RH415 - ch12s03

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

SectionSection 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Lab: Protecting Data with LUKS and NBDE

In this review, you will create and encrypt a storage device with LUKS and configure it to automatically decrypt at boot time in a secure manner using NBDE.

Outcomes

You should be able to:

Encrypt a partition with LUKS.
Install and configure a Tang server.
Decrypt a LUKS partition with multiple Tang servers.

You should be able to create a storage device and configure it to automatically decrypt at boot time.

Set up your computers for this exercise by logging in to workstation as student, and run the following command:

[student@workstation ~]$ lab nbde-cr setup

Instructions

On servera configure a storage partition to automatically decrypt and mount on the /storage directory at boot time.

Confirm that an additional disk, /dev/vdb, is available on servera. Partition this disk for your LUKS-encrypted storage.
Create a 1 GB partition on the additional disk on servera.
Encrypt the /dev/vdb1 partition with LUKS. Use redhatRHT as the encryption password.
Name the storage partition storage.
Create an XFS file system on the storage partition, and mount this file system on the /storage directory. In that directory, create a new text file named encryption-test.txt.
Unmount the file system and lock the storage partition.
Install Tang servers on serverb, serverc, and serverd. Make sure that the firewall on those systems permits connections to the default port for Tang servers (80/TCP).
As the root user on servera, associate the LUKS-encrypted storage partition available on /dev/vdb1 with the Tang servers on serverb, serverc, and serverd. Configure SSS encryption so that all three Tang servers must be available to automatically decrypt the partition.
Enable the clevis-luks-askpass.path unit for systemd to support non-root LUKS-encrypted storage partitions.
Rotate the keys for the Tang server on serverc. Generate a new signature key called signature.jwk. Generate a new exchange key called exchange.jwk.

After completing the configuration, reboot servera and verify that the LUKS-encrypted storage partition on /dev/vdb1 is decrypted and mounted automatically on the /storage directory.

Verify that an additional disk is available on servera. Use this disk to create a storage partition.

[student@workstation ~]$ ssh student@servera
[student@servera ~]$

Use the sudo -i command to change to the root user. Use student as the password.

[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]#

Verify that the /dev/vdb disk is available and has no partitions.

[root@servera ~]# parted -l
...output omitted...
Error: /dev/vdb: unrecognised disk label
Model: Virtio Block Device (virtblk)
Disk /dev/vdb: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:

Create a 1 GB partition on the additional disk on servera.

Use the parted command to create a partition on the additional disk on servera. Use the whole disk for the partition.
```
[root@servera ~]# parted /dev/vdb \
> mklabel msdos \
> mkpart primary xfs 1M 1G
...output omitted...
```

Verify that the partition is available.

[root@servera ~]# parted /dev/vdb print
Model: Virtio Block Device (virtblk)
Disk /dev/vdb: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
1      1049kB  1074MB  1073MB  primary

Encrypt the /dev/vdb1 partition with LUKS. Use redhatRHT as the password for the encryption.

Use the cryptsetup luksFormat command to encrypt the /dev/vdb1 partition with LUKS.

[root@servera ~]# cryptsetup luksFormat /dev/vdb1

WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: redhatRHT
Verify passphrase: redhatRHT

Name the storage partition storage.
1. Use the cryptsetup luksOpen command to name the storage partition storage.
```
[root@servera ~]# cryptsetup luksOpen /dev/vdb1 storage
Enter passphrase for /dev/vdb1: redhatRHT
```
2. Verify that the partition is now available at /dev/mapper/storage
```
[root@servera ~]# ls /dev/mapper/storage
/dev/mapper/storage
```

Create an XFS file system on the storage partition, and then mount the new file system on the /storage directory. In that directory create a new text file named encryption-test.txt.

Create an XFS file system on /dev/mapper/storage.

[root@servera ~]# mkfs.xfs /dev/mapper/storage
meta-data=/dev/mapper/storage isize=512    agcount=4, agsize=65344 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=1        finobt=0, sparse=0
data     =                       bsize=4096   blocks=261376, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
log      =internal log           bsize=4096   blocks=855, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

Create the /storage directory.
```
[root@servera ~]# mkdir /storage
```

Mount /dev/mapper/storage on the /storage directory.

