RH415 - ch10s07

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

SectionSection 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Lab: Automating Compliance with Red Hat Satellite

Performance Checklist

In this lab, you will use Red Hat Satellite to scan all of your servers for compliance with a customized OpenSCAP policy, evaluate the results, and remediate at least one reported issue.

Outcomes

You should be able to:

Create a Red Hat Satellite compliance policy customized with a tailoring file.
Initiate an OpenSCAP scan on one or more hosts from Red Hat Satellite using a compliance policy.
Evaluate the results of a compliance policy's OpenSCAP scans in Red Hat Satellite's web UI.
Remediate failed compliance checks using the command provided by the OpenSCAP evaluation report.

Confirm that the workstation, satellite, servera, serverb, serverc, serverd, and servere machines are started.

Log in to workstation as student using student as the password. On workstation, run lab compliance-review setup to verify that the environment is ready. The script re-registers all hosts to the Satellite Server to enabling remote execution as the root user.

[student@workstation ~]$ lab compliance-review setup

From workstation, connect to the Satellite web UI at https://satellite.lab.example.com. If prompted, accept the self-signed certificate and log in as admin using redhat as the password.
Upload a new tailoring file named ComplianceLab-TailoringFile to customize the default Standard System Security profile for RHEL 7 SCAP content. Download the tailoring file from http://materials.example.com/labs/compliancelab-tailoring.xml to workstation.
On workstation open a command terminal. Use the wget command to download the tailoring file from http://materials.example.com/labs/compliancelab-tailoring.xml to the /home/student/Downloads directory.
[student@workstation ~]$ wget \ > http://materials.example.com/labs/compliancelab-tailoring.xml \ > -P ~/Downloads ...output omitted...
In the Satellite web UI, navigate to Hosts → Tailoring Files. Click New Tailoring File to upload a new tailoring file.
On the Upload new Tailoring File page, enter ComplianceLab-TailoringFile in the Name field. Click Browse to upload the /home/student/Downloads/compliancelab-tailoring.xml tailoring file. Click Submit.
Create a compliance policy named ComplianceLab-Policy1 using the default RHEL 7 SCAP content. Choose the Standard System Security XCCDF profile and the ComplianceLab-TailoringFile tailoring file. The policy should execute weekly on Sunday. Use the following table to specify the other fields while creating the compliance policy:
Table 10.4. Compliance Policy Parameters
Field Value
Locations Default Location
Organizations org-example
Hostgroups org-hostgroup1
Navigate to Hosts → Policies.
Click New Policy.
On the New Compliance Policy page, enter ComplianceLab-Policy1 as the name of the policy. The policy description is optional. Click Next.
On the SCAP Content tab, select Red Hat rhel7 default content from the SCAP Content list. For XCCDF Profile, select Standard System Security Profile. For Tailoring File, select ComplianceLab-TailoringFile. The XCCDF Profile in Tailoring File list automatically sets the Standard System Security Profile [CUSTOMIZED] XCCDF profile, because there is only one profile included in the tailoring file. Click Next.
On the Schedule tab, for Period, choose Weekly. For Weekday, select Sunday. Click Next.
On the Locations tab, click Default Location to move it to the Selected items list. Click Next.
On the Organizations tab, click org-example to move it to the Selected items list. Click Next.
On the Hostgroups tab, click org-hostgroup1 to move it to the Selected items list. Click Submit to create the compliance policy.
Manually run the Puppet agent on the following hosts to update the clients with the new compliance policy. You may use the remote execution feature of Red Hat Satellite to do this.
- servera.lab.example.com
- serverb.lab.example.com
- serverc.lab.example.com
- serverd.lab.example.com
- servere.lab.example.com
From the Satellite's web UI, use the remote execution feature to run the Puppet agent. Navigate to Hosts → All hosts. Select the following hosts in the Hosts page.
servera.lab.example.com
serverb.lab.example.com
serverc.lab.example.com
serverd.lab.example.com
servere.lab.example.com
