RH415 - ch12s02

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

SectionSection 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Lab: Automating Configuration and Remediation with Ansible

In this review, you will ensure your workstation is prepared to use Ansible and has been configured with an appropriate configuration file and inventory, and use a provided playbook to ensure that several servers are in the correct configuration.

Outcomes

You should be able to:

Install and configure Ansible.
Verify the configuration of managed hosts with Ansible ad hoc commands.
Run Ansible Playbooks.

Warning

Before starting the following exercises, you must reset your virtual machines. This will destroy any data stored on those machines from previous exercises.

If you want to keep any data from the lab environment, save it before resetting your machines.

You must reset all machines in the lab environment for the following exercises to work as expected.

Set up your computers for this exercise by logging in to workstation as student, and run the following command:

[student@workstation ~]$ lab ansible-cr setup

Instructions

As the devops user on workstation, use the existing in the /home/devops/cr-lab1 directory Ansible Playbook to configure your web servers based on the following instructions.

On workstation, install the ansible package. Confirm that the ansible command is available.
In the existing /home/devops/cr-lab1 directory, create an Ansible inventory file that defines the http host group. This host group should include two managed hosts, servera.lab.example.com and serverb.lab.example.com.
You should also create an Ansible configuration file in the /home/devops/cr-lab1 directory. It should set the inventory file to use the one you created in that directory. It should configure Ansible to log in as the devops user on remote managed hosts. It should enable privilege escalation using sudo and prompt the user for their ssh and sudo passwords.
In that directory, use an Ansible ad hoc command to confirm that you can use Ansible to manage the two managed hosts in the http host group.
Before running the playbook, use Ansible ad hoc commands to ensure that the httpd package is not installed, and that TCP port 80 is blocked by firewalld on those managed hosts.
Run the http://materials.example.com/ansible/cr-httpd.yml Ansible Playbook to install and configure the httpd service on the managed hosts.
Open Firefox and navigate to http://servera.lab.example.com and http://serverb.lab.example.com to confirm that the web servers are available.

On workstation, install the ansible package.

On workstation as the student, install the ansible package with the sudo command.

[student@workstation ~]$ sudo yum -y install ansible
[sudo] password for student: student
...output omitted...
Installed:
  ansible.noarch 0:2.5.5-1.el7ae

Complete!

As the devops user on workstation, create an Ansible inventory file in the existing /home/devops/cr-lab1 directory. It should define the http host group, which should consist of two managed hosts, servera.lab.example.com and serverb.lab.example.com.
1. Switch to the devops user. Use redhat as the password.
```
[student@workstation ~]$ su - devops
Password: redhat
Last login: Wed Aug  1 07:53:19 IST 2018 on pts/0
[devops@workstation ~]$ 
```
2. Change your working directory to /home/devops/cr-lab1.
```
[devops@workstation ~]$ cd ~/cr-lab1
```
3. Create an inventory file in the cr-lab1 directory. This inventory file should define the http host group, which should consist of two managed hosts, servera.lab.example.com and serverb.lab.example.com.
```
[devops@workstation cr-lab1]$ vi inventory
[http]
servera.lab.example.com
serverb.lab.example.com
```
Create an Ansible configuration file that uses the inventory file previously created, and log in to the remote managed hosts as the devops user.
1. In the cr-lab1 directory, create an Ansible configuration file. It should set the inventory file to the one you just created. It should configure Ansible to log in as the devops user on remote managed hosts. It should enable privilege escalation using sudo and prompt for the remote user's SSH and sudo passwords.
```
[devops@workstation cr-lab1]$ vi ansible.cfg
[defaults]
inventory = ./inventory
remote_user = devops
ask_pass = True

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=True
```

Use an Ansible ad hoc command to confirm that you can use Ansible to manage the two managed hosts in the http host group. Use additional ad hoc commands to ensure that neither host has the httpd package installed, and that TCP port 80 is blocked by firewalld on those managed hosts.

