RH415 - ch05s09

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

SectionSection 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Lab: Controlling Authentication with PAM

Performance Checklist

In this lab, you will configure system authentication with PAM to use SSSD for authentication, enforce a specified password complexity policy on password changes, and lock user accounts after a specified number of failed logins.

Outcomes

You should be able to:

Configure password quality requirements.
Configure locking of accounts on failed login.
Ensure SSSD-based authentication is configured.

Verify that the workstation and serverd machines are started.

Log in to workstation as student using student as the password. On workstation, run lab pam-review setup to verify that the environment is ready. For your tests, this script also creates the architect1 user with a password of redhat.

[student@workstation ~]$ lab pam-review setup

The PAM configuration is broken on serverd. Users have been complaining that they cannot log in at the console and that the sudo command does not work anymore. They can still access the system through ssh. Fortunately, the root login over ssh is still available because you have not yet finished securing serverd. Diagnose and fix your serverd system.

[student@workstation ~]$ ssh student@serverd
[student@serverd ~]$

Use sudo -i to confirm that the command does not work.

[student@serverd ~]$ sudo -i
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts

Log out from serverd and log in again as root.

[student@serverd ~]$ logout
[student@workstation ~]$ ssh root@serverd
[root@serverd ~]#

Troubleshoot your system by first reviewing the contents of the /etc/pam.d/sudo-i file. This is the PAM configuration file that the sudo -i command uses.

[root@serverd ~]# cd /etc/pam.d
[root@serverd pam.d]# cat sudo-i
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so

The auth management group includes the sudo file.

Review the /etc/pam.d/sudo file.

[root@serverd pam.d]# cat sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

The auth management group includes the system-auth file.

Review the /etc/pam.d/system-auth file.

[root@serverd pam.d]# cat system-auth
[root@serverd pam.d]# ls -l system-auth
lrwxrwxrwx. 1 root root 30 Jul 13 10:09 system-auth -> /etc/pam.d/system-auth-serverd
[root@serverd pam.d]# ls -l /etc/pam.d/system-auth-serverd
-rw-r--r--. 1 root root 0 Jul 13 10:09 /etc/pam.d/system-auth-serverd

The system-auth link points to an empty file. This is the cause of the error.

The easiest way to fix this issue is to recreate the link to the original system-auth-ac file.

[root@serverd pam.d]# rm system-auth
rm: remove symbolic link ‘system-auth’? y
[root@serverd pam.d]# ln -s system-auth-ac system-auth
[root@serverd pam.d]#

Confirm the success of your correction by logging in as student and using the sudo -i command. Use student as the password for sudo.

[root@serverd pam.d]# logout
[student@workstation ~]$ ssh student@serverd
[student@serverd ~]$ sudo -i
[sudo] password for student: student
[root@serverd ~]#

Configure serverd to enforce the password complexity as follows:
- At least one uppercase character
- At least one lowercase character
- At least one numeric character
- A minimum of 15 characters for the password length
Change the password of the architect1 user as a test. The current password is redhat. You can use the following passwords:
- I<3joulutorttu - should not work (1 uppercase, 1 lowercase, 1 digit, but only 14 characters)
- Il0veGulabjamun - should work (1 uppercase, 1 lowercase, 1 digit, and 15 characters)
Confirm that the default PAM configuration already includes a rule that calls the pam_pwquality module.
[root@serverd ~]# cd /etc/pam.d [root@serverd pam.d]# grep pam_pwquality.so system-auth password-auth system-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
Edit the /etc/security/pwquality.conf file. Add the following parameters at the end.
[root@serverd ~]# vim /etc/security/pwquality.conf ...output omitted... minlen = 15 ucredit = -1 lcredit = -1 dcredit = -1 ocredit = 0
The default value of ocredit is 1, so remember to set it to 0. Otherwise, you will be able to enter a 14 character password as long as it contains a special character. The special character gives one credit and reduces the password size by one.
Use the provided passwords to test your configuration on the architect1 user. The current password for architect1 is redhat.
[root@serverd pam.d]# su - architect1 [architect1@serverd ~]$ passwd Changing password for user architect1. Changing password for architect1. (current) UNIX password: redhat New password: I<3joulutorttu BAD PASSWORD: The password is shorter than 15 characters New password: Il0veGulabjamun Retype new password: Il0veGulabjamun passwd: all authentication tokens updated successfully. [architect1@serverd ~]$ logout [root@serverd pam.d]#

To protect your serverd system against user password guessing, configure account locking as follows:

Lock the account after 3 failed login attempts in a 15-minute interval.
The account must stay locked for seven days.
These restrictions also apply to the root account.

