RH415 - ch01s04

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

SectionSection 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Reviewing Recommended Security Practices

In this exercise, you will review simple recommended practices to improve the security of a server system.

Outcomes

You should be able to:

Configure a system to use SSH key-based authentication.
Disable root login to a system.

Verify that the workstation, servera, and serverb systems are started.

Log in to workstation as student using student as the password. On workstation, run lab securityrisk-recommend setup to verify that the environment is ready.

[student@workstation ~]$ lab securityrisk-recommend setup

Configure serverb to allow SSH key-based authentication. Configuration is successful when the student user on servera can log in to serverb using SSH key-based authentication.

From workstation, log in to servera as the student user.

[student@workstation ~]$ ssh student@servera
[student@servera ~]$

On servera as the student user, create an SSH key pair with no passphrase.

[student@servera ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_rsa): Enter
Created directory '/home/student/.ssh'.
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter
Your identification has been saved in /home/student/.ssh/id_rsa.
Your public key has been saved in /home/student/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:8CttStESwlNmmGot+dXN9cR9x4Hw46gdRmVM5XFj+TQ student@servera.lab.example.com
The key's randomart image is:
+---[RSA 2048]----+
|     o+    .+=oO+|
|   .o+      =o=EX|
|   ++ o. o o = o=|
|  = .o.=. + o o .|
| . o .o S  + .   |
|    .  + .+ .    |
|      o +. .     |
|     . +         |
|      .          |
+----[SHA256]-----+
[student@servera ~]$

On servera, copy the SSH public key to the student account on serverb.

[student@servera ~]$ ssh-copy-id student@serverb
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/student/.ssh/id_rsa.pub"
The authenticity of host 'serverb (172.25.250.11)' can't be established.
ECDSA key fingerprint is SHA256:BMdnasLF5CBGg42Dx77nuXodXdI9dKoEBQGFK5O0HRI.
ECDSA key fingerprint is MD5:9e:a8:ec:0c:86:d2:70:34:ef:5a:94:15:6d:48:73:db.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
student@serverb's password: student

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'student@serverb'"
and check to make sure that only the key(s) you wanted were added.

[student@servera ~]$

On servera, test the ability to use key-based authentication by using the ssh command to connect to serverb and remotely execute the hostname command. No password is required. The results are returned to the terminal on servera.
```
[student@servera ~]$ ssh serverb 'hostname'
serverb.lab.example.com
[student@servera ~]$ 
```

On serverb, modify the OpenSSH server configuration file to prohibit logging in by the root user.

Confirm that the current configuration on serverb allows root user to log in using ssh. On servera, log in to serverb as the root user.

[student@servera ~]$ ssh root@serverb
root@serverb's password: redhat       
[root@serverb ~]#

Logout of serverb.

[root@serverb ~]# logout
[student@servera ~]$

On servera, log in to serverb as the student user.

[student@servera ~]$ ssh student@serverb
[student@serverb ~]$

Use the sudo -i command to change to the root user. If prompted, use student as the password.

[student@serverb ~]$ sudo -i
[sudo] password for student: student
[root@serverb ~]#

As the root user, edit /etc/ssh/sshd_config on serverb so that PermitRootLogin is set to no and uncommented. When finished, save your changes and exit the text editor.
```
[root@serverb ~]# vim /etc/ssh/sshd_config
...output omitted...
PermitRootLogin no
...output omitted...
```

Reload the SSH service on serverb. When finished, log out from serverb.

[root@serverb ~]# systemctl reload sshd
[root@serverb ~]# logout
[student@serverb ~]$ logout
Connection to serverb closed.
[student@servera ~]$

On servera, use SSH to confirm that the root user is not permitted to log in to serverb, but the student user is permitted to log in. When finished, log out from serverb.

[student@servera ~]$ ssh root@serverb
Password: redhat
Permission denied, please try again.
Password: redhat
Permission denied, please try again.
Password: redhat
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
[student@servera ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$ logout
Connection to serverb closed.
[student@servera ~]$

Configure SSH on serverb to prevent password authentication.

Confirm that the current configuration on serverb allows users to log in using ssh password authentication. On servera, log in to serverb as the visitor user.
```
[student@servera ~]$ ssh visitor@serverb
visitor@serverb's password: redhat       
visitor@serverb ~]$ 
```
Logout of serverb.
```
[visitor@serverb ~]$ logout
[student@servera ~]$ 
```

From servera, log in to serverb as the student user.

[student@servera ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$

As the student user on serverb use the sudo -i command to change to the root user. If prompted, use student as the password.
```
[student@serverb ~]$ sudo -i
[sudo] password for student: student
[root@serverb ~]# 
```
As the root user, edit the configuration file /etc/ssh/sshd_config so that the PasswordAuthentication entry is set to no. When finished, save your changes and exit the text editor.
```
[root@serverb ~]# vim /etc/ssh/sshd_config
...output omitted...
PasswordAuthentication no
...output omitted...
```

Reload the SSH service on serverb. When finished, log out from serverb.

[root@serverb ~]# systemctl reload sshd
[root@serverb ~]# logout
[student@serverb ~]$ logout
Connection to serverb closed.
[student@servera ~]$

On servera, verify that the visitor user cannot log in to serverb. Then, verify that the student user can log in using the SSH keys created earlier.

[student@servera ~]$ ssh visitor@serverb
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[student@servera ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$

Log out from serverb and servera.

[student@serverb ~]$ logout
Connection to serverb closed.
[student@servera ~]$ logout
Connection to servera closed.
[student@workstation ~]$

Cleanup

On workstation, run the lab securityrisk-recommend cleanup script to clean up this exercise.

[student@workstation ~]$ lab securityrisk-recommend cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c