1. Workshop Introduction

1.1. Presenters/Lab Developers

Matej Tyc, Software Engineer and Tech Lead - Security Compliance in Red Hat® Enterprise Linux® (RHEL) Security, Red Hat®

Marek Haicman, Senior Quality Engineer and Product Owner - Security Compliance in RHEL Security, Red Hat®

Lucy Kerner, Senior Principal Security Global Technical Evangelist and Strategist, Red Hat®

Gabriel Gaspar Becker, Software Engineer - Security Compliance in RHEL Security, Red Hat®

1.2. Additional Lab Developers

Jan Cerny, Software Engineer - Security Compliance in RHEL Security, Red Hat®

Watson Sato, Software Engineer - Security Compliance in RHEL Security, Red Hat®

Matúš Marhefka, Quality Engineer - Security Compliance in RHEL Security, Red Hat®

1.3. Overview and Prerequisites

This lab introduces you to the ComplianceAsCode project, a comprehensive tool that creates content for automated security tools. The project contains over 1,000 rules—​elements of security policies. Rules have descriptions, justifications, and references to existing security standards. They also have Open Vulnerability and Assessment Language (OVAL) checks, bash remediations, and Red Hat® Ansible® Automation content to a varying degree.

ComplianceAsCode enables automated evaluation and fast and efficient remediations against security controls for compliance with regulatory or custom profiles, and for automated configuration compliance. It allows you to produce a tailor-made security policy for your company with minimal effort, and the OpenSCAP ecosystem can do the scanning and support for problem resolution. Specifically, OpenSCAP is a National Institute of Standards and Technology (NIST) certified scanner designed to perform configuration and vulnerability scans on a system, validate security compliance content, generate reports and guides based on these scans and evaluations, and allows users to automatically remediate systems that have been found in a non-compliant state.

Red Hat® Enterprise Linux® provides tools that allow for fully automated compliance audits. These tools are based on ComplianceAsCode and the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.

This lab is geared toward system administrators, cloud administrators and operators, architects, and others working on infrastructure operations management who are interested in learning how to automate security compliance using Red Hat® provided tooling for compliance against both industry standard and custom policies.

The prerequisites for this lab include basic Linux skills gained from a Red Hat® Certified System Administrator (RHCSA®) certification or equivalent system administration skills.

1.4. What Attendees Will Learn In This Lab:

  • How to use the OpenSCAP scanner to scan systems and perform security fixes as needed.

  • How to navigate among existing rules and learn how to modify them and take advantage of parameterization.

  • How to create new security profiles and populate them with existing rules.

  • How to create new rules from scratch and add them to security profiles.

  • How to write OVAL checks with minimal effort and ensure correctness.

  • How to create Ansible Automation content for remediations of systems.

1.5. Lab Environment

Your entire lab environment is hosted online and includes Red Hat® Enterprise Linux® and Red Hat® Ansible® Automation.

2. Setup Steps

2.1. Using the Terminal to Access the Remote Shell

  1. To connect to your environment, first execute the below SSH command in the terminal:

    ssh -o "ServerAliveInterval 30" lab-user@<IP_ADDRESS>
Tip
Use Ctrl+Shift+V to paste in the terminal.
  1. Answer yes to accept server’s identity if asked, and then input the following password:

    <PASSWORD>
  2. If everything works correctly, you end up in the lab’s system shell. You can confirm this by listing the directory with lab exercises:

    [... ~]$ cd
    [... ~]$ ls labs
    lab1_introduction  lab2_openscap  lab3_profiles  lab4_ansible  lab5_oval

Congratulations, now you are in your text console.

2.2. Accessing the Graphical User Interface of your dedicated environment

  1. This is a Red Hat® Enterprise Linux® 8 system with GUI. It is the machine that you will use throughout all of the exercises in this lab. To access the Graphical User Interface (GUI) you need either a Virtual Network Computing (VNC) client or a Remote Desktop Protocol (RDP) client installed on your system. We recommend using a VNC client since it is faster.

