RH415 - ch02s02

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

SectionSection 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Configuring Ansible for Security Automation

In this exercise, you will install Ansible on a control node, set up an inventory file, and run a single task to ensure multiple systems are in the same state.

Outcomes

You should be able to:

Install ansible.
Create a basic configuration file.
Create an inventory file.
Confirm managed host configuration on multiple hosts.
Run an ad hoc command to test Ansible.
Run an ad hoc command to ensure a security configuration update has been made on multiple machines.

Confirm that the workstation, servera, and serverb machines are started. Log in to the workstation machine as the student user with student as the password. Run the lab ansible-security setup command to prepare the classroom environment for the guided exercise.

[student@workstation ~]$ lab ansible-security setup

This command performs the following steps:

Uninstalls the ansible package from workstation.
Creates the ansible-testuser user on workstation, servera, and serverb.
Backs up the configuration and confirms the sshd service is running on all three machines
Verifies the required version of python is installed on all three machines
Enables ansible-testuser as a sudoer on all three machines
Configures SSH to allow ansible-testuser to connect to servera and serverb from workstation using an SSH key-pair

On the workstation machine, which is your control node, install the ansible package. If you are prompted for the password of the student user, use student.

[student@workstation ~]$ sudo yum install ansible
[sudo] password for student: student
...output omitted...
===========================================================
 Package            Arch    Version        Repository  Size
===========================================================
Installing:
 ansible            noarch  2.5.5-1.el7ae  ansible    9.1 M

Transaction Summary
===========================================================
Install  1 Package

Total download size: 9.1 M
Installed size: 46 M
Is this ok [y/d/N]: y
...output omitted...
Installed:
  ansible.noarch 0:2.5.5-1.el7ae                                                                                                        

Complete!

Switch to the ansible-testuser user using redhat as the password.

[student@workstation ~]$ su - ansible-testuser
Password: redhat
[ansible-testuser@workstation ~]$

Create the /home/ansible-testuser/security-ansible directory.

[ansible-testuser@workstation ~]$ mkdir ~ansible-testuser/security-ansible

Navigate to the /home/ansible-testuser/security-ansible directory.

[ansible-testuser@workstation ~]$ cd ~ansible-testuser/security-ansible
[ansible-testuser@workstation security-ansible]$

In the /home/ansible-testuser/security-ansible directory, create an Ansible configuration file named ansible.cfg.
Edit it so that Ansible commands run in this directory use /home/ansible-testuser/security-ansible/inventory as the inventory file, ansible-testuser as the remote user to connect to on the managed hosts, and prompt for the SSH password of the remote user (assumed to be the same on all managed hosts).
```
[ansible-testuser@workstation security-ansible]$ vi ansible.cfg
[ansible-testuser@workstation security-ansible]$ cat ansible.cfg
[defaults]
inventory       = ./inventory
remote_user     = ansible-testuser
ask_pass        = True
```
Continue to edit /home/ansible-testuser/security-ansible/ansible.cfg. Configure Ansible to automatically use sudo to switch the remote user (ansible-testuser) to the remote root user. Have Ansible prompt you for the remote user's sudo password when you run it.
```
[ansible-testuser@workstation security-ansible]$ vi ansible.cfg
[ansible-testuser@workstation security-ansible]$ cat ansible.cfg
...output omitted...
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=True
```
Note
In this classroom environment, you do not need to configure sudo privileges for ansible-testuser on each of your managed hosts. That has already been done for you.
Create the inventory file /home/ansible-testuser/security-ansible/inventory to group the servera and serverb nodes into the SERVERS group. Also, create a group LOCAL to include the localhost (workstation) into it. Additionally, create a group EVERYONE to include all of the nodes from the defined SERVERS and LOCAL groups.
```
[ansible-testuser@workstation security-ansible]$ vi inventory
[ansible-testuser@workstation security-ansible]$ cat inventory
[LOCAL]
workstation

[SERVERS]
servera
serverb

[EVERYONE:children]
LOCAL
SERVERS
```

Verify the inventory settings, as configured in the last step using the --list-hosts option with the ansible command.

[ansible-testuser@workstation security-ansible]$ ansible EVERYONE \
> --list-hosts
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
  hosts (3):
    serverb
    servera.
    workstation

Use the Ansible ping module to verify that you can run Ansible tasks on the managed nodes servera and serverb.

