RH415 - ch05s02

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

SectionSection 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Auditing the PAM Configuration

In this exercise, you will review existing PAM configuration files used by programs on the system, and interpret and investigate how they control user authentication and authorization.

Outcomes

You should be able to:

Review and interpret the current PAM configuration.
Investigate the pam_faildelay PAM module and show how modifications to the /etc/login.defs file affect how that module reacts to failed logins.
Install a package that provides a PAM configuration and investigate that configuration.

Verify that the workstation and serverc machines are started.

Log in to workstation as student using student as the password. On workstation, run lab pam-auditing setup to verify that the environment is ready. This script also updates the system PAM configuration files to prepare the exercise.

[student@workstation ~]$ lab pam-auditing setup

Review the PAM configuration file for the sshd service.

[student@workstation ~]$ ssh student@serverc
[student@serverc ~]$

Display the content of the /etc/pam.d/sshd file. The sshd daemon uses that file to authenticate users who log in using SSH.

[student@serverc ~]$ cat /etc/pam.d/sshd
#%PAM-1.0
auth	     required	    pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

During the user authentication phase, sshd uses libpam functions to execute the modules from the auth management group. From the previous output, you can see that PAM calls:
1. The pam_sepermit module to deny or allow access depending on the SELinux mode. You can get more details on this module in its manual page.
2. The substack control jumps to the /etc/pam.d/password-auth file. If a requisite module fails or if a sufficient module succeeds in this password-auth file, PAM carries on with the remainder of the current /etc/pam.d/sshd file.
3. The include control jumps to the /etc/pam.d/postlogin file. If a requisite module fails or if a sufficient module succeeds in this postlogin file, PAM gives control back to the sshd daemon.
4. The result of the pam_reauthorize module does not matter because the control is set to optional. PAM silently skips this rule if the module is not installed, because auth is prefixed with a "-" character.
Verify that the last module does not exist on your system.
```
[student@serverc ~]$ ls /usr/lib64/security/pam_reauthorize.so
ls: cannot access /usr/lib64/security/pam_reauthorize.so: No such file or directory
```

With the substack control in the /etc/pam.d/sshd configuration file, PAM includes all the rules from the /etc/pam.d/password-auth file. Many applications on the system share this file. This allows easy and consistent management of standard authentication tests for the whole system.

Display the contents of the /etc/pam.d/password-auth file.

[student@serverc ~]$ cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Investigate and configure the pam_faildelay module.
1. From the previous output, you can see that one of the modules that PAM executes during the authentication phase is pam_faildelay. Consult the man page for this module for more information and how to configure it.
```
[student@serverc ~]$ man pam_faildelay
...output omitted...
```
  When a user enters an incorrect password, pam_faildelay introduces a delay between retries. This helps protect against brute-force attacks on passwords.
  The pam_faildelay module man page describes two ways to modify the delay:
  - You can edit the /etc/pam.d/password-auth file to add the delay parameter to the pam_faildelay module.
  - You can specify a value for the FAIL_DELAY variable in the /etc/login.defs file.
2. Before changing this parameter, log in to localhost as student but provide an incorrect password. Measure the delay between retries.
```
[student@serverc ~]$ ssh student@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:BMdnasLF5CBGg42Dx77nuXodXdI9dKoEBQGFK5O0HRI.
ECDSA key fingerprint is MD5:9e:a8:ec:0c:86:d2:70:34:ef:5a:94:15:6d:48:73:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
student@localhost's password: mywrongpassword
Permission denied, please try again.
student@localhost's password: mywrongpassword
Permission denied, please try again.
student@localhost's password: mywrongpassword
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```
  You should notice a 3-second delay between password retries.
3. Set the retry delay to 10 seconds. Modifying the /etc/pam.d/password-auth PAM configuration file requires extra care. Red Hat recommends that you use the second method, which consists of specifying a value for the FAIL_DELAY variable in /etc/login.defs.
  Edit the /etc/login.defs file and set the FAIL_DELAY variable to 10. Use student as the password for the sudo command.
```
[student@serverc ~]$ sudo vim /etc/login.defs
[sudo] password for student: student
...output omitted...
FAIL_DELAY 10
```
4. Try again to log in to localhost as student, again using an incorrect password. This time the delay between password retries is 10 seconds.
```
[student@serverc ~]$ ssh student@localhost
student@localhost's password: mywrongpassword
Permission denied, please try again.
student@localhost's password: mywrongpassword
Permission denied, please try again.
student@localhost's password: mywrongpassword
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```
Install Cockpit and verify that the package installs the PAM configuration file for the new software.
Note
Cockpit is a web interface for administering, monitoring, and configuring your Red Hat Enterprise Linux systems. You are not going to use this tool here; you only install Cockpit in this exercise to demonstrate that packages for PAM-enabled applications often provide the associated PAM configuration files.
1. Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverc ~]$ sudo -i
[sudo] password for student: student
[root@serverc ~]# 
```
2. Install the cockpit package and start the service.
```
[root@serverc ~]# yum install cockpit
...output omitted...
Is this ok [y/d/N]: y
...output omitted...
Complete!
[root@serverc ~]# systemctl enable cockpit --now
[root@serverc ~]# 
```
3. The Cockpit web interface listens on port 9090. Open the firewall.
```
[root@serverc ~]# firewall-cmd --add-service cockpit
success
[root@serverc ~]# firewall-cmd --add-service cockpit --permanent
success
```
4. Display the contents of the /etc/pam.d/cockpit file and confirm that it is part of the Cockpit packages.
```
[root@serverc ~]# cat /etc/pam.d/cockpit
#%PAM-1.0
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
auth       optional     pam_ssh_add.so
account    required     pam_nologin.so
account    required     pam_shells.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    optional     pam_ssh_add.so
session    include      password-auth
session    include      postlogin
[root@serverc ~]# yum provides /etc/pam.d/cockpit
...output omitted...
cockpit-ws-154-3.el7.x86_64 : Cockpit Web Service
Repo        : rhel--server-dvd
Matched from:
Filename    : /etc/pam.d/cockpit
...output omitted...
```
5. In the same way that the sshd PAM configuration file includes the password-auth file, the /etc/pam.d/cockpit file also includes that file. Therefore, the delay between failed logins you previously configured should also apply to Cockpit.
  To confirm that delay, start Firefox on workstation and browse to the Cockpit web interface at https://serverc:9090/. Accept the self-signed certificate on the "Insecure Connection" page.
  On the Cockpit login page, enter student for the User name and an incorrect password in the Password field. Click Log In. After 10 seconds, the login page displays an error message and prompts the user to enter the password again.

Cleanup

On workstation, run the lab pam-auditing cleanup script to clean up this exercise.

[student@workstation ~]$ lab pam-auditing cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c

Red Hat Security: Linux in Physical, Virtual, and Cloud

This course is now legacy content

Guided Exercise: Auditing the PAM Configuration

Note