
Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

In this exercise, you will run a provided playbook using a preconfigured Red Hat Ansible Tower server.

Outcomes

You should be able to:

  • Log in to an existing Tower as a non-admin user.

  • Run an Ansible Playbook using Red Hat Ansible Tower.

  • Confirm that the user can use but cannot access the authentication credentials used.

Confirm that the workstation, servera, serverb and tower machines are started.

Log in to the workstation machine as the student user with student as the password. From workstation, run the lab ansible-tower setup command to prepare the classroom environment for the guided exercise. This command:

  • On workstation, servera, and serverb, creates the user ansible-testuser and configures sudo to allow that user to become root.

  • On workstation, generates an SSH key pair for ansible-testuser, and installs the public key in ~/.ssh/authorized_keys in that user's account on the servera and the serverb machines.

  • On your Ansible Tower server (tower), creates the Ansible Tower user ansible-testuser to allow access to its web-based user interface as a user with lower privileges than admin.

  • On your Ansible Tower server, creates the machine credential ansible-testuser-credential to authenticate access to the servera and the serverb machines.

  • On your Ansible Tower server, creates the project RH415_project, which is configured with access to an existing Ansible Playbook.

[student@workstation ~]$ lab ansible-tower setup
  1. On workstation, open Firefox to access https://tower.lab.example.com. If you encounter a warning that the Ansible Tower server's TLS certificate cannot be authenticated in this classroom, ignore the warning and add the certificate to your browser as an exception.

  2. Log in as the admin user in the Ansible Tower dashboard with the password redhat.

  3. Verify that the user ansible-testuser exists in Ansible Tower.

    1. From the top right corner in the home page of the Ansible Tower dashboard, click the Settings button that appears as the gear symbol.

    2. From the SETTINGS page, click the USERS box. You should see the ansible-testuser user in the list that appears.

  4. Add the ansible-testuser to the Default organization with the Member role.

    1. From the top right corner in the home page of the Ansible Tower dashboard, click the Settings button that appears as the gear symbol.

    2. From the SETTINGS page, click the ORGANIZATIONS box. In the ORGANIZATIONS page, click the USERS link that appears under the Default section.

    3. In the page that appears, click the ADD button within the Default section. Select the checkbox beside the ansible-testuser username in the DEFAULT | ADD USERS dialog box that appears and assign the Member role from the SELECT ROLES menu box. Once the Member role is selected, click the SAVE button.

  5. Verify that the machine credential ansible-testuser-credential exists. Also, grant the Use role to ansible-testuser for the machine credential so that the user can authenticate to managed hosts while executing the Ansible playbook.

    1. From the top right corner in the home page of the Ansible Tower dashboard, click the Settings button (the gear icon).

    2. From the SETTINGS page, click the CREDENTIALS box. In the CREDENTIALS page, verify that the ansible-testuser-credential item appears in the displayed list of available credentials.

    3. Click the ansible-testuser-credential link.

    4. In the page that appears, click the PERMISSIONS tab under the ansible-testuser-credential section.

    5. Click the ADD button under the CREDENTIALS PERMISSIONS section and select the checkbox that appears beside the ansible-testuser username in the ANSIBLE-TESTUSER-CREDENTIAL | ADD USERS/TEAMS dialog box to associate the credential with the user. Now, assign the Use role from the SELECT ROLES menu box. Once the Use role is selected, click the SAVE button.

  6. Verify that the RH415_project project exists in Ansible Tower. Also, grant the Use role to the ansible-testuser user on this project.

    1. In the Ansible Tower dashboard, click the PROJECTS tab at the top left corner. Verify that the project RH415_project appears in the list that is displayed.

    2. Click the RH415_project link. Navigate to the PERMISSIONS tab that appears under the RH415_project section.

    3. Click the ADD button under the RH415_project section and select the checkbox beside the ansible-testuser username in the RH415_PROJECT | ADD USERS/TEAMS dialog box. Assign the Use role from the SELECT ROLES menu box. Once the Use role is selected, click the SAVE button.

  7. Create the static inventory RH415_inventory.

    1. In the Ansible Tower dashboard, click the INVENTORIES tab at the top left of the page.

    2. Navigate to ADD → Inventory. Specify the value of NAME as RH415_inventory under the DETAILS tab of the RH415_inventory section and click the SAVE button.

  8. Grant Use and Ad Hoc permissions to the ansible-testuser user for the RH415_inventory inventory.

    1. Click the PERMISSIONS tab under the RH415_inventory section.

    2. Click the ADD button under the same RH415_inventory section and select the checkbox beside the ansible-testuser username in the RH415_INVENTORY | ADD USERS/TEAMS dialog box. Now, assign the Use and Ad Hoc roles from the SELECT ROLES menu box. Once the roles are added, click the SAVE button.

  9. Create the webservers group within the RH415_inventory to include servera and serverb managed hosts.

    1. Click the GROUPS tab under the RH415_inventory section.

    2. Click the ADD GROUP button under the same RH415_inventory section.

    3. Specify the value of NAME as webservers under the DETAILS tab of the CREATE GROUP section and click the SAVE button.

    4. On the same page, click the HOSTS tab under the webservers section. Navigate to ADD → New Host. In the page that appears, specify the value of HOST NAME as servera under the DETAILS tab and click the SAVE button.

      Important

      Pay close attention to the hierarchy while you add hosts to the host groups of a specific inventory. The hierarchy is displayed near the top of the page, right below the quick navigation links. In this example, while adding the host group to the inventory, your hierarchy should be INVENTORIES / RH415_inventory / GROUPS. While adding hosts to the host group, your hierarchy should be INVENTORIES / RH415_inventory / GROUPS / webservers / ASSOCIATED HOSTS.

    5. Repeat the same to add serverb as well.

    6. Log out from the Ansible Tower dashboard. The button that appears as a power button at the top right corner of the page allows you to log out.

  10. As the ansible-testuser Tower user, verify that the ansible-testuser-credential machine credential exists.

    1. Log in as ansible-testuser with the password redhat in the Ansible Tower dashboard.

    2. Navigate to Settings → CREDENTIALS → ansible-testuser-credential. Notice that you are not able to modify the properties of the credential, because the only role that ansible-testuser has on this credential is USE. The USE role allows you to use this credential to authenticate to the managed hosts while executing the Ansible playbook, but it does not grant you the privileges to modify the properties of the credential.

  11. Create the job template RH415_job in the RH415_project. Enable privilege escalation for the ansible-testuser user so that the playbook can use the sudo command on the managed hosts for tasks that require administrative rights.

    1. In the Ansible Tower dashboard, click the TEMPLATES tab at the top left.

    2. Navigate to ADD → Job Template under the TEMPLATES section. In the page that appears, specify the value of NAME as RH415_job under the DETAILS tab of the NEW JOB TEMPLATE section. Under the DETAILS tab of the NEW JOB TEMPLATE section, click the search button of the INVENTORY field and select the radio button beside the RH415_inventory item and click the SELECT button.

    3. Ensure that RH415_project is selected in the PROJECT field.

    4. Select webservers.yml from the drop-down menu in the PLAYBOOK field.

    5. Click the search button of the CREDENTIAL field and select the radio button beside the ansible-testuser-credential item and click the SELECT button.

    6. Select the checkbox that appears right beside the Enable Privilege Escalation option under the OPTIONS section of the page and click the SAVE button.

  12. Launch the job template RH415_job.

    Click the TEMPLATES tab and use the button with the rocket icon to run the RH415_job job template on the managed hosts.

  13. Verify the accessibility of the custom web content that the RH415_job job template deploys.

    [student@workstation ~]$ curl http://servera
    Custom content for Ansible remediation guided exercise.
    [student@workstation ~]$ curl http://serverb
    Custom content for Ansible remediation guided exercise.

    Log out from the Ansible Tower dashboard.

  14. Log in as admin in the Ansible Tower dashboard. Create another machine credential named ansible-testuser-credential2. In the next few steps, you will configure this credential to allow users to authenticate to machines with key-based SSH authentication and to use sudo to escalate privileges.

    1. Log in as the admin user with the password redhat.

    2. Click the gear icon in the upper right to navigate to Settings.

    3. Click the CREDENTIALS box.

    4. Click the ADD button to create a new credential.

  15. For ansible-testuser-credential2, specify the appropriate properties including the SSH private key and privilege escalation attributes of the credential. This allows the credential to use the public key-based SSH authentication instead of the password-based SSH authentication.

    1. In the next page that opens, specify ansible-testuser-credential2 as the value of the NAME field under the DETAILS tab of the NEW CREDENTIAL section.

    2. Click the magnifying glass icon under the ORGANIZATION field and select Default as the organization for this credential. This allows the ansible-testuser user to leverage this new machine credential.

    3. Click the magnifying glass icon under the CREDENTIAL TYPE field and select Machine as the type of the credential.

    4. On workstation, open a terminal, copy the contents of /home/student/.ssh/lab_rsa, and paste them into the text box under the SSH PRIVATE KEY field in the Tower dashboard.

    5. Select sudo from the drop-down menu under the PRIVILEGE ESCALATION METHOD field.

    6. Specify root under the PRIVILEGE ESCALATION USERNAME field. This allows the ansible-testuser user to escalate to the root user with sudo while the Ansible play executes.

    7. Click the SAVE button to create this machine credential.

  16. Adjust the permissions of the newly created machine credential to add the ansible-testuser user with the Use role. This allows the ansible-testuser user to leverage the newly created machine credential.

    1. Click the PERMISSIONS tab that appears right next to the DETAILS under the ansible-testuser-credential2 section of the page.

    2. Click the ADD button and select the checkbox that appears right beside the ansible-testuser username.

    3. Once the checkbox is selected, specify Use role in the SELECT ROLES box.

    4. Click the SAVE button.

  17. Create a new job template called RH415_job2 with the new machine credential.

    1. From the upper left of the Tower dashboard, click the TEMPLATES tab.

    2. Navigate to ADD → Job Template.

    3. In the page that opens, specify the attributes of the new job template as follows.

      • NAME: RH415_job2

      • INVENTORY: RH415_inventory

      • PROJECT: RH415_project

      • PLAYBOOK: fileservers.yml

      • CREDENTIAL: ansible-testuser-credential2

      • OPTIONS: Enable Privilege Escalation selected

      Leave all other settings as default.

    4. Click the SAVE button.

  18. Launch the new job template RH415_job2.

    1. From the upper left of the Tower dashboard, click the TEMPLATES tab.

    2. Use the button with the rocket symbol to run the RH415_job2 job template on the managed hosts. Notice in the dashboard that the Ansible play does not prompt for the SSH password.

  19. Verify that the Ansible play was successful by executing the following wget command.

    Note

    The execution of fileservers.yml playbook configured the basic FTP server on servera to download the custom.html file.

    [student@workstation ~]$ wget ftp://servera/custom.html
    --2018-08-17 13:04:13--  ftp://servera/custom.html
               => ‘custom.html’
    Resolving servera (servera)... 172.25.250.10
    Connecting to servera (servera)|172.25.250.10|:21... connected.
    Logging in as anonymous ... Logged in!
    ==> SYST ... done.    ==> PWD ... done.
    ==> TYPE I ... done.  ==> CWD not needed.
    ==> SIZE custom.html ... 56
    ==> PASV ... done.    ==> RETR custom.html ... done.
    Length: 56 (unauthoritative)
    
    100%[=======================================>] 56   --.-K/s   in 0s
    
    2018-08-17 13:04:13 (14.1 MB/s) - ‘custom.html’ saved [56]

    Because the preceding command succeeds, you can confirm that the Ansible play using the newly created SSH private key-based machine credential was successful.
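Steps 4 to 10 depend on ansible-testuser holding exactly the Member, Use and Ad Hoc roles granted there and nothing stronger. The following added example (not part of the course material) audits those grants from access-list data; it assumes the response shape of Tower's access_list API endpoint, and the sample data is constructed.

```python
# Added example: check Tower access lists against the exercise's role grants.
# Assumes the /api/v2/<resource>/<id>/access_list/ response shape.
EXPECTED = {  # roles granted to ansible-testuser, keyed by (type, name)
    ("organization", "Default"): {"Member"},
    ("credential", "ansible-testuser-credential"): {"Use"},
    ("project", "RH415_project"): {"Use"},
    ("inventory", "RH415_inventory"): {"Use", "Ad Hoc"},
}

def roles_for(access_list, username):
    """Return (direct, inherited) sets of role names held by username."""
    direct, inherited = set(), set()
    for entry in access_list.get("results", []):
        if entry.get("username") != username:
            continue
        fields = entry.get("summary_fields", {})
        direct |= {a["role"]["name"] for a in fields.get("direct_access", [])}
        inherited |= {a["role"]["name"] for a in fields.get("indirect_access", [])}
    return direct, inherited

def audit(access_lists, username, expected=EXPECTED):
    """List (resource, problem, role, source) tuples that break the baseline."""
    findings = []
    for resource, allowed in sorted(expected.items()):
        direct, inherited = roles_for(access_lists.get(resource, {}), username)
        for role in sorted((direct | inherited) - allowed):
            source = "direct" if role in direct else "inherited"
            findings.append((resource, "excess", role, source))
        for role in sorted(allowed - direct - inherited):
            findings.append((resource, "missing", role, "-"))
    return findings

def _user(name, direct=(), inherited=()):
    wrap = lambda roles: [{"role": {"name": r}} for r in roles]
    return {"username": name, "summary_fields": {
        "direct_access": wrap(direct), "indirect_access": wrap(inherited)}}

# Constructed sample: the credential carries an extra Admin role, which would
# let the user edit it, and the project grant from step 6 was never made.
SAMPLE = {
    ("organization", "Default"): {"results": [_user("ansible-testuser", ["Member"])]},
    ("credential", "ansible-testuser-credential"): {"results": [
        _user("admin", inherited=["System Administrator"]),
        _user("ansible-testuser", ["Use", "Admin"])]},
    ("inventory", "RH415_inventory"): {"results": [_user("ansible-testuser", ["Use", "Ad Hoc"])]},
}

if __name__ == "__main__":
    print(*audit(SAMPLE, "ansible-testuser"), sep="\n")
```

An empty result from audit() means the user's roles match the grants made in the exercise.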

Important

It is imperative that you clean up the system after running through this guided exercise; otherwise, you may encounter issues with the other guided exercises of the course.

Cleanup

From the workstation machine, as the student user, run the lab ansible-tower cleanup command to clean up this exercise. This command:

  • Deletes the ansible-testuser user from the workstation, servera, and serverb machines. Additionally, it revokes the sudo policy configured for the ansible-testuser user from the servera and serverb machines.

  • Removes the Tower project RH415_project created by the setup script.

  • Removes the ansible-testuser user from your Ansible Tower.

  • Removes the ansible-testuser-credential machine credential from your Ansible Tower.

  • Removes the RH415_inventory from your Ansible Tower.

  • Removes the RH415_job job template from your Ansible Tower.

  • Uninstalls the Apache web service from the managed nodes.

[student@workstation ~]$ lab ansible-tower cleanup

This concludes the guided exercise.

Revision: rh415-7.5-b847083