RH415 - ch10s02

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

SectionSection 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

In this exercise, you will configure an existing Satellite Server to perform OpenSCAP scans.

Outcomes

You should be able to configure an existing Satellite Server to push OpenSCAP client to the registered hosts to perform OpenSCAP scans.

Confirm that the workstation, satellite, and serverd machines are started.

Log in to workstation as student using student as the password. On workstation, run lab compliance-config setup to verify that the environment is ready.

[student@workstation ~]$ lab compliance-config setup

On workstation, open a web browser and navigate to https://satellite.lab.example.com. Log in as admin using redhat as the password.
1. From workstation, open a web browser and navigate to https://satellite.lab.example.com. Accept the self-signed certificate and log in as admin using redhat as the password.

Verify that a host group named org-hostgroup1 exists in the org-example organization.

Set the organization context to org-example. Navigate to Any Context → Any Organization and select org-example.
Navigate to Configure → Host groups. Verify that the org-hostgroup1 host group exists.

Click the org-hostgroup1 link to open the group for editing.

Ensure that the following fields are correctly configured:

Table 10.2. Puppet Configurations

Field	Value
Puppet Environment	production
Puppet Master	satellite.lab.example.com
Puppet CA	satellite.lab.example.com
OpenSCAP Capsule	satellite.lab.example.com

Add the foreman_scap_client Puppet module to the org-hostgroup1. This Puppet module automatically installs and configures the client's /etc/foreman_scap_client/config.yaml file with parameters that are needed for the operation of OpenSCAP scans and to upload the scan result to the Satellite Server.
1. From the Edit org-hostgroup1 page, select the Puppet Classes tab. Click + to add the foreman_scap_client Puppet class listed under the foreman_scap_client Puppet module.
2. Click Submit.

Upload the default OpenSCAP content provided by the scap-security-guide package to the Satellite Server's database.

On workstation, open a command terminal. Log in to the satellite server as student. Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@workstation ~]$ ssh student@satellite
[student@satellite ~]$ sudo -i
[sudo] password for student: student
[root@satellite ~]# 
```

Use the foreman-rake foreman_openscap:bulk_upload:default command to upload the default SCAP content provided by the scap-security-guide package to the Satellite Server's database.

[root@satellite ~]# foreman-rake foreman_openscap:bulk_upload:default
Saved /usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml as Red Hat firefox default content
Saved /usr/share/xml/scap/ssg/content/ssg-jre-ds.xml as Red Hat jre default content
Saved /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml as Red Hat rhel6 default content
Saved /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml as Red Hat rhel7 default content

Verify that the default SCAP content is uploaded to the Satellite Server's database using the hammer CLI. Use the hammer scap-content list command from the terminal to list the SCAP content loaded to the Satellite Server's database.

[root@satellite ~]# hammer scap-content list
---|--------------------------------
ID | TITLE
---|--------------------------------
1  | Red Hat firefox default content
2  | Red Hat jre default content
3  | Red Hat rhel6 default content
4  | Red Hat rhel7 default content
---|--------------------------------

Log off from satellite.

[root@satellite ~]# logout
[student@satellite ~]$ logout
Connection to satellite closed.
[student@workstation ~]$

View the OpenSCAP content from the Satellite Server web UI.
Navigate to Hosts → SCAP contents. The SCAP Contents page lists the default SCAP contents.
In the classroom environment, the serverd.lab.example.com host is already registered to the Satellite Server running on satellite.lab.example.com. Re-registering serverd to the Satellite Server deletes the host from the Satellite Server and configures the host with the SCAP client and all necessary packages.
Re-registering serverd ensures that the foreman_scap_client Puppet class assigned to the org-hostgroup1 host group is executed.
1. Log in to serverd as student. Use the sudo -i command to change to the root user. Use student as the password.
```
[student@workstation ~]$ ssh student@serverd
[student@serverd ~]$ sudo -i
[sudo] password for student: student
[root@serverd ~]# 
```
2. Download the bootstrap.py script file from http://satellite.lab.example.com/pub/bootstrap.py on serverd. Change the permission of the bootstrap.py file to make it executable.
```
[root@serverd ~]# wget http://satellite.lab.example.com/pub/bootstrap.py
...output omitted...
[root@serverd ~]# chmod a+x bootstrap.py
```
3. Run the bootstrap.py script to re-register serverd with the serverkey activation key to the Satellite Server, as shown in the following example. Use the --force option to overwrite all the registration configurations. The command re-registers serverd and configures the SCAP client. Enter redhat as the admin user's password.
```
[root@serverd ~]# ./bootstrap.py -l admin -s satellite.lab.example.com \
> -o 'org-example' -L 'Default Location' -a serverkey -g org-hostgroup1 --force
Foreman Bootstrap Script
This script is designed to register new systems or to migrate an existing system to a Foreman server with Katello
admin's password: redhat
...output omitted...
Complete!
Uploading Enabled Repositories Report
Loaded plugins: langpacks, product-id, subscription-manager
[SUCCESS], [2018-07-25 20:28:35], [/usr/bin/yum -y remove rhn-setup rhn-client-tools yum-rhn-plugin rhnsd rhn-check rhnlib spacewalk-abrt spacewalk-oscap osad 'rh-*-rhui-client' 'candlepin-cert-consumer-*'], completed successfully.
```
4. View the /etc/foreman_scap_client/config.yaml file to check the Satellite capsule address to which the SCAP scan reports are uploaded. Notice that the OpenSCAP policy is not yet defined in the file.
```
[root@serverd ~]# cat /etc/foreman_scap_client/config.yaml
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'satellite.lab.example.com'
:port: 9090 
...output omitted...
# policy (key is id as in Foreman)
```
5. List the OpenSCAP packages installed by the foreman_scap_client Puppet module.
```
[root@serverd ~]# rpm -qa | grep -E 'foreman_scap|openscap'
rubygem-foreman_scap_client-0.3.0-2.el7sat.noarch
openscap-scanner-1.2.16-8.el7_5.x86_64
openscap-1.2.16-8.el7_5.x86_64
```
  The rubygem-foreman_scap_client.noarch package provides the client script that runs the OpenSCAP scan and uploads the result to the Satellite Server.
6. Log off from serverd.
```
[root@serverd ~]# logout
[student@serverd ~]$ logout
Connection to serverd closed.
[student@workstation ~]$ 
```

Cleanup

From workstation, run the lab compliance-config cleanup script to clean up this exercise.

[student@workstation ~]$ lab compliance-config cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c