RH415 - ch08s06

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

SectionSection 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Auditing the SELinux Policy

In this exercise, you will use system tools to examine the system's current SELinux policy, and to interpret whether or not specific SELinux domains used by processes have access to files and ports labeled with specific SELinux types.

Outcomes

You should be able to:

Use policy tools to predict what SELinux domain the process will have when it is run, based on the SELinux type on an executable.
Determine what SELinux types may be accessed by that process and what access is permitted or blocked.
Determine whether or not a particular SELinux domain can transition to unconfined_t, and whether or not unconfined_t can transition to that domain.

Confirm that the workstation and serverc machines are started.

Log in to workstation as student using student as the password. On workstation, run lab selinux-audit setup to verify that the environment is ready. This script also installs httpd on serverc.

[student@workstation ~]$ lab selinux-audit setup

Use the SELinux policy tools to predict the SELinux domain type for the httpd daemon when systemd starts the service.

[student@workstation ~]$ ssh student@serverc
[student@serverc ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverc ~]$ sudo -i
[sudo] password for student: student
[root@serverc ~]# 
```

Install the policycoreutils-devel and setools-console packages to provide the sepolicy and sesearch commands, respectively.

[root@serverc ~]# yum install policycoreutils-devel setools-console
...output omitted...
Is this ok [y/d/N]: y
...output omitted...
Complete!

When using systemctl to start a service, the command forwards the request to the systemd daemon. Use the ps -Z command to retrieve the SELinux domain type of the systemd daemon.
```
[root@serverc ~]# ps -Z -C systemd
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:27 systemd
```
The systemd daemon starts the service by executing the httpd binary file. Use the ls -Z command to retrieve the SELinux context type of the httpd executable.
```
[root@serverc ~]# which httpd
/sbin/httpd
[root@serverc ~]# ls -Z /sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /sbin/httpd
```
Use the sesearch command to retrieve the SELinux domain transition rule for when a daemon of type init_t executes a program of type httpd_exec_t.
```
[root@serverc ~]# sesearch -T -s init_t -t httpd_exec_t
Found 1 semantic te rules:
   type_transition init_t httpd_exec_t : process httpd_t;
```
The SELinux domain type of the resulting process is httpd_t.

Use the sepolicy transition command as another way to list domain transitions.

[root@serverc ~]# sepolicy transition -s init_t -t httpd_t
init_t @ httpd_exec_t --> httpd_t
init_t ... initrc_t @ httpd_exec_t --> httpd_t
init_t ... initrc_t ... vpnc_t ... ifconfig_t ... iptables_t ... insmod_t ... mount_t ... glusterd_t @ httpd_exec_t --> httpd_t
init_t ... initrc_t ... vpnc_t ... ifconfig_t ... iptables_t ... insmod_t ... mount_t ... glusterd_t ... udev_t ... cupsd_config_t ... cupsd_t ... logrotate_t @ httpd_exec_t --> httpd_t
...output omitted...

The sepolicy transition command displays all the transition paths between a source and a target domain. The first line indicates a direct transition by execution of a binary with the httpd_exec_t type. Notice that for the sepolicy transition command, the -t option is the target domain type. For the sesearch command, -t is the SELinux type of the program file.

Confirm your observation by starting the httpd service and getting the domain type of the resulting httpd processes.

[root@serverc ~]# systemctl start httpd
[root@serverc ~]# ps -Z -C httpd
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     1826 ?        00:00:01 httpd
system_u:system_r:httpd_t:s0     1827 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     1828 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     1829 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     1830 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     1831 ?        00:00:00 httpd

Manually start the httpd daemon, without using systemctl. Observe and explain the resulting SELinux domain type.

Stop the httpd service.

[root@serverc ~]# systemctl stop httpd
[root@serverc ~]#

Directly start the httpd daemon, without using systemctl.
```
[root@serverc ~]# httpd
[root@serverc ~]# 
```
Red Hat does not recommend starting services this way. Always use the systemctl command.

Retrieve the SELinux domain type of the httpd daemon.

[root@serverc ~]# ps -Z -C httpd
LABEL                             PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1856 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1857 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1858 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1859 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1860 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1861 ? 00:00:00 httpd

The httpd domain type is unconfined_t.

The source domain that started the httpd daemon is your Bash shell. Retrieve the SELinux type of your shell.

[root@serverc ~]# ps -Z $$
LABEL                             PID TTY      STAT   TIME COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1735 pts/0 S   0:00 -bash

$$ is the PID of the current process.

Use the sesearch command to look for a domain transition rule from the unconfined_t source type to the unconfined_t domain type when executing a program with the httpd_exec_t type.
```
[root@serverc ~]# sesearch -T -s unconfined_t -t httpd_exec_t

