RH415 - ch02s05

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

SectionSection 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Managing Playbooks with Red Hat Ansible Tower

Objectives

After completing this section, students should be able to run playbooks and manage access to authentication credentials using Red Hat Ansible Tower.

Red Hat Ansible Tower and Security Management

Managing Ansible for IT automation at scale across an enterprise can present some challenges. You can have multiple administrators use the same Ansible Playbooks, but Ansible itself does not provide a facility to help you ensure that they have the latest version of the playbook, or who is running what playbook from where. It also does not provide a way for you to easily allow administrators to run Ansible Playbooks but limit them from needing to know the administrative credentials for your hosts.

Red Hat Ansible Tower is an additional service that you can run on-site to address these issues. It provides a way for you to centrally control and manage Ansible in your IT infrastructure, with a web-based user interface and visual dashboard, role-based access control, job scheduling, logging, integrated notifications and graphical inventory management. It also provides a REST API that you can use to integrate Ansible into your existing tools and processes. It can help you scale automation with Ansible, manage complex deployments, and speed productivity.

From a security perspective, Red Hat Ansible Tower helps you control, secure, and manage your Ansible automation at scale. You can use it to control who has access to run particular playbooks and which inventories they can use or manage. You can allow users of the Ansible Tower server to use machine credentials and control who can manage them, without allowing users to transfer them or see their contents. It logs who ran what Ansible jobs on what hosts when, and what the results of those jobs were. It provides a way for you to centrally manage your Ansible inventories, to make sure no hosts are missed.

Users typically interact with Red Hat Ansible Tower through the server's web-based user interface or by using its REST API. The server's web-based user interface performs its actions by executing calls against the server's API. Therefore, any action that you can perform through the web-based interface can also be performed by directly using the server's API.

The following diagram illustrates the architecture of Red Hat Ansible Tower.

Figure 2.1: Ansible Tower architecture

Operating Red Hat Ansible Tower

To better understand how Red Hat Ansible Tower can help you manage credentials, to run Ansible Playbooks, and to log the results of those runs, you need to understand the basics of how it it works. The following is a quick overview of how to use the Ansible Tower web-based user interface to launch a job with an example Ansible playbook, an inventory, and some access credentials for the machines in the inventory.

The basic idea is that you start playbook runs by "launching" a job from a job template. You configure Ansible Tower with a number of projects that can access playbooks. You also configure Tower with a number of inventories and the necessary machine credentials to log in to inventory hosts and escalate privileges. The job template is set up by an administrator. It specifies which playbook from which project should be run on the hosts in a particular inventory using particular machine credentials when you use the job template to launch a job.

Navigating the Ansible Tower Web Interface

When you log in to Ansible Tower, you are presented with a dashboard providing summary information about recent activity on the server and navigational links to configure resources and launch jobs.

Across the top of the interface, on the left side, are quick links to configure projects, inventories, job templates, and to the logs of the jobs that have been run.

Figure 2.2: Quick navigation links

On the right side are quick links to access your user account, the Settings interface for users and credentials, documentation, and to log out of Ansible Tower.

Figure 2.3: Administrative tool links

The dashboard itself presents four sections:

Across the top, a summary report of the status of hosts, inventories, and projects, with links to detailed information
A Job Status graph reporting on successful and failed runs of playbooks made by Ansible Tower
A list of Recently Used Templates with colored dots indicating whether its recent launches succeeded or failed and links to edit or relaunch the job template
A list of Recent Job Runs by time and date of execution

Figure 2.4: Ansible Tower dashboard

Launching a Job from a Job Template

A job template can be used to launch jobs (run playbooks) repeatedly using the same parameters. A job template is somewhat like a prepared ansible-playbook command complete with options and arguments that you can run at the click of a button.

This is an example of how to launch a job from a job template, using the Demo Job Template included with Ansible Tower.

Under TEMPLATES, the Demo Job Template should be listed. Across from the name of the job template is a rocket icon (Start a job using this template). Clicking that icon launches the job using the settings in the job template.
Figure 2.5: Launching a job
As the job runs, a new status page opens that provides real-time information about the progress of the job. The DETAILS pane provides basic information about the job being run: when it was launched, who launched it, what job template, project, and inventory were used, and so on. While running, the job status is Pending.
As the job executes, the status page also includes the output from the job run in a job output pane. The job run output resembles the output generated when the ansible-playbook command is executed on an Ansible playbook. In the example screenshot that follows, the play and tasks in the playbook ran successfully.
Figure 2.6: Example job output
After the job completes, the Tower dashboard (reachable by clicking the TOWER link at the upper left corner of the web interface) has a link to the status page for the job run under RECENT JOB RUNS. The other statistics on the Tower dashboard are also updated.
Under JOBS, all the jobs that have run on the Tower are listed. Clicking on the name of a job listed on this page also displays the status page logged for that job.
Figure 2.7: Example JOBS screen

Note

The JOBS screen provides useful information about what jobs were run when, and whether they succeeded or failed. By clicking the link for a particular job, you can get more detailed information about who launched it and the output from the ansible-playbook command run by Ansible Tower.

