Chapter 1. Policies

Policies are used to manage your virtual environment. There are two types of policies available: compliance and control. Compliance policies are used to harden your virtual infrastructure, making sure that your security requirements are adhered to. Control policies are used to check for a specific condition and perform an action based on the outcome. For example:

  • Prevent virtual machines from running without an administrator account.
  • Prevent virtual machines from starting if certain patches are not applied.
  • Configure the behavior of a production virtual machine to only start if it is running on a production host.
  • Force a SmartState Analysis when a host is added to or removed from a cluster.

1.1. Control Policies

A control policy is a combination of an event, a condition, and an action. This combination provides management capabilities in your virtual environment.

  • An event is a trigger to check a condition.
  • A condition is a test triggered by an event.
  • An action is an execution that occurs if a condition is met.

1.1.1. Creating Control Policies

Create control policies by combining an event, a condition, and an action. Plan carefully the purpose of your policy before creating it. You can also use a scope expression that is tested immediately when the policy is triggered by an event. If the item is out of scope, then the policy does not continue on to the conditions, and none of the associated actions run.

The procedure below describes how to create a control policy, its underlying conditions, and assign its events and actions in one process. Conditions and custom actions can also be created separately; those procedures are described in the Conditions and Actions chapters. A description of all events is provided in Section A.1, “Events”.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select Control Policies.
  3. Select one of Host Control Policies, VM Control Policies, Replicator Control Policies, Pod Control Policies, Container Node Control Policies, or Container Image Control Policies.
  4. Click Configuration, then Add a New Host / VM / Replicator / Pod / Node / Image Control Policy.
  5. Type in a Description.
  6. Uncheck Active if you do not want this policy processed even when assigned to a resource.
  7. You can enter a Scope here. (You can also create a scope as part of a condition, or not use one at all.) If the host or virtual machine is not included in the scope, no actions run, including those in the "if ANY conditions are false" list.
  8. In the Notes area, add a detailed explanation of the policy.
  9. Click Add. You are brought to the page where you add conditions and events to your new policy.
  10. Click Configuration to associate conditions, events, and actions with the policy.

1.1.2. Editing Basic Information, Scope, and Notes for a Policy

As your enterprise’s needs change, you can change the name of a policy or its scope. If the items being evaluated are out of scope, policy processing stops and no actions run.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy to edit.
  3. Click Configuration, then Edit Basic Info, Scope, and Notes.
  4. In the Scope area, create a general condition based on a simple attribute, or click an existing expression to edit it. Based on what you choose, different options appear. Configuring a Scope is optional for a policy.

    • Click Field to create criteria based on field values.
    • Click Count of to create criteria based on the count of something, such as the number of snapshots for a virtual machine, or the number of virtual machines on a host.
    • Click Tag to create criteria based on tags assigned to your resources. For example, you can check the power state of a virtual machine or see if it is tagged as production.
    • Click Find to seek a particular value, and then check a property. For example, finding the Admin account and checking that it is enabled. Use the following check commands:

      • Check Any: The result is true if one or more of the find results satisfy the check condition.
      • Check All: All of the find results must match for a true result.
      • Check Count: The result is true if the number of find results satisfies the expression in Check Count.

    • Click Registry to create criteria based on registry values. For example, you can check if DCOM is enabled on a Windows system. Note that this applies only to Windows operating systems. Registry is only available if you are editing a VM Control Policy.

  5. Click Commit Expression Element Changes to add the scope.
  6. In the Notes area, make the required changes.
  7. Click Save.

1.1.3. Copying a Policy

You can copy a policy if its contents are similar to a new one that you want to create, then change the condition or event associated with it. This enables you to make new policies efficiently.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy you want to copy.
  3. Click Configuration, then the copy option for that policy type, for example Copy this Image Policy.
  4. Click OK to confirm.

The new policy is created with the prefix Copy of in its description, and it can be viewed in the Policies accordion.

1.1.4. Deleting a Policy

You can remove policies that you no longer need. You can only remove policies that are not assigned to a policy profile.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy you want to remove.
  3. Click Configuration, then Delete this Host/VM and Instance/Replicator/Pod/Node/Image Policy.
  4. Click OK to confirm.

1.1.5. Creating a New Policy Condition

If you have not already created a condition to use with this policy, you can create one directly from inside the policy. A condition can contain two elements: a scope, and an expression. The expression is mandatory, but the scope is optional. A scope is a general attribute that is quickly checked before evaluating a more complex expression. You can create a scope at either the policy or condition level.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy you want to create a new condition for.
  3. Click Configuration, then Create a new Condition assigned to this Policy.
  4. Type in a Description for the condition. It must be unique across all conditions.
  5. Click Edit this Scope in the Scope area to create a general expression based on a simple attribute, such as operating system version. Based on what you choose, different options display. Scope is optional.

    • Click Field to create criteria based on field values.
    • Click Count of to create criteria based on the count of something, such as the number of snapshots for a virtual machine, or the number of virtual machines on a host.
    • Click Tag to create criteria based on tags assigned to your resources. For example, you can check the power state of a virtual machine or see if it is tagged as production.
    • Click Find to seek a particular value, and then check a property. For example, finding the Admin account and checking that it is enabled. Use the following check commands:

      • Check Any: The result is true if one or more of the find results satisfy the check condition.
      • Check All: All of the find results must match for a true result.
      • Check Count: The result is true if the number of find results satisfies the expression in Check Count.

    • Click Registry to create criteria based on registry values. For example, you can check if DCOM is enabled on a Windows system. Note that this applies only to Windows operating systems. Registry is only available if you are creating a VM Control Policy.

  6. Click Commit expression element changes to add the scope.
  7. Click Edit this Expression in the Expression area. Based on what you choose, options display as per the choices presented in the Scope area detailed above.
  8. Click Commit Expression Element Changes to add the expression.
  9. In Notes, type in a detailed explanation of the condition.
  10. Click Add.

The condition is created and assigned directly to the policy. The same condition can also be assigned to other policies.

1.1.6. Editing Policy Condition Assignments

Use this procedure to use a condition that has already been created either separately or as part of another policy. You can also remove a condition from a policy that no longer applies.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy you want to assign conditions to.
  3. Click Configuration, then Edit this Policy’s Condition assignments.
  4. From the Condition Selection area, you can assign conditions to the policy, remove all conditions from the policy, or remove specific conditions from the policy.

    • To add one or several conditions, select all the conditions you want to apply from the Available Conditions box. Use Ctrl to select multiple conditions. Then, click Move selected Conditions into this Policy.
    • Click Remove all Conditions from this Policy to unassign every condition from this policy.
    • To remove one or some conditions, select the conditions you want to remove from the Policy Conditions box. Use Ctrl to select multiple conditions. Then, click Remove selected Conditions from this Policy.
  5. Click Save.

1.1.7. Editing Policy Event Assignments

The policy evaluates its scopes and conditions when specified events occur in your virtual infrastructure. This procedure enables you to select those events and the actions that should occur based on the evaluation of the scopes and conditions for the policy.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the control policy you want to assign events to.
  3. Click Configuration, then Edit this Policy’s Event assignments.
  4. Check all the events you want to assign to this policy. For a description of the events, see Section A.1, “Events”.
  5. Click Save.

1.1.8. Assigning an Action to an Event

This procedure describes how to assign an action to an event.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select the policy you want to assign actions to.
  3. From the Events area, click the description of the event you want to assign an action to.
  4. Click Configuration, then Edit Actions for this Policy Event.
  5. Select all the appropriate actions from the Available Actions box inside Order of Actions if ALL Conditions are True. These are the actions that take place if the resource meets all of the policy's conditions.

    Note

    Each selected action can be executed synchronously or asynchronously. A synchronous action does not start until the previous synchronous action has completed; an asynchronous action lets the next action start whether or not it has completed. Also, at least one Red Hat CloudForms server in the zone must have the Notifier server role enabled for notification actions, such as SNMP traps, to be sent.

  6. Click the add button, then:

    • Click the action, then click Set selected Actions to Asynchronous to make it asynchronous.
    • Click the action, then click Set selected Actions to Synchronous to make it synchronous. For synchronous actions, use the up and down arrows to set the order in which they run.
  7. Select all the appropriate actions from the Available Actions box inside Order of Actions if ANY Conditions are False. These are the actions that take place if the resource fails any of the policy's conditions.
  8. Click Save.

1.2. Compliance Policies

Compliance policies are specifically designed to secure your environment by checking conditions that you create. These conditions can include the same conditions that you would use in a control policy, and most of the procedures are the same. However, a compliance policy automatically assigns the Mark as Compliant action, which runs when the entity (virtual machine or host, for example) to which the policy applies passes all of the conditions. If any of the conditions are not met, the entity is marked as non-compliant. The compliance status is shown in the summary screen for the entity and on the compare and drift screens.

1.2.1. Creating a Compliance Policy

Create compliance policies by assigning or creating a condition. Red Hat CloudForms automatically assigns the events and actions to the compliance policy as opposed to a control policy where you must define this yourself. The entity type (VM or host, for example) compliance check event is assigned to the compliance policy. A compliance policy runs the mark as compliant action when the virtual machine or host passes all of the conditions. If any of the conditions are not met, then the virtual machine or host is marked as non-compliant.

To create a condition, see Section 1.1.5, “Creating a New Policy Condition”. Carefully plan the purpose of your policy before creating it. You can also use a scope expression that is tested immediately when the compliance check event triggers the policy. If the item is out of scope, then the policy does not continue on to the conditions, and none of the associated actions run.

  1. Navigate to Control → Explorer.
  2. Click the Policies accordion, and select Compliance Policies.
  3. Select one of Host Compliance Policies, VM Compliance Policies, Replicator Compliance Policies, Pod Compliance Policies, Container Node Compliance Policies, or Container Image Compliance Policies.
  4. Click Configuration, then Add a new Compliance Policy.
  5. Type in a Description for the policy.
  6. Uncheck Active if you do not want this policy processed even when assigned to a resource.
  7. You can enter a scope here. (You can also create a scope as part of a condition, or not use one at all.) If the host or virtual machine is not included in the scope, no actions run, so this policy marks an out-of-scope resource neither as compliant nor as non-compliant.
  8. In the Notes area, add a detailed explanation of the policy.
  9. Click Add.

Next, assign one or more conditions to the policy, either by creating them in place (Section 1.1.5) or by assigning existing ones (Section 1.1.6).

By default, if any of the conditions are false, the virtual machine is marked as non-compliant. To add other actions, such as sending an email if the virtual machine fails the compliance test:

  1. Click the Compliance Check event under the policy (the exact name depends on the entity type, for example VM Compliance Check).
  2. Click Configuration, then Edit Actions for this Policy Event.
  3. Select Stop Virtual Machine and Send Email from the Available Actions area in Order of Actions if ANY Conditions are False. (Mark as Non-Compliant should already be selected.)
  4. Click Move selected Actions into this Event.
  5. Click Add.

You can now make this part of a policy profile. After assigning the policy profile to the virtual machine, you can check it for its compliance status either on a schedule or on demand.
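The following is an added example, not CloudForms code, that models the evaluation rules described for control policies in Section 1.1.8 and for compliance policies in this section: the scope is tested first and an out-of-scope resource runs no actions at all; if ALL conditions are true the "ALL true" actions run, and if ANY condition fails the "ANY false" actions run. The synchronous/asynchronous note is interpreted as "a synchronous action blocks the actions listed after it until it finishes; an asynchronous one does not". The VM attributes, condition names, action durations and the environment/production tag are constructed for the demonstration.

```ruby
# Added example (not CloudForms code): a model of policy evaluation as this
# chapter describes it. Resource attributes, conditions, action durations and
# the tag name are constructed for the demo.

Action = Struct.new(:name, :sync, :duration)

class Policy
  def initialize(scope: nil, conditions: {}, events: {})
    @scope = scope            # Proc or nil: a cheap attribute test (optional)
    @conditions = conditions  # "condition description" => Proc(resource) -> bool
    @events = events          # "event name" => { true: [Action], false: [Action] }
  end

  # Evaluate one event against one resource. Returns which branch ran, which
  # conditions failed, and a simulated [name, start, finish] schedule.
  def evaluate(event, resource)
    return { result: :not_assigned, failed: [], schedule: [] } unless @events.key?(event)
    # Out of scope: conditions are not evaluated and NO actions run, not even
    # the "if ANY conditions are false" list (so no Mark as Non-Compliant).
    if @scope && !@scope.call(resource)
      return { result: :out_of_scope, failed: [], schedule: [] }
    end
    failed = @conditions.reject { |_desc, test| test.call(resource) }.keys
    branch = failed.empty? ? :true : :false
    { result: branch, failed: failed, schedule: schedule(@events[event][branch]) }
  end

  private

  # The simulated clock only advances past a synchronous action, so an
  # asynchronous action never delays the action configured after it.
  def schedule(actions)
    clock = 0
    actions.map do |a|
      start = clock
      clock += a.duration if a.sync
      [a.name, start, start + a.duration]
    end
  end
end

# Constructed VM compliance policy: requires an enabled Administrator account
# and an environment/production tag, scoped to powered-on VMs only.
def demo_compliance_policy
  Policy.new(
    scope: ->(vm) { vm[:power_state] == "on" },
    conditions: {
      "Administrator account enabled" => ->(vm) { vm[:admin_enabled] },
      "Tagged environment/production" => ->(vm) { vm[:tags].include?("environment/production") },
    },
    events: {
      "VM Compliance Check" => {
        true:  [Action.new("Mark as Compliant", true, 1)],
        # Mark as Non-Compliant is assigned automatically; Send Email is a
        # user-added asynchronous action, Stop Virtual Machine a synchronous one.
        false: [Action.new("Mark as Non-Compliant", true, 1),
                Action.new("Send Email", false, 5),
                Action.new("Stop Virtual Machine", true, 2)],
      },
    },
  )
end

# Runs the policy over three constructed VMs: compliant, non-compliant, and
# one that is powered off and therefore out of scope.
def demo_results
  policy = demo_compliance_policy
  vms = {
    good: { power_state: "on",  admin_enabled: true,  tags: ["environment/production"] },
    bad:  { power_state: "on",  admin_enabled: false, tags: [] },
    off:  { power_state: "off", admin_enabled: false, tags: [] },
  }
  vms.transform_values { |vm| policy.evaluate("VM Compliance Check", vm) }
end

if __FILE__ == $PROGRAM_NAME
  demo_results.each { |name, r| puts "#{name}: #{r.inspect}" }
end
```

The `off` VM is the case worth noticing: because it falls outside the scope, it is never marked non-compliant, so a scope that accidentally excludes resources makes them disappear from the compliance picture rather than fail it. In the `bad` VM's schedule, Send Email starts at the same time as Stop Virtual Machine because it is asynchronous, while Mark as Non-Compliant has to finish before either begins.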

1.2.2. Creating a Compliance Condition to Check Host File Contents

Red Hat CloudForms Control provides the ability to create a compliance condition that checks file contents. Use this to be sure that internal operating system settings meet your security criteria. Regular expressions are used to create the search pattern. Test your regular expressions thoroughly before using them in a production environment.

Note that to search file contents you will need to have collected the file using a host analysis profile. See Hosts in Managing Infrastructure and Inventory for instructions.

  1. Navigate to Control → Explorer.
  2. Click the Conditions accordion, and select Host Conditions.
  3. Click Configuration, then Add a New Host Condition.
  4. In Basic Information, type in a Description for the condition.
  5. Editing the Scope area is not necessary for this procedure. Skip editing any Scope conditions.
  6. If the Expression area is not automatically opened, click Edit this Expression, then edit the condition area to create a general condition based on a simple attribute. Based on what you choose, different options appear.

    • Click Find, then Host.Files : Name, and the parameters to select the file that you want to check.
    • Click Check Any, Contents, Regular Expression Matches, and type the expression. For example, to make sure that PermitRootLogin is set to no, type ^\s*PermitRootLogin\s+no. The leading ^\s* keeps a commented-out directive such as #PermitRootLogin no from matching.

  7. Click Commit expression element changes to add the expression.
  8. In the Notes area, type in a detailed explanation of the condition.
  9. Click Add.
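To test the pattern before trusting it in production, as this section advises, the added Ruby example below (not CloudForms code) runs the PermitRootLogin expression against constructed sshd_config contents and models the three Find check modes from Sections 1.1.2 and 1.1.5 (Check Any, Check All, Check Count). It assumes the Regular Expression Matches operator is evaluated with Ruby Regexp semantics, where ^ anchors at the start of every line, and it appends \b to the documented pattern so that only the exact value no matches (without it, a value such as none would pass). The file names, contents and the "value other than no" helper are constructed for the demonstration.

```ruby
# Added example (not CloudForms code). Assumption: the condition's regular
# expression is applied to the whole collected file with Ruby Regexp
# semantics (^ matches at each line start). File names/contents are constructed.

# Documented pattern plus \b, so "PermitRootLogin none" does not count as "no".
PERMIT_ROOT_LOGIN_NO = /^\s*PermitRootLogin\s+no\b/

# Any PermitRootLogin line whose value is something other than exactly "no".
PERMIT_ROOT_LOGIN_OTHER = /^\s*PermitRootLogin\s+(?!no\b)\S/

# Constructed stand-in for files collected by a host analysis profile.
SAMPLE_FILES = {
  "/etc/ssh/sshd_config" =>
    "# Authentication:\n#PermitRootLogin prohibit-password\nPermitRootLogin no\n",
  "/etc/ssh/sshd_config.d/10-override.conf" =>
    "    PermitRootLogin yes\n",
  "/etc/ssh/sshd_config.d/20-banner.conf" =>
    "Banner /etc/issue.net\n",
}

# "Find": select files by name, optionally also by a contents test.
def find_files(files, name_pattern, &contents_test)
  files.select do |name, contents|
    name.match?(name_pattern) && (contents_test.nil? || contents_test.call(contents))
  end
end

# The three Find check modes: Any (at least one result passes), All (every
# result passes, and there is at least one), Count (the number of find
# results satisfies the supplied expression).
def check(mode, results, count_expr = nil, &test)
  case mode
  when :any   then results.any? { |_name, contents| test.call(contents) }
  when :all   then !results.empty? && results.all? { |_name, contents| test.call(contents) }
  when :count then count_expr.call(results.size)
  else raise ArgumentError, "unknown check mode #{mode}"
  end
end

def root_login_disabled?(contents)
  contents.match?(PERMIT_ROOT_LOGIN_NO)
end

def root_login_value_other_than_no?(contents)
  contents.match?(PERMIT_ROOT_LOGIN_OTHER)
end

# Worked checks over the constructed files.
def demo_checks
  main_file = find_files(SAMPLE_FILES, %r{\A/etc/ssh/sshd_config\z})
  permissive_drop_ins = find_files(SAMPLE_FILES, %r{\A/etc/ssh/sshd_config\.d/}) do |c|
    root_login_value_other_than_no?(c)
  end
  {
    # Check Any over the main file: the documented condition.
    main_file_disables_root:  check(:any, main_file) { |c| root_login_disabled?(c) },
    # Check All over every collected file: fails, only the main file sets "no".
    every_file_disables_root: check(:all, SAMPLE_FILES) { |c| root_login_disabled?(c) },
    # Check Count: require zero drop-ins that set a value other than "no".
    no_permissive_drop_in:    check(:count, permissive_drop_ins, ->(n) { n.zero? }),
    # Edge cases for the pattern itself.
    commented_line_counts:    root_login_disabled?("#PermitRootLogin no\n"),
    prefix_value_counts:      root_login_disabled?("PermitRootLogin none\n"),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo_checks.each { |name, ok| puts "#{name}: #{ok}" }
end
```

The second and third checks show why a match alone is weak evidence: sshd uses the first value it reads for a keyword, so a permissive PermitRootLogin in an earlier location (here the drop-in) wins even though the main file says no and the documented condition passes. A stricter compliance condition pairs the "no is present" check with a Check Count of zero over files setting any other value. Note also that a file with no PermitRootLogin line at all fails the documented pattern and is reported non-compliant, which is the conservative outcome.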

1.2.3. Checking for Compliance

After you have created your compliance policies and assigned them to a policy profile, you can check compliance in two ways. You can either schedule the compliance check or perform the check directly from the summary screen.

The compliance check runs all compliance policies that are assigned to the host or virtual machine. If the item fails any of the checks, it is marked as non-compliant in the item’s summary screen.

Note

To schedule, you must have EvmRole-administrator access to the Red Hat CloudForms server.

1.2.3.1. Scheduling a Compliance Check

  1. From the settings menu, select Configuration.
  2. Click the Settings accordion, and select Schedules.
  3. Click Configuration, then Add a new Schedule.
  4. In the Adding a new Schedule area, type in a name and description for the schedule.
  5. Select Active if you want to enable this schedule.
  6. From the Action dropdown, select the type of compliance check you want to schedule. Depending on the type you choose, you are presented with one of the following group boxes:

    • If you choose VM Compliance Check, you are presented with VM Selection where you can choose to check all VMs, all VMs for a specific provider, all VMs for a cluster, all VMs for a specific host, a single VM, or you can select VMs using a global filter.
    • If you choose Host Compliance Check, you are presented with Host Selection where you can choose to check all hosts, all hosts for a specific provider, all hosts for a cluster, a single host, or you can select hosts using a global filter.
    • If you choose Container Image Compliance Check, you are presented with Image Selection where you can choose to check all images, all images for a specific provider, or a single image.

    Note

    You can only schedule a host analysis for connected virtual machines, not repository virtual machines that were discovered through that host. Since repository virtual machines do not retain a relationship with the host that discovered them, there is no current way to scan them through the scheduling feature. The host is shown because it may have connected virtual machines in the future when the schedule is set to run.

  7. From the Run dropdown, select how often you want the check to run. Your options after that depend on which run option you choose.

    • Select Once to have the check run just one time.
    • Select Daily to run the check on a daily basis. You are prompted to select how many days you want between each run.
    • Select Hourly to run the check hourly. You are prompted to select how many hours you want between each run.
  8. Select the time zone for the schedule.
  9. Type or select a date to begin the schedule in Starting Date.
  10. Select a starting time based on a 24-hour clock in the selected time zone.
  11. Click Add.

1.2.3.2. Checking a Virtual Machine for Compliance from the Summary Screen

  1. Navigate to Compute → Infrastructure → Virtual Machines, and select the virtual machine you want to check for compliance.
  2. Click Policy, then Check Compliance of Last Known Configuration.
  3. A confirmation message appears. Click OK.
  4. To view the compliance history, click the virtual machine. Under Compliance, if History is Available, click it to see the compliance history.

1.2.3.3. Checking a Host for Compliance from the Summary Screen

  1. Navigate to Compute → Infrastructure → Hosts, and click the host you want to check for compliance.
  2. Click Policy, then either Check Compliance of Last Known Configuration or Analyze then Check Compliance. The first evaluates the data from the last host analysis; the second runs a fresh analysis before checking.
  3. To view the compliance history, click Available next to History.

1.2.3.4. Checking a Replicator for Compliance from the Summary Screen

  1. Navigate to Compute → Containers → Replicators, and select the replicator you want to check for compliance.
  2. Click Policy, then Check Compliance of Last Known Configuration.
  3. A confirmation message appears. Click OK.
  4. To view the compliance history, click the replicator. Under Compliance, if History is Available, click it to see the compliance history.

1.2.3.5. Checking a Pod for Compliance from the Summary Screen

  1. Navigate to Compute → Containers → Pods, and select the pod you want to check for compliance.
  2. Click Policy, then Check Compliance of Last Known Configuration.
  3. A confirmation message appears. Click OK.
  4. To view the compliance history, click the pod. Under Compliance, if History is Available, click it to see the compliance history.

1.2.3.6. Checking a Container Node for Compliance from the Summary Screen

  1. Navigate to Compute → Containers → Container Nodes, and click the node you want to check for compliance.
  2. Click Policy, then Check Compliance of Last Known Configuration.
  3. A confirmation message appears. Click OK.
  4. To view the compliance history, click the node. Under Compliance, if History is Available, click it to see the compliance history.

1.2.3.7. Checking a Container Image for Compliance from the Summary Screen

  1. Navigate to Compute → Containers → Container Images, and select the container image you want to check for compliance.
  2. Click Policy, then Check Compliance of Last Known Configuration.
  3. A confirmation message appears. Click OK.
  4. To view the compliance history, click the container image. Under Compliance, if History is Available, click it to see the compliance history.