RH415 - ch05s08

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

SectionSection 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Limiting Access After Failed Logins

In this exercise, you will implement restrictions that cause accounts to lock automatically after a specified number of failed logins, test the restriction, and use administrative tools to manually unlock locked accounts.

Outcomes

You should be able to:

Modify the pam_faillock configuration to lock accounts after a set number of failed logins.
Test the locking operation.
Manually unlock a locked account.

Verify that the workstation and serverc machines are started.

Log in to workstation as student using student as the password. On workstation, run lab pam-faillock setup to verify that the environment is ready. This script also creates the operator2 user account.

[student@workstation ~]$ lab pam-faillock setup

The system must lock accounts with excessive failed login attempts. You must configure the pam_faillock module to set a limit of five failed attempts in a 15-minute interval. The system must automatically unlock locked accounts after 15 minutes. These restrictions do not apply to the root account.

[student@workstation ~]$ ssh student@serverc
[student@serverc ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverc ~]$ sudo -i
[sudo] password for student: student
[root@serverc ~]# 
```

Confirm that the default PAM configuration does not already include rules for the pam_faillock module.

[root@serverc ~]# cd /etc/pam.d
[root@serverc pam.d]# grep pam_faillock.so system-auth password-auth
[root@serverc pam.d]#

Use the authconfig --help | grep faillock command to retrieve the options related to the pam_faillock module.

[root@serverc pam.d]# authconfig --help | grep faillock
    --enablefaillock        enable account locking in case of too many consecutive authentication failures
    --disablefaillock       disable account locking on too many consecutive authentication failures
  --faillockargs=<options>
                        the pam_faillock module options

The --faillockargs option specifies the restrictions to apply. Review the pam_faillock manual page to get the module parameters to use with --faillockargs.

[root@serverc pam.d]# man pam_faillock
...output omitted...
 deny=n
     Deny access if the number of consecutive authentication failures
     for this user during the recent interval exceeds n. The default is
     3.

 fail_interval=n
     The length of the interval during which the consecutive
     authentication failures must happen for the user account lock out
     is n seconds. The default is 900 (15 minutes).

 unlock_time=n
     The access will be reenabled after n seconds after the lock out.
     The default is 600 (10 minutes).
...output omitted...

The deny parameter defines the number of failed attempts, the fail_interval parameter defines in seconds the time interval for failed attempts, and unlock_time defines the unlock timeout in seconds.

Use the authconfig command to enable and configure the pam_faillock module. Set a limit of five failed attempts in a 15-minute interval. The system must automatically unlock locked accounts after 15 minutes. These restrictions do not apply to the root account.
```
[root@serverc pam.d]# authconfig --enablefaillock \
> --faillockargs="deny=5 fail_interval=900 unlock_time=900" --update
...output omitted...
[root@serverc pam.d]# 
```

Review the rules that the previous authconfig command has added to the PAM configuration.

[root@serverc pam.d]# grep pam_faillock.so system-auth password-auth
system-auth:auth    required  pam_faillock.so preauth silent deny=5 fail_interval=900 unlock_time=900
system-auth:auth    required  pam_faillock.so authfail deny=5 fail_interval=900 unlock_time=900
system-auth:account required  pam_faillock.so
password-auth:auth    required  pam_faillock.so preauth silent deny=5 fail_interval=900 unlock_time=900
password-auth:account required  pam_faillock.so
password-auth:auth    required  pam_faillock.so authfail deny=5 fail_interval=900 unlock_time=900

Verify that you meet the requirements by trying to log in to localhost as operator2 with an incorrect password. You must enter an incorrect password at least five times to lock the account.

Try to log in to localhost as operator2 using an incorrect password.

[root@serverc pam.d]# ssh operator2@localhost
operator2@localhost's password: wrongpass1
Permission denied, please try again.
operator2@localhost's password: wrongpass2
Permission denied, please try again.
operator2@localhost's password: wrongpass3
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@serverc pam.d]# ssh operator2@localhost
operator2@localhost's password: wrongpass4
Permission denied, please try again.
operator2@localhost's password: wrongpass5
Permission denied, please try again.
operator2@localhost's password: wrongpass6
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

To confirm that the account is locked, try to log in to localhost as operator2 but this time use the correct password, redhat.

[root@serverc pam.d]# ssh operator2@localhost
operator2@localhost's password: redhat
Permission denied, please try again.
operator2@localhost's password: redhat
Permission denied, please try again.
operator2@localhost's password: redhat
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Use the faillock --user operator2 command to list the invalid login attempts.

[root@serverc pam.d]# faillock --user operator2
operator2:
When                Type  Source                                 Valid
2018-07-12 18:42:22 RHOST localhost                                  V
2018-07-12 18:42:25 RHOST localhost                                  V
2018-07-12 18:42:29 RHOST localhost                                  V
2018-07-12 18:42:35 RHOST localhost                                  V
2018-07-12 18:42:40 RHOST localhost                                  V

Because you configured pam_faillock to lock accounts after five failed attempts, the operator2 account is now locked.

Unlock the operator2 account and confirm that the user can log in again.

Use the faillock --user operator2 --reset command to unlock the account.

[root@serverc pam.d]# faillock --user operator2 --reset
[root@serverc pam.d]#

Use the faillock --user operator2 command to confirm that the account is unlocked.

[root@serverc pam.d]# faillock --user operator2
operator2:
When                Type  Source                                 Valid

Log in to localhost as operator2 using redhat as the password to verify that the account is unlocked. Log out when done.

[root@serverc pam.d]# ssh operator2@localhost
operator2@localhost's password: redhat
Last failed login: Thu Jul 12 18:52:12 EDT 2018 from localhost on ssh:notty
There were 9 failed login attempts since the last successful login.
Last login: Thu Jul 12 18:42:16 2018 from localhost
[operator2@serverc ~]$ logout
[root@serverc pam.d]#

Disable the pam_faillock module. Log out from serverc when done.

[root@serverc pam.d]# authconfig --disablefaillock --update
[root@serverc pam.d]# logout
[student@serverc ~]$ logout
[student@workstation ~]$

Cleanup

On workstation, run the lab pam-faillock cleanup script to clean up this exercise.

[student@workstation ~]$ lab pam-faillock cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c