
Remediating OpenSCAP Issues with Ansible

Objectives

After completing this section, students should be able to run Ansible Playbooks, provided with the SCAP Security Guide's content, to remediate compliance checks that failed an OpenSCAP scan.

Generating a Remediation Ansible Playbook

The XCCDF files in the SCAP Security Guide include remediation scripts to fix the noncompliant checks. These scripts might take the form of shell scripts, Ansible snippets, Puppet snippets, or even Kickstart commands. Some rules provide multiple remediation scripts in different formats. For example, the rule that verifies if AIDE is installed provides a remediation shell script, but also an Ansible snippet, a Puppet snippet, and a Kickstart command. Some rules only provide one remediation method, and others do not provide remediation scripts at all.

Note

Remediation coverage is generally better for shell scripts and Ansible snippets.

With the oscap command, you can generate an Ansible Playbook from a SCAP Security Guide profile, or from a scan result XML file.

Creating an Ansible Playbook for a Profile

From a SCAP Security Guide profile, the oscap xccdf generate fix command can generate an Ansible Playbook that includes a remediation task for every rule in the profile that has an Ansible snippet.

[user@demo ~]$ oscap xccdf generate fix \
> --profile xccdf_org.ssgproject.content_profile_pci-dss \
> --fix-type ansible \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml > pci-dss.yml
 

You can include this Ansible Playbook in a more global Ansible infrastructure; for example, as a postinstallation step. Because Ansible Playbooks are idempotent, you can regularly run the playbook on your systems to keep them compliant; there is no impact on the already compliant items.

Remember that some SCAP rules do not have Ansible remediation snippets. For those rules, you may have to develop your own playbook tasks for remediation.

You should also remember that many profiles are meant as catalogs, not checklists, and not every remediation item may make sense in your environment. If you are going to generate a playbook from a profile, consider using one that has been tailored for your environment.

Creating an Ansible Playbook from a Result XML File

After scanning a system for compliance, the oscap xccdf generate fix command can create an Ansible Playbook from the XML result file to fix the noncompliant checks.

In the following example, the first oscap command scans the local system, and then the second generates the Ansible Playbook for remediation.

[root@demo ~]# oscap xccdf eval \
> --profile xccdf_org.ssgproject.content_profile_pci-dss \
> --results /root/results.xml \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
...output omitted...

[root@demo ~]# oscap xccdf generate fix \
> --profile xccdf_org.ssgproject.content_profile_pci-dss \
> --fix-type ansible \
> --result-id "" \
> /root/results.xml > remediation-playbook.yml
 

The generated Ansible Playbook is only relevant for the scanned system because it only includes the tasks to remediate the failed checks.

Adjusting Variables in the Remediation Ansible Playbook

You can edit the Ansible Playbook that the oscap xccdf generate fix command creates. In particular, the playbook exposes as variables some of the parameters associated with rules in the SCAP Security Guide profiles.

The following extract shows variables defined in a remediation Ansible Playbook.

...output omitted...
- hosts: all
  vars:
     var_accounts_maximum_age_login_defs: 90
     var_account_disable_post_pw_expiration: 90
     var_password_pam_dcredit: -1
     var_password_pam_minlen: 7
     var_password_pam_ucredit: -1
     var_password_pam_lcredit: -1
     var_auditd_space_left_action: email
     var_auditd_admin_space_left_action: single
     sshd_idle_timeout_value: 900
...output omitted...
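Before running a generated playbook at scale, it is worth comparing the exposed variable values with your own password, account and audit baseline, because the values that the SCAP Security Guide profile sets are the profile's values, not necessarily yours. The following Python script is an added example, not code from this page or from the SCAP Security Guide project: it reads the vars: block of a generated playbook, reports values that fall outside a baseline, and rewrites those lines. The playbook text is the extract shown above, and the baseline thresholds, the function names and the assumption that each variable is a single-line scalar are constructed for this illustration.

```python
import re

# Constructed extract of a generated remediation playbook; the values are the
# ones shown in the page's example output.
PLAYBOOK_VARS = """\
- hosts: all
  vars:
     var_accounts_maximum_age_login_defs: 90
     var_account_disable_post_pw_expiration: 90
     var_password_pam_dcredit: -1
     var_password_pam_minlen: 7
     var_password_pam_ucredit: -1
     var_password_pam_lcredit: -1
     var_auditd_space_left_action: email
     var_auditd_admin_space_left_action: single
     sshd_idle_timeout_value: 900
  tasks:
"""

# Constructed organizational baseline (hypothetical thresholds): name -> (predicate, requirement).
BASELINE = {
    "var_password_pam_minlen": (lambda v: int(v) >= 12, "at least 12 characters"),
    "var_accounts_maximum_age_login_defs": (lambda v: int(v) <= 60, "at most 60 days"),
    "sshd_idle_timeout_value": (lambda v: int(v) <= 600, "at most 600 seconds"),
    "var_auditd_admin_space_left_action": (lambda v: v in ("single", "halt"), "single or halt"),
}

# Matches an indented "name: value" line; assumption: every variable is a scalar on one line.
VAR_LINE = re.compile(r"^(\s+)([A-Za-z_][A-Za-z0-9_]*):\s*(\S.*)$")


def parse_vars(playbook_text):
    """Return the scalar variables under the play's 'vars:' key as a dict of strings."""
    found = {}
    in_vars = False
    vars_indent = None
    for line in playbook_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "vars:":
            in_vars, vars_indent = True, indent
            continue
        if in_vars:
            if indent <= vars_indent:  # back at "tasks:" or the next play: the block is over
                in_vars = False
                continue
            m = VAR_LINE.match(line)
            if m:
                found[m.group(2)] = m.group(3).strip().strip("'\"")
    return found


def check_vars(playbook_vars, baseline):
    """Return (name, value, requirement) for every variable missing or outside the baseline."""
    findings = []
    for name, (meets, requirement) in baseline.items():
        if name not in playbook_vars:
            findings.append((name, None, requirement))
        elif not meets(playbook_vars[name]):
            findings.append((name, playbook_vars[name], requirement))
    return findings


def apply_overrides(playbook_text, overrides):
    """Rewrite the value of each variable named in overrides; leave every other line alone."""
    out = []
    for line in playbook_text.splitlines():
        m = VAR_LINE.match(line)
        if m and m.group(2) in overrides:
            line = f"{m.group(1)}{m.group(2)}: {overrides[m.group(2)]}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    current = parse_vars(PLAYBOOK_VARS)
    for name, value, requirement in check_vars(current, BASELINE):
        print(f"{name} = {value!r} does not meet baseline ({requirement})")
    hardened = apply_overrides(PLAYBOOK_VARS, {"var_password_pam_minlen": 12})
    print(hardened)
```

Editing the file is one option; Ansible's own --extra-vars (-e) option, which takes precedence over values defined in the play, is the other way to override these variables without modifying the generated playbook.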

Running a Remediation Ansible Playbook

The oscap xccdf generate fix command creates Ansible Playbooks with the hosts parameter set to all. You can adapt this parameter to specify the targeted group of systems to remediate, or you can create a custom inventory file that lists all these systems.

To specify a custom inventory file, use the -i inventory_file option with the ansible-playbook command.

[user@demo ~]$ ansible-playbook -i ./myinventory pci-dss.yml

Warning

The quality of the remediation snippets can vary depending on the content. You should review and test the playbook carefully before using it on production systems or at scale.

Filtering Tasks

The remediation Ansible Playbooks can be quite large. Some of the tasks inside these playbooks can be disruptive, such as updating the whole system. Other tasks may remediate low severity issues, and you may want to skip them.

The tasks in a remediation Ansible Playbook have tags. Tags are an Ansible feature that lets you run only the tasks that carry a given tag.

The SCAP Security Guide XCCDF files specify particular tags for their Ansible snippets. Rather than running the whole playbook, you can specify one or more tags to filter the tasks to play.

The following playbook extract shows two tasks and their associated tags.

- name: "Security patches are up to date"
  package:
    name: "*"
    state: "latest"
  tags:
    - security_patches_up_to_date
    - high_severity
    - patch_strategy
    - low_complexity
    - high_disruption
    - CCE-26895-3
    - NIST-800-53-SI-2
    - NIST-800-53-SI-2(c)
    - NIST-800-53-MA-1(b)
    - PCI-DSS-Req-6.2
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-020260


- name: disable prelinking
  lineinfile:
    path: /etc/sysconfig/prelink
    regexp: '^PRELINKING='
    line: 'PRELINKING=no'
  tags:
    - disable_prelink
    - low_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - CCE-27078-5
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SC-28
    - NIST-800-53-SI-7
    - NIST-800-171-3.13.11
    - PCI-DSS-Req-11.5
    - CJIS-5.10.1.3

The following command shows how to run only the tasks tagged high_severity from an Ansible Playbook.

[user@demo ~]$ ansible-playbook --tags=high_severity pci-dss.yml

You can also specify multiple tags using a comma-separated list. See the Ansible documentation for more information.
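Because a tag selection such as high_severity can still pull in a task tagged high_disruption, it helps to preview which tasks a given --tags and --skip-tags combination selects before running it. The following Python script is an added example, not code from this page or from the SCAP Security Guide project: it parses the task names and tag lists from a playbook extract and applies the selection rules that ansible-playbook uses (a task runs when any of its tags is selected, or when --tags is omitted, and is dropped when any of its tags is skipped). The playbook text is constructed from the two tasks shown above with a subset of their tags; the function names and the assumption that tags are written as a YAML block list are this example's own.

```python
import re

# Constructed playbook extract: the two tasks from the page with some of their tags.
PLAYBOOK = """\
- hosts: all
  tasks:
  - name: "Security patches are up to date"
    package:
      name: "*"
      state: "latest"
    tags:
      - security_patches_up_to_date
      - high_severity
      - patch_strategy
      - low_complexity
      - high_disruption
      - CCE-26895-3
      - NIST-800-53-SI-2
      - PCI-DSS-Req-6.2

  - name: disable prelinking
    lineinfile:
      path: /etc/sysconfig/prelink
      regexp: '^PRELINKING='
      line: 'PRELINKING=no'
    tags:
      - disable_prelink
      - low_severity
      - restrict_strategy
      - low_complexity
      - low_disruption
      - CCE-27078-5
      - PCI-DSS-Req-11.5
"""

TASK_NAME = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")   # start of a task
TAG_ITEM = re.compile(r"^\s*-\s+(\S+)\s*$")             # one item of a block list


def parse_tasks(text):
    """Return [(task_name, set_of_tags)]; assumes 'tags:' is followed by a YAML block list."""
    tasks = []
    in_tags = False
    for line in text.splitlines():
        m = TASK_NAME.match(line)
        if m:
            tasks.append((m.group(1).strip("'\""), set()))
            in_tags = False
            continue
        if line.strip() == "tags:":
            in_tags = True
            continue
        if in_tags:
            m = TAG_ITEM.match(line)
            if m and tasks:
                tasks[-1][1].add(m.group(1))
            else:
                in_tags = False  # blank line or next key ends the list
    return tasks


def select_tasks(tasks, tags=(), skip_tags=()):
    """Apply --tags / --skip-tags semantics; only the 'all' and 'always' special tags are modelled."""
    want, skip = set(tags), set(skip_tags)
    chosen = []
    for name, task_tags in tasks:
        selected = (not want) or ("all" in want) or bool(want & task_tags) or ("always" in task_tags)
        if selected and not (skip & task_tags):
            chosen.append(name)
    return chosen


def plan(text, tags=(), skip_tags=()):
    """Names of the tasks that would run, plus the subset that is tagged high_disruption."""
    tasks = parse_tasks(text)
    chosen = select_tasks(tasks, tags, skip_tags)
    risky = [n for n, t in tasks if n in chosen and "high_disruption" in t]
    return {"run": chosen, "high_disruption": risky}


if __name__ == "__main__":
    print(plan(PLAYBOOK, tags=["high_severity"]))
    print(plan(PLAYBOOK, tags=["PCI-DSS-Req-6.2", "PCI-DSS-Req-11.5"], skip_tags=["high_disruption"]))
```

Ansible provides the same preview directly: ansible-playbook --list-tasks together with --tags or --skip-tags prints the tasks a selection would run without executing them, and --skip-tags high_disruption is the usual way to leave the disruptive tasks for a maintenance window.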

Applying Profiles During Installation

You can call the OpenSCAP installer add-on from a Kickstart file to evaluate system compliance and automatically remediate deviations during installation. Because the add-on also performs the remediation, your new systems are compliant after installation.

For example, by adding the following lines in your Kickstart file, your new systems will be compliant with the SCAP Security Guide PCI-DSS profile after installation.

%addon org_fedora_oscap
content-type = scap-security-guide
profile = pci-dss
%end

References

For more information, refer to the Using OpenSCAP with Ansible chapter in the Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#sect-Using_OpenSCAP_with_Ansible

For more information, refer to the Kickstart Syntax Reference chapter in the Installation Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/installation_guide/#sect-kickstart-syntax

Revision: rh415-7.5-813735c