2.2.1. Connecting to the GUI through a VNC Client

  1. We recommend you to install tigervnc, check how to install here: Tiger VNC. Or run one of the following:

    1. RHEL:

      yum install tigervnc
    2. Fedora:

      dnf install tigervnc
    3. Ubuntu:

      apt-get install tigervnc-viewer
    4. macOS:

  2. After you install tigervnc, you can run the following commands on a terminal:

    1. First you open a SSH connection using port forwarding. This will open a connection forwarding the port 5901 to your localhost:

      ssh -N -L 5901:localhost:5901 lab-user@<IP_ADDRESS>
    2. Answer yes to accept server’s identity if asked, and then input the following password. Note that the terminal hangs because of the port forwarding. In the end of the workshop you can terminate the connecting by hitting Ctrl+C:

      <PASSWORD>
    3. Open TigerVNC (it’s called either tigervnc or vncviewer) application and type under VNC Server text input:

      localhost:1
    4. Click Connect and then answer yes to accept server’s identity if asked and input the following password in the pop up window:

      <PASSWORD>

If an alert appears stating that the connection isn’t secure, disregard that alert. Although VNC data is unencrypted by default, you’re accessing the VNC server using an encrypted SSH tunnel.

Congratulations, you are in your graphical console using a VNC connection.

This section contains various tips that may be useful to keep in mind as you are doing the lab exercises.

2.3.1. Command Listings

Shell session listings obey the following conventions:

[... ~]$ pwd
/home/lab-user
[... ~]$ cd labs
[... labs]$ ls
lab1_introduction  lab2_openscap  lab3_profiles  lab4_ansible  lab5_oval
[... labs]$ cat /etc/passwd
...
lab-user:x:1000:1000:GTPE Student:/home/lab-user:/bin/bash
  • Commands such as pwd and cat /etc/passwd in this example are prefixed by […​, followed by the respective directory name and ]$. For reference, in the actual terminal, commands are prefixed also by the current username and hostname—​for example, [lab-user@<hostname> ~]$.

  • Lines that follow commands and are not commands themselves represent the last command’s output. In the example above, the output of the ls command in the labs directory is a list of directories with lab exercises.

  • Ellipses may be used to indicate multiple output lines that have been omitted because they are of no interest. In the example above, the output of the cat /etc/passwd command contains many lines with the line containing lab-user's entry emphasized by an ellipsis.

2.3.2. Copy and Paste Conventions

Normally, when you select text you want to copy in the document, you press Ctrl+C to copy it to the system clipboard, and you paste it from the clipboard to the editor using Ctrl+V.

Keep in mind that when you paste to the terminal console or terminal editor, you have to use Ctrl+Shift+V instead of Ctrl+V. The same applies when copying from the Terminal window—​you have to use Ctrl+Shift+C after selecting the text, not just Ctrl+C.

2.3.3. Browser Searches

When you search for an occurrence of text in the Firefox browser, you have the following options:

  • Pressing Ctrl+F, which brings up the search window.

  • Clicking the "hamburger menu" at the top right corner, and clicking the Find in This Page entry. This is the same as the previous option, but it is useful if you have problems with the keyboard shortcut.

    600

  • If the browser has the Find in Page extension installed, there is a blue icon close to the "hamburger menu" at the top right corner of the browser. You can click it and start typing the text to search for. The extension displays previews of the web page next to occurrences of the expression.

    600

2.4. Read everything!

This lab has been designed for you to learn how things work from top to bottom. This means there are lots of descriptions and reading, not just commands for you to copy and paste! If you just copy and paste all the commands you can be done in 30 minutes…​ but you won’t learn anything!

You have plenty of time to complete the lab, take it slow and read everything. If you get stuck, don’t be afraid to ask for help at any time, but the answer is probably in the lab documentation.

3. Say Hello to ComplianceAsCode

3.1. Introduction

In this lab, you will become familiar with the ComplianceAsCode project. The purpose of this project is to help content authors create security policy content for various platforms. The ComplianceAsCode project enables content authors to efficiently develop and share security content.

