RH415 - ch12s05

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

SectionSection 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

In this review, you will configure password quality requirements, configure system event recording, monitor file system changes, and manage compliance with OpenSCAP.

Outcomes

You should be able to:

Configure password quality requirements with PAM.
Record system events with Audit and enable keystroke logging in terminal sessions.
Detect changes made to files in the /etc directory.
Create a custom OpenSCAP tailoring file and use it to analyze a system and to generate an Ansible Playbook for remediation of noncompliance issues.

The setup script for this comprehensive review activity may remove changes you made to SELinux on servere for the preceding comprehensive review activity. Set up your computers for this exercise by logging in to workstation as student, and run the following command:

[student@workstation ~]$ lab monitoring-cr setup

Instructions

The files that you need to complete this activity are on workstation in the /home/student/RH415/labs/monitoring-cr directory.

On serverc, configure password complexity requirements. The system should require that new passwords have at least one uppercase character, at least one lowercase character, at least one numeric character, and be at least eight characters in length. Use the testuser1 user to test the new rules. The current testuser1 user password is redhat. You should configure the new rules and set the testuser1 password to Rt3stiop.
On serverb, configure the Audit service. Enable the rules for the STIG auditing requirements that are included with the audit package. Configure and enable keystroke auditing of terminal sessions for the student user on that server.
On workstation, customize the SCAP Security Guide Common Profile for General-Purpose Systems. Set the new profile identifier to xccdf_com.example_profile_cr-rhel7, disable all the rules, and only enable the Install AIDE and Build and Test AIDE Database rules. Save the customization in a new tailoring file in the /home/student/ directory, named cr-tailoring.xml.
Use the customized tailoring file to scan servere for compliance. Store the results in XML format on workstation in /home/student/cr-results.xml. Generate an HTML report of the scan results and save it on workstation as /home/student/cr-results.html.
Generate an Ansible Playbook to resolve the compliance issues detected by the OpenSCAP scan performed on servere for the previous item. Store the Ansible Playbook in /home/student/RH415/labs/monitoring-cr/fix.yml. Run it to resolve the compliance issues on servere.
After remediating any issues reported by the OpenSCAP scan on servere, add a new testuser2 user to that system, setting the user's password to redhat. Manually run an AIDE check and determine that it detected changes made to files in /etc when that user was created.

On serverc, configure password complexity requirements. The system should require that new passwords have at least one uppercase character, at least one lowercase character, at least one numeric character, and be at least eight characters in length. Use the testuser1 user to test the new rules. The current testuser1 user password is redhat. You should configure the new rules and set the testuser1 password to Rt3stiop.
1. Log in to serverc as student. No password is required.
```
[student@workstation ~]$ ssh student@serverc
[student@serverc ~]$ 
```
2. Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverc ~]$ sudo -i
[sudo] password for student: student
[root@serverc ~]# 
```
3. Edit the /etc/security/pwquality.conf file. Add the following parameters at the end.
```
[root@serverc ~]# vim /etc/security/pwquality.conf
...output omitted...
minlen = 8
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = 0
```
4. Use the provided passwords to test your configuration on the testuser1 user. The current password for testuser1 is redhat.
```
[root@serverc ~]# su - testuser1
[testuser1@serverc ~]$ passwd
Changing password for user testuser1.
Changing password for testuser1.
(current) UNIX password: redhat
New password: Rt3stiop
Retype new password: Rt3stiop
passwd: all authentication tokens updated successfully.
[testuser1@serverc ~]$ logout
[root@serverc ~]# logout
[student@serverc ~]# logout
Connection to serverc closed.
[student@workstation ~]# 
```

On serverb, configure the Audit service and enable the prepackaged STIG Audit rules. Configure and enable terminal keystroke logging for the student user on that server.

[student@workstation ~]$ ssh student@serverb
[student@serverb ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@serverb ~]$ sudo -i
[sudo] password for student: student
[root@serverb ~]# 
```
Copy the /usr/share/doc/audit-2.8.1/rules/30-stig.rules file with the STIG Audit rules into the /etc/audit/rules.d/ directory.
```
[root@serverb ~]# cp /usr/share/doc/audit-2.8.1/rules/30-stig.rules \
> /etc/audit/rules.d/
```
Load the STIG Audit rules with the augenrules --load command.
```
[root@serverb ~]# augenrules --load
...output omitted...
```

Edit the /etc/pam.d/system-auth and the /etc/pam.d/password-auth files to enable logging terminal keystrokes of the student user, with the pam_tty_audit PAM module.

