RH415 - ch12s04

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

SectionSection 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Lab: Restricting USB Device Access and Mitigating Risk with SELinux

In this review, you will selectively control which USB devices may access or be accessed by the system, using USBGuard.

Outcomes

You should be able to:

Create a permanent USBGuard policy that allows a specific USB device to interact with the system.
Generate a base policy that will maintain currently defined policies and ignore any additional USB devices that attempt to connect to the system.
Use command-line tools confirm USB device access policies.
Enable and configure SELinux to limit user access to sudo commands.

Set up your computers for this exercise by logging in to workstation as student, and run the following command:

[student@workstation ~]$ lab usbguard-cr setup

Instructions

Configure the usbguard virtual machine hosted on workstation to use USBGuard. There are XML files on workstation in the /home/student/RH415/labs/usbguard-cr that can be used to define virtual USB devices for testing.

The usbguard virtual machine should allow only the MRKTG USB device to have access to the system. It should reject any additional USB devices from interacting with the system. You can use the provided GREEN USB device to test whether device rejection is working. Make sure that the USBGuard service is configured, operating, and will start automatically on boot.

Note also the following information about the usbguard system and how it should be configured:

Make sure you start the usbguard virtual machine on workstation. After it has started, open the usbguard virtual machine console and log in as student using student as the password.
```
[student@workstation ~]$ virsh start usbguard
[student@workstation ~]$ virsh console usbguard
```
You might need to install packages on usbguard.

Set a permanent USBGuard policy to allow the MRKTG USB device access to the system. Use the provided /home/student/RH415/labs/usbguard-cr/usb-disk-mrktg.xml file to attach a new MRKTG USB device to the usbguard VM.

[student@workstation ~]$ sudo virsh attach-device usbguard \
> /home/student/RH415/labs/usbguard-cr/usb-disk-mrktg.xml

[student@workstation ~]$ sudo virsh detach-device usbguard \
> /home/student/RH415/labs/usbguard-cr/usb-disk-mrktg.xml

Set a permanent USBGuard base policy with a reject rule target to ignore any additional USB devices that try to interact with the system. Use the provided /home/student/RH415/labs/usbguard-cr/usb-disk-green.xml file to attach a new GREEN USB device to the usbguard VM. You should be able to use this to confirm that GREEN is blocked from interacting with the usbguard virtual machine.
```
[student@workstation ~]$ sudo virsh attach-device usbguard \
> /home/student/RH415/labs/usbguard-cr/usb-disk-green.xml
```
```
[student@workstation ~]$ sudo virsh detach-device usbguard \
> /home/student/RH415/labs/usbguard-cr/usb-disk-green.xml
```
The USBGuard service should be operating and the policy should remain in force after a reboot.

In addition, on servere, configure the devops Linux user using SELinux so that devops cannot use the su command but can use sudo and to log in using ssh.

The following criteria should be met:

On servere, make sure that SELinux is set to enforcing mode.
On servere, confine the users to prevent them from using the sudo and su commands. Prevent them from running programs in their home directory. These restrictions do not apply to the root user.
On servere, create a new administrative devops user with redhat as password. Map that user to a confined SELinux user to restrict su access, but make sure that the user can use the sudo command, and is able to log in through ssh.

On workstation, configure the usbguard VM to allow only the MRKTG USB device access to the system. It should reject any additional USB devices from interacting with the system. Make sure that the USBGuard service is configured and persists across reboots. For testing purposes, use the provided GREEN USB device.
On workstation, start the usbguard virtual machine (VM). Open the usbguard VM console and log in as student using student as the password.
1. On workstation, use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@workstation ~]$ sudo -i
[sudo] password for student: student
[root@workstation ~]# 
```
2. Use the virsh start command with the usbguard VM name to start it.
```
[root@workstation ~]# virsh start usbguard
Domain usbguard started
```
  Allow the usbguard VM about two minutes to complete the startup process.
3. Use the virsh console command with the VM name to access its console interface. If the console delays in displaying the login prompt, press the Enter key to proceed to the prompt.
```
[root@workstation ~]# virsh console usbguard
Connected to domain usbguard
Escape character is ^]
<Enter>

