RH415 - ch10s05

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

SectionSection 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Customize the OpenSCAP Policy in Red Hat Satellite

Objectives

After completing this section, students should be able to apply a tailoring file to a SCAP profile in Red Hat Satellite and use the customized SCAP profile to scan registered servers.

Customizing SCAP Profiles in Red Hat Satellite

Organizations sometimes need to adjust a standard security policy, making it stricter or more lenient based on its actual compliance requirements. SCAP tailoring files allow compliance managers to customize a profile without writing new SCAP content. You can create these tailoring files in SCAP Workbench and they are saved as XCCDF profiles.

Red Hat Satellite 6.3 introduced support for tailoring files. This feature allows users to upload a tailoring file to customize a compliance policy. The uploaded tailoring file is assigned to an existing SCAP profile when creating or updating a compliance policy.

Important

Red Hat Satellite does not have an interface to create or edit tailoring files. A compliance manager should create the tailoring file in SCAP Workbench, then upload it to the Satellite Server.

Uploading a Tailoring File

After you create a tailoring file in SCAP Workbench, save it in XCCDF Customization format. Then, upload it to the Red Hat Satellite Server that manages the compliance policy for your scans. You should have already installed the XCCDF profile on which the tailoring file is based on the Satellite Server.

Uploading a Tailoring File to Red Hat Satellite

The following steps outline the process for uploading a tailoring file to the Satellite Server:

Log in to the Satellite Server's web UI as a user with the Compliance Manager role.
Navigate to Hosts → Tailoring Files and then click New Tailoring File.
On the Upload new Tailoring File page, enter a name in the Name field. Click Browse to upload the tailoring file.
Click Submit.

Assigning a Tailoring File to a Compliance Policy

A tailoring file is comprised of one or more XCCDF profiles. One tailoring file can be assigned to a compliance policy. Any change to a compliance policy is propagated to the Satellite's clients when their Puppet agents check in.

Assigning a Tailoring File using Satellite's Web Interface

The following steps outline the process for assigning a tailoring file to a compliance policy on a Satellite Server:

Log in to the Satellite's web UI as a user with the Compliance manager role.
Navigate to Hosts → Policies. Choose Edit from the drop-down list of the required policy.
Alternatively, click New Policy, or New Compliance Policy to create a new compliance policy.
On the SCAP Content tab, choose the required tailoring file from the Tailoring File list.
Choose an XCCDF Profile in Tailoring File from the drop-down list. Click Submit.

Executing a Compliance Scan using a Customized Compliance Policy

The Puppet agent running on the Satellite client fetches the change in the compliance policy. The interval between checks is set by the runinterval variable in the Puppet agent's configuration. The default run interval for the Puppet agent is 30 minutes. The Puppet agent can be executed manually either by remote execution from the Satellite Server or by running the puppet agent --test command on the client.

The /etc/foreman_scap_client/config.yaml file contains the information about the tailoring file and XCCDF profile to be used for the compliance scan.

# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET
...output omitted...
# policy (key is id as in Foreman)
1:
  :profile: 'xccdf_com.lab.example_profile_common_customized'
  :content_path: '/var/lib/openscap/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content/96c2a9d5278d5da905221bbb2dc61d0ace7ee3d97f021fccac994d26296d986d'
  :tailoring_path: '/var/lib/openscap/tailoring/7ebe67694d7ce79d08c960a5854c3b246fd317b5de187a7cd467f349a777a679.xml'
  :tailoring_download_path: '/compliance/policies/1/tailoring/7ebe67694d7ce79d08c960a5854c3b246fd317b5de187a7cd467f349a777a679'

In the above screen output, the xccdf_com.lab.example_profile_common_customized is the XCCDF tailoring profile. The tailoring_path variable defines the location of the tailoring file on the SCAP client. The tailoring_download_path variable defines the download location of the tailoring file from the Satellite Server.

The compliance scan is executed based on the Cron job defined in the compliance policy. To execute the scan manually you can either use remote execution from the Satellite Server or the foreman_scap_client command. The result of the scan is uploaded to the Satellite Server.

References

For more information, refer to the Managing Security Compliance chapter in the Administering Red Hat Satellite at https://access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html-single/administering_red_hat_satellite/#chap-Red_Hat_Satellite-Administering_Red_Hat_Satellite-Security_Compliance_Management

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c