted.

VM Reset Request

Check the condition when a virtual machine is restarted from the Red Hat CloudForms console.

VM Retire Request

Check the condition when a virtual machine retirement request is created from Red Hat CloudForms.

VM Retired

Check the condition when a virtual machine is retired.

VM Retirement Warning

Check the condition when a warning threshold is reached for retirement.

VM Settings Change

Check the condition when the settings of virtual machine are changed.

VM Snapshot Create Complete

Check the condition when a snapshot is completed.

VM Snapshot Create Request

Check the condition when someone tries to create a snapshot of a virtual machine from the user interface.

VM Snapshot Create Started

Check the condition when a snapshot creation is started.

VM Standby of Guest

Check the condition when the operating system of a virtual machine goes to standby.

VM Standby of Guest Request

Check the condition when someone tries to put the operating system of a virtual machine in standby from the Red Hat CloudForms console.

VM Suspend

Check the condition when a virtual machine is suspended.

VM Suspend Request

Check the condition when someone tries to suspend a virtual machine from the Red Hat CloudForms console.

VM Template Create Complete

Check the condition when a virtual machine template is created.

A.2. OpenSCAP Integration

OpenSCAP is an auditing tool used for hardening the security of your enterprise. This tool is built upon the knowledge and resources provided by the many experienced security experts active in the upstream OpenSCAP ecosystem. For more information about OpenSCAP, see https://www.open-scap.org/.

Red Hat CloudForms now supports OpenSCAP. By default, Red Hat CloudForms provides a built-in OpenSCAP policy profile which provides policies for managing the security of your container images.

These policies ensure that new container images from any provider within Red Hat CloudForms are scanned against the latest CVE content from Red Hat. See Red Hat’s Security Data page for more details about this content. In particular, the SCAP source data stream files index provides examples of security advisories used by the built-in OpenSCAP policy profile.

Each of these security advisories have a severity ranging from Low to Critical. With the built-in OpenSCAP policy profile, any image that fails a security check against an advisory with at least a High severity is marked as non-compliant.

The built-in OpenSCAP policy profile cannot be edited. You can, however, edit copies of its policies and assign those copies to a new profile. See Section A.3, “Creating a Customized OpenSCAP Policy Profile” for more information.

A.2.1. Assigning the Built-In OpenSCAP Policy Profile

The OpenSCAP policy profile included with Red Hat CloudForms is not automatically assigned. You still need to assign it to a container provider. The method for doing so is similar to that of any normal policy profile (as in Section 4.4, “Assigning Policy Profiles”):

  1. Navigate to ComputeContainersProviders, check the providers you need to assign the OpenSCAP policy profile to.
  2. Click image (Policy), and then click image (Manage Policies).
  3. From the Select Policy Profiles area, click on the triangle next to OpenSCAP profile to expand it and see its member policies.
  4. Check OpenSCAP profile. It turns blue to show its assignment state has changed.
  5. Click Save.

A.2.2. Scheduling an OpenSCAP Compliance Check on Container Images

Once you have assigned the built-in OpenSCAP policy profile to a container provider, you can schedule a compliance check against the policy profile. The method for doing is similar to that of scheduling a normal compliance check (Section 1.2.3.1, “Scheduling a Compliance Check”):

  1. From the settings menu, select Configuration.
  2. Click the Settings accordion, and select Schedules.
  3. Click image (Configuration), image (Add a new Schedule).
  4. In the Adding a new Schedule area, type in a name and description for the schedule.

    image

  5. Select Active if you want to enable this scan.
  6. From the Action dropdown, select Container Image Analysis.
  7. From the Filter dropdown, select All Container Images for Containers Provider, a new dropdown will appear. From this dropdown, choose the provider where you enabled the OpenSCAP policy profile.
  8. From the Run dropdown, select how often you want the analysis to run. Your options after that depend on which run option you choose.

    image

    • Select Once to have the analysis run just one time.
    • Select Daily to run the analysis on a daily basis. You are prompted to select how many days you want between each analysis.
    • Select Hourly to run the analysis hourly. You are prompted to select how many hours you want between each analysis.
  9. Select the time zone for the schedule.
  10. Type or select a date to begin the schedule in Starting Date.
  11. Select a starting time based on a 24-hour clock in the selected time zone.
  12. Click Add.

A.3. Creating a Customized OpenSCAP Policy Profile

The built-in OpenSCAP policy profile cannot be edited. You can, however, assign edited copies of its policies to a new policy profile. This will allow you to create a customized version of the built-in OpenSCAP policy profile.

To do so, you will first have to copy the policy you want to customize:

  1. Navigate to ControlExplorer.
  2. Click the Policies accordion, and select the policy you want to copy.
  3. Click image (Configuration), and an option to copy the policy should appear; for example, image (Copy this Image Policy).

    image

  4. Click OK to confirm.

The new policy is created with a prefix of Copy of in its description, and it can be viewed in the Policy accordion.

image

You can now edit the copied policy. For instructions on how to edit policies, see:

After editing copied policies, you can now add them to a new policy profile. For instructions on how to create a new policy profile (and add policies to it), see Section 4.1, “Creating Policy Profiles”.

Once you have a customized policy profile, you can assign it to a container provider. See Section 4.4, “Assigning Policy Profiles” for instructions.