RH415 - ch03s03

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

SectionSection 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Controlling File System Decryption with NBDE

Objectives

After completing this section, students should be able to use NBDE to manage decryption policy and automatically decrypt storage when specified conditions are met, using NBDE.

Introducing Network-bound Disk Encryption

One of the pitfalls of LUKS encryption is that you have to enter a passphrase manually to decrypt a disk at boot time. With a large number of servers, this requirement becomes a problem. Network-bound Disk Encryption (NBDE) automates the decryption of those encrypted disks without manually entering any passphrase at boot time in a secure way, by ensuring certain criteria are met. You can use NBDE to automatically decrypt LUKS storage devices containing root and non-root file systems.

Persistently Mounting LUKS File Systems

You must edit the /etc/crypttab file to specify the encrypted block devices to open (decrypted and mapped) at boot time. This file contains an entry for each encrypted block device. Two entries in /etc/crypttab might appear as follows:

[root@demo ~]# cat /etc/crypttab
decrypted1  /dev/vdb1  none  _netdev
decrypted2  UUID=43d8995e-b876-4385-b124-7e402446d6c7  none  _netdev

The first field contains the name to use for the decrypted block device. This name is mapped to a device file, /dev/mapper/name. In the example, the name for the first mapped and decrypted block device is /dev/mapper/decrypted1.

The second field includes either the device name or LUKS UUID (from cryptsetup luksUUID device) for the encrypted LUKS device. In this example, the encrypted block device /dev/vdb1 maps to the decrypted device /dev/mapper/decrypted1, and the encrypted block device labeled with the LUKS UUID 43d8995e-b876-4385-b124-7e402446d6c7 maps to the decrypted block device /dev/mapper/decrypted2.

The third field specifies the absolute path to a file containing the encryption password. It is set to none in the example, which has special meaning. In this case, either the boot process will pause to prompt for manual entry of the encryption password on the machine's console, or it will trigger block device decryption with NBDE.

Finally, the last field includes a comma-separated list of options, in this case only specifying the _netdev option. At boot time, NBDE attempts to unlock all block devices with the _netdev option.

Important

The _netdev option is needed if you are using NBDE Tang servers as a condition to decrypt the devices. This is because NBDE needs to use the network to contact those servers, and so decryption cannot occur until the network is available.

If you are not using NBDE and the device does not need the network to be available to be decrypted, you might omit the fourth field or use other options here such as discard.

When the LUKS-encrypted block device maps to /dev/mapper/name, you can use the latter to mount this device to a specific mount point with the /etc/fstab file.

The following example mounts the file system of the decrypted block device /dev/mapper/decrypted1 on the /encrypted directory. This example assumes that the underlying file system on the device is XFS.

[root@demo ~]# vi /etc/fstab
...output omitted...
/dev/mapper/decrypted1   /encrypted       xfs    _netdev        1 2

Unattended Device Decryption at Boot Time

You can use /etc/crypttab on its own to configure LUKS to decrypt devices at boot time, but this requires either that passwords be entered manually on the console, or that they are stored in plain text on a decrypted device on the system. This is inadequate for use cases where servers need to boot unattended and still keep the decryption password secure.

NBDE provides a mechanism to automatically decrypt LUKS devices at boot time in a secure manner. This mechanism is based on two key components. Clevis runs on the system and decrypts devices and defines the policy whose conditions must be met for the data to be decrypted. Tang is a very simple server which Clevis clients contact to determine if they are booting with access to a secure network and therefore decrypt their LUKS devices. You can use this to stop automatic decryption of a device that has been removed from the data center.

Configuring Clevis and Tang

The architecture of NBDE uses two key components: the Clevis framework, and the Tang server. The Clevis framework is a pluggable framework that supports NBDE on the client side and automates the unlocking of LUKS-encrypted block devices. The Tang server supports NBDE on the server side, and makes data available on a system when that system can reach the Tang server over a specific secure network. The Clevis framework supports plug-ins to interact with Tang servers (PINs). Both the Clevis framework and the Tang server use the JOSE framework as their back end for encryption and decryption.

Figure 3.1: NBDE architecture with Clevis and Tang

Clevis gets a list of the keys for each Tang server, and uses one of those keys to generate an encryption key. The Clevis PIN then uses that encryption key to encrypt the data. The encryption generates some state information, which is stored in the LUKS header. That state information is accessible with the luksmeta show command.

Controlling file system decryption using NBDE

Configuring a Tang Server

To configure a Tang server, you need to install the tang package. This package installs the tangd service, which uses systemd socket activation, so it starts with the first connection.

Use the following command to enable socket activation for the tangd service:

[root@demo ~]# systemctl enable tangd.socket --now
Created symlink from /etc/systemd/system/multi-user.target.wants/tangd.socket to /usr/lib/systemd/system/tangd.socket.