Red Hat Enterprise Linux Server 7.5 (Maipo)
Kernel 3.10.0-862.3.2.el7.x86_64 on an x86_64

localhost login: student
Password: student
[student@localhost ~]$ 
```
On the usbguard VM, install the RPM packages used to configure, control, and manage USB device access.
1. Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@localhost ~]$ sudo -i
[sudo] password for student: student
[root@localhost ~]# 
```
2. Use yum to install usbguard, usbutils, and udisks2 packages.
```
[root@localhost ~]# yum install usbguard usbutils udisks2
...output omitted...
Is this ok [y/d/N]: y
...output omitted...

Complete!
```

Start the USBGuard service and configure it to persist across reboots. Run the usbguard list-devices command to list the default devices.

Configure the usbguard service to persist across reboots.

[root@localhost ~]# systemctl enable usbguard --now
Created symlink from /etc/systemd/system/basic.target.wants/usbguard.service to /usr/lib/systemd/system/usbguard.service.

Use the usbguard list-devices command to list all USB devices recognized by USBGuard.

[root@localhost ~]# usbguard list-devices
1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "qiR4Ubbd7AIXLCz201hJYzaO9KIrOvqqRgqs2vM2NOY=" via-port "usb1" with-interface 09:00:00
2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "VC8ZB6FZ51WMN42QA3CqGvK9+eLDu4jpdgzSwLFn+fs=" via-port "usb2" with-interface 09:00:00
3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "0JRYS5mysCKe92s8So5WC7cbttP3haCBtScjU64BJs0=" via-port "usb3" with-interface 09:00:00
4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "prVi21GR+cpMC0ykIE8H9TC9QoaAkFrbmw2PLcWNGkw=" via-port "usb4" with-interface 09:00:00

From workstation, open a second terminal session and attach the MRKTG USB device (usb-disk-mrktg.img) to the usbguard VM and record its device ID number:

[student@workstation ~]$ sudo virsh attach-device usbguard \
> /home/student/RH415/labs/usbguard-cr/usb-disk-mrktg.xml
[sudo] password for student: student
Device attached successfully

On the virsh console terminal, connected to the usbguard VM, you will see kernel messages indicating that the MRKTG USB device is not authorized for use. Press Enter to return to the command prompt.

[13865.418288] usb 1-1: new high-speed USB device number 4 using ehci-pci
[13865.544834] usb 1-1: New USB device found, idVendor=46f4, idProduct=0001
[13865.548156] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[13865.552218] usb 1-1: Product: QEMU USB HARDDRIVE
[13865.554899] usb 1-1: Manufacturer: QEMU
[13865.557623] usb 1-1: SerialNumber: MRKTG
[13865.560922] usb 1-1: Device is not authorized for usage
Enter

[root@localhost ~]#

From the usbguard VM, list the blocked USB devices and record the device number for the MRKTG USB device.

The device number (5 on this system) may be different on your system.

[root@localhost ~]# usbguard list-devices --blocked
5: block id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50

On the usbguard VM, use the usbguard allow-device -p 5 command to add a permanent allow rule target for the MRKTG USB device.

[root@localhost ~]# usbguard allow-device -p 5
[40641.494327] usb 1-1: authorized to connect
...output omitted...
Enter

[root@localhost ~]#

Restart the usbguard services to ensure the USBGuard daemon loads the /etc/usbguard/rules.conf file.

[root@localhost ~]# systemctl restart usbguard

Run the usbguard list-rules command to list persistent rules and ensure that the MRKTG USB device is listed. Rule numbers may vary.

[root@localhost ~]# usbguard list-rules
6: allow id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" with-interface 08:06:50

List the devices to ensure that the MRKTG USB device has a target policy of allow.