[ansible-testuser@workstation security-ansible]$ ansible SERVERS \
> -m ping
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
servera | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
serverb | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}

The next command is an example of a sophisticated ad hoc command. It uses the authorized_key module to make sure the local SSH public key belonging to ansible-testuser is in the ~/.ssh/authorized_keys file for ansible-testuser on all hosts in group EVERYONE.
This ensures that ansible-testuser can log in from workstation to the ansible-testuser account on any of the hosts in that host group with SSH public key authentication.
Note
Do not worry too much about the exact syntax of the authorized_key module's arguments here. The key argument is taking advantage of an advanced Ansible feature to use a Jinja2 template to use the contents of /home/ansible-testuser/.ssh/id_rsa.pub as the value for its argument, which should be the text of the line to check for in the remote authorized_keys file. You can use the command ansible-doc authorized_key to get more information about its arguments.
The important lesson here is that even single-task ad hoc commands can be useful for managing systems.
```
[ansible-testuser@workstation security-ansible]$ ansible EVERYONE \
> -m authorized_key \
> -a "user=ansible-testuser state=present \
> key={{ lookup('file', '/home/ansible-testuser/.ssh/id_rsa.pub') }}"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
...output omitted...
```
The Ansible lineinfile module checks to see if a line exists in a file or not. It can be used to ensure that line exists, or remove it if it exists.
The next example command uses the Ansible lineinfile module to adjust the settings in the /etc/ssh/sshd_config file on managed hosts in group EVERYONE. It ensures that the directive PasswordAuthentication no is set to disable password-based authentication to SSH on those hosts.
```
[ansible-testuser@workstation security-ansible]$ ansible EVERYONE \
> -m lineinfile \
> -a "path=/etc/ssh/sshd_config \
> regexp='PasswordAuthentication yes' \
> backrefs=yes line='PasswordAuthentication no'"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
workstation | SUCCESS => {
    "backup": "", 
    "changed": true, 
    "msg": "line replaced"
}
servera | SUCCESS => {
    "backup": "", 
    "changed": true, 
    "msg": "line replaced"
}
serverb | SUCCESS => {
    "backup": "", 
    "changed": true, 
    "msg": "line replaced"
}
```
Important
In case the SSH service breaks due to an accidental misconfiguration, preventing you to connect to the servera system, you can use the GUI to access the virtual systems of the classroom environment. To do so, navigate to the same page from where you accessed the console of the workstation machine. Click on the OPEN CONSOLE button that appears at the same row as the servera machine, which opens up the system console in a new tab of the same browser window.

Try logging in from the workstation machine to the servera and serverb machines using the public key-based authentication system of SSH explicitly. This should succeed.

[ansible-testuser@workstation security-ansible]$ ssh \
> -o PasswordAuthentication=no \
> -o PubkeyAuthentication=yes \
> ansible-testuser@servera
Last login: Wed Aug  1 09:24:40 2018 from workstation.lab.example.com
[ansible-testuser@servera ~]$ logout
Connection to servera closed.
[ansible-testuser@workstation security-ansible]$ ssh \
> -o PasswordAuthentication=no \
> -o PubkeyAuthentication=yes \
> ansible-testuser@serverb
Last login: Wed Aug  1 09:24:45 2018 from workstation.lab.example.com
[ansible-testuser@serverb ~]$ logout
Connection to serverb closed.
[ansible-testuser@workstation security-ansible]$ logout
[student@workstation ~]$

Important

Follow the clean up instructions at the end of this exercise after completing it. If you do not, you may encounter issues with other guided exercises in this course.

Cleanup

From the workstation machine, run the lab ansible-security cleanup command as student to clean up this exercise.

[student@workstation ~]$ lab ansible-security cleanup

This command deletes all of the work done as a part of this guided exercise. It performs the following steps:

Installs ansible back to the workstation machine.
Deletes the ansible-testuser user and revokes the sudo policy configured for the ansible-testuser user.
Restores the original settings of SSH service.

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c

Red Hat Security: Linux in Physical, Virtual, and Cloud

This course is now legacy content

Guided Exercise: Configuring Ansible for Security Automation

Note

Note

Important

Important