Note

By default, the tangd service binds to the 80/TCP port. Red Hat Enterprise Linux blocks by default this port.

To stop the tangd service, disable the socket activation for that service as follows:

[root@demo ~]# systemctl disable tangd.socket ‐‐now
Removed symlink /etc/systemd/system/multi-user.target.wants/tangd.socket.

Note

You can test that a Tang server is accessible with the curl -f http://demotang.lab.example.com/adv command.

Managing Keys for Tang Servers

You need to periodically rotate the signature and exchange keys used by a Tang server. The rotation interval for those keys depends on your application, key sizes, and organizational policies. The Tang server stores those keys in the /var/db/tang directory. To rotate those keys you need to generate new keys with the jose command for the JOSE framework, as follows:

[root@demo ~]# cd /var/db/tang
[root@demo tang]# jose jwk gen -i '{"alg":"ES512"}' \
> -o signature.jwk
[root@demo tang]# jose jwk gen -i '{"alg":"ECMR"}' \
> -o exchange.jwk

You need to rename the old keys, adding a dot as a prefix to the old key name. Existing client connections use the old keys, while the Tang server uses the new keys automatically for new client bindings. When all existing client connections finish, you can safely remove the old keys.

Note

The clients need to be updated to use the new keys. To refresh the client keys usage you need to bind the encrypted device with the tang server again, using the clevis luks bind -d /dev/DEVICE tang '{"url":"http://demotang.lab.example.com"}' command.

Configuring the Clevis Framework

To configure the Clevis framework with LUKS support, you need to install the clevis, clevis-luks, and clevis-dracut packages. The clevis luks bind command binds a block device to a Tang server. This command also associates a binding policy with the device, which decrypts the device based on the Tang server availability. There are several available binding policies such as the REST HTTP escrow server policy, the Shamir's Secret Sharing policy, and the Tang binding server policy. The following example binds the /dev/vda1 device to the demotang.lab.example.com Tang server.

[root@demo ~]# clevis luks bind -d /dev/vda1 tang '{"url":"http://demotang.lab.example.com"}'

The previous command uses the -d option to specify the device which binds to the Tang server.

This command also associates a binding policy, the Tang binding policy, to bind the device to the Tang server. A Tang binding server policy definition, such as the one in the previous example, requires at least the base URL for the Tang server. Other policies are also available, such as the Shamir's Secret Sharing policy .

If the policy requirements are not met (for example, the Tang server is not available), the Clevis framework prompts for the LUKS passphrase during the boot process.

Important

If you are configuring Clevis to decrypt a block device containing the root file system, you must recreate the initramfs with the dracut -f command. For other block devices, you must enable path-based execution by clevis-luks-askpass.path as follows:

[root@demo ~]# systemctl enable clevis-luks-askpass.path
Created symlink from /etc/systemd/system/remote-fs.target.wants/clevis-luks-askpass.path to /usr/lib/systemd/system/clevis-luks-askpass.path.

Shamir's Secret Sharing

The Clevis framework supports other policies to bind LUKS-encrypted block devices to Tang servers. In the previous example, the Tang binding server policy allows you to define a unique Tang server. The Shamir's Secret Sharing (SSS) policy supports the definition of complex policies with multiple Tang servers. You can define a policy with SSS that requires a minimum number of Tang servers to be available before a LUKS-encrypted block device can be decrypted.

The following example binds the /dev/vdb1 device to an SSS policy which defines three Tang servers, and requires at least two of them to be available for automatic decryption to occur.

[root@demo ~]# cfg=$'{"t":2,"pins":{"tang":[\n
> {"url":"http://demotang1.lab.example.com"},\n
> {"url":"http://demotang2.lab.example.com"},\n
> {"url":"http://demotang3.lab.example.com"}]}}'
[root@demo ~]# clevis luks bind -d /dev/vdb1 sss "$cfg"
The advertisement contains the following signing keys:

4R1tkfaTw-67bW0uxTAmTprUPoo

Do you wish to trust these keys? [ynYN] Y
The advertisement contains the following signing keys:

gks_IaVo1yog0KuQei95rg_yGns

Do you wish to trust these keys? [ynYN] Y
The advertisement contains the following signing keys:

vA5xAeUiKPqvkg4UyR4TemzXoAw

Do you wish to trust these keys? [ynYN] Y
You are about to initialize a LUKS device for metadata storage.
Attempting to initialize it may result in data loss if data was
already written into the LUKS header gap in a different format.
A backup is advised before initialization is performed.

Do you wish to initialize /dev/vdb1? [yn] y
Enter existing LUKS password: demopass

As shown above, you need to trust the key for each Tang server.

References

clevis-encrypt-tang(1), clevis-encrypt-sss(1), and the jose-jwk-gen(1) man pages

For more information, refer to the Hardening Your System with Tools and Services chapter in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#sec-Using_Network-Bound_Disk_Encryption

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-b847083