Guided Exercise: Configuring Ansible for Security Automation

Install Ansible on a control node, set up an inventory file, and run a single task to ensure that multiple systems are in the same state.

Outcomes

  • Install ansible-navigator.

  • Create a basic configuration file.

  • Create an inventory file.

  • Confirm managed host configuration on multiple hosts.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start ansible-configure

Instructions

  1. On the workstation machine, install the ansible-navigator RPM package that provides automation content navigator, to use that machine as your control node.

    [student@workstation ~]$ sudo dnf install ansible-navigator
    [sudo] password for student: student
    ...output omitted...
    Is this ok [y/N]: y
    ...output omitted...
    Complete!
  2. Ensure that the execution environment container image used by the ansible-navigator tool is downloaded.

    Note

    You do not need to download the ee-supported-rhel9 execution environment, because it is preloaded in your classroom.

    [student@workstation ~]$ ansible-navigator images
      Image                 Tag     Execution environment   Created         Size
    0│ee-supported-rhel9    latest  True                    10 days ago     1.63 GB
    
    
    ^b/PgUp page up   ^f/PgDn page down   ↑↓ scroll   esc back   [0-9] goto   :help

    Press Esc to exit the image list.

  3. Create the /home/student/security-ansible directory.

    [student@workstation ~]$ mkdir ~student/security-ansible
  4. Navigate to the /home/student/security-ansible directory.

    [student@workstation ~]$ cd ~student/security-ansible
    [student@workstation security-ansible]$
  5. In the /home/student/security-ansible directory, create an Ansible configuration file named ansible.cfg. Use the following content and values.

    [student@workstation security-ansible]$ cat ansible.cfg
    [defaults]
    inventory       = ./inventory
    remote_user     = ansible-testuser
    
    [privilege_escalation]
    become          = true
    become_method   = sudo
    become_user     = root
    become_ask_pass = false
  6. In the /home/student/security-ansible directory, create the inventory file named inventory. Use the following content.

    [student@workstation security-ansible]$ cat inventory
    [Boston]
    servera
    serverb
    
    [Raleigh]
    workstation
    
    [cities:children]
    Boston
    Raleigh
  7. List all the managed hosts that are present in the inventory.

    [student@workstation security-ansible]$ ansible-navigator inventory \
        -m stdout --graph
    @all:
      |--@ungrouped:
      |--@cities:
      |  |--@Boston:
      |  |  |--servera
      |  |  |--serverb
      |  |--@Raleigh:
      |  |  |--workstation
  8. In the /home/student/security-ansible directory, create an Ansible Playbook file named sshd_config.yml. Use the following content and values.

    [student@workstation security-ansible]$ cat sshd_config.yml
    ---
    - name: Play to disable SSH password-based authentication
      hosts: Boston
      tasks:
        - name: Task to disable SSH password-based authentication
          ansible.builtin.lineinfile:
            path: /etc/ssh/sshd_config
            regexp: 'PasswordAuthentication yes'
            backrefs: yes
            line: 'PasswordAuthentication no'
        - name: Restart sshd
          ansible.builtin.service:
            name: sshd
            state: restarted
    ...
  9. Before running your playbook, validate the sshd_config.yml playbook syntax. Correct any reported errors before continuing.

    [student@workstation security-ansible]$ ansible-navigator run \
        -m stdout sshd_config.yml --syntax-check
    playbook: /home/student/security-ansible/sshd_config.yml
  10. Run the sshd_config.yml playbook. Read through the generated output to ensure that all tasks completed successfully.

    [student@workstation security-ansible]$ ansible-navigator run \
        -m stdout sshd_config.yml
    PLAY [Play to disable SSH password-based authentication] ***********************
    
    TASK [Gathering Facts] *********************************************************
    ok: [serverb]
    ok: [servera]
    
    TASK [Task to disable SSH password-based authentication] ***********************
    changed: [serverb]
    changed: [servera]
    
    TASK [Restart sshd] ************************************************************
    changed: [serverb]
    changed: [servera]
    
    PLAY RECAP *********************************************************************
    servera   : ok=2    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    serverb   : ok=2    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
  11. Verify that you cannot log in to the servera or serverb machines from the serverc machine by using password authentication.

    1. Log in to the serverc machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@serverc
      [student@serverc ~]$
    2. Verify that you cannot log in to the servera or serverb machines by using password authentication.

      [student@serverc ~]$ ssh student@servera
      student@servera: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
      [student@serverc ~]$ ssh student@serverb
      student@serverb: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
      [student@serverc ~]$
    3. Return to the workstation machine when done.

      [student@serverc ~]$ logout
      [student@workstation ~]$
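The lineinfile task in step 8 and the check in step 11 depend on two details the steps do not spell out: the task's unanchored regexp also matches the commented default line (#PasswordAuthentication yes) and, with backrefs: yes, replaces only the last matching line and appends nothing when there is no match; sshd, for its part, uses the first value it reads for a keyword. The script below is an added example, not part of the course material: it models the task on constructed sshd_config samples and computes the value sshd would actually use. The sample texts and the function names are assumptions.

```python
import re

# Constructed sample configs (not copied from any real host): one with an
# active directive, one where only the commented default exists, as on a
# stock install.
CONFIG_ACTIVE = """\
#PasswordAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""
CONFIG_COMMENTED_ONLY = """\
#PasswordAuthentication yes
PermitRootLogin no
"""

# Task parameters as given in the sshd_config.yml playbook above.
TASK_REGEXP = re.compile(r"PasswordAuthentication yes")
TASK_LINE = "PasswordAuthentication no"


def effective_value(config_text, keyword):
    """Global value sshd would use for `keyword`.

    sshd_config(5): lines starting with '#' are comments and, for each
    keyword, the first obtained value wins. A Match block ends the global
    section, so the scan stops there (Match-scoped values are out of scope).
    Returns None when the keyword is unset and sshd's built-in default applies.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key.lower() == "match":
            break
        if key.lower() == keyword.lower():
            return value
    return None


def apply_lineinfile(config_text, regexp, line):
    """Model of the playbook's lineinfile task with backrefs: yes.

    The unanchored regexp is searched in every line; only the LAST match is
    replaced by `line`, and with backrefs nothing is appended on no match,
    so a file without a matching line is left untouched.
    """
    lines = config_text.splitlines()
    hits = [i for i, text in enumerate(lines) if regexp.search(text)]
    if hits:
        lines[hits[-1]] = line
    return "\n".join(lines) + "\n"
```

Run effective_value() on a host's /etc/ssh/sshd_config after the play to confirm the directive sshd will honour, rather than relying on the "changed" status alone.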

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish ansible-configure

Revision: rh415-9.2-a821299