Lab: Managing Compliance with OpenSCAP

Confirm that OpenSCAP tools and SCAP Security Guide content are installed on one of your servers, use SCAP Workbench to create a tailoring file, use OpenSCAP to scan the server with that tailored policy, and use Ansible to remediate a compliance check that failed.

Outcomes

  • Install OpenSCAP tools and the SCAP Security Guide.

  • Create a tailoring file by using SCAP Workbench.

  • Scan the system using the customized policy.

  • Generate and use an Ansible Playbook to remediate failed compliance checks.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start openscap-review

Instructions

  1. On the workstation machine, install the SCAP Workbench and SCAP Security Guide utilities.

    [student@workstation ~]$ sudo dnf install -y scap-workbench scap-security-guide
    [sudo] password for student: student
    ...output omitted...
    Complete!
  2. On the workstation machine, customize the DISA STIG for Red Hat Enterprise Linux 9 profile. Set the new profile identifier to xccdf_com.example_profile_lab-rhel9, disable all the rules, and then enable only the following rules:

    • Install AIDE

    • Build and Test AIDE Database

    • Configure AIDE to Verify the Audit Tools

    • Configure Periodic Execution of AIDE

    Store the resulting tailoring file on the workstation machine in the /home/student/lab-tailoring.xml file.

    1. On the workstation machine, start SCAP Workbench by running the scap-workbench command.

      [student@workstation ~]$ scap-workbench

      SCAP Workbench detects that the SCAP Security Guide is already installed on the system and asks you to select the content to use.

      In the Select content to load field, select RHEL9 and click Load Content.

    2. Locate the Profile field and select the DISA STIG for Red Hat Enterprise Linux 9 profile.

      Click Customize to the right of that field.

    3. In the New Profile ID field, enter xccdf_com.example_profile_lab-rhel9 and click OK.

      The new window displays all the available rules.

    4. Click Deselect All and select the following rules in the System and Software Integrity section:

      • Install AIDE

      • Build and Test AIDE Database

      • Configure AIDE to Verify the Audit Tools

      • Configure Periodic Execution of AIDE

      Click OK.

    5. Save the customization in a tailoring file. Select File > Save Customization Only and enter lab-tailoring.xml for the file name in the /home/student/ directory.

      Close SCAP Workbench.

  3. Scan the serverd machine for compliance with your customization of the DISA STIG for Red Hat Enterprise Linux 9 profile. Save the result on the workstation machine in the /home/student/lab-results.xml file. Generate the HTML report of the scan and store it in the /home/student/lab-results.html file on the workstation machine.

    1. Copy the lab-tailoring.xml tailoring file to the serverd machine. You need this file to scan the system.

      [student@workstation ~]$ scp lab-tailoring.xml student@serverd:
      ...output omitted...
    2. Log in to the serverd machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@serverd
      [student@serverd ~]$
    3. Change to the root user. Use student as the password.

      [student@serverd ~]$ sudo -i
      [sudo] password for student: student
      [root@serverd ~]#
    4. Install the scap-security-guide package.

      [root@serverd ~]# dnf install -y scap-security-guide
      ...output omitted...
      Complete!
    5. Scan the system for compliance with your customization. Save the result in the /root/lab-results.xml file.

      [root@serverd ~]# oscap xccdf eval \
          --profile xccdf_com.example_profile_lab-rhel9 \
          --tailoring-file /home/student/lab-tailoring.xml \
          --results /root/lab-results.xml \
          /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
      ...output omitted...
    6. When the scan is complete, convert the /root/lab-results.xml file to HTML. Save the HTML report as /root/lab-results.html.

      [root@serverd ~]# oscap xccdf generate report \
          lab-results.xml > lab-results.html
      [root@serverd ~]#
    7. Use the scp command to copy the two files to the workstation machine. Use student as the password.

      [root@serverd ~]# scp lab-results.* student@workstation:
      student@workstation's password: student
      ...output omitted...
    8. Return to the workstation machine.

      [root@serverd ~]# logout
      [student@serverd ~]$ logout
      [student@workstation ~]$
  4. On the workstation machine, generate an Ansible Playbook to resolve the compliance issues that were detected in the previous step. Create an inventory file that contains the serverd host. Save the Ansible Playbook as /home/student/fix.yml and run it to resolve the compliance issues on the serverd host.

    1. Use the oscap xccdf generate fix command to generate the Ansible Playbook. Save the playbook as /home/student/fix.yml.

      [student@workstation ~]$ oscap xccdf generate fix \
          --profile xccdf_com.example_profile_lab-rhel9 \
          --tailoring-file lab-tailoring.xml \
          --fix-type ansible \
          --result-id "" \
          lab-results.xml > fix.yml
      [student@workstation ~]$
    2. Create an inventory file that contains the serverd host.

      [student@workstation ~]$ echo serverd > inventory
    3. Edit the fix.yml file to set the become: true option.

      ...output omitted...
      - hosts: all
        become: true
        vars:
        tasks:
      ...output omitted...
    4. Use the ansible-playbook command to run the playbook. The AIDE database build might take several minutes to complete. Use the -K flag and the student become password.

      [student@workstation ~]$ ansible-playbook -K -i inventory fix.yml
      BECOME password: student
      ...output omitted...
      PLAY RECAP
      ***********************************************************************************
      serverd                    : ok=14   changed=5    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
  5. Scan the serverd machine again for compliance with your customization of the DISA STIG for Red Hat Enterprise Linux 9 profile. Save the result on the workstation machine in the /home/student/lab-results-fix.xml file.

    1. Log in to the serverd machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@serverd
      [student@serverd ~]$
    2. Change to the root user. Use student as the password.

      [student@serverd ~]$ sudo -i
      [sudo] password for student: student
      [root@serverd ~]#
    3. Scan the system for compliance with your customization of the DISA STIG for Red Hat Enterprise Linux 9 profile. Save the result in the /root/lab-results-fix.xml file.

      [root@serverd ~]# oscap xccdf eval \
          --profile xccdf_com.example_profile_lab-rhel9 \
          --tailoring-file /home/student/lab-tailoring.xml \
          --results /root/lab-results-fix.xml \
          /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
      ...output omitted...
      --- Starting Evaluation ---
      
      Title   Install AIDE
      Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
      Ident   CCE-90843-4
      Result  pass
      
      Title   Build and Test AIDE Database
      Rule    xccdf_org.ssgproject.content_rule_aide_build_database
      Ident   CCE-83438-2
      Result  pass
      
      Title   Configure AIDE to Verify the Audit Tools
      Rule    xccdf_org.ssgproject.content_rule_aide_check_audit_tools
      Ident   CCE-87757-1
      Result  pass
      
      Title   Configure Periodic Execution of AIDE
      Rule    xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
      Ident   CCE-83437-4
      Result  pass
    4. Use the scp command to copy the /root/lab-results-fix.xml file to the workstation machine. Use student as the password.

      [root@serverd ~]# scp lab-results-fix.xml student@workstation:
      student@workstation's password: student
      lab-results-fix.xml                                   100%   15MB 219.0MB/s   00:00
    5. Return to the workstation machine as the student user.

      [root@serverd ~]# logout
      [student@serverd ~]$ logout
      [student@workstation ~]$
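
As an added check that is not part of the original lab, the following Python script (not course material) compares the result files from steps 3 and 5 rule by rule, so you can confirm that the playbook fixed every rule in the tailored profile and introduced no regression. The embedded XML is a constructed stand-in for lab-results.xml and lab-results-fix.xml; pass the real paths as arguments to use them instead.

```python
"""Diff two XCCDF result files (before/after remediation) rule by rule."""
import sys
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
RULE = "xccdf_org.ssgproject.content_rule_"


def sample(results):
    """Build a constructed minimal results document shaped like the TestResult
    that `oscap xccdf eval --results` writes (real files also embed the Benchmark)."""
    rows = "".join(f'<rule-result idref="{r}"><result>{v}</result></rule-result>'
                   for r, v in results.items())
    return (f'<Benchmark xmlns="{XCCDF[1:-1]}">'
            f'<TestResult id="xccdf_org.open-scap_testresult_sample">{rows}</TestResult>'
            "</Benchmark>")


# Constructed samples: AIDE package already present, the other three rules failing,
# then all four passing after the playbook ran.
BEFORE_XML = sample({RULE + "package_aide_installed": "pass",
                     RULE + "aide_build_database": "fail",
                     RULE + "aide_check_audit_tools": "fail",
                     RULE + "aide_periodic_cron_checking": "fail"})
AFTER_XML = sample({RULE + "package_aide_installed": "pass",
                    RULE + "aide_build_database": "pass",
                    RULE + "aide_check_audit_tools": "pass",
                    RULE + "aide_periodic_cron_checking": "pass"})


def rule_results(xml_data):
    """Map each rule idref in the TestResult to its result string (pass, fail, ...)."""
    out = {}
    for rr in ET.fromstring(xml_data).iter(XCCDF + "rule-result"):
        res = rr.find(XCCDF + "result")
        if res is not None and res.text:
            out[rr.get("idref")] = res.text.strip()
    return out


def compare(before_xml, after_xml):
    """Return (fixed, still_failing, regressed) as sorted lists of rule ids."""
    before, after = rule_results(before_xml), rule_results(after_xml)
    fixed = sorted(r for r, v in after.items() if v == "pass" and before.get(r) == "fail")
    still_failing = sorted(r for r, v in after.items() if v in ("fail", "error", "unknown"))
    regressed = sorted(r for r, v in after.items() if v == "fail" and before.get(r) == "pass")
    return fixed, still_failing, regressed


if __name__ == "__main__":
    # Usage: python3 compare_scans.py lab-results.xml lab-results-fix.xml
    if len(sys.argv) == 3:
        before_xml, after_xml = (open(p, "rb").read() for p in sys.argv[1:])
    else:
        before_xml, after_xml = BEFORE_XML, AFTER_XML
    fixed, failing, regressed = compare(before_xml, after_xml)
    print(f"fixed={len(fixed)} still_failing={len(failing)} regressed={len(regressed)}")
    for r in failing:
        print("FAIL", r)
```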

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade openscap-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish openscap-review

Revision: rh415-9.2-a821299