[root@serverb ~]# vi /etc/pam.d/system-auth
...output omitted...
session    required     pam_tty_audit.so disable=* enable=student
[root@serverb ~]# vi /etc/pam.d/password-auth
...output omitted...
session    required     pam_tty_audit.so disable=* enable=student

Log in to serverb as student, and run the ls /tmp command to test that terminal keystroke logging is working. When done, log in to serverb as root.

[root@serverb ~]# logout
[student@serverb ~]$ logout
[student@workstation ~]$ ssh student@serverb
[student@serverb ~]$ ls /tmp
...output omitted...
[student@servera ~]$ logout
[student@workstation ~]$ ssh root@serverb

Verify the Audit logs for the previous commands with the aureport --tty command. When done, log off from serverb.

[root@serverb ~]# aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
...output omitted...
2. 26/07/18 06:36:58 3750 1000 ? 22 bash "ls /tmp",<ret>,"logout",<ret>
[root@serverb ~]# logout
[student@workstation ~]$

Customize the SCAP Security Guide Common Profile for General-Purpose Systems SCAP profile. Set the new profile identifier to xccdf_com.example_profile_cr-rhel7, disable all the rules, and enable the Install AIDE and Build and Test AIDE Database rules. Save the customization in a new tailoring file in the /home/student/ directory as cr-tailoring.xml.
Use the tailoring file to scan servere for compliance, store the results on workstation in the /home/student/scan-results.xml file. Generate an HTML report of the scan and save it on workstation as scan-results.html.
1. On workstation, use scap-workbench command to start SCAP Workbench.
```
[student@workstation ~]$ scap-workbench
```
  SCAP Workbench detects that the SCAP Security Guide is already installed on the system and asks you to select the content to use.
  In the Select content to load field, select RHEL7 and click Load Content.
2. Locate the Profile field and select Common Profile for General-Purpose Systems.
  Click Customize at the right of that field.
3. In the New Profile ID field, enter xccdf_com.example_profile_cr-rhel7 and click OK.
  The new window displays all the available rules.
4. Click Deselect All and check the following rules in the System and Software Integrity section:
  - Install AIDE
  - Build and Test AIDE Database
  Click OK.
5. Save the customization in a tailoring file. Select File → Save Customization Only and enter cr-tailoring.xml for the file name in the /home/student directory.
  When done, close SCAP Workbench.

Use the customized tailoring file to scan servere for compliance. Store the results on workstation as /home/student/cr-results.xml. Generate an HTML report of the scan and save it on workstation as /home/student/cr-results.html.

Copy the cr-tailoring.xml tailoring file on workstation to servere. You need this file to scan the system.

[student@workstation ~]$ scp cr-tailoring.xml student@servere:
cr-tailoring.xml                             100% 7317   606.7KB/s   00:00

