
Lab: Configuring Baseline Data

Configure terminal session recording by using the web console. Configure systems for monitoring, remote logging, and auditing with Ansible Automation Platform as the configuration manager.

Outcomes

You should be able to configure terminal session recording by using the web console, configure servers as an Ansible Automation Platform control node and managed nodes, and configure the servers as a central log server and a remote log server with a file-access audit system.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

[student@workstation ~]$ lab start baseline-review

This command confirms that the required hosts for this exercise are accessible and creates the workdir directory, which contains the minimal configuration files needed for the activities in this exercise.

Instructions

Use the web console to configure terminal session recording for the consultant user. Configure workstation as a control node, and verify communication with servera and serverb as managed nodes. Use Ansible Playbooks to configure the managed nodes:

servera
  • Configure terminal session recording for the consultant user by using the web console.

  • Configure the rsyslog service to serve as a central log host.

  • Create a rule that writes the syslog messages that each host generates to separate files under the /var/log/loghost directory.

  • Use the rsyslog.conf.j2 template file to configure syslog to create subdirectories that are based on the originating host name of each syslog message.

  • The template file configures syslog to create subdirectories, and to maintain a separate log file for each syslog facility.

  • Add the new log files to the log rotation schedule for size management.

serverb
  • Install AIDE to report file and directory changes.

  • Configure serverb to send log messages to the central log host.

  1. Configure terminal session recording for the consultant user.

    1. On workstation, open a web browser and navigate to https://servera:9090. Log in with user name student and password student.

    2. From the left menu, click Session Recording, and then click the gear icon.

      Navigate to SSSD Config and set Scope to Some. Enter consultant in the Users and Groups field.

    3. Click Save, and then at the top of the page click Session Recording.

    4. On workstation, open another terminal and log in to servera as the consultant user.

      [student@workstation ~]$ ssh consultant@servera
      [consultant@servera ~]$
    5. Run some commands as the consultant user, such as ps auxf, top, and df -h.

      [consultant@servera ~]$ ps auxf
      ...output omitted...
      [consultant@servera ~]$ top
      ...output omitted...
      [consultant@servera ~]$ df -h
      ...output omitted...
    6. Return to workstation as student.

      [consultant@servera ~]$ exit
      [student@workstation ~]$
    7. Confirm the terminal session recording. In the web console of servera, click Session Recording. Refresh the page if necessary.

    8. Click the consultant user's recorded terminal session.

    9. Play back the recorded session by clicking Play.

  2. Configure workstation as a control node and servera and serverb as managed nodes. Verify that the control node can reach both.

    1. On workstation, change to the workdir directory and review the configuration files.

      [student@workstation ~]$ cd workdir
      [student@workstation workdir]$ cat ansible.cfg
      [defaults]
      inventory = inventory
      remote_user = root
      host_key_checking = False
      deprecation_warnings = False
      [student@workstation workdir]$ cat inventory
      [servers]
      central_loghost ansible_host=servera
    2. Add serverb as remote_loghost in the inventory file.

      [servers]
      central_loghost ansible_host=servera
      remote_loghost ansible_host=serverb
    3. Confirm that the managed nodes are reached.

      [student@workstation workdir]$ ansible all -m ping
      central_loghost | SUCCESS => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": false,
          "ping": "pong"
      }
      remote_loghost | SUCCESS => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": false,
          "ping": "pong"
      }
  3. Use an Ansible Playbook to configure servera as a central log host. Use the provided configuration template.

    1. Inside the workdir directory, create the mybaseline.yaml Ansible Playbook for the rsyslog service configuration on servera.

      - name: Configure central loghost
        hosts: central_loghost
        gather_facts: False
    2. Confirm that the rsyslog service is active and enabled at system startup.

      - name: Ensure that rsyslog is active and enabled
        ansible.builtin.service:
          name: rsyslog
          state: started
          enabled: True
    3. Use the rsyslog.conf.j2 template file as the rsyslog service configuration file to allow remote logging.

      - name: Template out rsyslog configuration file
        template:
          src: rsyslog.conf.j2
          dest: /etc/rsyslog.conf
          owner: root
          group: root
          mode: '0444'
      
      - name: Restart rsyslog service
        ansible.builtin.service:
          name: rsyslog
          state: restarted
    4. Ensure that the firewalld service is enabled for the rsyslog service.

      - name: Open rsyslog firewalld port
        firewalld:
          port: 514/tcp
          immediate: yes
          permanent: yes
          state: enabled
    5. Add the remote logs to the configured log rotation.

      - name: Add entry for that the new logs have rotation
        lineinfile:
          path: /etc/logrotate.d/syslog
          line: /var/log/loghost/*/*.log
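The instructions describe what the rsyslog.conf.j2 template makes the central log host do: write each incoming message under /var/log/loghost/<originating host>/<facility>.log. The following Python program is an added example, not the course's template or any rsyslog code, that re-implements that routing so the rule can be studied offline: it decodes the PRI field into facility and severity, renders the line the way it appears on disk in steps 5.5, and builds the destination path. The rsyslog property template string it uses (ASSUMED_TEMPLATE) is an assumption about what such a template contains, and the hostname check is the example's own policy, added because the HOSTNAME field is supplied by the sending host before it becomes a directory name on the log host.

```python
"""Per-host, per-facility log routing of the kind the lab's central log host
applies (/var/log/loghost/<host>/<facility>.log), re-implemented in Python
as an illustration. Added example; not the course's rsyslog.conf.j2."""
import re
from collections import defaultdict

# Assumption: a dynamic file-name template in rsyslog's property syntax.
# The real rsyslog.conf.j2 used by the lab is not reproduced on the page.
ASSUMED_TEMPLATE = "/var/log/loghost/%HOSTNAME%/%syslogfacility-text%.log"

# Facility codes 0-23 as numbered by RFC 3164/5424, with rsyslog's text names.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 line as it arrives over TCP/514: <PRI>timestamp host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

def decode_pri(pri):
    """PRI = facility * 8 + severity; e.g. 74 -> ('cron', 'crit')."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITY_NAMES):
        raise ValueError(f"PRI {pri} out of range")
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity]

def safe_hostname(host):
    """The HOSTNAME field is supplied by the sender, so it is validated before
    it becomes part of a path on the log host (this check is the example's own
    policy, not something rsyslog is claimed to do)."""
    return bool(re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]{0,254}", host)) and ".." not in host

def parse_line(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message")
    facility, severity = decode_pri(int(m["pri"]))
    pid = f"[{m['pid']}]" if m["pid"] else ""
    return {
        "host": m["host"], "facility": facility, "severity": severity,
        # What ends up on disk with the traditional file format: no PRI prefix.
        "rendered": f"{m['ts']} {m['host']} {m['tag']}{pid}: {m['msg']}",
    }

def destination(host, facility, template=ASSUMED_TEMPLATE):
    return template.replace("%HOSTNAME%", host).replace("%syslogfacility-text%", facility)

def route(lines):
    """Return (files, rejected): files maps a destination path to the lines it
    would receive; rejected lists lines the log host should not write."""
    files, rejected = defaultdict(list), []
    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if not safe_hostname(rec["host"]):
            rejected.append((line, "unsafe hostname"))
            continue
        files[destination(rec["host"], rec["facility"])].append(rec["rendered"])
    return dict(files), rejected

# Constructed sample traffic: the two logger messages from the lab, one auth
# message from servera, and one message whose hostname must not become a
# directory name.
SAMPLE_LINES = [
    "<14>Sep 22 00:09:37 serverb consultant[39113]: Test user.info message from serverb",
    "<74>Sep 22 00:09:56 serverb consultant[39202]: Test cron.crit message from serverb",
    "<38>Sep 22 00:10:01 servera sshd[1200]: Accepted publickey for student",
    "<14>Sep 22 00:11:00 ../etc logger[7]: hostname that must be rejected",
]

if __name__ == "__main__":
    files, rejected = route(SAMPLE_LINES)
    for path, entries in sorted(files.items()):
        print(path)
        for entry in entries:
            print("   ", entry)
    print("rejected:", len(rejected))
```

Running it shows the two serverb messages landing in user.log and cron.log under /var/log/loghost/serverb, which is exactly what the grep commands in step 5.5 look for, while the line with a traversal-style hostname is counted as rejected instead of creating a directory outside the log tree.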
  4. Use an Ansible Playbook to configure serverb as a remote log server, and configure AIDE to monitor file integrity. Use the provided configuration templates for each service.

    1. Add a task to the mybaseline.yaml playbook to configure serverb as the remote log server.

      - name: Configure remote logging
        hosts: remote_loghost
        gather_facts: False
    2. Verify that the rsyslog service is active and enabled at system startup.

      - name: Ensure that rsyslog is active and enabled
        ansible.builtin.service:
          name: rsyslog
          state: started
          enabled: True
    3. Add an entry in the /etc/rsyslog.conf file to redirect logs to the central log host.

      - name: Add entry for redirecting logs
        lineinfile:
          path: /etc/rsyslog.conf
          line: '*.* action(type="omfwd" target="servera" port="514" protocol="tcp")'
      
      - name: Restart rsyslog service
        ansible.builtin.service:
          name: rsyslog
          state: restarted
    4. Add a task to the mybaseline.yaml playbook to configure AIDE on serverb.

      - name: Install AIDE
        hosts: remote_loghost
        gather_facts: False
    5. Ensure that the aide package is installed. Use the aide.conf.j2 template file as the aide service configuration file.

      - name: Ensure that AIDE package is installed
        ansible.builtin.yum:
          name: aide
          state: present
      
      - name: Template out AIDE configuration file
        template:
          src: aide.conf.j2
          dest: /etc/aide.conf
          owner: root
          group: root
          mode: '0444'
    6. Initialize the aide database to start monitoring configured files.

      - name: Init AIDE database
        command: aide --init
      
      - name: Enable AIDE database
        command: mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
        tags: enable_aidedb
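Steps 4.5 and 4.6 set up the AIDE cycle that step 5.7 later exercises: aide --init writes a new database, the mv makes it the active baseline, and aide --check compares the filesystem against that baseline. The Python program below is an added example, not AIDE and not part of the course, that reproduces the same three operations over a temporary directory so the cycle can be run anywhere; its JSON files and the p+u+g+s+sha256 attribute set are the example's own stand-ins for aide.db.new.gz, aide.db.gz and an AIDE rule. It also shows a property of the playbook worth knowing before grading: the Init AIDE database task is a plain command with no creates condition, so every rerun of the playbook re-baselines the host and a subsequent aide --check reports no differences even if a monitored file was altered between runs.

```python
"""File-integrity baseline in the style of AIDE's init/check cycle, written in
Python so it runs offline. Added example, not AIDE itself; the file names and
JSON format stand in for /var/lib/aide/aide.db.new.gz and aide.db.gz."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

DB_NEW = "aide.db.new.json"    # stand-in for /var/lib/aide/aide.db.new.gz
DB_ACTIVE = "aide.db.json"     # stand-in for /var/lib/aide/aide.db.gz

def file_record(path):
    """Attributes comparable to an AIDE rule of p+u+g+s+sha256."""
    st = path.lstat()
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }

def scan(root):
    """Snapshot every regular file below root (symlinks are skipped here)."""
    return {
        str(p.relative_to(root)): file_record(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }

def init_db(root, dbdir):
    """Like `aide --init`: always writes the *new* database, never the active one."""
    out = dbdir / DB_NEW
    out.write_text(json.dumps(scan(root), sort_keys=True))
    return out

def activate_db(dbdir):
    """Like the lab's `mv aide.db.new.gz aide.db.gz`: the new snapshot becomes the baseline."""
    os.replace(dbdir / DB_NEW, dbdir / DB_ACTIVE)
    return dbdir / DB_ACTIVE

def check(root, dbdir):
    """Like `aide --check`: compare the filesystem against the active baseline."""
    baseline = json.loads((dbdir / DB_ACTIVE).read_text())
    current = scan(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if current[p] != baseline[p]),
    }

def demo():
    """Init, activate, check; alter one file; check again; then re-init
    unconditionally, as `command: aide --init` does on every playbook run,
    and check a third time. Returns the three check results in order."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dbdir = Path(tmp) / "etc", Path(tmp) / "aide"
        root.mkdir()
        dbdir.mkdir()
        # Constructed monitored files standing in for /etc on serverb.
        (root / "rsyslog.conf").write_text(
            '*.* action(type="omfwd" target="servera" port="514" protocol="tcp")\n')
        (root / "aide.conf").write_text("/etc p+u+g+s+sha256\n")

        init_db(root, dbdir)
        activate_db(dbdir)
        clean = check(root, dbdir)

        # Alteration: forwarding to the central log host is commented out.
        (root / "rsyslog.conf").write_text(
            '#*.* action(type="omfwd" target="servera" port="514" protocol="tcp")\n')
        tampered = check(root, dbdir)

        # What a playbook rerun does: a fresh baseline that now matches the altered file.
        init_db(root, dbdir)
        activate_db(dbdir)
        after_reinit = check(root, dbdir)
        return clean, tampered, after_reinit

if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "after re-init"), demo()):
        print(f"{label:14}: {result}")
```

The second result lists rsyslog.conf as changed, which is the signal the check exists to produce; the third result is empty again, which is why a real deployment initializes the database once (or guards the task with a creates condition) and protects the baseline from being rewritten by routine configuration runs.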
  5. Run the playbook, and then view remote logging and file integrity on serverb.

    1. Verify that the final Ansible Playbook mybaseline.yaml contains this content:

      - name: Configure central loghost
        hosts: central_loghost
        gather_facts: False
      
        tasks:
          - name: Ensure that rsyslog is active and enabled
            ansible.builtin.service:
              name: rsyslog
              state: started
              enabled: True
      
          - name: Template out rsyslog configuration file
            template:
              src: rsyslog.conf.j2
              dest: /etc/rsyslog.conf
              owner: root
              group: root
              mode: '0444'
      
          - name: Restart rsyslog service
            ansible.builtin.service:
              name: rsyslog
              state: restarted
      
          - name: Open rsyslog firewalld port
            firewalld:
              port: 514/tcp
              immediate: yes
              permanent: yes
              state: enabled
      
          - name: Add entry for that the new logs have rotation
            lineinfile:
              path: /etc/logrotate.d/syslog
              line: /var/log/loghost/*/*.log
      
      
      - name: Configure remote logging
        hosts: remote_loghost
        gather_facts: False
      
        tasks:
          - name: Ensure that rsyslog is active and enabled
            ansible.builtin.service:
              name: rsyslog
              state: started
              enabled: True
      
          - name: Add entry for redirecting logs
            lineinfile:
              path: /etc/rsyslog.conf
              line: '*.* action(type="omfwd" target="servera" port="514" protocol="tcp")'
      
          - name: Restart rsyslog service
            ansible.builtin.service:
              name: rsyslog
              state: restarted
      
      - name: Install AIDE
        hosts: remote_loghost
        gather_facts: False
      
        tasks:
          - name: Ensure that AIDE package is installed
            ansible.builtin.yum:
              name: aide
              state: present
      
          - name: Template out AIDE configuration file
            template:
              src: aide.conf.j2
              dest: /etc/aide.conf
              owner: root
              group: root
              mode: '0444'
      
          - name: Init AIDE database
            command: aide --init
      
          - name: Enable AIDE database
            command: mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
            tags: enable_aidedb
    2. Run the playbook and verify that it finishes successfully.

      [student@workstation workdir]$ ansible-playbook mybaseline.yaml
      PLAY [Configure central loghost] *********************************************
      
      TASK [Ensure that rsyslog is active and enabled] *****************************
      ok: [central_loghost]
      
      TASK [Template out rsyslog configuration file] *******************************
      changed: [central_loghost]
      
      TASK [Restart rsyslog service] ***********************************************
      changed: [central_loghost]
      
      TASK [Open rsyslog firewalld port] *******************************************
      ok: [central_loghost]
      
      TASK [Add entry for that the new logs have rotation] *************************
      ok: [central_loghost]
      
      PLAY [Configure remote logging] **********************************************
      
      TASK [Ensure that rsyslog is active and enabled] *****************************
      ok: [remote_loghost]
      
      TASK [Add entry for redirecting logs] ****************************************
      changed: [remote_loghost]
      
      TASK [Restart rsyslog service] ***********************************************
      changed: [remote_loghost]
      
      PLAY [Install AIDE] **********************************************************
      
      TASK [Ensure that AIDE package is installed] *********************************
      changed: [remote_loghost]
      
      TASK [Template out AIDE configuration file] **********************************
      changed: [remote_loghost]
      
      TASK [Init AIDE database] ****************************************************
      changed: [remote_loghost]
      
      TASK [Enable AIDE database] **************************************************
      changed: [remote_loghost]
      
      PLAY RECAP ****************************************************************
      central_loghost            : ok=5    changed=2    unreachable=0    failed=0
      remote_loghost             : ok=7    changed=6    unreachable=0    failed=0

      Note

      Output may vary depending on changes or re-run of the Ansible Playbook.

    3. On workstation, open another terminal and log in to serverb as the consultant user.

      [student@workstation workdir]$ ssh consultant@serverb
      [consultant@serverb ~]$
    4. Generate some syslog messages with different log facilities and priorities. Then, return to workstation as student.

      [consultant@serverb ~]$ logger -p user.info "Test user.info message from serverb"
      [consultant@serverb ~]$ logger -p cron.crit "Test cron.crit message from serverb"
      [consultant@serverb ~]$ exit
      [student@workstation workdir]$
    5. Log in to servera and use sudo to verify the remote logging. Use student as the password when prompted.

      [student@workstation workdir]$ ssh student@servera
      [student@servera ~]$ sudo grep consultant /var/log/loghost/serverb/user.log
      [sudo] password for student: student
      Sep 22 00:09:37 serverb consultant[39113]: Test user.info message from serverb
      [student@servera ~]$ sudo grep consultant /var/log/loghost/serverb/cron.log
      Sep 22 00:09:56 serverb consultant[39202]: Test cron.crit message from serverb
    6. Return to workstation as student.

      [student@servera ~]$ exit
      [student@workstation workdir]$
    7. Log in to serverb with ssh, and use sudo to verify the integrity of the monitored files. Enter student as the password.

      [student@workstation workdir]$ ssh student@serverb
      [student@serverb ~]$ sudo aide --check
      [sudo] password for student: student
      Start timestamp: 2021-09-22 00:15:27 -0400 (AIDE 0.16)
      AIDE found NO differences between database and filesystem. Looks okay!!
      
      Number of entries:	5
      
      ---------------------------------------------------
      The attributes of the (uncompressed) database(s):
      ---------------------------------------------------
      
      /var/lib/aide/aide.db.gz
        MD5      : Q6Ba4uEAWnVokSR5IoGcGA==
        SHA1     : gtNsnq9mM5ljKC0tsjdyJRVIobw=
        RMD160   : DhFPdM+jfYw7uHqnNRmwbEwQbxY=
        TIGER    : IvUi93X18F+O/nkkHBhgrpc0/EobIvVc
        SHA256   : 0a6zINluSdksWHL4jFLkqT7XI6waQgrS
                   xt+TmWcl61w=
        SHA512   : 65bpzDil3IYXMOjzb4zepETkfW9r9O6k
                   hmiBKGXoE3aPjS2F8eOc/smbUiU9sc9/
                   NFyNOKhXZtNC65WN6fDxdQ==
      
      
      End timestamp: 2021-09-22 00:15:27 -0400 (run time: 0m 0s)
    8. Return to workstation as the student user and change to its home directory.

      [student@serverb ~]$ exit
      [student@workstation workdir]$ cd ~
      [student@workstation ~]$

Evaluation

On the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the script until you receive a passing grade.

[student@workstation ~]$ lab grade baseline-review

Finish

On the workstation machine, use the lab command to complete this exercise. This is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish baseline-review

Revision: rh342-8.4-6dd89bd