[root@localhost ~]# usbguard list-devices
1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "qiR4Ubbd7AIXLCz201hJYzaO9KIrOvqqRgqs2vM2NOY=" via-port "usb1" with-interface 09:00:00
2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "VC8ZB6FZ51WMN42QA3CqGvK9+eLDu4jpdgzSwLFn+fs=" via-port "usb2" with-interface 09:00:00
3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "0JRYS5mysCKe92s8So5WC7cbttP3haCBtScjU64BJs0=" via-port "usb3" with-interface 09:00:00
4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "prVi21GR+cpMC0ykIE8H9TC9QoaAkFrbmw2PLcWNGkw=" via-port "usb4" with-interface 09:00:00
5: allow id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50

From workstation, open a second terminal session and attach the GREEN USB device to the usbguard VM. Use the provided /home/student/RH415/labs/usbguard-cr/usb-disk-green.xml file to attach a new GREEN USB device to the usbguard VM. Leave only the MRKTG USB device attached and create a permanent block rule target for the GREEN USB device, and detach the GREEN USB device.

Attach the GREEN USB device (usb-disk-green.img) to the usbguard VM.

[student@workstation ~]$ sudo virsh attach-device usbguard \
> /home/student/RH415/labs/usbguard-cr/usb-disk-green.xml
Device attached successfully

On the virsh console terminal, connected to the usbguard VM, you will see kernel messages indicating that the GREEN USB device is not authorized for use. Press Enter to return to the command prompt.

[16334.781286] usb 1-2: new high-speed USB device number 5 using ehci-pci
[16334.908460] usb 1-2: New USB device found, idVendor=46f4, idProduct=0001
[16334.912567] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[16334.917532] usb 1-2: Product: QEMU USB HARDDRIVE
[16334.921468] usb 1-2: Manufacturer: QEMU
[16334.923748] usb 1-2: SerialNumber: GREEN
[16334.927286] usb 1-2: Device is not authorized for usage
Enter

[root@localhost ~]#

From the usbguard VM, list the USB devices to confirm that the MRKTG USB device has a rule target of allow and the GREEN USB device has a rule target of block.

The device numbers (5 and 7 on this system) may be different on your system.

[root@localhost ~]# usbguard list-devices
1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "qiR4Ubbd7AIXLCz201hJYzaO9KIrOvqqRgqs2vM2NOY=" via-port "usb1" with-interface 09:00:00
2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "VC8ZB6FZ51WMN42QA3CqGvK9+eLDu4jpdgzSwLFn+fs=" via-port "usb2" with-interface 09:00:00
3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "0JRYS5mysCKe92s8So5WC7cbttP3haCBtScjU64BJs0=" via-port "usb3" with-interface 09:00:00
4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "prVi21GR+cpMC0ykIE8H9TC9QoaAkFrbmw2PLcWNGkw=" via-port "usb4" with-interface 09:00:00
5: allow id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50
7: block id 46f4:0001 serial "GREEN" name "QEMU USB HARDDRIVE" hash "GT0vx1ANtDVdOaekgV1a9GmXHc2Mwrx4o3w6gXae5Lo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-2" with-interface 08:06:50

On workstation, use the second terminal session to detach the GREEN USB device from the usbguard VM:

[student@workstation ~]$ sudo virsh detach-device usbguard \
> /home/student/RH415/labs/usbguard-cr/usb-disk-green.xml
Device detached successfully

Generate a new base policy with a reject rule target that will ignore any additional USB devices that try to interact with the system. Use the provided /home/student/RH415/labs/usbguard-cr/usb-disk-green.xml file to confirm that the GREEN USB device is blocked from interacting with the usbguard VM.

Generate a new base policy with a reject rule target. Restart the usbguard service.

[root@localhost ~]# usbguard generate-policy -X \
> -t reject > /etc/usbguard/rules.conf
[root@localhost ~]# systemctl restart usbguard.service

Run the usbguard list-rules command to confirm an allow rule target for the MRKTG USB device followed by a catchall reject rule target that will apply to any additional USB devices.