[student@workstation ~]$ ssh student@servere
[student@servere ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@servere ~]$ sudo -i
[sudo] password for student: student
[root@servere ~]# 
```

Install the openscap-scanner and the scap-security-guide packages.

[root@servere ~]# yum install openscap-scanner scap-security-guide
...output omitted...
Is this ok [y/d/N]: y
...output omitted...
Complete!

Scan the system for compliance with your customization. Save the result in the /root/cr-results.xml file.

[root@servere ~]# oscap xccdf eval \
> --profile xccdf_com.example_profile_cr-rhel7 \
> --tailoring-file /home/student/cr-tailoring.xml \
> --results /root/cr-results.xml \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://learn.spidernet.pl/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-27096-7
Result  fail

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Ident   CCE-27220-3
Result  fail

When the scan is complete, convert the /root/cr-results.xml file to HTML. Save the HTML report as /root/cr-results.html.
```
[root@servere ~]# oscap xccdf generate report \
> cr-results.xml > cr-results.html
[root@serverd ~]# 
```

Use scp to copy cr-results.xml and cr-results.html to the student account on workstation. Use student as the password.

[root@servere ~]# scp cr-results.* student@workstation:
The authenticity of host 'workstation (172.25.250.254)' can't be established.
ECDSA key fingerprint is SHA256:GCpIQxItJSWgZDzlmpnZINbwsjf9axrs+o6170OyOuk.
ECDSA key fingerprint is MD5:2b:98:e1:85:8b:c7:ea:31:72:08:4d:39:15:ec:5d:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'workstation,172.25.250.254' (ECDSA) to the list of known hosts.
student@workstation's password: student
cr-results.html                               100%  266KB   6.9MB/s   00:00
cr-results.xml                                100% 4304KB  10.5MB/s   00:00

Log off from servere.

[root@servere ~]# logout
[student@servere ~]$ logout
[student@workstation ~]$

Generate an Ansible Playbook to resolve the compliance issues detected in the previous step. Store the Ansible Playbook in /home/student/RH415/labs/monitoring-cr/fix.yml and run it to resolve the compliance issues on servere.

Use the oscap xccdf generate fix command to generate the Ansible Playbook. Save the playbook as /home/student/RH415/labs/monitoring-cr/fix.yml.

[student@workstation ~]$ oscap xccdf generate fix \
> --profile xccdf_com.example_profile_cr-rhel7 \
> --tailoring-file cr-tailoring.xml \
> --fix-type ansible \
> --result-id "" \
> cr-results.xml > /home/student/RH415/labs/monitoring-cr/fix.yml
[student@workstation ~]$

From the /home/student/RH415/labs/monitoring-cr/ directory, use the ansible-playbook command to run the playbook. The AIDE database build takes several minutes to complete.

[student@workstation ~]$ cd /home/student/RH415/labs/monitoring-cr/
[student@workstation monitoring-cr]$ ansible-playbook fix.yml
...output omitted...
PLAY RECAP *******************************************************
servere.lab.example.com : ok=5  changed=3  unreachable=0  failed=0

After remediating any issues reported by the OpenSCAP scan on servere, add a new testuser2 user to that system, setting the user's password to redhat. Manually run an AIDE check and determine that it detected changes made to files in /etc when that user was created.

[student@workstation ~]$ ssh student@servere
[student@servere ~]$

Use the sudo -i command to switch identity to the root user. Use student as the password.
```
[student@servere ~]$ sudo -i
[sudo] password for student: student
[root@servere ~]# 
```
Create the new testuser2 user.
```
[root@servere ~]# adduser testuser2
```

Set the testuser2 user to redhat.

[root@servere ~]# passwd testuser2
Changing password for user testuser2.
New password: redhat
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: redhat
passwd: all authentication tokens updated successfully.

Use AIDE to verify that all the file system changes have been caught.

[root@servere ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-08-13 06:31:52

Summary:
  Total number of files:	62251
  Added files:			0
  Removed files:		0
  Changed files:		4


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/group
changed: /etc/gshadow
changed: /etc/passwd
changed: /etc/shadow

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/group
 SHA256   : x1GqZsE8tYrCXvSz/91ravqtb/bFQysd , FvuvfA6ulkKm+xbql1jnzGq97g6gJk8L

File: /etc/gshadow
 SHA256   : L0ZeJqjyEhUyve8DzjksxcSmAAoi+RXS , GrssrYLnxupLF5mMq0V95QGxOf/ATH2f

File: /etc/passwd
 SHA256   : A0+V4jt/T3u6gReQLSBV1vy7lZb4QD/8 , HlMqpp7nNK4H3qmW7otM+juAHK5u4ekp

File: /etc/shadow
 SHA256   : 6s0+dW5l6HXrPu/VxOu4WAUyIAK5rvyC , +6K7zAlhkMpTXKd3m3JTClJB8tzlN/2J

Evaluation

As the student user on workstation, run the lab monitoring-cr script with the grade argument to confirm success on this exercise. Correct any reported failures and rerun the script until successful.

[student@workstation ~]$ lab monitoring-cr grade

This concludes the comprehensive review lab.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c