Monitoring and Reacting to Configuration Changes Using Policies

Red Hat Insights 2020-10

How to create policies to detect system configuration changes and get notified by email

Red Hat Customer Content Services

Abstract

This document provides an overview of the Policies service and demonstrates how to create a policy to detect system configuration changes and get notified by email.
Providing Feedback:
If you have a suggestion to improve this document or find an error, submit a Bugzilla report at http://bugzilla.redhat.com against Cloud Software Services (cloud.redhat.com) for the Policies component.

Chapter 1. Overview

Policies evaluate system configurations in your environment and are processed on reception of uploading an insights-client payload to cloud.redhat.com. If condition(s) in your policy are met, defined action(s) are triggered. Policies are applied to all systems registered in the Insights inventory. Users can create and manage policies using the user interface or via API.

Use policies to assist operational management with simple tasks such as:

  • Raising an alert when some conditions are met on system configuration.
  • Emailing a team when security packages are out of date on a system.

Using policies to monitor configuration changes in your environment and notifying by email requires:

  1. Setting user email preferences (if not already set).
  2. Creating a policy to detect configuration changes and selecting email as the trigger action.
Note

Chapter 2. User preferences

Update your information and set email preferences for cloud.redhat.com services in user preferences.

  1. Click the user menu located on the upper-right side, then go to User preferencesEmail preferences.
  2. For Policies, you can subscribe to Instant notification emails for each system with triggered policies and/or Daily digest (summary) of all systems with triggered policies depending on your email notification preference. You can also select your preference for other https://cloud.redhat.com emails you want to receive on this page.

    Note

    Subscribing to instant notification can result in receiving a lot of emails on large inventories, that is, one email per system checking in.

  3. Click Submit.

Chapter 3. Creating a policy to detect configuration changes and get notified by email

The following workflow examples demonstrate how to create a policy to detect system configuration changes and get notified by email.

Note

If you see a warning message about email alerts not opted in when creating your policy, set your preferences to receive email from your policies as described in the Chapter 2, User preferences section.

3.1. Creating a policy to ensure public cloud providers are not over provisioned

  1. In the cloud.redhat.com platform, click Policies under Red Hat Insights.
  2. Click Create policy.
  3. On the Create Policy page, click From scratch or As a copy of existing Policy as required. Note that the As a copy of existing Policy option will prompt you to select a policy from the list of existing policies to use as a starting point.

    policy add

  4. Click Next.
  5. Enter a Name and Description for the policy.
  6. Click Next.
  7. Enter Condition. In this case, enter: facts.cloud_provider in [alibaba, aws, azure, google] and (facts.number_of_cpus >= 8 or facts.number_of_sockets >=2). This condition will detect if an instance running on the said public cloud providers are running with CPU hardware higher than the allowed limit.
  8. Click Validate condition, then click Next.
  9. On the Trigger actions page, click Add trigger actions and select Email.
  10. Click Next.
  11. On the Review and activate page, click the toggle switch to activate the policy and review its details.
  12. Click Finish.

Your new policy is created. When the policy is evaluated on a system check-in, and if the condition in the policy is met, an email will be sent to all users on the account with access to Policies according to their email preferences.

3.2. Creating a policy to detect if systems are running an outdated version of RHEL (older than RHEL 8.1) and get notified by email

  1. In the cloud.redhat.com platform, click Policies under Red Hat Insights.
  2. Click Create policy.
  3. On the Create Policy page, click From scratch or As a copy of existing Policy as required. Note that the As a copy of existing Policy option will prompt you to select a policy from the list of existing policies to use as a starting point.
  4. Click Next.
  5. Enter a Name and Description for the policy.
  6. Click Next.
  7. Enter Condition. In this case, enter: facts.os_release < 8.1. This condition will detect if systems still run an outdated version of our operating system based on RHEL 8.1.
  8. Click Validate condition, then click Next.
  9. On the Trigger actions page, click Add trigger actions and select Email.
  10. Click Next.
  11. On the Review and activate page, click the toggle switch to activate the policy and review its details.
  12. Click Finish.

Your new policy is created. When the policy is evaluated on a system check-in, and if the condition in the policy is met, an email will be sent to all users on the account with access to Policies according to their email preferences.

3.3. Creating a policy to detect a vulnerable package version based on recent CVE and get notified by email

  1. In the cloud.redhat.com platform, click Policies under Red Hat Insights.
  2. Click Create policy.
  3. On the Create Policy page, click From scratch or As a copy of existing Policy as required. Note that the As a copy of existing Policy option will prompt you to select a policy from the list of existing policies to use as a starting point.
  4. Click Next.
  5. Enter a Name and Description for the policy.
  6. Click Next.
  7. Enter Condition. In this case, enter: facts.installed_packages contains [openssh-4.5]. This condition will detect if systems still run a vulnerable version of an openssh package based on recent CVE.
  8. Click Validate condition, then click Next.
  9. On the Trigger actions page, click Add trigger actions and select Email.
  10. Click Next.
  11. On the Review and activate page, click the toggle switch to activate the policy and review its details.
  12. Click Finish.