[root@localhost ~]# usbguard list-rules
1: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" with-interface 09:00:00
2: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" with-interface 09:00:00
3: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" with-interface 09:00:00
4: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" with-interface 09:00:00
5: allow id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" with-interface 08:06:50
6: reject

From workstation, attach the GREEN USB device (usb-disk-green.img) to the usbguard VM.
```
[student@workstation ~]$ sudo virsh attach-device usbguard \
> /home/student/RH415/labs/usbguard-cr/usb-disk-green.xml
Device attached successfully
```
Although the command output indicates that the GREEN USB device was successfully attached, further investigation on the usbguard VM will confirm that the attempt to attach a USB device was not authorized. A blocked USB device shows up in command-line tool listings but will not be allowed to mount. A rejected USB device is ignored by the system and therefore does not display in command-line tool listings.

The journal records the kernel action as well as the USBGuard action.

[root@localhost ~]# journalctl -b -e
...output omitted...
Jul 17 23:42:10 localhost usbguard-daemon[1401]: uid=0 pid=1399 result='SUCCESS'
Jul 17 23:44:34 localhost kernel: usb 1-2: new high-speed USB device number 5 us
Jul 17 23:44:34 localhost kernel: usb 1-2: New USB device found, idVendor=46f4,
Jul 17 23:44:34 localhost kernel: usb 1-2: New USB device strings: Mfr=1, Produc
Jul 17 23:44:34 localhost kernel: usb 1-2: Product: QEMU USB HARDDRIVE
Jul 17 23:44:34 localhost kernel: usb 1-2: Manufacturer: QEMU
Jul 17 23:44:34 localhost kernel: usb 1-2: SerialNumber: GREEN
Jul 17 23:44:34 localhost kernel: usb 1-2: Device is not authorized for usage
Jul 17 23:44:34 localhost usbguard-daemon[1401]: uid=0 pid=1399 result='SUCCESS'
Jul 17 23:44:34 localhost usbguard-daemon[1401]: uid=0 pid=1399 result='SUCCESS'
Jul 17 23:44:34 localhost kernel: usb 1-2: USB disconnect, device number 5
Jul 17 23:44:34 localhost usbguard-daemon[1401]: uid=0 pid=1399 result='SUCCESS'
...output omitted...

Run the usbguard list-devices command to confirm that the MRKTG USB device is listed but the GREEN USB device is ignored and therefore not listed.

[root@localhost ~]# usbguard list-devices
7: allow id 1d6b:0002 serial "0000:00:04.7" name "EHCI Host Controller" hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" parent-hash "qiR4Ubbd7AIXLCz201hJYzaO9KIrOvqqRgqs2vM2NOY=" via-port "usb1" with-interface 09:00:00
8: allow id 1d6b:0001 serial "0000:00:04.0" name "UHCI Host Controller" hash "sKXn6PthDDlGgdxZHdnlUQ9DROkH/YSojkBlfpcnsaU=" parent-hash "VC8ZB6FZ51WMN42QA3CqGvK9+eLDu4jpdgzSwLFn+fs=" via-port "usb2" with-interface 09:00:00
9: allow id 1d6b:0001 serial "0000:00:04.1" name "UHCI Host Controller" hash "6t6CPSS/v2EqQwsw6CMq8DVfOhgUGO2f+bEBX7R2yz0=" parent-hash "0JRYS5mysCKe92s8So5WC7cbttP3haCBtScjU64BJs0=" via-port "usb3" with-interface 09:00:00
10: allow id 1d6b:0001 serial "0000:00:04.2" name "UHCI Host Controller" hash "BSaNQWADaBI31jUqbck0N56uRuh3uVT1Vk4rdoD0ghs=" parent-hash "prVi21GR+cpMC0ykIE8H9TC9QoaAkFrbmw2PLcWNGkw=" via-port "usb4" with-interface 09:00:00
11: allow id 46f4:0001 serial "MRKTG" name "QEMU USB HARDDRIVE" hash "AKmuakTNktSfF54t2IHFRMaukoUw47v3lu/9ZebOsNo=" parent-hash "CsKOZ6IY8v3eojsc1fqKDW84V+MMhD6HsjjojcZBjSg=" via-port "1-1" with-interface 08:06:50