Confirm that you can connect to the two managed hosts in the http host group with Ansible. Use the ping Ansible module in an ad hoc command.
Note
If you get an error connecting to the managed hosts due to the SSH host key not being known to workstation, you can work around this by using ssh to connect to each system once and then accepting the unknown host key presented. For this to work you must use the Fully Qualified Domain Names for all the hosts, for example: servera.lab.example.com. Then you can try this ad hoc command a second time and it should work.
```
[devops@workstation cr-lab1]$ ansible http -m ping
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
servera.lab.example.com | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
serverb.lab.example.com | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
```

Use the yum Ansible module in an ad hoc command to ensure that the httpd package is not installed on the managed hosts of the http host group.

[devops@workstation cr-lab1]$ ansible http -m yum \
> -a "name=httpd state=absent"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
servera.lab.example.com | SUCCESS => {
    "changed": false,
    "msg": "",
    "rc": 0,
    "results": [
        "httpd is not installed"
    ]
}
serverb.lab.example.com | SUCCESS => {
    "changed": false,
    "msg": "",
    "rc": 0,
    "results": [
        "httpd is not installed"
    ]
}

Use the firewalld Ansible module in an ad hoc command to ensure that TCP port 80 is blocked on the managed hosts of the http host group.

[devops@workstation cr-lab1]$ ansible http -m firewalld \
> -a "port=80/tcp state=disabled immediate=true permanent=true"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
servera.lab.example.com | SUCCESS => {
    "changed": false,
    "msg": "Permanent and Non-Permanent(immediate) operation"
}
serverb.lab.example.com | SUCCESS => {
    "changed": false,
    "msg": "Permanent and Non-Permanent(immediate) operation"
}
[ansible-testuser@workstation lab]$ ansible http -m firewalld \
> -a "service=http state=disabled immediate=true permanent=true"
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
servera.lab.example.com | SUCCESS => {
    "changed": false,
    "msg": "Permanent and Non-Permanent(immediate) operation"
}
serverb.lab.example.com | SUCCESS => {
    "changed": false,
    "msg": "Permanent and Non-Permanent(immediate) operation"
}

Download the Ansible Playbook at http://materials.example.com/labs/cr-httpd.yml to your /home/devops/cr-lab1 directory on workstation. Run it to install and configure the httpd service on your managed hosts.

Download the cr-httpd.yml Ansible Playbook from http://materials.example.com/ansible/cr-httpd.yml.

[devops@workstation cr-lab1]$ wget \
> http://materials.example.com/ansible/cr-httpd.yml
...output omitted...

Run the cr-httpd.yml playbook to deploy the httpd service and open TCP port 80 on your managed hosts.

[devops@workstation cr-lab1]$ ansible-playbook cr-httpd.yml
SSH password: redhat
SUDO password[defaults to SSH password]: redhat
...output omitted...
servera.lab.example.com    : ok=8    changed=7    unreachable=0    failed=0
serverb.lab.example.com    : ok=8    changed=7    unreachable=0    failed=0

Open Firefox and navigate to http://servera.lab.example.com and http://serverb.lab.example.com to confirm that the web server on each system is running and serving content.

Use the curl command and navigate http://servera.lab.example.com. Verify that a new page is displayed.

[devops@workstation cr-lab1]$ curl http://servera.lab.example.com
This is a test message RedHat 7.5 <br>
Current Host: servera <br>
Server list: <br>
servera.lab.example.com <br>
serverb.lab.example.com <br>
Deployment Version: 1<br>

Navigate to http://serverb.lab.example.com. Verify that a new page is displayed.

[devops@workstation cr-lab1]$ curl http://serverb.lab.example.com
This is a test message RedHat 7.5 <br>
Current Host: serverb <br>
Server list: <br>
servera.lab.example.com <br>
serverb.lab.example.com <br>
Deployment Version: 1<br>
[devops@workstation cr-lab1]$ logout
[student@workstation ~]$

Evaluation

As the student user on workstation, run the lab ansible-cr script with the grade argument to confirm success on this exercise. Correct any reported failures and rerun the script until successful.

[student@workstation ~]$ lab ansible-cr grade

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c

Red Hat Security: Linux in Physical, Virtual, and Cloud

This course is now legacy content

Lab: Automating Configuration and Remediation with Ansible

Warning

Note