[root@servera ~]# mount -t xfs /dev/mapper/storage /storage

Verify that the /dev/vdb1 partition is correctly mounted.

[root@servera ~]# mount | grep /storage
/dev/mapper/storage on /storage type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

Create a text file named encryption-test.txt.

[root@servera ~]# touch /storage/encryption-test.txt

Unmount the file system and lock the storage partition.

Unmount the file system from /storage.
```
[root@servera ~]# umount /storage
```

Lock the storage partition.

[root@servera ~]# cryptsetup luksClose storage

When done, log off from serverb.

[root@servera ~]# logout
[student@servera ~]$ logout
[student@workstation ~]$

Install Tang servers on serverb, serverc, and serverd. Configure the firewall on those nodes to allow connections to the default port for Tang servers (80/TCP).

[student@workstation ~]$ ssh student@serverb
[student@serverb ~]$

Use the sudo -i command to change to the root user. Use student as the password.

[student@serverb ~]$ sudo -i
[sudo] password for student: student
[root@serverb ~]#

Install the tang package.

[root@serverb ~]# yum install tang
...output omitted...
Is this ok [y/d/N]: y
...output omitted...
Installed:
tang.x86_64 0:6-1.el7
...output omitted...
Complete!

Enable socket activation for the Tang server.

[root@serverb ~]# systemctl enable tangd.socket --now
Created symlink from /etc/systemd/system/multi-user.target.wants/tangd.socket to /usr/lib/systemd/system/tangd.socket.

Confirm that firewalld allows connections to TCP port 80. When done, log off from serverb.

[root@serverb ~]# firewall-cmd --zone=public --add-port=80/tcp \
> --permanent
Warning: ALREADY_ENABLED: 80:tcp
success
[root@serverb ~]# firewall-cmd --reload
success
[root@serverb ~]# logout
[student@serverb ~]$ logout
[student@workstation ~]$

Perform the same steps for serverc and serverd.
Note
If you do not want to repeat the steps to configure the Tang servers for serverc and serverd as practice, an Ansible Playbook is available to accelerate this part of the solution.
On workstation as student, change your working directory to /home/student/RH415/labs/nbde-cr. Run the install_tang.yml playbook.
```
[student@workstation ~]$ cd ~/RH415/labs/nbde-cr
[student@workstation nbde-cr]$ ansible-playbook install_tang.yml
```

On servera as the root user, associate the LUKS-encrypted storage partition /dev/vdb1 with the Tang servers on serverb, serverc, and serverd. Configure SSS on servera so that three Tang servers must be available to automatically decrypt the partition.

[student@workstation ~]$ ssh student@servera
[student@servera ~]$

Use the sudo -i command to change to the root user. Use student as the password.

[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]#

Install the packages required to configure servera as a Clevis client.

[root@servera ~]# yum install clevis clevis-luks clevis-dracut
...output omitted...
Is this ok [y/d/N]: y
...output omitted...
Installed:
  clevis.x86_64 0:7-4.el7               clevis-dracut.x86_64 0:7-4.el7
  clevis-luks.x86_64 0:7-4.el7
...output omitted...
Complete!

Associate the LUKS-encrypted storage partition available on /dev/vdb1 with the Tang servers on serverc and serverd. Configure the SSS encryption so that three Tang servers must be available to decrypt the partition.

[root@servera ~]# cfg=$'{"t":3,"pins":{"tang":[\n
> {"url":"http://serverb.lab.example.com"},\n
> {"url":"http://serverc.lab.example.com"},\n
> {"url":"http://serverd.lab.example.com"}]}}'
[root@servera ~]# clevis luks bind -d /dev/vdb1 sss "$cfg"
The advertisement contains the following signing keys:

gks_IaVo1yog0KuQei95rg_yGns

Do you wish to trust these keys? [ynYN] Y
The advertisement contains the following signing keys:

mtrjAU6q2CfG3g3gu8yHmwLrctg

Do you wish to trust these keys? [ynYN] Y
The advertisement contains the following signing keys:

vA5xAeUiKPqvkg4UyR4TemzXoAw
Do you wish to trust these keys? [ynYN] Y
You are about to initialize a LUKS device for metadata storage.
Attempting to initialize it may result in data loss if data was
already written into the LUKS header gap in a different format.
A backup is advised before initialization is performed.

