Lab: Managing Compliance with OpenSCAP and Ansible

Manage compliance with a password policy by using OpenSCAP and Ansible.

Outcomes

  • Configure and use an Ansible inventory file.

  • Install OpenSCAP tools and the SCAP Security Guide.

  • Create a tailoring file by using SCAP Workbench.

  • Scan a system by using the customized policy.

  • Generate and use an Ansible Playbook to remediate failed compliance checks.

If you did not reset your workstation and server machines at the end of the last chapter, then save any work you want to keep from earlier exercises on those machines, and reset them now.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start compreview-openscap

Specifications

  • Use a tailoring file to create a custom OpenSCAP profile based on the DISA STIG for Red Hat Enterprise Linux 9 profile that contains only the Ensure PAM Enforces Password Requirements - Minimum Length check. Specify a minimum password length of 12 characters.

  • Perform an OpenSCAP scan on the serverd machine and use the results to generate a remediation playbook.

  • Configure Ansible and apply the remediation playbook from the workstation machine to remediate the noncompliant serverd machine. Use an inventory file named /home/student/inventory on the workstation machine.

  1. On the workstation machine, install the SCAP Workbench and SCAP Security Guide utilities.

    [student@workstation ~]$ sudo dnf install -y scap-workbench scap-security-guide
    [sudo] password for student: student
    ...output omitted...
    Complete!
  2. On the workstation machine, customize the DISA STIG for Red Hat Enterprise Linux 9 profile. Set the new profile identifier to xccdf_com.example_profile_compreview-rhel9, disable all the rules, and then enable only the Ensure PAM Enforces Password Requirements - Minimum Length check. Specify a minimum password length of 12 characters. Store the resulting tailoring file on the workstation machine in the /home/student/compreview-tailoring.xml file.

    1. On the workstation machine, start SCAP Workbench by running the scap-workbench command.

      [student@workstation ~]$ scap-workbench

      SCAP Workbench detects that the SCAP Security Guide is already installed on the system and asks you to select the content to use.

      In the Select content to load field, select RHEL 9 and click Load Content.

    2. In the Profile field, select the [DRAFT] DISA STIG for Red Hat Enterprise Linux 9 (496) profile.

      Click Customize to the right of that field.

    3. In the New Profile ID field, enter xccdf_com.example_profile_compreview-rhel9 and click OK.

      The new window displays all the available rules.

    4. Click Deselect All to clear all the rules.

    5. Use the Search field to find and enable the Ensure PAM Enforces Password Requirements - Minimum Length rule in the Set Password Quality Requirements section. Specify 12 for the minlen value. Click OK.

    6. Save the customization in a tailoring file. Select File → Save Customization Only and enter compreview-tailoring.xml for the file name in the /home/student/ directory.

      Close SCAP Workbench.

  3. Scan the serverd machine for compliance with your customization of the DISA STIG for Red Hat Enterprise Linux 9 profile. Save the result on the workstation machine in the /home/student/compreview-results.xml file. Generate the HTML report of the scan and store it in the /home/student/compreview-results.html file on the workstation machine.

    1. Copy the compreview-tailoring.xml tailoring file to the serverd machine. You need this file to scan the system.

      [student@workstation ~]$ scp compreview-tailoring.xml student@serverd:
      ...output omitted...
    2. Log in to the serverd machine as the student user. No password is required.

      [student@workstation ~]$ ssh student@serverd
      [student@serverd ~]$
    3. Change to the root user. Use student as the password.

      [student@serverd ~]$ sudo -i
      [sudo] password for student: student
      [root@serverd ~]#
    4. Install the scap-security-guide package.

      [root@serverd ~]# dnf install -y scap-security-guide
      ...output omitted...
      Complete!
    5. Scan the system for compliance with your customization. Save the result in the /home/student/compreview-results.xml file.

      [root@serverd ~]# oscap xccdf eval \
          --profile xccdf_com.example_profile_compreview-rhel9 \
          --tailoring-file /home/student/compreview-tailoring.xml \
          --results /home/student/compreview-results.xml \
          /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
      ...output omitted...
    6. When the scan is complete, convert the /home/student/compreview-results.xml file to HTML. Save the HTML report as /home/student/compreview-results.html.

      [root@serverd ~]# oscap xccdf generate report \
          /home/student/compreview-results.xml > /home/student/compreview-results.html
      [root@serverd ~]#
    7. Use the scp command to copy the two files to the workstation machine. Use student as the password.

      [root@serverd ~]# scp /home/student/compreview-results.* student@workstation:
      student@workstation's password: student
      ...output omitted...
    8. Return to the workstation machine.

      [root@serverd ~]# logout
      [student@serverd ~]$ logout
      [student@workstation ~]$
  4. On the workstation machine, generate an Ansible Playbook to resolve the compliance issues that were detected in the previous step. Create an inventory file that contains the serverd host. Save the Ansible Playbook as /home/student/fix.yml and run it to resolve the compliance issues on the serverd host.

    1. Use the oscap xccdf generate fix command to generate the Ansible Playbook. Save the playbook as /home/student/fix.yml.

      [student@workstation ~]$ oscap xccdf generate fix \
          --profile xccdf_com.example_profile_compreview-rhel9 \
          --tailoring-file compreview-tailoring.xml \
          --fix-type ansible \
          --result-id "" \
          compreview-results.xml > fix.yml
      [student@workstation ~]$
    2. Create an inventory file that contains the serverd host.

      [student@workstation ~]$ echo serverd > inventory
    3. Edit the fix.yml file to set the become: true option.

      ...output omitted...
      - hosts: all
        become: true
        vars:
        tasks:
      ...output omitted...
    4. Use the ansible-playbook command to run the playbook. Use the -K flag and the student become password.

      [student@workstation ~]$ ansible-playbook -K -i inventory fix.yml
      BECOME password: student
      ...output omitted...
      PLAY RECAP
      ***********************************************************************************
      serverd                    : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
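
A small parser for the XCCDF results file produced by the scan above, added here as an example and not part of the lab or of OpenSCAP itself: it pulls the TestResult id and the per-rule outcomes out of compreview-results.xml so you can confirm what failed before generating the playbook and that nothing fails after running it. The embedded sample document is constructed; the SSG rule identifiers in it are assumed and the hostname is a placeholder.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample shaped like the results file that
# `oscap xccdf eval --results` writes (Benchmark with a TestResult).
# Rule ids are assumed SSG identifiers, not copied from a real scan.
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_com.example_profile_compreview-rhel9">
    <profile idref="xccdf_com.example_profile_compreview-rhel9"/>
    <target>serverd.example.com</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return (testresult_id, {rule_id: result}) for the first TestResult."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    test_result = root.find(".//x:TestResult", ns)
    if test_result is None:
        raise ValueError("no TestResult element found in results file")
    outcomes = {}
    for rule_result in test_result.findall("x:rule-result", ns):
        rule_id = rule_result.get("idref")
        outcomes[rule_id] = rule_result.findtext("x:result", default="unknown", namespaces=ns)
    return test_result.get("id"), outcomes


def failed_rules(outcomes):
    """Rule ids that the scan marked as fail, sorted for stable output."""
    return sorted(rule for rule, result in outcomes.items() if result == "fail")


def summarize(outcomes):
    """Count of rules per result value (pass, fail, notselected, ...)."""
    counts = {}
    for result in outcomes.values():
        counts[result] = counts.get(result, 0) + 1
    return counts


if __name__ == "__main__":
    result_id, rules = parse_results(SAMPLE_RESULTS)
    print("TestResult id:", result_id)
    print("summary:", summarize(rules))
    print("failed:", failed_rules(rules))
```

To check a real scan, replace SAMPLE_RESULTS with the contents of compreview-results.xml; the id returned first is the value that `oscap xccdf generate fix --result-id` names, which the lab leaves empty.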

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade compreview-openscap

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compreview-openscap
Revision: rh415-9.2-a821299