To enable and configure the pam_faillock module, use the authconfig command with the --enablefaillock and --faillockargs options.

Remember that the authconfig command updates the system-auth-ac and password-auth-ac files. For PAM to take these files into account, make sure that the system-auth and password-auth links point to these *-ac files. If not, recreate the links.

[root@serverd pam.d]# ls -l system-auth password-auth
lrwxrwxrwx. 1 root root 32 Jul 13 10:09 password-auth -> /etc/pam.d/password-auth-serverd
lrwxrwxrwx. 1 root root 14 Jul 13 10:28 system-auth -> system-auth-ac
[root@serverd pam.d]# rm password-auth
rm: remove symbolic link ‘password-auth’? y
[root@serverd pam.d]# ln -s password-auth-ac password-auth
[root@serverd pam.d]# ls -l system-auth password-auth
lrwxrwxrwx. 1 root root 16 Jul 13 11:26 password-auth -> password-auth-ac
lrwxrwxrwx. 1 root root 14 Jul 13 10:28 system-auth -> system-auth-ac

If you plan to manually modify the PAM configuration it may be better to use custom files and include the *-ac files in those custom files.

Use the authconfig command to enable and configure the pam_faillock module. The fail_interval and unlock_time parameters are in seconds.
- 15 minutes = 15 * 60 = 900 seconds
- 7 days = 7 * 24 hours * 60 minutes * 60 seconds = 604800 seconds
```
[root@serverd pam.d]# authconfig --enablefaillock \
> --faillockargs="even_deny_root deny=3 fail_interval=900 \
> unlock_time=604800" --update
[root@serverd pam.d]# 
```

Confirm that you meet the requirements by trying to log in to localhost as architect1 but using an incorrect password. Use the faillock command to verify that the pam_faillock module has locked the user account.

[root@serverd pam.d]# ssh architect1@localhost
ECDSA key fingerprint is SHA256:BMdnasLF5CBGg42Dx77nuXodXdI9dKoEBQGFK5O0HRI.
ECDSA key fingerprint is MD5:9e:a8:ec:0c:86:d2:70:34:ef:5a:94:15:6d:48:73:db.
Are you sure you want to continue connecting (yes/no)? yes
architect1@localhost's password: wrong1
Permission denied, please try again.
architect1@localhost's password: wrong2
Permission denied, please try again.
architect1@localhost's password: wrong3
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@serverd pam.d]# faillock --user architect1
architect1:
When                Type  Source                                 Valid
2018-07-13 11:58:01 RHOST localhost                                  V
2018-07-13 11:58:04 RHOST localhost                                  V
2018-07-13 11:58:07 RHOST localhost                                  V

Switch your PAM configuration from the legacy authentication methods to SSSD.

Install the SSSD packages.

[root@serverd pam.d]# yum install sssd
...output omitted...
Is this ok [y/d/N]: y
...output omitted...
Complete!

Use the authconfig command to enable SSSD for authentication.

[root@serverd pam.d]# authconfig --enablesssdauth --update
[root@serverd pam.d]#

Confirm that authconfig has added the rules for pam_sss to the system-auth and password-auth files.

[root@serverd pam.d]# grep pam_sss.so system-auth password-auth
system-auth:auth        sufficient    pam_sss.so forward_pass
system-auth:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
system-auth:password    sufficient    pam_sss.so use_authtok
system-auth:session     optional      pam_sss.so
password-auth:auth        sufficient    pam_sss.so forward_pass
password-auth:account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password-auth:password    sufficient    pam_sss.so use_authtok
password-auth:session     optional      pam_sss.so

Evaluation

As the student user on workstation, run the lab pam-review script with the grade argument to confirm success of this exercise. Correct any reported failures and rerun the script until successful.

[student@workstation ~]$ lab pam-review grade

Cleanup

On workstation, run the lab pam-review cleanup command to clean up this exercise.

[student@workstation ~]$ lab pam-review cleanup

This concludes the lab.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-b847083