# Red Hat ACS Integration for exporting vulnerability information from RHACS into Kenna KDE format

This repo provides an example Python application that receives a Red Hat Advanced Cluster Security (RHACS) policy violation for vulnerabilities via webhook and converts it to my closest approximation of the Kenna JSON format. Output is written to a JSON file which can be imported by Kenna.

The application is written with the FastAPI framework. It runs as an async non-blocking loop, receiving violations from RHACS and converting them to KDE JSON files (the example uses one file per cluster). Please see the config file for the settings that change application behaviour. At present the application has to maintain vulnerability state in memory, so a restart can lead to temporary inconsistencies until new alerts are received from RHACS.
## Important Configuration Options

- **Alert Overwrite** - Since there is no guarantee that all the information about a deployment will arrive in a single alert, by default the app merges alert information for a given deployment. To make sure that we don't keep merging information from outdated alerts you can set `acs_auto_overwrite_enabled` in the config. When enabled, alerts received within the `acs_auto_overwrite_timer` time window (in seconds) are merged; otherwise the new alert overwrites all information from the older alert.
- **Poll RHACS API** - I do not believe ACS sends updates when an alert violation is closed. To that end it might be necessary to poll the ACS API to get information on alerts. When `rox_api_polling_enabled` is enabled the app will poll the ACS API for information on the alerts it has. `rox_api_polling_timer` controls how often the app will try to poll for updates on all the alerts it has received, and `rox_api_polling_spacer_timer` inserts a spacer between consecutive calls to the API so as not to overwhelm it.
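The merge-versus-overwrite rule described for `acs_auto_overwrite_enabled` / `acs_auto_overwrite_timer`, as an added illustration that is not the project's own code: the state class, the `apply_alert` function and the CVE field layout are assumptions, and the sample alerts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DeploymentVulnState:
    """Vulnerability information known for one deployment (assumed shape, not the project's)."""
    last_alert_ts: float                        # epoch seconds of the newest alert applied
    cves: dict = field(default_factory=dict)    # CVE id -> details taken from the alert


def apply_alert(state, alert_ts, alert_cves, overwrite_enabled, overwrite_timer):
    """Return the DeploymentVulnState after applying one alert for a deployment.

    Mirrors the documented behaviour: alerts for the same deployment are merged,
    except that when overwrite is enabled and the new alert arrives more than
    overwrite_timer seconds after the last applied alert, it replaces the stored
    state so stale information is not carried forward.
    """
    if state is None:
        return DeploymentVulnState(alert_ts, dict(alert_cves))
    # A negative gap means an older alert arrived late; treat it as in-window and merge.
    within_window = (alert_ts - state.last_alert_ts) <= overwrite_timer
    if overwrite_enabled and not within_window:
        # Everything previously known is considered outdated: keep only the new alert.
        return DeploymentVulnState(alert_ts, dict(alert_cves))
    merged = dict(state.cves)
    merged.update(alert_cves)  # newer details for the same CVE win on collision
    return DeploymentVulnState(max(alert_ts, state.last_alert_ts), merged)


if __name__ == "__main__":
    # Constructed sample alerts (placeholder CVE ids, not real RHACS output).
    s = apply_alert(None, 1000.0, {"CVE-EXAMPLE-1": {"cvss": 9.8}}, True, 300)
    s = apply_alert(s, 1100.0, {"CVE-EXAMPLE-2": {"cvss": 7.5}}, True, 300)
    print(sorted(s.cves))  # inside the 300 s window: both CVEs kept
    s = apply_alert(s, 2000.0, {"CVE-EXAMPLE-3": {"cvss": 5.0}}, True, 300)
    print(sorted(s.cves))  # outside the window: only CVE-EXAMPLE-3 remains
```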
## Limitations

- The application does not handle horizontal scaling at the moment.

## Requirements

- Python 3.10
- A file location that the Kenna Platform can read from
## Run locally with podman

1. `git clone` this repo.
2. Build the container image:

   ```
   podman build -t rhacs-kenna-tool -f Dockerfile
   ```

3. Run the pod:

   ```
   podman run \
     --name rhacs -it -p 8080:8080 \
     localhost/rhacs-kenna-tool
   ```

4. Point the ACS webhook to the IP/port configured in run.py.
## Deploy to OpenShift

1. Run the deployment command:

   ```
   oc apply -k ./deploy-ocp/
   ```

2. Set environment variables as required (see the config file). Example configuration:

   ```
   oc set env deploy/rhacs-kenna-tool \
     ROX_API_URL=https://central-rhacs-operator.apps.cluster2.tide.lan \
     ROX_API_SECRET=${ROX_API_SECRET} \
     ROX_API_URL_INSECURE="true" \
     -n rhacs-kenna-tool
   ```

   Note that `ROX_API_URL_INSECURE="true"` skips certificate verification for the Central API URL; it is shown here for a lab cluster, and a trusted certificate is preferable elsewhere.
3. Configure a Webhook Notifier in RHACS:
   - Under Platform Configuration -> Integrations -> Notifier Integrations -> Generic Webhook
   - Select New Integration
   - Configure the integration, see example below. Endpoint Address: `http://rhacs-kenna-tool.rhacs-kenna-tool.svc.cluster.local:8080/receive_acs_vuln_alert`
   - Testing the integration might generate `"Received error response from webhook: 422. Check central logs for full error.: invalid arguments"`. This is expected and is because the application cannot parse the test message.
4. Configure RHACS Policy with
   - Under Platform Configuration -> Policy Management -> Create Policy
   - Create the policy and enable notification to our RHACS notifier. See example below:
   - Add policy stages. Choose stages that will work for your requirements. See example below:
   - Add policy vulnerability requirements that match your requirements. The example below will capture based on vulnerability CVSS:
   - Complete policy creation.
5. We can confirm policy information being passed to our application from the logs.
## Copy the KDE output files locally

Use rsync:

```
oc rsync -n rhacs-kenna-tool $(oc get pod -n rhacs-kenna-tool -l app=rhacs-kenna-tool -o name):/app/kde_output_json/ ./kenna_rsync
```

## Testing

- pytest