Chapter 3. Creating policies

The following workflow examples explain how to create several types of policies that detect system configuration changes and send notification of the changes by email.

Note

When creating a policy, if you see a warning message that you have not opted in for email alerts, set your User preferences to receive email from your policies.

3.1. Creating a policy to ensure public cloud providers are not over provisioned

Create a policy using the following procedure.

Procedure

  1. In Red Hat Hybrid Cloud Console, go to Operations > Policies.
  2. Click Create policy.
  3. On the Create a policy page, click From scratch or As a copy of existing Policy as required. Note that the As a copy of existing Policy option will prompt you to select a policy from the list of existing policies to use as a starting point.
  4. Click Next.

  5. Enter Condition. In this case, enter: facts.cloud_provider in ['alibaba', 'aws', 'azure', 'google'] and (facts.number_of_cpus >= 8 or facts.number_of_sockets >=2). This condition will detect if an instance running on the specified public cloud providers are running with CPU hardware higher than the allowed limit.

    Note

    You can expand What condition can I define? and/or Review available system facts to view an explanation of conditions you can use, and see the available system facts, respectively. In this section are examples of syntax you can use.

  6. Click Validate condition.
  7. Once the condition is validated, click Next.
  8. On the Trigger actions page, click Add trigger actions. If notifications is greyed out, select Notification settings in the notifications box. Here you can customize notificaitons and their behaviors.

  9. Click Next.

    Note

    On the Trigger actions page, you can also enable email alerts as well as open email preferences.

  10. On the Review and enable page, click the toggle switch to activate the policy and review its details.
  11. Click Finish.

Your new policy is created. When the policy is evaluated on a system check-in, if the condition in the policy is met, Policies automatically sends an email to all users on the account with access to Policies, depending on their email preferences.

3.2. Creating a policy to detect if systems are running an outdated version of RHEL

You can create a policy that detects if systems are running outdated versions of RHEL and notifies you by email about what it finds.

Procedure

  1. In Red Hat Hybrid Cloud Console, go to Operations > Policies.
  2. Click Create policy.
  3. On the Create policy page, click From scratch or As a copy of existing Policy as required. Note that the As a copy of existing Policy option prompts you to select a policy from the list of existing policies to use as a starting point.
  4. Click Next.
  5. Enter a Name and Description for the policy.
  6. Click Next.
  7. Enter Condition. In this case, enter facts.os_release < 8.1. This condition will detect if systems still run an outdated version of our operating system based on RHEL 8.1.
  8. Click Validate condition, then click Next.
  9. On the Trigger actions page, click Add trigger actions and select Email.
  10. Click Next.
  11. On the Review and activate page, click the toggle switch to activate the policy and review its details.
  12. Click Finish.

Your new policy is created. When the policy is evaluated on a system check-in, if the condition in the policy is triggered, the policies service automatically sends an email to all users on the account with access to Policies, depending on their email preferences.

3.3. Creating a policy to detect a vulnerable package version based on recent CVE

You can create a policy that detects vulnerable package versions based on recent CVE and notifies you by email about what it finds.

Procedure

  1. In Red Hat Hybrid Cloud Console, go to Operations > Policies.
  2. Click Create policy.
  3. On the Create Policy page, click From scratch or As a copy of existing Policy as required. Note that the As a copy of existing Policy option will prompt you to select a policy from the list of existing policies to use as a starting point.
  4. Click Next.
  5. Enter a Name and Description for the policy.
  6. Click Next.
  7. Enter Condition. In this case, enter facts.installed_packages contains ['openssh-4.5']. This condition will detect if systems still run a vulnerable version of an openssh package based on recent CVE.
  8. Click Validate condition, then click Next.
  9. On the Trigger actions page, click Add trigger actions and select Email.
  10. Click Next.
  11. On the Review and activate page, click the toggle switch to activate the policy and review its details.
  12. Click Finish.

Your new policy is created. When the policy is evaluated on a system check-in, if the condition in the policy is met, Policies automatically sends an email to all users on the account with access to Policies, depending on their email preferences.