Skip to main content
Glama
konstruktoid

prescryb

by konstruktoid

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
CCE_REPONoGitHub owner/repo queried for CCE JSON exports by lookup_cce/list_cce_targets.konstruktoid/cce-web
NVD_API_KEYNoRaises NVD API rate limits for fetch_advisory.
GITHUB_TOKENNoRaises GitHub API rate limits for map_compliance, lookup_cce, and list_cce_targets.
HARDENING_COLLECTION_REPONoGitHub owner/repo queried for compliance-mapped Ansible roles.konstruktoid/ansible-collection-hardening

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": false
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
inventory_hostA

SSH into host and inventory installed packages.

Auth uses ~/.ssh/config, an SSH agent, and default identity files - the
same as running `ssh host` yourself. No password argument is accepted:
credentials must never flow through MCP tool-call arguments. Unknown
host keys are rejected unless trust_unknown_host=True; prefer connecting
with `ssh host` once yourself to pin the key instead.

`hostname`/`identity_file` override the resolved address and key path
without editing ~/.ssh/config - handy for e.g. a local molecule/vagrant
instance. Only a path is passed, never key contents.
check_cvesA

Match installed package versions against known CVEs via OSV.dev.

`system` and `packages` are the objects returned by inventory_host (or a
filtered subset of `packages` if you only want to check specific ones).
Uses OSV's server-side ecosystem-aware version comparison rather than
name-only matching, so results reflect the exact installed version.
fetch_advisoryA

Fetch the current, authoritative NVD record for a specific CVE ID.

Use this to get an up-to-date description, CVSS score/severity, CWE
weakness classification, and reference links for a CVE surfaced by
check_cves (or one you already know about), rather than relying on
potentially stale training data.
map_complianceA

Map a free-text topic to CIS Benchmark / DISA STIG topic areas and ATT&CK.

`area` examples: 'ssh', 'sudo', 'kernel modules', 'password policy'. If a
matching role is found in the konstruktoid.hardening GitHub repo, it is
returned too. Also returns the MITRE ATT&CK techniques (and, where
defined, the ATT&CK mitigation) that hardening this area addresses.

Only topic-area mapping is returned for CIS/DISA STIG, never fabricated
specific rule IDs (e.g. "CIS 5.2.1") - those require the licensed
benchmark text. Consult the referenced role's own docs/tags for exactly
what it covers. ATT&CK technique/mitigation IDs, by contrast, are
MITRE's own public catalog (attack.mitre.org), so they're cited directly.
list_cce_targetsA

List platform names lookup_cce can query (e.g. 'rhel8', 'firefox').

Sourced live from https://github.com/konstruktoid/cce-web, the community
JSON conversion of NIST's CCE spreadsheets. Coverage of this project's
target distros is thin: only RHEL-family ('rhel6'/'rhel7'/'rhel8') and
SUSE ('SLES12-DISA-STIG'/'SLES15-DISA-STIG'/'SLES15-PCI-DSS') are
usable - Debian, Ubuntu, Alpine, and Arch have no CCE data upstream.
lookup_cceA

Look up NIST Common Configuration Enumeration entries for a platform.

`target`: free text naming a platform, resolved against the export
names published by https://github.com/konstruktoid/cce-web (NIST itself
only publishes CCE as spreadsheets). For a host from inventory_host, use
'rhel<major version>' for any RHEL-family distro_id (rhel, almalinux,
rocky - CCE only tracks the upstream RHEL number) or
'SLES<major version>-DISA-STIG' for suse; Debian, Ubuntu, Alpine, and
Arch have no CCE coverage upstream at all. Call list_cce_targets to see
every published platform (also covers e.g. 'firefox', 'apache-httpd2.2',
'win2k8r2').

Pass `keyword` (matched against title/description/rationale/config
group) or `cce_id` (exact ID, e.g. 'CCE-80876-6') to filter results.
Without either, only the platform's config-group categories and entry
count are returned - dumping an entire platform (hundreds of entries)
isn't useful; narrow with a keyword first.
generate_playbookA

Generate a suggest-only Ansible playbook from findings. Does NOT run it.

`system`: object from inventory_host. `cve_matches`: entries from
check_cves you want remediated (each becomes a package-upgrade task
citing the CVE). `compliance_areas`: topic hints (e.g. ["ssh", "sudo"])
- each resolved via map_compliance and, where a matching
konstruktoid.hardening role exists, referenced in the playbook's
`roles:` list instead of reimplemented. The header also cites the MITRE
ATT&CK techniques/mitigations each area addresses. Always review the
output with `ansible-playbook --check --diff` before applying.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/konstruktoid/prescryb'

If you have feedback or need assistance with the MCP directory API, please join our Discord server