Controlling User Access in Ansible Tower

Different people using an Ansible Tower installation need to have different levels of access. Some may simply need to run existing job templates against a preconfigured inventory of machines. Others need to be able to modify particular inventories, job templates, and playbooks. Still others may need access to change anything in the Tower installation.

Ansible Tower has a built-in administrative user, admin, that has superuser access to the entire Tower configuration. In order to make it easier to manage individual access to inventories, credentials, projects, and job templates, user accounts can be set up for each person who uses the Tower installation.

As an administrator, you assign roles to users that grant permissions which define whether they can can use, see, change, or delete an object in Ansible Tower. For example, you might grant a user roles that allow them to use a job template with a machine credential to run a playbook, but not to change that template or credential. Roles can also be managed collectively by granting them to a team, which is a collection of users. All users in the team inherit the team's roles.

For very large deployments, it can be helpful to categorize users, teams, projects, and inventories into different departments. An organization is a logical collection of users, teams, projects, and inventories. All users must belong to an organization, and as part of installation a Default organization is created.

Managing Access to Machine Credentials

Credentials are Ansible Tower objects that are used to authenticate to remote systems for various purposes. They may provide secrets such as passwords, SSH keys, or other supporting information needed to successfully access or use a remote resource.

Ansible Tower is responsible for maintaining secure storage for the secrets in these credential objects. Credential passwords and keys are encrypted before they are saved to the Tower database, and can not be retrieved in clear text from the Tower user interface. Users and teams can be assigned privileges to use credentials, but the secrets are not exposed to them. When a credential is needed by Tower, it decrypts the data internally and passes it to Ansible directly.

Important

Once sensitive authentication data is entered into a credential and encrypted, it can no longer be retrieved in decrypted form through the Ansible Tower web interface.

Ansible Tower has a number of different types of credentials that it can manage, including:

Machine credentials, to authenticate to inventory hosts for connections when running playbooks and for privilege escalation.
Source Control (or SCM) credentials, used by projects to clone and update Ansible project materials from a remote version control system such as Git, Subversion, or Mercurial.

Credentials are managed in the Ansible Tower dashboard by clicking the gear icon to access the Settings page, and then selecting CREDENTIALS.

Users can be assigned the following roles to control their access to a credential:

admin: Full access to the credential, including deletion, modification, and use
use: Can use the credential when running playbooks in job templates
read: Can view configuration information in the credential (but not the secrets themselves)

Protecting credentials and privilege escalation settings in the Red Hat Ansible Tower server is vital to prevent unauthorized changes or access to the systems it manages. You should limit most users that need to use the credential to use access, and not grant access at all unless a user should have it.

To check the roles users have on a credential, login to the dashboard as admin and select the gear icon to navigate to Settings. Click on CREDENTIALS and select the credential.

In the following example, the admin user has administrative rights on the credential but demo-user1 only has use.

Figure 2.8: An Ansible Tower machine credential's roles

Managing Static Inventories in Ansible Tower

Inventories are also configured as Ansible Tower objects. To create an empty inventory, click the INVENTORIES quick navigation link at the top of the Ansible Tower web interface, and then on the Inventories screen, click ADD. On the NEW INVENTORY screen, enter a name for your inventory and assign it to an organization, then click SAVE.

To add individual hosts to the inventory, click on the inventory name to open its detail screen, and then click ADD HOST. Enter the host name of the host to add, then click SAVE. You can also use the web interface to add host groups and to statically add hosts to those host groups.

To control access to an inventory, as an administrator you assign roles on it to users. These roles include:

admin: Full access to the inventory, including deletion, modification, and use
use: Can use the inventory when running playbooks in job templates
ad hoc: Can use the inventory when running ad hoc commands in Ansible Tower
read: Can view the contents of an inventory

Creating a Job Template

Without spending a great deal of time covering the topic, this is a high-level overview of the process you would use to create a job template in Red Hat Ansible Tower.

Create an inventory containing the machines your job template will target, assuming one does not already exist. Grant use (and possibly ad hoc) access to the users of the job template.
Create a machine credential for the machines in your inventory, containing authentication information for the connection and for privilege escalation. Make sure that the right users have use role on the credential.
Create a project that specifies where to get the Ansible Playbook. This is typically from a remote Git repository, in which case you may also need to create an SCM credential that the project can use to authenticate to the repository. Make sure that the users of the job template have use (and possibly update) access to the project.
Create a job template that uses the project, and specifies a playbook from that project. Configure it to use the inventory and machine credential you created. Make sure that the users have the role execute (and possibly read) on the job template.
Launch the new job template to confirm that it works.

References

For more information refer to the Ansible Tower Administration Guide for Red Hat Ansible Tower 3.2.5 at: https://docs.ansible.com/ansible-tower/3.2.5/html/administration/index.html

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c