RH415 - ch09s09

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

SectionSection 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Lab: Managing Compliance with OpenSCAP

Performance Checklist

In this lab, you will confirm that OpenSCAP tools and SCAP Security Guide content is installed on one of your servers, use SCAP Workbench to create a tailoring file, use OpenSCAP to scan the server with that tailored policy, and use Ansible to remediate a compliance check that failed.

Outcomes

You should be able to:

Install OpenSCAP tools and the SCAP Security Guide.
Create a tailoring file using SCAP Workbench.
Scan the system using the customized policy.
Generate and use an Ansible Playbook to remediate failed compliance checks.

Confirm that the workstation and serverd machines are started.

Log in to workstation as student using student as the password. On workstation, run lab oscap-review setup to verify that the environment is ready.

[student@workstation ~]$ lab oscap-review setup

On workstation, customize the SCAP Security Guide Common Profile for General-Purpose Systems. Set the new profile identifier to xccdf_com.example_profile_lab-rhel7, disable all the rules, and then enable the following rules:
- Disable Prelinking
- Install AIDE
- Build and Test AIDE Database
Store the resulting tailoring file on workstation in /home/student/lab-tailoring.xml.
On workstation, start SCAP Workbench by running the scap-workbench command.
[student@workstation ~]$ scap-workbench
SCAP Workbench detects that the SCAP Security Guide is already installed on the system and asks you to select the content to use.
In the Select content to load field, select RHEL7 and click Load Content.
Locate the Profile field and select Common Profile for General-Purpose Systems.
Click Customize at the right of that field.
In the New Profile ID field, enter xccdf_com.example_profile_lab-rhel7 and click OK.
The new window displays all the available rules.
Click Deselect All and select the following rules in the System and Software Integrity section:
Disable Prelinking
Install AIDE
Build and Test AIDE Database
Click OK.
Save the customization in a tailoring file. Select File → Save Customization Only and enter lab-tailoring.xml for the file name in the /home/student directory.
Close SCAP Workbench.

Scan serverd for compliance with your customization of the Common Profile for General-Purpose Systems. Save the result on workstation in /home/student/lab-results.xml. Generate the HTML report of the scan and store it in /home/student/lab-results.html on workstation.

Copy the lab-tailoring.xml tailoring file to serverd. You need this file to scan the system.

[student@workstation ~]$ scp lab-tailoring.xml student@serverd:
lab-tailoring.xml                             100% 7317   606.7KB/s   00:00

[student@workstation ~]$ ssh student@serverd
[student@serverd ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverd ~]$ sudo -i
[sudo] password for student: student
[root@serverd ~]# 
```

Install the openscap-scanner and the scap-security-guide packages.

[root@serverd ~]# yum install openscap-scanner scap-security-guide
...output omitted...
Is this ok [y/d/N]: y
...output omitted...
Complete!

Scan the system for compliance with your customization. Save the result in the /root/lab-results.xml file.

[root@serverd ~]# oscap xccdf eval \
> --profile xccdf_com.example_profile_lab-rhel7 \
> --tailoring-file /home/student/lab-tailoring.xml \
> --results /root/lab-results.xml \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://learn.spidernet.pl/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Disable Prelinking
Rule    xccdf_org.ssgproject.content_rule_disable_prelink
Ident   CCE-27078-5
Result  pass

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-27096-7
Result  fail

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Ident   CCE-27220-3
Result  fail

When the scan is complete, convert the /root/lab-results.xml file in HTML. Save the HTML report as /root/lab-results.html.
```
[root@serverd ~]# oscap xccdf generate report \
> lab-results.xml > lab-results.html
[root@serverd ~]# 
```

Use scp to copy the two files to workstation. Use student as the password.

[root@serverd ~]# scp lab-results.* student@workstation:
The authenticity of host 'workstation (172.25.250.254)' can't be established.
ECDSA key fingerprint is SHA256:GCpIQxItJSWgZDzlmpnZINbwsjf9axrs+o6170OyOuk.
ECDSA key fingerprint is MD5:2b:98:e1:85:8b:c7:ea:31:72:08:4d:39:15:ec:5d:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'workstation,172.25.250.254' (ECDSA) to the list of known hosts.
student@workstation's password: student
lab-results.html                               100%  266KB   6.9MB/s   00:00
lab-results.xml                                100% 4304KB  10.5MB/s   00:00

Log off from serverd.

[root@serverd ~]# logout
[student@serverd ~]$ logout
[student@workstation ~]$

On workstation, generate the Ansible Playbook to resolve the compliance issues detected in the previous step. Save the Ansible Playbook as /home/student/RH415/labs/oscap-review/fix.yml and run it to resolve the compliance issues on serverd.
The ansible.cfg and the inventory files have already been deployed for you in /home/student/RH415/labs/oscap-review/.
Use the oscap xccdf generate fix command to generate the Ansible Playbook. Save the playbook as /home/student/RH415/labs/oscap-review/fix.yml.
[student@workstation ~]$ oscap xccdf generate fix \ > --profile xccdf_com.example_profile_lab-rhel7 \ > --tailoring-file lab-tailoring.xml \ > --fix-type ansible \ > --result-id "" \ > lab-results.xml > /home/student/RH415/labs/oscap-review/fix.yml [student@workstation ~]$
From the /home/student/RH415/labs/oscap-review/ directory, use the ansible-playbook command to run the playbook. The AIDE database build takes several minutes to complete.
[student@workstation ~]$ cd /home/student/RH415/labs/oscap-review/ [student@workstation oscap-review]$ ansible-playbook fix.yml ...output omitted... PLAY RECAP ******************************************************* serverd.lab.example.com : ok=5 changed=3 unreachable=0 failed=0

Scan serverd again for compliance with your customization of the Common Profile for General-Purpose Systems. Save the result on workstation in /home/student/lab-results-fix.xml.

[student@workstation oscap-review]$ ssh student@serverd
[student@serverd ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverd ~]$ sudo -i
[sudo] password for student: student
[root@serverd ~]# 
```

Scan the system for compliance with your customization. Save the result in the /root/lab-results-fix.xml file.

[root@serverd ~]# oscap xccdf eval \
> --profile xccdf_com.example_profile_lab-rhel7 \
> --tailoring-file /home/student/lab-tailoring.xml \
> --results /root/lab-results-fix.xml \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://learn.spidernet.pl/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Disable Prelinking
Rule    xccdf_org.ssgproject.content_rule_disable_prelink
Ident   CCE-27078-5
Result  pass

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-27096-7
Result  pass

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Ident   CCE-27220-3
Result  pass

Use scp to copy the /root/lab-results-fix.xml file to workstation. Use student as the password.

[root@serverd ~]# scp lab-results-fix.xml student@workstation:
student@workstation's password: student
lab-results-fix.xml                            100% 4304KB  11.0MB/s   00:00

Log off from serverd.

[root@serverd ~]# logout
[student@serverd ~]$ logout
[student@workstation oscap-review]$

Evaluation

As the student user on workstation, run the lab oscap-review script with the grade argument to confirm success of this exercise. Correct any reported failures and rerun the script until successful.

[student@workstation ~]$ lab oscap-review grade

Cleanup

On workstation, run the lab oscap-review cleanup command to clean up this exercise.

[student@workstation ~]$ lab oscap-review cleanup

This concludes the lab.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-b847083