Do you wish to initialize /dev/vdb1? [yn] y
Enter existing LUKS password: redhatRHT

On servera, enable the clevis-luks-askpass.path systemd unit in order to support non-root LUKS-encrypted storage partitions.
1. Use the systemctl enable clevis-luks-askpass.path command to enable clevis-luks-askpass.path.
```
[root@servera ~]# systemctl enable clevis-luks-askpass.path
Created symlink from /etc/systemd/system/remote-fs.target.wants/clevis-luks-askpass.path to /usr/lib/systemd/system/clevis-luks-askpass.path.
```
Configure the storage partition on servera so that it is automatically decrypted and mounted on the /storage directory at boot time.
1. Modify the /etc/crypttab file to open the storage partition at boot time.
```
[root@servera ~]# vi /etc/crypttab
storage       /dev/vdb1  none   _netdev
```
2. Update the /etc/fstab file to mount the storage partition on the /storage directory. When done, log off from servera.
```
[root@servera ~]# vi /etc/fstab
...output omitted...
/dev/mapper/storage   /storage       xfs    _netdev        1 2
[root@servera ~]# logout
[student@servera ~]$ logout
[student@workstation ~]$ 
```
Reboot servera to confirm that it automatically decrypts and mounts the XFS file system in the LUKS-encrypted partition, /dev/vdb1, on the /storage directory at boot time.
1. Click Actions → Shutdown for servera to stop that virtual machine, and wait until the status for servera is STOPPED. When done, click Actions → Start for servera to start that virtual machine, and wait until the status for servera is STARTED.
2. Log in to servera as student. No password is required.
```
[student@workstation ~]$ ssh student@servera
[student@servera ~]$ 
```
3. Use the sudo -i command to change to the root user. Use student as the password.
```
[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]# 
```
4. Verify that the storage partition is mounted on the /storage directory.
```
[root@servera ~]# mount | grep /storage
/dev/mapper/storage on /storage type xfs (rw,relatime,seclabel,attr2,inode64,noquota,_netdev)
```
5. Verify that the previously created file is still available in the /storage directory. When done, log off from servera.
```
[root@servera ~]# ls /storage
encryption-test.txt
[root@servera ~]# logout
[student@servera ~]$ logout
[student@workstation ~]$ 
```
Rotate the keys for the Tang server on serverc. Generate a new signature key called signature.jwk. Generate a new exchange key called exchange.jwk.
1. Log in to serverc as student. No password is required.
```
[student@workstation ~]$ ssh student@serverc
[student@serverc ~]$ 
```
2. Use the sudo -i command to change to the root user. Use student as the password.
```
[student@serverc ~]$ sudo -i
[sudo] password for student: student
[root@serverc ~]# 
```
3. Generate new signature and exchange keys in the directory for the Tang server key database, /var/db/tang. The Tang server uses the new keys automatically for new client bindings.
```
[root@serverc ~]# cd /var/db/tang
[root@serverc tang]# jose jwk gen -i '{"alg":"ES512"}' \
> -o signature.jwk
[root@serverc tang]# jose jwk gen -i '{"alg":"ECMR"}' \
> -o exchange.jwk
```
4. Rename the old keys with a . as a prefix. The names of your old keys may be different. When done, log off from serverc.
```
[root@serverc tang]# mv gxB7oqYiEu3zrLayhymtD10sV9E.jwk \
> .gxB7oqYiEu3zrLayhymtD10sV9E.jwk
[root@serverc tang]# mv k25k6PbmgUu-pWWUb210xgBelhfQ.jwk \
> .k25k6PbmgUu-pWWUb210xgBelhfQ.jwk
[root@serverc tang]# logout
[student@serverc ~]$ logout
[student@workstation ~]$ 
```

Evaluation

As the student user on workstation, run the lab nbde-cr script with the grade argument to confirm success on this exercise. Correct any reported failures and rerun the script until successful.

[student@workstation ~]$ lab nbde-cr grade

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-b847083

Red Hat Security: Linux in Physical, Virtual, and Cloud

This course is now legacy content

Lab: Protecting Data with LUKS and NBDE

Note