Using the powerful build system, you can generate output in various formats such as Ansible® Playbooks or SCAP datastreams that you can use to automate security auditing and hardening. The project contains many useful rules and checks that form various security policies and enables content authors to easily add new rules and checks.

You work with the project source repository at https://github.com/ComplianceAsCode/content.

In Red Hat® Enterprise Linux® (RHEL), the SCAP content generated from ComplianceAsCode data is shipped as the scap-security-guide RPM package.

Goals
  • Learn about the ComplianceAsCode project to understand what is where and what you can use the project for.

  • Learn how to build the content from the source and go through what gets built.

  • Understand how to find the source of a particular part of the built artifact.

  • Learn how to parameterize rules that use variables.

  • Learn where to find additional rule content, such as checks and remediations.

Preconfigured Lab Environment
  • The ComplianceAsCode repository is already cloned to all of the /home/lab-user/labs/ directories. For example, /home/lab-user/labs/lab1_introduction is a clone of the ComplianceAsCode project repository.

  • The following required dependencies for the ComplianceAsCode content build are already installed using yum install:

    • Generic build utilities: cmake and make

    • Utilities for generating SCAP content: openscap-scanner

    • Python dependencies for putting content together: python3-pyyaml and python3-jinja2

Important
Content used in this lab has been altered to increase its educative potential, and is therefore different from the content in ComplianceAsCode upstream repository or the content in the scap-security-guide package shipped in Red Hat® products.

3.2. Hands-on Lab

The ComplianceAsCode project consists of human-readable files that are compiled into standard-compliant files that are difficult to read and edit directly.

For your convenience, the environment is already set up, so the content is built and ready to be used. No worries, though—​you get to rebuild it later in the exercise.

To start the hands-on section, take the following steps:

  1. Log in to the VM using the text console if you have not done so already.

  2. Go to the text console (Terminal window) and navigate to /home/lab-user/labs/lab1_introduction:

    [... ~]$ cd /home/lab-user/labs/lab1_introduction
    [... lab1_introduction v0.1.47|+4]$

3.2.1. Viewing the HTML Guides for the ComplianceAsCode Project

The ComplianceAsCode project provides HTML guides that are a great resource for those interested in the rules that make up a policy. The HTML guides are located in the respective build/guides of each lab exercise subdirectory. Therefore, the full path of the directory for this lab exercise is:

/home/lab-user/labs/lab1_introduction/build/guides/

In the ComplianceAsCode project, policies are referred to as security profiles. The HTML guide filenames have a ssg-<product>-guide-<profile>.html format, so the HTML guide for the RHEL 8 Protection Profile for General Purpose Operating Systems (OSPP profile) is ssg-rhel8-guide-ospp.html.

  1. On the remote desktop, you open the guide in a web browser. Click Activities at the top left of your desktop and click the "file cabinet" icon to open the file explorer.

    100
  2. After the window appears, click the Home icon in the top left portion of the file explorer window.

  3. Then, navigate to the location of the exercise by double-clicking the labs folder, followed by double-clicking the lab1_introduction, build, and guides folders.

  4. As a last step, double-click the ssg-rhel8-guide-ospp.html file to open the HTML guide for the RHEL 8 OSPP profile.

    1000
    1. Rules are organized in a system of hierarchical groups. Take a look through this HTML guide to see the various rules of the RHEL 8 OSPP profile.

      html guide
      Figure 1. HTML guide showing all of the rules of the RHEL 8 Protection Profile for General Purpose Operating Systems (OSPP) profile

3.2.2. Updating a Rule Description to Find the Source of a Specific Rule

You will now take a closer look at a specific rule in the HTML guide of the RHEL 8 OSPP profile. For example, take a closer look at the Set Interactive Session Timeout rule entry.

  1. In the HTML guide of the RHEL 8 OSPP profile that you opened in Firefox, press Ctrl+F and search for session timeout.