Log off from the usbguard VM terminal session:

[root@localhost ~]# logout
[student@localhost ~]$ logout

Exit the virtual machine's serial console:

Red Hat Enterprise Linux Server 7.5 (Maipo)
Kernel 3.10.0-862.3.2.el7.x86_64 on an x86_64

localhost login: 
Ctrl+]
[root@workstation ~]# exit
[student@workstation ~]$

On servere, make sure that SELinux is set to enforcing mode.
1. Log in to servere as student. No password is required.
```
[student@workstation ~]$ ssh student@servere
[student@servere ~]$ 
```
2. Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@servere ~]$ sudo -i
[sudo] password for student: student
[root@servere ~]# 
```
3. Get the current SELinux mode.
```
[root@servere ~]# getenforce
Permissive
```
4. Edit the /etc/selinux/config file and set the SELINUX variable to enforcing.
```
[root@servere ~]# vim /etc/selinux/config
...output omitted...
SELINUX=enforcing
...output omitted...
```
5. Use the setenforce command to change the current mode to enforcing. Verify your work with the getenforce command.
```
[root@servere ~]# setenforce 1
[root@servere ~]# getenforce
Enforcing
```
  Because the previous mode was permissive, you do not need to reboot servere for the change to take effect.
On servere, confine the users to prevent them from using the sudo and su commands. Prevent them from running programs in their home directory. These restrictions do not apply to the root user.
1. Change the default mapping between the Linux and the SELinux users. Map the Linux users to the user_u SELinux user.
```
[root@servere ~]# semanage login -m -s user_u -r s0 __default__
[root@servere ~]# 
```
2. To prevent users from running programs in their home directory, set the SELinux user_exec_content Boolean to off.
```
[root@servere ~]# setsebool -P user_exec_content off
[root@servere ~]# 
```
3. Log off from servere and log in again as student.
```
[root@servere ~]# logout
[student@servere ~]$ logout
[student@workstation ~]$ ssh student@servere
[student@servere ~]$ 
```
4. Confirm that you cannot use the sudo -i command anymore.
```
[student@servere ~]$ sudo -i
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
[student@servere ~]$ 
```
On servere, create a new administrative devops user with redhat as password. Map that user to a confined SELinux user to restrict su access, but make sure that the user can use the sudo command, and is able to login through ssh.
1. Log off from servere and log in as root.
```
[student@servere ~]$ logout
[student@workstation ~]$ ssh root@servere
[root@servere ~]# 
```
2. Create the devops account according to the requirements, and map it to the sysadm_u SELinux user.
```
[root@servere ~]# useradd -G wheel -Z sysadm_u devops
[root@servere ~]# echo redhat | passwd --stdin devops
Changing password for user devops.
passwd: all authentication tokens updated successfully.
```
3. Set the SELinux ssh_sysadm_login Boolean to on for sysadm_u SELinux users to be able to log in using SSH.
```
[root@servere ~]# setsebool -P ssh_sysadm_login on
[root@servere ~]# 
```
4. Log off from servere and log in as devops.
```
[root@servere ~]# logout
[student@workstation ~]$ ssh devops@servere
[devops@servere ~]$ 
```
5. Confirm that you can use the sudo -i command to become root. Use redhat for the password. When done, log off from servere.
```
[devops@servere ~]$ sudo -i
[sudo] password for devops: redhat
[root@servere ~]# logout
[devops@servere ~]$ logout
[student@workstation ~]$ 
```

Evaluation

As the student user on workstation, run the lab usbguard-cr script with the grade argument to confirm success on this exercise. Correct any reported failures and rerun the script until successful.

[student@workstation ~]$ lab usbguard-cr grade

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c