RH415 - ch02s07

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

SectionSection 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Lab: Automating Configuration and Remediation with Ansible

Performance Checklist

In this lab, you will ensure your workstation is prepared to use Ansible and has been configured with an appropriate configuration file and inventory, and use a provided playbook in order to ensure that several servers are in the correct configuration.

Outcomes

You should be able to:

Install and configure Ansible.
Confirm that Ansible is working correctly and can connect to managed hosts, using ad hoc commands.
Run Ansible Playbooks to configure managed hosts.

Verify that workstation, servera, and serverb are started.

Log in to workstation as student using student as the password. From workstation, run lab ansible-review setup to verify that the environment is ready.

[student@workstation ~]$ lab ansible-review setup

On workstation, install the ansible package.

On workstation as the student user, install the ansible package administratively using the sudo command.

[student@workstation ~]$ sudo yum install ansible
[sudo] password for student: student
...output omitted...
======================================================
 Package      Arch    Version         Repository  Size
======================================================
Installing:
 ansible      noarch  2.5.5-1.el7ae   ansible     9.1M

Transaction Summary
======================================================
Install  1 Package

Total download size: 9.1 M
Installed size: 46 M
Is this ok [y/d/N]: y
...output omitted...
Installed:
  ansible.noarch 0:2.5.5-1.el7ae                                                                                                        

Complete!

On workstation as ansible-testuser, create the /home/ansible-testuser/lab directory. In the lab directory, create an inventory file that defines the webservers host group. This host group includes two managed hosts, servera.lab.example.com, and serverb.lab.example.com. The password of ansible-testuser is redhat.
Switch to the ansible-testuser user. Use redhat as the password.
[student@workstation ~]$ su - ansible-testuser Password: redhat Last login: Wed Aug 1 07:53:19 IST 2018 on pts/0 [ansible-testuser@workstation ~]$
Create the /home/ansible-testuser/lab directory.
[ansible-testuser@workstation ~]$ mkdir ~/lab
Create an inventory file in the lab directory. This inventory file contains the webservers host group which includes two managed hosts, servera.lab.example.com, and serverb.lab.example.com.
[ansible-testuser@workstation ~]$ cd ~/lab [ansible-testuser@workstation lab]$ vi inventory [ansible-testuser@workstation lab]$ cat inventory [webservers] servera.lab.example.com serverb.lab.example.com
In /home/ansible-testuser/lab, create an Ansible configuration file that uses the inventory file previously created. It should use the ansible-testuser user account to log in to the remote managed hosts. Configure the privilege escalation settings such that it uses sudo to perform tasks as root on the remote managed hosts. Ansible should prompt the user for the sudo password.
In the lab directory, create an Ansible configuration file which uses the inventory file previously created. You need to define the ansible-testuser user as the remote user, and enable Ansible to ask for a password to log in to the managed host. Finally, you need to configure privilege escalation with sudo and root as the remote user, and enable Ansible to ask for a password to become root in the managed host.
[ansible-testuser@workstation lab]$ vi ansible.cfg [ansible-testuser@workstation lab]$ cat ansible.cfg [defaults] inventory = ./inventory remote_user = ansible-testuser ask_pass = True [privilege_escalation] become=True become_method=sudo become_user=root become_ask_pass=True

Use an Ansible ad hoc command to confirm that the two managed hosts in the webservers host group are available. Verify that the httpd package is yet to be installed on either host. Also, confirm that TCP port 80 is blocked by both hosts' firewall settings.

Confirm that the two managed hosts in the webservers host group are available. Use the ping Ansible module.

[ansible-testuser@workstation lab]$ ansible webservers -m ping
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
serverb.lab.example.com | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
servera.lab.example.com | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}

Use the command Ansible module to confirm that the httpd package is yet to be installed in the managed hosts of the webservers host group. The following output shows that the httpd packaged is not installed on the managed hosts.

[ansible-testuser@workstation lab]$ ansible webservers -m command \
> -a "yum list installed httpd"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
...output omitted...
serverb.lab.example.com | FAILED | rc=1 >>
Loaded plugins: enabled_repos_upload, langpacks, package_upload, product-id,
              : search-disabled-repos, subscription-manager
Uploading Enabled Repositories Report
Loaded plugins: langpacks, product-id, subscription-managerError: No matching Packages to listnon-zero return code

servera.lab.example.com | FAILED | rc=1 >>
Loaded plugins: enabled_repos_upload, langpacks, package_upload, product-id,
              : search-disabled-repos, subscription-manager
Uploading Enabled Repositories Report
Loaded plugins: langpacks, product-id, subscription-managerError: No matching Packages to listnon-zero return code

Note

The ansible webservers -m yum -a "list=httpd" command is an alternative solution that in a number of ways is superior because it uses a purpose-built module instead of depending on command. However, unless you looked in ansible-doc, you might not know about that module.

