Guided Exercise: Modifying the PAM Configuration

In this exercise, you will make changes to PAM configuration files manually and with system utilities, and explore the effects this has on the system.

Outcomes

You should be able to:

  • Back up the PAM configuration.

  • Make changes to PAM, ensuring that a root shell is open at all times to recover from errors.

  • Manually add and configure a PAM module to the configuration.

  • Explore when PAM configuration changes take effect.

  • Make a second change with authconfig and show what effect that has on the manual changes.

  • Restore the original PAM configuration.

Confirm that the workstation and serverc machines are started.

Log in to workstation as student using student as the password. On workstation, run lab pam-modify setup to verify that the environment is ready. This script also creates the operator1 and developer1 users, and the operators group.

[student@workstation ~]$ lab pam-modify setup

  1. Before modifying your PAM configuration, open an extra root shell on serverc to recover from errors. Back up the PAM files.

    1. Open a new terminal on workstation and log in to serverc as student. No password is required.

      [student@workstation ~]$ ssh student@serverc
      [student@serverc ~]$ 
    2. Use the sudo -i command to switch identity to the root user. Use student as the password.

      [student@serverc ~]$ sudo -i
      [sudo] password for student: student
      [root@serverc ~]# 

      Leave this terminal open at all times to recover from potential errors.

    3. From another terminal, log in to serverc as student. No password is required.

      [student@workstation ~]$ ssh student@serverc
      [student@serverc ~]$ 
    4. Use the sudo -i command to switch identity to the root user. Use student as the password.

      [student@serverc ~]$ sudo -i
      [sudo] password for student: student
      [root@serverc ~]# 
    5. Use the authconfig --savebackup=/root/authconfigbackup command to back up the PAM configuration into the /root/authconfigbackup/ directory.

      [root@serverc ~]# authconfig --savebackup=/root/authconfigbackup
      [root@serverc ~]# 
  2. Configure the pam_time module so that users can only log in using SSH or the console between 6 p.m. and 11 p.m. on any given day. This restriction does not apply to root and student; they must be able to log in at any time.

    The authconfig command cannot configure the pam_time module. Therefore, you need to perform this configuration manually.

    1. You need to add the rule for the pam_time module to the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, because most PAM-enabled applications include those files, in particular sshd and login (for console access). If you modify these files directly, however, a subsequent call to authconfig may overwrite them.

      Confirm that /etc/pam.d/system-auth and /etc/pam.d/password-auth are links to the /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac files.

      [root@serverc ~]# ls -l /etc/pam.d/system-auth
      lrwxrwxrwx. 1 root root 14 Mar 22 15:11 /etc/pam.d/system-auth -> system-auth-ac
      [root@serverc ~]# ls -l /etc/pam.d/password-auth
      lrwxrwxrwx. 1 root root 16 Mar 22 15:11 /etc/pam.d/password-auth -> password-auth-ac

      These two *-ac files (ac for AuthConfig) are in fact the ones updated by the authconfig command.

    2. Copy the system-auth-ac and password-auth-ac files to system-auth-local and password-auth-local. These two local files will contain your modifications.

      [root@serverc ~]# cd /etc/pam.d
      [root@serverc pam.d]# cp system-auth-ac system-auth-local
      [root@serverc pam.d]# cp password-auth-ac password-auth-local
    3. Recreate the links to point to your new local files.

      [root@serverc pam.d]# rm system-auth password-auth
      rm: remove symbolic link ‘system-auth’? y
      rm: remove symbolic link ‘password-auth’? y
      [root@serverc pam.d]# ln -s system-auth-local system-auth
      [root@serverc pam.d]# ln -s password-auth-local password-auth
      [root@serverc pam.d]# ls -l system-auth password-auth
      lrwxrwxrwx. 1 root root 19 Jul 12 10:25 password-auth -> password-auth-local
      lrwxrwxrwx. 1 root root 17 Jul 12 10:25 system-auth -> system-auth-local

      You are now ready to add a new rule for the pam_time module.

    4. Review the manual page for the pam_time module.

      [root@serverc pam.d]# man pam_time
      ...output omitted...

      This module is only valid for the account management group.

    5. Edit your system-auth-local and password-auth-local files and add the new rule before the other account rules.

      [root@serverc pam.d]# vim system-auth-local
      ...output omitted...
      auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
      auth        required      pam_deny.so
      
      account     required      pam_time.so
      account     required      pam_unix.so
      account     sufficient    pam_localuser.so
      ...output omitted...
      [root@serverc pam.d]# vim password-auth-local
      ...output omitted...
      auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
      auth        required      pam_deny.so
      
      account     required      pam_time.so
      account     required      pam_unix.so
      account     sufficient    pam_localuser.so
      ...output omitted...
    6. Edit the /etc/security/time.conf configuration file to set the time restriction. Add the following line at the end to allow access between 6 p.m. and 11 p.m. This restriction does not apply to root and student. Times in this file are written in 24-hour format.

      [root@serverc pam.d]# vim /etc/security/time.conf
      ...output omitted...
      sshd|login;*;!root&student;Al1800-2300

      Consult the time.conf(5) manual page if you need more details.

    7. Try to log in to localhost as operator1 using redhat as the password. This should fail.

      [root@serverc pam.d]# ssh operator1@localhost
      The authenticity of host 'localhost (::1)' can't be established.
      ECDSA key fingerprint is SHA256:BMdnasLF5CBGg42Dx77nuXodXdI9dKoEBQGFK5O0HRI.
      ECDSA key fingerprint is MD5:9e:a8:ec:0c:86:d2:70:34:ef:5a:94:15:6d:48:73:db.
      Are you sure you want to continue connecting (yes/no)? yes
      operator1@localhost's password: redhat
      Authentication failed.
      [root@serverc pam.d]# 

      If you are able to log in as operator1, use the date command to verify the system time and review the /etc/security/time.conf file. You might need to adjust the time range in that file to trigger the rule.

      Try to log in to localhost as student using student as the password. This should succeed. Log out when done.

      [root@serverc pam.d]# ssh student@localhost
      student@localhost's password: student
      [student@serverc ~]$ logout
      [root@serverc pam.d]# 
    8. Comment out or remove the line you added to the /etc/security/time.conf file. Otherwise, the remainder of this exercise may not work as expected.

      [root@serverc pam.d]# vim /etc/security/time.conf
      ...output omitted...
      # sshd|login;*;!root&student;Al1800-2300
  3. Switch your PAM configuration from the legacy authentication methods to SSSD.

    1. Install SSSD and use the authconfig --enablesssdauth --update command to enable SSSD for authentication.

      [root@serverc pam.d]# yum install sssd
      ...output omitted...
      Is this ok [y/d/N]: y
      ...output omitted...
      Complete!
      [root@serverc pam.d]# authconfig  --enablesssdauth --update
      [root@serverc pam.d]# 
    2. Because you have redirected the system-auth and password-auth links to your custom files, system-auth-local and password-auth-local, instead of the default system-auth-ac and password-auth-ac files, the update you have just made has no effect on the active configuration. Remember that authconfig only modifies the *-ac files.

      Confirm that authconfig has added the rules for pam_sss to the system-auth-ac and password-auth-ac files but not to your custom system-auth-local and password-auth-local files.

      [root@serverc pam.d]# grep pam_sss.so system-auth-ac password-auth-ac
      system-auth-ac:auth        sufficient    pam_sss.so forward_pass
      system-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      system-auth-ac:password    sufficient    pam_sss.so use_authtok
      system-auth-ac:session     optional      pam_sss.so
      password-auth-ac:auth        sufficient    pam_sss.so forward_pass
      password-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      password-auth-ac:password    sufficient    pam_sss.so use_authtok
      password-auth-ac:session     optional      pam_sss.so
      [root@serverc pam.d]# grep pam_sss.so \
      > system-auth-local password-auth-local
      [root@serverc pam.d]# 
    3. In this exercise, because you want to manually modify the PAM configuration but also keep using the authconfig command, you need to include the *-ac files in your *-local files.

      Edit the system-auth-local file, only keep your custom rules, and include the system-auth-ac file. Your file should look similar to the following:

      [root@serverc pam.d]# vim system-auth-local
      auth     include   system-auth-ac
      
      account  required  pam_time.so
      account  include   system-auth-ac
      
      password include   system-auth-ac
      
      session  include   system-auth-ac

      In the same way, edit your password-auth-local file. It should look similar to the following:

      [root@serverc pam.d]# vim password-auth-local
      auth     include   password-auth-ac
      
      account  required  pam_time.so
      account  include   password-auth-ac
      
      password include   password-auth-ac
      
      session  include   password-auth-ac

      Use the *-local files for your manual modifications. authconfig uses the *-ac files for its own modifications.
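The following shell functions are an added example, not part of the course material: they reproduce the *-local overlay built in steps 2 and 3 (link redirected to NAME-local, every management group including the authconfig-owned NAME-ac file, the pam_time rule ahead of the included account rules) in a scratch directory, and check that layout so a misplaced rule or a link still pointing at NAME-ac is caught before authconfig is run again. The function names are hypothetical, and the demo operates on a constructed temporary directory, not on /etc/pam.d.

```shell
# Write NAME-local in the layout from step 3.3 and point the NAME symlink at it.
# Re-running leaves an existing NAME-local untouched, so later authconfig runs
# only ever change NAME-ac. (Hypothetical helper, added for illustration.)
pam_overlay_install() {
    local dir=$1 name=$2 local_file="$2-local" ac_file="$2-ac"
    [ -f "$dir/$ac_file" ] || { echo "missing $dir/$ac_file" >&2; return 1; }
    if [ ! -f "$dir/$local_file" ]; then
        printf '%s\n' \
            "auth     include   $ac_file" "" \
            "account  required  pam_time.so" \
            "account  include   $ac_file" "" \
            "password include   $ac_file" "" \
            "session  include   $ac_file" > "$dir/$local_file"
    fi
    ln -sfn "$local_file" "$dir/$name"
}

# Check the layout: the link must resolve to NAME-local, NAME-ac must exist, and
# NAME-local must carry the pam_time account rule before 'account include NAME-ac'
# (a rule placed after the include would run after the -ac account rules).
pam_overlay_check() {
    local dir=$1 name=$2
    [ "$(readlink "$dir/$name")" = "$name-local" ] || return 1
    [ -f "$dir/$name-ac" ] || return 1
    awk -v ac="$name-ac" '
        $1 == "account" && $3 == "pam_time.so" { seen = 1 }
        $1 == "account" && $2 == "include" && $3 == ac { found = 1; ok = seen; exit }
        END { exit !(found && ok) }' "$dir/$name-local"
}

# Constructed demo: a fake pam.d holding a one-line stand-in for system-auth-ac,
# linked the way authconfig leaves it (system-auth -> system-auth-ac).
demo_dir=$(mktemp -d)
printf 'account     required      pam_unix.so\n' > "$demo_dir/system-auth-ac"
ln -s system-auth-ac "$demo_dir/system-auth"
pam_overlay_install "$demo_dir" system-auth
pam_overlay_check "$demo_dir" system-auth &&
    echo "system-auth -> $(readlink "$demo_dir/system-auth"): overlay layout OK"
rm -rf "$demo_dir"
```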

  4. Restrict access to your system as follows:

    • Members of the operators group can only log in if they attempt access from workstation (172.25.250.254).

    • The root and student users can log in from anywhere.

    • Other users are not allowed to log in.

    Use the authconfig command to enable the pam_access module and configure the /etc/security/access.conf file.

    1. Locate the authconfig option that enables pam_access.

      [root@serverc pam.d]# authconfig --help | grep access
          --enablepamaccess       check access.conf during account authorization
          --disablepamaccess      do not check access.conf during account authorization
    2. Enable the pam_access module and verify your work.

      [root@serverc pam.d]# authconfig --enablepamaccess --update
      [root@serverc pam.d]# grep pam_access.so \
      > system-auth-ac password-auth-ac
      system-auth-ac:account     required      pam_access.so
      password-auth-ac:account     required      pam_access.so
    3. Edit the /etc/security/access.conf configuration file to apply the restrictions.

      [root@serverc pam.d]# vim /etc/security/access.conf
      ...output omitted...
      +:root student: ALL
      +:(operators):172.25.250.254
      -:ALL:ALL
    4. Verify your configuration by trying to log in from workstation to serverc as developer1 using redhat as the password. This should fail because the developer1 user does not belong to the operators group.

      [root@serverc pam.d]# logout
      [student@serverc ~]$ logout
      [student@workstation ~]$ ssh developer1@serverc
      Authentication failed.
      [student@workstation ~]$ 

      Try to log in as operator1. If prompted, use redhat as the password. The connection succeeds because operator1 is a member of the operators group and the connection is originating from workstation. Log out and log in again as student when done.

      [student@workstation ~]$ ssh operator1@serverc
      Last failed login: Wed Jul 18 07:08:29 EDT 2018 from localhost on ssh:notty
      There was 1 failed login attempt since the last successful login.
      [operator1@serverc ~]$ logout
      [student@workstation ~]$ ssh student@serverc
      Last login: Wed Jul 18 07:08:48 2018 from localhost
      [student@serverc ~]$ 
    5. Review the log of the sshd daemon and locate the denied access.

      [student@serverc ~]$ journalctl -u sshd
      ...output omitted...
      Jul 12 13:15:25 serverc.lab.example.com sshd[4136]: pam_access(sshd:account): access denied for user 'developer1' from 'workstation.lab.example.com'
      Jul 12 13:15:25 serverc.lab.example.com sshd[4136]: fatal: Access denied for user developer1 by PAM account configuration [preauth]
      ...output omitted...
  5. Use the authconfig command to restore your PAM configuration.

    1. Use the sudo -i command to switch identity to the root user. Use student as the password.

      [student@serverc ~]$ sudo -i
      [sudo] password for student: student
      [root@serverc ~]# 
    2. Restore the PAM configuration from the /root/authconfigbackup/ directory.

      [root@serverc ~]# authconfig --restorebackup=/root/authconfigbackup
      [root@serverc ~]# 
    3. Review the contents of the /etc/pam.d/ directory.

      [root@serverc ~]# ls -l /etc/pam.d/
      ...output omitted...
      lrwxrwxrwx. 1 root root   19 Jul 12 11:26 password-auth -> password-auth-local
      -rw-r--r--. 1 root root 1033 Jul 12 13:30 password-auth-ac
      -rw-r--r--. 1 root root  178 Jul 12 13:14 password-auth-local
      ...output omitted...
      lrwxrwxrwx. 1 root root   17 Jul 12 11:26 system-auth -> system-auth-local
      -rw-r--r--. 1 root root 1031 Jul 12 13:30 system-auth-ac
      -rw-r--r--. 1 root root  170 Jul 12 12:23 system-auth-local
      ...output omitted...

      Notice that the restore process did not remove the links to your *-local files. It only restored the *-ac files and preserved your custom modifications.

Cleanup

On workstation, run the lab pam-modify cleanup script to clean up this exercise.

[student@workstation ~]$ lab pam-modify cleanup

This concludes the guided exercise.

Revision: rh415-7.5-b847083