Your new policy is created. When the policy is evaluated on a system check-in, and if the condition in the policy is met, an email will be sent to all users on the account with access to Policies according to their email preferences.

Chapter 4. Reviewing and managing policies

You can review and manage all created policies (enabled and disabled) by clicking Policies on the left-side menu in Red Hat Insights.

policies ui all

You can filter the list of policies by name and by active state. You can click the options menu options menu next to a policy to perform the following operations:

  • Enable and disable
  • Edit
  • Duplicate
  • Delete

Additionally, you can perform the following operations in bulk by selecting multiple policies from the list of policies and clicking the options menu options menu located next to the Create policy button at the top:

  • Delete policies
  • Enable policies
  • Disable policies
Note

If you see a warning message about email alerts not opted in, set your preferences to receive email from your policies as described in the Chapter 2, User preferences section.

Chapter 5. Appendix

This Appendix contains tables of the available system facts and their functions as well as operators.

5.1. System Facts

Table 5.1. System Facts and Their Functions

Fact NameDescriptionExample Value

arch

System architecture

x86_64

bios_release_date

BIOS release date; typically MM/DD/YYYY

01/01/2011

bios_vendor

BIOS vendor name

LENOVO

bios_version

BIOS version

1.17.0

cloud_provider

Cloud vendor. Values are google, azure, aws, alibaba, or empty

google

cores_per_socket

Number of CPU cores per socket

2

cpu_flags

Category with a list of CPU flags. Each name is the CPU flag (ex: vmx), and the value is always enabled.

vmx, with a value of enabled.

enabled_services

Category with a list of enabled services. Each name in the category is the service name (ex: crond), and the value is always enabled .

crond, with a value of enabled.

fqdn

System Fully Qualified Domain Name

system1.example.com

infrastructure_type

System infrastructure; common values are virtual or physical

virtual

infrastructure_vendor

Infrastructure vendor; common values are kvm, vmware, baremetal, etc.

kvm

installed_packages

List of installed RPM packages. This is a category.

bash, with a value of 4.2.46-33.el7.x86_64.

installed_services

Category with a list of installed services. Each name in the category is the service name (ex: crond), and the value is always installed.

crond, with a value of installed.

kernel_modules

List of kernel modules. Each name in the category is the kernel module (ex: nfs), and the value is enabled.

nfs, with a value of enabled.

last_boot_time

The boot time in YYYY-MM-DDTHH:MM:SS format. Informational only; we do not compare boot times across systems.

2019-09-18T16:54:56

network_interfaces

List of facts related to network interfaces.

 
 

There are six facts for each interface: ipv6_addresses, ipv4_addresses, mac_address, mtu, state and type. The two address fields are comma-separated lists of IP addresses. The state field is either UP or DOWN. The type field is the interface type (ex: ether, loopback, bridge, etc.).

 
 

Each interface (ex: lo, em1, etc) is prefixed to the fact name. For example, em1’s mac address would be the fact named em1.mac_address.

 
 

Most network interface facts are compared to ensure they are equal across systems. However, ipv4_addresses, ipv6_addresses, and mac_address are checked to ensure they are different across systems. A subexception for lo should always have the same IP and mac address on all systems.

 

number_of_cpus

Total number of CPUs

1

number_of_sockets

Total number of sockets

1

os_kernel_version

Kernel version

4.18.0

os_release

Kernel release

8.1

running_processes

List of running processes. The fact name is the name of the process, and the value is the instance count.

crond, with a value of 1.

sap_instance_number

SAP instance number

42

sap_sids

SAP system ID (SID)

A42

sap_system

Boolean field that indicates if SAP is installed on the system

True

sap_version

SAP version number

2.00.052.00.1599235305

satellite_managed

Boolean field that indicates is a system is registered to a Satellite server.

FALSE

selinux_current_mode

Current SELinux mode

enforcing

selinux_config_file

SELinux mode set in the config file

enforcing

system_memory

Total system memory in human-readable form

3.45 GiB

tuned_profile

Current profile resulting from the command tuned-adm active

desktop

yum_repos

List of yum repositories. The repository name is added to the beginning of the fact. Each repository has the associated facts base_url,enabled, and gpgcheck.

Red Hat Enterprise Linux 7 Server (RPMs).base_url would have the value https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os

5.2. Operators

Table 5.2. Available Operators in Conditions

OperatorsValue

Logical Operators

AND

 

OR

Boolean Operators

EQUAL

 

NOTEQUAL

Numeric Compare Operators

GT

 

GTE

 

LT

 

LTE

String Compare Operator

CONTAINS

Array Operators

IN

 

CONTAINS

Parser Operators

OR

 

AND

 

NOT

 

EQUAL

 

NOTEQUAL

 

CONTAINS

 

NEG

Legal Notice

Copyright © 2020 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.