Hello and welcome to this showcase of using Event Driven Ansible to remediate detected changes in a Linux security baseline. This repository shows how you can build standardized, automated IT operations using two main blueprints:
- Event Driven Ansible + ServiceNow
- Event Driven Ansible + Kafka
Both blueprints are described step by step below.
Event Driven Ansible + Kafka, step by step:
- Auditd detects an unauthorized change and tags it as a violation of the security baseline.
- Auditd passes information about what has happened to rsyslog.
- Rsyslog sends the audit trail of what happened to a central log server.
- Vector reads the information from the central log server and processes it.
- Vector sends selected information about the violation to a security-baseline topic on a central Kafka cluster.
- AAP Event Driven Ansible (EDA) listens on the Kafka security-baseline topic and learns that there has been a violation.
- The EDA rulebook in question fires off an action (running a job template), which re-applies the security baseline on the server in question. EDA passes information such as which system was impacted and the auditd log information to the template, allowing it to execute against the impacted system.
- A job template run on the AAP Controller receives that information and remediates the unauthorized change by re-applying the security baseline.
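The rulebook below is an added example of the Kafka blueprint's EDA side; it is not the rulebook shipped in this repository's aap folder. It assumes a Kafka broker reachable at kafka.example.com:9092, that Vector publishes each violation as a JSON message with `host`, `key`, `exe` and `message` fields (the auditd key being the tag set in audit.rules), and that a job template named "Apply security baseline" exists in the "Default" organization. The Kafka source plugin places a parsed JSON message under `event.body`, so the condition filters on the audit key before launching remediation limited to the impacted host.

```yaml
---
# Added example rulebook, not the repository's own.
# Assumptions: broker kafka.example.com:9092, topic "security-baseline",
# JSON messages from Vector with host/key/exe/message fields, and a job
# template "Apply security baseline" in organization "Default".
- name: Remediate security baseline violations reported via Kafka
  hosts: all
  sources:
    - ansible.eda.kafka:
        host: kafka.example.com
        port: 9092
        topic: security-baseline
        group_id: eda-security-baseline
  rules:
    - name: Re-apply baseline when auditd tags a violation
      # Only react to records carrying the baseline audit key, and only when
      # Vector told us which host produced them.
      condition: event.body.key == "security-baseline" and event.body.host is defined
      action:
        run_job_template:
          name: Apply security baseline
          organization: Default
          job_args:
            # Restrict the run to the impacted system only.
            limit: "{{ event.body.host }}"
            extra_vars:
              audit_message: "{{ event.body.message }}"
              violating_exe: "{{ event.body.exe }}"
```

Run it with `ansible-rulebook -r rulebook.yml -i inventory.yml` from a decision environment that contains the ansible.eda collection; messages on the topic that lack the baseline key are ignored rather than triggering a job.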
Event Driven Ansible + ServiceNow, step by step:
- Auditd detects an unauthorized change and tags it as a violation of the security baseline.
- Auditd passes information about what has happened to rsyslog.
- Rsyslog sends the audit trail of what happened to a central log server.
- Vector reads the information from the central log server and processes it.
- Vector sends selected information about the violation to an incident queue in ServiceNow.
- AAP Event Driven Ansible (EDA) polls for new incidents created in ServiceNow and learns that there has been a violation.
- The EDA rulebook in question fires off an action (running a job template), which re-applies the security baseline on the server in question. EDA passes information such as which system was impacted and the auditd log information to the template, allowing it to execute against the impacted system.
- A job template run on the AAP Controller receives that information, remediates the unauthorized change by re-applying the security baseline, and updates ServiceNow by closing the incident.
I've just set this up myself. I'll try to get to creating this environment automatically later.
- To set up a demo environment you need 3 servers + AAP 2.5:
  - A RHEL 9 system to protect
  - A RHEL 9 system to host the rsyslog server and Vector
  - If you use the Kafka integration pattern: a RHEL 9 system to host Kafka
  - If you use the ServiceNow integration pattern: a ServiceNow instance
  - AAP 2.5 or later
Put in place the audit.rules and rsyslog.conf configuration found in the audit/rsyslog folders.
Install and configure Vector and rsyslog as described in the rsyslog/vector folders.
If you use the Kafka integration pattern: install and configure Kafka as described in the kafka folder.
If you use the ServiceNow integration pattern:
- Identify a standard incident you want to target.
- Build a custom ServiceNow Decision Environment by following the instructions here.
- Upload the custom ServiceNow Decision Environment to AAP.
Configure what's required following instructions in the aap folder.
- Magnus Glantz, sudo@redhat.com, 2026
- Many thanks to Mina George, Red Hat, who came up with the idea of using Vector and a normal Rsyslog server to feed into EDA actions. Without you Mina, I would have never set this up.
- Many thanks to Alexander Rydekull, Red Hat, who on a shared flight from LA to Copenhagen co-authored the idea of using EDA to resolve capacity-related issues in large-scale security baseline implementations.