Select Schedule Remote Job from the Select Action list.
On the Job invocation page, for Job Category, select Puppet. Ensure that Execute now is selected for Schedule. Click Submit.
On the Overview tab, wait until you see succeeded with the 100% Success message.
Initiate OpenSCAP scans of the following hosts from your Satellite Server's web UI:
- servera.lab.example.com
- serverb.lab.example.com
- serverc.lab.example.com
- serverd.lab.example.com
- servere.lab.example.com
Navigate to Hosts → All hosts. Select the following hosts:
servera.lab.example.com
serverb.lab.example.com
serverc.lab.example.com
serverd.lab.example.com
servere.lab.example.com
Select Schedule Remote Job from the Select Action list.
On the Job invocation page, for Job Category, select OpenSCAP. Ensure that Execute now is selected for Schedule. Click Submit.
On the Overview tab, wait until you see succeeded with the 100% Success message.
Evaluate the OpenSCAP reports in your Satellite Server's web UI to determine which checks passed and which failed on each host.
Navigate to Hosts → Reports.
To open the latest report, click the link under the Reported At column to view the details for the latest scan result on serverd.
Click View full report to evaluate the detailed full report.
Remediate the Prevent Log In to Accounts With Empty Password compliance issue detected in the previous step on serverd using the commands provided by an OpenSCAP evaluation report. Execute the commands on serverd using the remote execution feature of the Satellite Server.
On the OpenSCAP Evalution Report page of serverd, glance through the report to see what rules passed or failed. Evaluate the severity of the security rules.
Search for Prevent Log In to Accounts With Empty Password in the OpenSCAP evaluation report. Notice that the Prevent Log In to Accounts With Empty Password security rule fails with severity high.
Click the Prevent Log In to Accounts With Empty Password link. The Remediation Shell script section provides the remediation commands to fix the compliance issue. Click show.
Copy both commands.
sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/password-auth
In the Satellite web UI, navigate to Hosts → All hosts. Select serverd.lab.example.com. Clear any other hosts that are selected.
Choose Schedule Remote Job from the Select Action list.
On the Job invocation page, for Job Category, select Commands. Paste the remediation commands from the previous step in the command field. Ensure that Execute now is selected for Schedule. Click Submit.
On the Overview tab, wait until you see succeeded with the 100% Success message.
Scan all the hosts again for compliance and evaluate the OpenSCAP scan results. Verify that the Prevent Log In to Accounts With Empty Password compliance issue is resolved on serverd.
Navigate to Hosts → All hosts. Select the following hosts:
servera.lab.example.com
serverb.lab.example.com
serverc.lab.example.com
serverd.lab.example.com
servere.lab.example.com
Select Schedule Remote Job from the Select Action list.
On the Job invocation page, for Job Category, select OpenSCAP. Ensure that Execute now is selected for Schedule. Click Submit.
On the Overview tab, wait until you see succeeded with the 100% Success message.
Navigate to Hosts → Reports to list the OpenSCAP scan reports uploaded by all the hosts.
Notice that the OpenSCAP scan on serverd must now show 10 passes and 0 failed result. The other hosts must show 9 passes and 1 failed result.
Click the link under the Report At column to view the details for the latest scan result on serverd.
Click View full report to view the OpenSCAP Evalution Report page. Verify that the Prevent Log In to Accounts With Empty Password compliance report is resolved on serverd.
Log off from the Satellite web UI.

Field	Value
Locations	Default Location
Organizations	org-example
Hostgroups	org-hostgroup1

Evaluation

As the student user on workstation, run the lab compliance-review script with the grade argument to confirm success of this exercise. Correct any reported failures and rerun the script until successful.

[student@workstation ~]$ lab compliance-review grade

Cleanup

On workstation, run the lab compliance-review cleanup command to clean up this exercise.

[student@workstation ~]$ lab compliance-review cleanup

This concludes the lab.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-b847083