RH415 - ch11s07

Create a Red Hat Satellite compliance policy that is customized with a tailoring file.
Initiate an OpenSCAP scan on one or more hosts from Red Hat Satellite by using a compliance policy.
Evaluate the results of a compliance policy's OpenSCAP scans in the Red Hat Satellite web UI.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start compliance-review

Instructions

From the workstation machine, connect to the Satellite web UI at https://satellite.lab.example.com. If prompted, accept the self-signed certificate and log in as the admin user with redhat as the password.
Upload a new tailoring file named ComplianceLab-TailoringFile to customize the default Standard System Security profile for RHEL 9 SCAP content. Upload the tailoring file from /home/student/RH415-tailoring.xml to Satellite.
Select Operations from the Organizations list.
Note
At some resolutions, the Organizations list displays in a sidebar menu. If the Organizations list does not display at the top, then navigate to Organizations → Operations from the sidebar menu.
In the Satellite web UI, navigate to Hosts → Compliance → Tailoring Files. Click Upload New Tailoring file to upload a new tailoring file.
On the Upload new Tailoring File page, enter ComplianceLab-TailoringFile in the Name field. Click Browse to upload the /home/student/RH415-tailoring.xml tailoring file. Click Submit.
Create a compliance policy named ComplianceLab-Policy1 by using the default RHEL 9 SCAP content. Choose the [DRAFT] DISA STIG for Red Hat Enterprise Linux 9 XCCDF profile and the ComplianceLab-TailoringFile tailoring file. The policy should execute weekly on Sunday and should be deployed by using Ansible. Use the following table to specify the other fields for the compliance policy:
Table 11.3. Compliance Policy Parameters
Field Value
Deployment Ansible
Locations Default Location
Organizations Operations
Hostgroups org-hostgroup1
Navigate to Hosts → Compliance → Policies.
Click New Compliance Policy.
Select Ansible as the deployment option, and then click Next.
On the New Compliance Policy page, enter ComplianceLab-Policy1 as the name of the policy. The policy description is optional. Click Next.
On the SCAP Content tab, set the following values:
Select rhel9 content from the SCAP Content list.
For Tailoring File, select ComplianceLab-TailoringFile.
The XCCDF Profile in Tailoring File list automatically sets the [DRAFT] DISA STIG for Red Hat Enterprise Linux 9 [CUSTOMIZED] XCCDF profile, because only one profile is included in the tailoring file. Click Next.
On the Schedule tab, choose Weekly for Period. For Weekday, select Sunday. Click Next.
On the Locations tab, select Default Location to move it to the Selected items list. Click Next.
On the Organizations tab, select Operations to move it to the Selected items list. Click Next.
On the Hostgroups tab, select org-hostgroup1 to move it to the Selected items list. Click Submit to create the compliance policy.
Assign the ComplianceLab-Policy1 policy to all hosts.
Navigate to Hosts → Hosts → All Hosts, and then select the checkboxes for the servera.lab.example.com and serverb.lab.example.com hosts.
Click Select Action and select Assign Compliance Policy from the list.
Select Remember hosts selection for the next bulk action.
Select ComplianceLab-Policy1 from the list and click Submit.
Select the checkboxes for the servera.lab.example.com and serverb.lab.example.com hosts. Click Select Action, and then select Run all Ansible roles from the list.
Manually run the compliance scan on the following hosts to update the clients with the new compliance policy.
- servera.lab.example.com
- serverb.lab.example.com
Navigate to Hosts → Hosts → All Hosts, and then select the checkboxes for the servera.lab.example.com and serverb.lab.example.com hosts.
Click Select Action → Schedule Remote Job.
Select the OpenSCAP job category and the Run OpenSCAP scans job template, and then click Run on selected hosts.
View and download the results of the ComplianceLab-Policy1 OpenSCAP scan.
Navigate to Hosts → Compliance → Policies.
Click Dashboard for the ComplianceLab-Policy1 scan.
Click View Report for the servera host.
Browse through the results to find which rules the servera machine is compliant with.
Click Download XML in bzip to download the results.

Field	Value
Deployment	Ansible
Locations	Default Location
Organizations	Operations
Hostgroups	org-hostgroup1

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade compliance-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compliance-review

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-9.2-a821299

Red Hat Security: Linux in Physical, Virtual, and Cloud

Lab: Automating Compliance with Red Hat Satellite

Note