Event-Driven Ansible for Red Hat Insights
This collection contains the event source plugin for receiving events out of
Red Hat Insights.
Requirements
Install dependencies required by the collection (adjust path to collection if necessary):
pip3 install -r ~/.ansible/collections/ansible_collections/redhat/insights_eda/requirements.txt
Usage
To set up an integration with Red Hat Insights please follow
official documentation.
Use integration type "Event-Driven Ansible" from the dropdown.
# rulebook
sources:
- redhat.insights_eda.insights:
host: # hostname to listen to. (default: 0.0.0.0)
port: # TCP port to listen to. (default: 5000)
token: # secret token.
certfile: # (optional) path to a certificate file to enable TLS support
keyfile: # (optional) path to a key file to be used together with certfile
password: # (optional) path to a key file to be used together with certfile
Examples
To run an example execute:
SECRET=mysecret ansible-rulebook -r example_rulebook.yaml -v -E="SECRET" -i inventory.yaml
and set the SECRET value to your secret token value.
Use the secret value when setting up Ansible integration on
Red Hat Hybrid Console.
For inventory, you might create a file inventory.yaml containing:
all:
Integration with ServiceNow Incidents
Rulebook example of creating ServiceNow Incidents out of selected Insights events, including:
* Advisor recommendations
* newly detected vulnerabilities
* detected vulnerabilites with a known exploit
* system compliance below threshold
Prerequisites:
* servicenow.itsm collection installed
# example_rulebook.yaml
- name: ServiceNow Incidents out of Red Hat Insights
hosts: localhost
sources:
- redhat.insights_eda.insights:
token: "{{ SECRET }}"
rules:
- name: match advisor recommendation event
condition:
event.payload.application == "advisor"
and event.payload.event_type == "new-recommendation"
action:
run_playbook:
name: snow_advisor_playbook.yaml
- name: match vulnerability event
condition: |-
event.payload.application == "vulnerability"
and event.payload.event_type in [
"new-recommendation",
"any-cve-known-exploit",
"new-cve-cvss",
"new-cve-severity",
"new-cve-security-rule"
]
action:
run_playbook:
name: snow_vulnerability_playbook.yaml
- name: match compliance below threshold
condition:
event.payload.application == "compliance"
and event.payload.event_type == "compliance-below-threshold"
action:
run_playbook:
name: snow_compliance_playbook.yaml
Playbooks:
# snow_advisor_playbook.yaml
---
- hosts: localhost
gather_facts: no
tasks:
- name: Create an Advisor incident
servicenow.itsm.incident:
instance:
host: https://instance_id.service-now.com
username: user
password: pass
state: new
short_description: "{{ ansible_eda.event.payload.application | upper }}: {{ item.payload.rule_description | default('Recommendation') }}"
description: |-
Account id: {{ ansible_eda.event.payload.account_id | default("") }}
Affected system: {{ ansible_eda.event.payload.context.display_name | default("") }}
Event type: {{ ansible_eda.event.payload.event_type | default("") }}
Policy: {{ item.payload.policy_name | default("") }} [{{ item.payload.policy_id | default("") }}]
Policy threshold: {{ item.payload.policy_threshold | default("") }}
Compliance score: {{ item.payload.compliance_score | default("") }}
Bundle: {{ ansible_eda.event.payload.bundle | default("") }}
Created at: {{ ansible_eda.event.payload.timestamp | default("") }}
loop: "{{ ansible_eda.event.payload.events | default([]) }}"
# snow_vulnerability_playbook.yaml
---
- hosts: localhost
gather_facts: no
tasks:
- name: Create a Vulnerability incident
servicenow.itsm.incident:
instance:
host: https://instance_id.service-now.com
username: user
password: pass
state: new
short_description: "{{ ansible_eda.event.payload.application | upper }}: Reported {{ item.payload.reported_cve | default('') }}"
description: |-
Account id: {{ ansible_eda.event.payload.account_id | default("") }}
Affected system: {{ ansible_eda.event.payload.context.display_name | default("") }}
Event type: {{ ansible_eda.event.payload.event_type | default("") }}
CVSS scroe : {{ item.payload.cvss_score | default("") }}
Known exploit: {{ item.payload.known_exploit | default("false") }}
Has rule: {{ item.payload.has_rule | default("false") }}
Impact id: {{ item.payload.impact_id | default("") }}
Publish date: {{ item.payload.publish_date | default("") }}
CVE url: https://access.redhat.com/security/cve/{{ item.payload.reported_cve | default('') }}
Bundle: {{ ansible_eda.event.payload.bundle | default("") }}
Created at: {{ ansible_eda.event.payload.timestamp | default("") }}
loop: "{{ ansible_eda.event.payload.events | default([]) }}"
# snow_compliance_playbook.yaml
---
- hosts: localhost
gather_facts: no
tasks:
- name: Create a Compliance incident
servicenow.itsm.incident:
instance:
host: https://instance_id.service-now.com
username: user
password: pass
state: new
short_description: "{{ ansible_eda.event.payload.application | upper }}: System is non compliant to SCAP policy"
description: |-
Account id: {{ ansible_eda.event.payload.account_id | default("") }}
Affected system: {{ ansible_eda.event.payload.context.display_name | default("") }}
Event type: {{ ansible_eda.event.payload.event_type | default("") }}
Policy: {{ ansible_eda.event.payload.policy_name | default("") }} [{{ ansible_eda.event.payload.policy_name | default("id") }}]
Policy threshold: {{ ansible_eda.event.payload.policy_threshold | default("") }}
Compliance score: {{ ansible_eda.event.payload.compliance_score | default("") }}
Bundle: {{ ansible_eda.event.payload.bundle | default("") }}
Created at: {{ ansible_eda.event.payload.timestamp | default("") }}
loop: "{{ ansible_eda.event.payload.events | default([]) }}"
Contributing
See CONTRIBUTING document.
License
Apache 2.0
See LICENSE to see the full text.
Changelog
See CHANGELOG for changes in the source code repository.
