RH415 - ch10s04

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

SectionSection 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

This Guided Exercise requires that the previous exercise has been successfully completed. In this exercise, you will use Red Hat Satellite to perform an OpenSCAP scan of one of your servers and evaluate the results.

Outcomes

You should be able to:

Create a Red Hat Satellite compliance policy for centralized OpenSCAP scans.
Manually trigger a compliance policy scan on a Red Hat Satellite client.
Evaluate the compliance report for that scan in the Red Hat Satellite web UI.

Confirm that the workstation, satellite, and serverd machines are started.

Log in to workstation as student using student as the password. From workstation, run lab compliance-scan setup to verify that the environment is ready.

[student@workstation ~]$ lab compliance-scan setup

On workstation, open a browser and connect to the Satellite Server web UI at https://satellite.lab.example.com. If required, accept the self-signed certificate and log in as admin using redhat as the password.
Create a compliance policy named OpenSCAP-Policy1 using the default RHEL7 SCAP content. The policy should execute every 10 minutes.
1. Navigate to Hosts → Policies and click New Policy.
2. In the New Compliance Policy dialog box, enter OpenSCAP-Policy1 as the name of the policy. The policy description is optional. Click Next.
3. On the SCAP Content tab, select Red Hat rhel7 default content from the SCAP Content drop-down list. For XCCDF Profile, select Common Profile for General-Purpose Systems. Click Next.
4. On the Schedule tab, for Period, select Custom. Enter */10 * * * * in the Cron line field to run the scan every 10 minutes. Click Next.
5. On the Locations tab, select Default Location to move it to the Selected items list. Click Next.
6. On the Organizations tab, ensure that org-example is the selected organization. Click Next.
7. On the Hostgroups tab, select org-hostgroup1 to move it to the Selected items list. Click Submit to create the compliance policy.

Rerun the Puppet module on serverd to fetch the new compliance policy. Review the configuration of the compliance policy in the /etc/foreman_scap_client/config.yaml file.

Log in to serverd as student. No password is required. Use the sudo -i command to change to the root user. Use student as the password.
```
[student@workstation ~]$ ssh student@serverd
[student@serverd ~]$ sudo -i
[sudo] password for student: student
[root@serverd ~]# 
```

Run the following command on serverd to fetch the new compliance policy. The command executes the Puppet module on serverd, and configures the host to run foreman_scap_client using the new compliance policy.

[root@serverd ~]# puppet agent --test --verbose
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for serverd.lab.example.com
Info: Applying configuration version '1532692309'
Notice: /Stage[main]/Foreman_scap_client/File[foreman_scap_client]/content:
--- /etc/foreman_scap_client/config.yaml  2018-07-27 17:18:11.279676375 +0530
+++ /tmp/puppet-file20180727-2630-gep1op  2018-07-27 17:21:50.652457820 +0530
@@ -21,3 +21,12 @@

 # policy (key is id as in Foreman)

 +1:
 +  :profile: 'xccdf_org.ssgproject.content_profile_common'
 +  :content_path: '/var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml'
 +  # Download path
 +  # A path to download SCAP content from proxy
 +  :download_path: '/compliance/policies/1/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d'
 +  :tailoring_path: ''
 +  :tailoring_download_path: ''
 +

 Info: Computing checksum on file /etc/foreman_scap_client/config.yaml
 ...output omitted...

  # foreman_scap_client cron job

  +# Runs foreman_scap_client 1
  +*/10 * * * * root /usr/bin/foreman_scap_client 1 > /dev/null
  +

  Info: Computing checksum on file /etc/cron.d/foreman_scap_client_cron
 ...output omitted...
  Notice: Applied catalog in 0.30 seconds

View the /etc/foreman_scap_client/config.yaml file to confirm that the Satellite Server compliance policy ID and OpenSCAP XCCDF profile defined in the file.

[root@serverd ~]# cat /etc/foreman_scap_client/config.yaml
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

...output omitted...
# policy (key is id as in Foreman)

1:
  :profile: 'xccdf_org.ssgproject.content_profile_common'
  :content_path: '/var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d'
  :tailoring_path: ''
  :tailoring_download_path: ''

In the preceding output the compliance policy ID is 1. The policy will use the xccdf_org.ssgproject.content_profile_common OpenSCAP profile.

Execute an OpenSCAP scan manually using the foreman_scap_client command installed by the Puppet module. (This command is also executed automatically by Cron according to the schedule specified when you created the compliance policy.)

Execute the foreman_scap_client command manually to run the OpenSCAP scan and upload the results to the Red Hat Satellite OpenSCAP capsule. Use the compliance policy ID specified in the /etc/foreman_scap_client/config.yaml file as an argument to the command.

[root@serverd ~]# foreman_scap_client 1
File /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://satellite.lab.example.com:9090/compliance/policies/1/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d
DEBUG: running: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common  --results-arf /tmp/d20180727-2719-ois40f/results.xml /var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://learn.spidernet.pl/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
DEBUG: running: /usr/bin/bzip2 /tmp/d20180727-2719-ois40f/results.xml
Uploading results to https://satellite.lab.example.com:9090/compliance/arf/1

Log off from serverd.

[root@serverd ~]# logout
[student@serverd ~]$ logout
Connection to serverd closed.
[student@workstation ~]$

Evaluate the compliance report in your Satellite Server web UI in order to determine which checks passed and which failed.
1. Navigate to Hosts → Reports to list the compliance reports uploaded by serverd. The page lists the number of passes, failures, and some in other categories for all the audited systems.
2. If there is more than one report, there will be more than one link under Reported At. To open the latest report, click the link under the Reported At column to view the details for the latest scan result.
3. Click View full report to evaluate the full report.

Cleanup

On workstation, run the lab compliance-scan cleanup script to clean up this exercise.

[student@workstation ~]$ lab compliance-scan cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-b847083