
Guided Exercise: Remediating Issues with Ansible Playbooks

In this exercise, you are given an Ansible Playbook to examine so that you can determine what it does. You then run it against multiple hosts using your inventory file.

Outcomes

You should be able to:

  • Evaluate an Ansible playbook having multiple tasks to accomplish a certain procedure.

  • Run the playbook on one or more systems.

  • Review the output of a playbook run.

  • Examine those systems manually to observe the changes.

  • Run the playbook again to confirm that no further changes are applied.

Confirm that the workstation, servera and serverb machines are started.

Log in to the workstation machine as the student user with student as the password. From the workstation, run the lab ansible-remediate setup command to prepare the classroom environment for the guided exercise. This command:

  • Uninstalls ansible from the workstation machine

  • Creates the ansible-testuser user

  • Generates the SSH key-pair for the ansible-testuser user on the workstation machine

  • Exports the public key of the SSH key-pair to the same user of the servera and the serverb machines

  • Verifies the public key-based authentication from the workstation host to the servera and serverb hosts

  • Configures the sudo privileges for the ansible-testuser on the workstation, servera and serverb machines

  • Downloads the lab files, which include a custom web page and the pre-created Ansible playbook, and saves them under the home directory of the ansible-testuser user

  • Verifies the installed version of the python package on the workstation, servera and serverb machines

[student@workstation ~]$ lab ansible-remediate setup
  1. Switch to the ansible-testuser using redhat as the password.

    [student@workstation ~]$ su - ansible-testuser
    Password: redhat
    Last login: Wed Aug  1 07:53:19 IST 2018 on pts/0
    [ansible-testuser@workstation ~]$ 
  2. Navigate to the ~ansible-testuser/ansible-remediate/ directory.

    [ansible-testuser@workstation ~]$ cd ansible-remediate
    [ansible-testuser@workstation ansible-remediate]$
  3. Update the existing webservers.yml file to mention that the playbook applies to the hosts in the SERVERS group as defined in the inventory. Also, specify ansible-testuser as the remote user to use while executing the tasks from the given playbook.

    [ansible-testuser@workstation ansible-remediate]$ vi webservers.yml
    [ansible-testuser@workstation ansible-remediate]$ cat webservers.yml
    ---
    - name: installs, configures and starts apache
      hosts: SERVERS
      remote_user: ansible-testuser
    ...output omitted...
  4. Verify the package module and its parameters in the webservers.yml file. This task installs the Apache httpd package.

    [ansible-testuser@workstation ansible-remediate]$ cat webservers.yml
    ...output omitted...
      tasks:
        - name: installs apache package
          package:
            name: httpd
            state: present
    ...output omitted...

    Notice the task name, installs apache package. The next line names the package module, which installs the httpd package. The name attribute under the package line specifies the httpd package. The state attribute, set to present, triggers installation of the httpd package if it is not already installed.

  5. Verify the lineinfile module and its parameters in the webservers.yml file. This task modifies the configuration file of the Apache httpd service to use custom.html as the DirectoryIndex of the Apache web server rather than the default index.html.

    [ansible-testuser@workstation ansible-remediate]$ cat webservers.yml
    ...output omitted...
      tasks:
    ...output omitted...
        - name: configures apache to use custom.html as the DirectoryIndex 
          lineinfile:
            path: /etc/httpd/conf/httpd.conf
            regexp: 'DirectoryIndex index.html'
            backrefs: yes
            line: 'DirectoryIndex custom.html'
          notify:
          - restart apache
    ...output omitted...

    Notice the task name, configures apache to use custom.html as the DirectoryIndex. The next line names the lineinfile module, which replaces an existing line in the configuration file of the httpd service. The path attribute specifies the configuration file to modify. The regexp attribute searches for the line that contains DirectoryIndex index.html. The backrefs attribute, set to yes, prevents the lineinfile module from appending the replacement line when it finds no occurrence of the search target; the file is then left unchanged. Appending the line is the module's default behavior when backrefs is not set. The line attribute specifies the replacement line that overwrites the matched line. The notify line triggers the restart apache handler, which restarts the httpd service only if the task changed the configuration file of the httpd service.

  6. Verify the firewalld module and its parameters in the webservers.yml file. This task opens the 80/tcp port so that the Apache web service is accessible from the network.

    [ansible-testuser@workstation ansible-remediate]$ cat webservers.yml
    ...output omitted...
      tasks:
    ...output omitted...
        - name: opens TCP port 80 in firewall
          firewalld:
            port: 80/tcp
            state: enabled
            permanent: true
            immediate: yes
    ...output omitted...

    Notice the task name, opens TCP port 80 in firewall. The next line names the firewalld module, which adjusts the firewall settings on the system. The port attribute specifies TCP port 80, the default port of web services. The state attribute, set to enabled, causes firewalld to allow HTTP connection requests to the 80/tcp port. The permanent attribute, set to true, makes the firewall setting persist across reboots. The immediate attribute, set to yes, makes the firewall setting take effect immediately.

  7. Verify the copy module and its parameters in the webservers.yml file. This task deploys the custom web content.

    [ansible-testuser@workstation ansible-remediate]$ cat webservers.yml
    ...output omitted...
      tasks:
    ...output omitted...
        - name: copies custom web content
          copy:
            src: files/custom.html
            dest: /var/www/html/custom.html
    ...output omitted...

    Notice the task name, copies custom web content. The next line names the copy module, which deploys the custom web content. The src attribute specifies the file (files/custom.html) that holds the custom web content. The dest attribute places this file in the default document root (/var/www/html) of the httpd service.

  8. Verify the service module and its parameters in the webservers.yml file. This task restarts the httpd service to reload the changes from the configuration file of the Apache web service.

    [ansible-testuser@workstation ansible-remediate]$ cat webservers.yml
    ...output omitted...
      tasks:
    ...output omitted...
        - name: starts apache
          service:
            name: httpd
            state: started
            enabled: true
    ...output omitted...

    Notice the task name, starts apache. The next line names the service module, which starts, stops, or restarts the httpd service. The name attribute specifies the service (httpd) that the task targets. The state attribute, set to started, ensures that the httpd service is running. The enabled attribute, set to true, causes the httpd service to run persistently across reboots.

  9. Run the Ansible playbook webservers.yml.

    [ansible-testuser@workstation ansible-remediate]$ ansible-playbook \
    > webservers.yml
    
    PLAY [installs, configures and starts apache] ********************************
    
    TASK [Gathering Facts] *******************************************************
    ok: [serverb]
    ok: [servera]
    
    TASK [installs apache package] ***********************************************
    changed: [servera]
    changed: [serverb]
    
    TASK [configures apache to use custom.html as the DirectoryIndex]*************
    changed: [servera]
    changed: [serverb]
    
    TASK [opens TCP port 80 in firewall] *****************************************
    changed: [serverb]
    changed: [servera]
    
    TASK [copies custom web content] *********************************************
    changed: [servera]
    changed: [serverb]
    
    TASK [ensure apache is running] **********************************************
    changed: [servera]
    changed: [serverb]
    
    RUNNING HANDLER [restart apache] *********************************************
    changed: [servera]
    changed: [serverb]
    
    PLAY RECAP *******************************************************************
    servera                    : ok=7    changed=6    unreachable=0    failed=0
    serverb                    : ok=7    changed=6    unreachable=0    failed=0
  10. Run the playbook again, repeating the last step. Notice that the play succeeds without making any change to the system state, because the systems are already in the desired end state.

    [ansible-testuser@workstation ansible-remediate]$ ansible-playbook \
    > webservers.yml
    ...output omitted...
    PLAY RECAP ******************************************
    servera    : ok=6  changed=0  unreachable=0  failed=0
    serverb    : ok=6  changed=0  unreachable=0  failed=0

    As the command output shows, the value of ok is 6, indicating that six tasks executed without error, and the value of changed is 0, which means that no change was made to the systems.

  11. Access the web content to confirm that the playbook webservers.yml has successfully configured both the servera.lab.example.com and serverb.lab.example.com systems.

    [ansible-testuser@workstation ansible-remediate]$ curl \
    > http://servera.lab.example.com
    Custom content for Ansible remediation guided exercise.
    [ansible-testuser@workstation ansible-remediate]$ curl \
    > http://serverb.lab.example.com
    Custom content for Ansible remediation guided exercise.
  12. Remove the /var/www/html/custom.html file from both servera.lab.example.com and serverb.lab.example.com systems. Confirm that you are seeing the default Apache test page instead of the custom web content.

    [ansible-testuser@workstation ansible-remediate]$ ssh \
    > ansible-testuser@servera 'sudo rm -f /var/www/html/custom.html'
    [ansible-testuser@workstation ansible-remediate]$ ssh \
    > ansible-testuser@serverb 'sudo rm -f /var/www/html/custom.html'
    [ansible-testuser@workstation ansible-remediate]$ curl \
    > http://servera.lab.example.com
    ...output omitted...
    [ansible-testuser@workstation ansible-remediate]$ curl \
    > http://serverb.lab.example.com
    ...output omitted...

    Notice that the default Apache test page is displayed rather than the custom web content.

  13. Run the Ansible playbook webservers.yml to remediate this deviation. Confirm that you are able to access the custom web content rather than the default Apache test page. Notice the change in the system state to restore the web content back to the systems. This is the only change in the state of the servera and serverb systems.

    [ansible-testuser@workstation ansible-remediate]$ ansible-playbook \
    > webservers.yml
    ...output omitted...
    PLAY RECAP *****************************************
    servera    : ok=6  changed=1 unreachable=0  failed=0
    serverb    : ok=6  changed=1 unreachable=0  failed=0
    [ansible-testuser@workstation ansible-remediate]$ curl \
    > http://servera.lab.example.com
    Custom content for Ansible remediation guided exercise.
    [ansible-testuser@workstation ansible-remediate]$ curl \
    > http://serverb.lab.example.com
    Custom content for Ansible remediation guided exercise.
    [ansible-testuser@workstation ansible-remediate]$ logout
    [student@workstation ~]$
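
A changed=0 recap, as in step 10, only shows that no task found anything to do. Because the lineinfile task in step 5 sets backrefs: yes, a host whose DirectoryIndex has been altered to some third value matches nothing and is left untouched. The following added example (not part of the course material; the function names and httpd.conf fragments are constructed) classifies a configuration by whether the task's regexp would match and whether the desired directive is actually active:

```python
import re

# Pattern and desired value copied from the lineinfile task in webservers.yml.
TASK_REGEXP = re.compile(r"DirectoryIndex index.html")
DESIRED = ["custom.html"]


def active_directory_index(conf_text):
    """Return the argument list of every uncommented DirectoryIndex directive."""
    found = []
    for raw in conf_text.splitlines():
        tokens = raw.strip().split()
        # Directive names are case-insensitive; '#' starts a comment line.
        if (tokens and not tokens[0].startswith("#")
                and tokens[0].lower() == "directoryindex"):
            found.append(tokens[1:])
    return found


def audit(conf_text):
    """Classify one httpd.conf against the task's regexp and desired line."""
    task_matches = any(TASK_REGEXP.search(l) for l in conf_text.splitlines())
    if task_matches:
        return "will-change"      # regexp matches, so the task rewrites the line
    if active_directory_index(conf_text) == [DESIRED]:
        return "remediated"       # no match, desired directive already active
    return "unmanaged-drift"      # no match: backrefs leaves the file untouched


# Constructed httpd.conf fragments (not taken from a real host).
STOCK = "<IfModule dir_module>\n    DirectoryIndex index.html\n</IfModule>\n"
# lineinfile replaces the whole line, so the original indentation is gone.
FIXED = "<IfModule dir_module>\nDirectoryIndex custom.html\n</IfModule>\n"
TAMPERED = "<IfModule dir_module>\n    DirectoryIndex other.html\n</IfModule>\n"

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("fixed", FIXED),
                       ("tampered", TAMPERED)):
        print(f"{name:9s} {audit(conf)}")
```

A host in the unmanaged-drift state reports ok with changed=0 for this task, so verify the effective configuration separately from the play recap.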

Important

You must follow the cleanup instructions at the end of this exercise after completing it. If you do not, you will encounter issues with subsequent guided exercises in this course.

Cleanup

From the workstation machine, as student user, run the lab ansible-remediate cleanup command to clean up this exercise. This command:

  • Reinstalls ansible on the workstation machine

  • Deletes the ansible-testuser user and revokes the sudo policy configured for the ansible-testuser user

  • Uninstalls the Apache web service from the managed nodes

[student@workstation ~]$ lab ansible-remediate cleanup

This concludes the guided exercise.

Revision: rh415-7.5-813735c