Ensure that TCP port 80 is blocked by firewalld on the managed hosts in the webservers host group. Use the firewalld Ansible module to check the port and the http service definition, and disable access if it is open.

The output shows that neither the port nor the service definition was enabled in firewalld on the managed hosts, since no changes were made.

[ansible-testuser@workstation lab]$ ansible webservers -m firewalld \
> -a "port=80/tcp state=disabled immediate=true permanent=true"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
servera.lab.example.com | SUCCESS => {
    "changed": false, 
    "msg": "Permanent and Non-Permanent(immediate) operation"
}
serverb.lab.example.com | SUCCESS => {
    "changed": false,
    "msg": "Permanent and Non-Permanent(immediate) operation"
}
[ansible-testuser@workstation lab]$ ansible webservers -m firewalld \
> -a "service=http state=disabled immediate=true permanent=true"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
servera.lab.example.com | SUCCESS => {
    "changed": false, 
    "msg": "Permanent and Non-Permanent(immediate) operation"
}
serverb.lab.example.com | SUCCESS => {
    "changed": false,
    "msg": "Permanent and Non-Permanent(immediate) operation"
}

Run the http://materials.example.com/labs/deploy-httpd.yml Ansible Playbook to install, and configure the httpd service on the managed hosts. When done, verify that the httpd package is installed, and that TCP port 80 is open on those managed hosts.

Download the deploy-httpd.yml Ansible Playbook from http://materials.example.com/labs/deploy-httpd.yml.

[ansible-testuser@workstation lab]$ wget \
> http://materials.example.com/labs/deploy-httpd.yml
...output omitted...

Run the deploy-httpd.yml playbook to deploy the httpd service, and open TCP port 80 on the managed hosts.

[ansible-testuser@workstation lab]$ ansible-playbook deploy-httpd.yml
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
...output omitted...
servera.lab.example.com    : ok=3    changed=1    unreachable=0    failed=0   
serverb.lab.example.com    : ok=3    changed=1    unreachable=0    failed=0
[ansible-testuser@workstation lab]$

Use the command Ansible module to verify that the httpd package is installed on the managed hosts of the webservers host group. The output shows that the httpd package is installed on the managed hosts.

[ansible-testuser@workstation lab]$ ansible webservers -m command \
> -a "yum list installed httpd"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
 [WARNING]: Consider using the yum module rather than running yum.  If you need to use command because yum is insufficient you can add
warn=False to this command task or set command_warnings=False in ansible.cfg to get rid of this message.

servera.lab.example.com | SUCCESS | rc=0 >>
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
This system is not registered with an entitlement server.
You can use subscription-manager to register.

Installed Packages
httpd.x86_64      2.4.6-80.el7   @rhel--server-dvd

serverb.lab.example.com | SUCCESS | rc=0 >>
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
This system is not registered with an entitlement server.
You can use subscription-manager to register.

Installed Packages
httpd.x86_64      2.4.6-80.el7   @rhel--server-dvd

Note

Again, the ansible webservers -m yum -a "list=httpd" command is an alternative solution that you could also use to determine this.

Verify that TCP port 80 is open in the firewall settings of the managed hosts of the webservers host group with the command Ansible module. The output shows that 80/TCP is open in the firewall settings of the managed hosts.
```
[ansible-testuser@workstation lab]$ ansible webservers -m command \
> -a "firewall-cmd --list-ports --zone=public"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
servera.lab.example.com | SUCCESS | rc=0 >>
80/tcp

serverb.lab.example.com | SUCCESS | rc=0 >>
80/tcp
```
Note
You could simply run an ad hoc command with the firewalld module to check the configuration and correct it automatically if it was incorrect. However, this approach might more clearly show you that the port is already configured on both hosts due to the playbook, without disturbing the systems' current configuration.

Log out as ansible-testuser from workstation.

[ansible-testuser@workstation lab]$ logout
[student@workstation ~]$

Navigate in a web browser to http://servera.lab.example.com and http://serverb.lab.example.com to verify the configuration.
On workstation, open Firefox, and navigate to http://servera.lab.example.com. Verify that the default Apache homepage shows.
Navigate to http://serverb.lab.example.com. Verify that the default Apache homepage shows.

Evaluation

On workstation, run the lab ansible-review grade command to confirm success of this exercise.

[student@workstation ~]$ lab ansible-review grade

Cleanup

On workstation, run the lab ansible-review cleanup script to clean up this exercise.

[student@workstation ~]$ lab ansible-review cleanup

This concludes the lab.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c