RH415 - ch09s02

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

SectionSection 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Installing OpenSCAP

In this exercise, you will install OpenSCAP tools and the SCAP Security Guide on a server and examine the files they provide.

Outcomes

You should be able to install OpenSCAP tools and the SCAP Security Guide on a server.

Confirm that the workstation and serverc machines are started.

Log in to workstation as student using student as the password. On workstation, run lab oscap-install setup to verify that the environment is ready.

[student@workstation ~]$ lab oscap-install setup

On serverc, install the oscap command-line tool and the SCAP Security Guide.
1. Log in to serverc as student. No password is required.
```
[student@workstation ~]$ ssh student@serverc
[student@serverc ~]$ 
```
2. Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverc ~]$ sudo -i
[sudo] password for student: student
[root@serverc ~]# 
```
3. The openscap-scanner package provides the oscap command-line utility. Install that package.
```
[root@serverc ~]# yum install openscap-scanner
...output omitted...
Is this ok [y/d/N]: y
...output omitted...
Complete!
```
4. Run the oscap -V command to confirm that the tool is now available.
```
[root@serverc ~]# oscap -V
OpenSCAP command line tool (oscap) 1.2.16
Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.
...output omitted...
```
5. The oscap command needs some security content to work. Install the scap-security-guide package, which provides the SCAP Security Guide. This SCAP Security Guide contains some standard security policies for Linux systems.
```
[root@serverc ~]# yum install scap-security-guide
...output omitted...
Is this ok [y/d/N]: y
...output omitted...
Complete!
```

Review the available profiles in the SCAP Security Guide.

The scap-security-guide package installs the scap-security-guide(8) manual page. In this manual page, review the Red Hat Enterprise Linux 7 PROFILES section which lists and describes the available profiles.
```
[root@serverc ~]# man scap-security-guide
```

Another way to list the available profiles is to directly review the XCCDF XML files. The scap-security-guide package deploys those files to the /usr/share/xml/scap/ssg/content/ directory. In that directory, extract the profile list from the ssg-rhel7-ds.xml file.

[root@serverc ~]# grep '<Profile' \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
      <Profile id="xccdf_org.ssgproject.content_profile_standard">
      <Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
      <Profile id="xccdf_org.ssgproject.content_profile_C2S">
      <Profile id="xccdf_org.ssgproject.content_profile_rht-ccp">
      <Profile id="xccdf_org.ssgproject.content_profile_common">
      <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-disa">
      <Profile id="xccdf_org.ssgproject.content_profile_stig-rhevh-upstream">
      <Profile id="xccdf_org.ssgproject.content_profile_ospp-rhel7">
      <Profile id="xccdf_org.ssgproject.content_profile_cjis-rhel7-server">
      <Profile id="xccdf_org.ssgproject.content_profile_docker-host">
      <Profile id="xccdf_org.ssgproject.content_profile_nist-800-171-cui">

The id attribute provides a unique identifier for each profile. You use this identifier with the oscap command to indicate the profile to use during a system scan.

The oscap info command can also parse this XML file and display the profiles.

[root@serverc ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Document type: Source Data Stream
Imported: 2018-01-08T08:03:07

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
		Status: draft
		Generated: 2018-01-08
		Resolved: true
		Profiles:
			Title: Standard System Security Profile
				Id: xccdf_org.ssgproject.content_profile_standard
			Title: PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: C2S for Red Hat Enterprise Linux 7
				Id: xccdf_org.ssgproject.content_profile_C2S
			Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
				Id: xccdf_org.ssgproject.content_profile_rht-ccp
			Title: Common Profile for General-Purpose Systems
				Id: xccdf_org.ssgproject.content_profile_common
			Title: DISA STIG for Red Hat Enterprise Linux 7
				Id: xccdf_org.ssgproject.content_profile_stig-rhel7-disa
			Title: STIG for Red Hat Virtualization Hypervisor
				Id: xccdf_org.ssgproject.content_profile_stig-rhevh-upstream
			Title: United States Government Configuration Baseline (USGCB / STIG) - DRAFT
				Id: xccdf_org.ssgproject.content_profile_ospp-rhel7
			Title: Criminal Justice Information Services (CJIS) Security Policy
				Id: xccdf_org.ssgproject.content_profile_cjis-rhel7-server
			Title: Standard Docker Host Security Profile
				Id: xccdf_org.ssgproject.content_profile_docker-host
			Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
				Id: xccdf_org.ssgproject.content_profile_nist-800-171-cui
...output omitted...

Generate the HTML security guide for the Standard System Security profile (xccdf_org.ssgproject.content_profile_standard) and review the security rules included in that profile.
1. One way to retrieve the rules associated with a profile is to consult the XCCDF XML file, /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml. The oscap command can, however, generate a more palatable HTML version of the security guide for a specific profile.
  Use the oscap xccdf generate guide command to generate the HTML security guide for the Standard System Security profile.
```
[root@serverc ~]# oscap xccdf generate guide \
> --profile xccdf_org.ssgproject.content_profile_standard \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml > guide.html
[root@serverc ~]# 
```
2. Use scp to copy the guide.html file to workstation so you can use Firefox to display it. Use student as the password.
```
[root@serverc ~]# scp guide.html student@workstation:
The authenticity of host 'workstation (172.25.250.254)' can't be established.
ECDSA key fingerprint is SHA256:GCpIQxItJSWgZDzlmpnZINbwsjf9axrs+o6170OyOuk.
ECDSA key fingerprint is MD5:2b:98:e1:85:8b:c7:ea:31:72:08:4d:39:15:ec:5d:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'workstation,172.25.250.254' (ECDSA) to the list of known hosts.
student@workstation's password: student
guide.html                                     100%  311KB  18.6MB/s   00:00
```
3. Log off from serverc.
```
[root@serverc ~]# logout
[student@serverc ~]$ logout
[student@workstation ~]$ 
```
4. Use Firefox to display the guide.html file. Browse through the page and review some of the rules. Close Firefox when you are done.
```
[student@workstation ~]$ firefox guide.html
```
  Navigate to Table of Contents → System Settings. Click the Installing and Maintaining Software link to review the Updating Software group information and Ensure Red Hat GPG Key Installed rule details.
On workstation, use the SCAP Workbench graphical utility to review the Standard System Security profile from the SCAP Security Guide.
1. The classroom setup has already installed the scap-workbench and the scap-security-guide packages on workstation. You can use the scap-workbench command to start the SCAP Workbench.
```
[student@workstation ~]$ scap-workbench
```
  The SCAP Workbench detects that the SCAP Security Guide is already installed on the system and asks you to select the content to use.
  In the Select content to load field, select RHEL7 and click Load Content.
2. Locate the Profile field and select Standard System Security Profile. The lower part of the window displays the rules associated with that profile. Review the rules but do not initiate a scan at this time. Close the SCAP Workbench when you are done exploring.

Cleanup

On workstation, run the lab oscap-install cleanup script to clean up this exercise.

[student@workstation ~]$ lab oscap-install cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c