[root@serverc ~]# 
```
There is no such rule. Therefore, the daemon resulting from the execution of /sbin/httpd inherits the domain type of the program that launches the command; your shell is this example.

Clean up by killing the httpd processes and restarting the service with systemctl.

[root@serverc ~]# pkill httpd
[root@serverc ~]# systemctl start httpd
[root@serverc ~]#

Create a test HTML page, and locate the rule that allows the httpd daemon to read that file.

Create the test page, index.html, in the httpd DocumentRoot directory, /var/www/html/. Use curl to confirm that you can access the new page.

[root@serverc ~]# cd /var/www/html
[root@serverc html]# echo "Hello World" > ./index.html
[root@serverc html]# curl http://localhost/index.html
Hello World

Retrieve the SELinux domain type of the httpd daemon, and the type of the index.html file.

[root@serverc html]# ps -Z -C httpd
LABEL                             PID TTY          TIME CMD
system_u:system_r:httpd_t:s0     1952 ?        00:00:02 httpd
system_u:system_r:httpd_t:s0     1953 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     1954 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     1955 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     1956 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     1957 ?        00:00:00 httpd
[root@serverc html]# ls -Z ./index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 ./index.html

Use the sesearch command to retrieve the rule that allows the httpd_t domain type to read files with the httpd_sys_content_t type.

[root@serverc html]# sesearch -A -s httpd_t -t httpd_sys_content_t \
> -c file
Found 5 semantic av rules:
   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
   allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow httpd_t httpdcontent : file { read getattr execute open } ;
   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;

Locate the rule that allows the httpd daemon to execute CGI scripts in the /var/www/cgi-bin/ directory.

Retrieve the SELinux context type of the /var/www/cgi-bin/ directory.

[root@serverc html]# ls -Zd /var/www/cgi-bin/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/

CGI scripts in this directory also inherit that context.

Use the sesearch command to retrieve the rule that allows the httpd_t domain type to execute files with the httpd_sys_script_exec_t type.

[root@serverc html]# sesearch -A -s httpd_t \
> -t httpd_sys_script_exec_t -c file
Found 4 semantic av rules:
   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_script_exec_type : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_sys_script_exec_t : file { read getattr execute open } ;
   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;

The previous rule depends on the httpd_enable_cgi Boolean. Run the sesearch command again, but add the -C option to display the Booleans associated with each rule.

[root@serverc html]# sesearch -A -s httpd_t \
> -t httpd_sys_script_exec_t -c file -C
Found 4 semantic av rules:
   allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ;
   allow httpd_t httpd_script_exec_type : file { ioctl read getattr lock open } ;
ET allow httpd_t httpd_sys_script_exec_t : file { read getattr execute open } ; [ httpd_enable_cgi ]
ET allow httpd_t httpd_content_type : file { ioctl read getattr lock open } ; [ httpd_builtin_scripting ]

The httpd_enable_cgi Boolean is currently on (E), therefore the rule applies.

Locate the rule that allows the httpd daemon to bind to TCP port 80.

Use the semanage port command to retrieve the SELinux type associated with TCP port 80.

[root@serverc html]# semanage port -l | grep 80
...output omitted...
http_port_t           tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
...output omitted...

Use the sesearch command to get the rule that allows the httpd_t domain type to bind to the ports with the http_port_t type.

[root@serverc html]# sesearch -A -s httpd_t -t http_port_t
Found 11 semantic av rules:
   allow httpd_t http_port_t : tcp_socket name_bind ;
...output omitted...

Cleanup

On workstation, run the lab selinux-audit cleanup script to clean up this exercise.

[student@workstation ~]$ lab selinux-audit cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c