Matej Tyc, Software Engineer and Tech Lead - Security Compliance in Red Hat® Enterprise Linux® (RHEL) Security, Red Hat®
Marek Haicman, Senior Quality Engineer and Product Owner - Security Compliance in RHEL Security, Red Hat®
Lucy Kerner, Senior Principal Security Global Technical Evangelist and Strategist, Red Hat®
Gabriel Gaspar Becker, Software Engineer - Security Compliance in RHEL Security, Red Hat®
Jan Cerny, Software Engineer - Security Compliance in RHEL Security, Red Hat®
Watson Sato, Software Engineer - Security Compliance in RHEL Security, Red Hat®
Matúš Marhefka, Quality Engineer - Security Compliance in RHEL Security, Red Hat®
Vojtěch Polašek, Software Engineer - Security Compliance in RHEL Security, Red Hat®
This lab introduces you to the ComplianceAsCode project, a comprehensive tool that creates content for automated security tools. The project contains over 1,000 rules—elements of security policies. Rules have descriptions, justifications, and references to existing security standards. They also have Open Vulnerability and Assessment Language (OVAL) checks, bash remediations, and Red Hat® Ansible® Automation content to a varying degree.
ComplianceAsCode enables automated evaluation and fast and efficient remediations against security controls for compliance with regulatory or custom profiles, and for automated configuration compliance. It allows you to produce a tailor-made security policy for your company with minimal effort, and the OpenSCAP ecosystem can do the scanning and support problem resolution. Specifically, OpenSCAP is a National Institute of Standards and Technology (NIST) certified scanner designed to perform configuration and vulnerability scans on a system, validate security compliance content, generate reports and guides based on these scans and evaluations, and allow users to automatically remediate systems that have been found in a non-compliant state.
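The reports OpenSCAP generates are built from an XCCDF results file: the scanner writes a TestResult element containing one rule-result per evaluated rule, and tooling (or an auditor) works from those outcomes. The following is an added example, not part of the lab or of the ComplianceAsCode or OpenSCAP projects, that parses such a results file and summarizes it. The XML is a constructed sample in the shape oscap produces; the rule identifiers follow the project's xccdf_org.ssgproject.content_rule_ naming scheme but the outcomes are made up for illustration.

```python
# Added example: summarize an OpenSCAP XCCDF results file (not the lab's or
# the project's own code). The TestResult/rule-result/result structure and the
# XCCDF 1.2 namespace below are those used by oscap results files.
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: the relevant part of a results file, with made-up outcomes.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ospp">
    <profile idref="xccdf_org.ssgproject.content_profile_ospp"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_tmout" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_audit_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# Outcomes that say nothing about the configuration state; they are left out of
# the score denominator (the convention chosen here, matching what a reviewer
# usually wants: "of the rules that were actually checked, how many passed?").
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}


def parse_rule_results(xml_text):
    """Return a list of (rule_id, result, severity) tuples from results XML."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        rows.append((rr.get("idref"), outcome, rr.get("severity", "unknown")))
    return rows


def summarize(rows):
    """Count rules per outcome, e.g. {'pass': 1, 'fail': 1, ...}."""
    return Counter(outcome for _, outcome, _ in rows)


def failed_rules(rows):
    """Rules that need remediation, as (rule_id, severity), highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    failed = [(rid, sev) for rid, outcome, sev in rows if outcome == "fail"]
    return sorted(failed, key=lambda item: order.get(item[1], 3))


def compliance_score(rows):
    """Percentage of scored rules that passed; None if nothing was scored."""
    scored = [outcome for _, outcome, _ in rows if outcome not in UNSCORED]
    if not scored:
        return None
    return 100.0 * scored.count("pass") / len(scored)


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULTS)
    print("outcomes:", dict(summarize(rows)))
    print("score:", compliance_score(rows))
    for rid, sev in failed_rules(rows):
        print(f"FAIL [{sev}] {rid}")
```

To use it on a real scan, read the file written by oscap's --results option instead of SAMPLE_RESULTS; the structure parsed here is the same. The score deliberately ignores notapplicable and notchecked rules so that a profile with many rules that do not apply to the machine does not look artificially compliant or non-compliant.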
Red Hat® Enterprise Linux® provides tools that allow for fully automated compliance audits. These tools are based on ComplianceAsCode and the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.
This lab is geared toward system administrators, cloud administrators and operators, architects, and others working on infrastructure operations management who are interested in learning how to automate security compliance using Red Hat® provided tooling for compliance against both industry standard and custom policies.
The prerequisites for this lab include basic Linux skills gained from a Red Hat® Certified System Administrator (RHCSA®) certification or equivalent system administration skills.
How to use the OpenSCAP scanner to scan systems and perform security fixes as needed.
How to navigate among existing rules and learn how to modify them and take advantage of parameterization.
How to create new security profiles and populate them with existing rules.
How to create new rules from scratch and add them to security profiles.
How to write OVAL checks with minimal effort and ensure correctness.
How to create Ansible Automation content for remediations of systems.
Your entire lab environment is hosted online and includes Red Hat® Enterprise Linux® and Red Hat® Ansible® Automation.
To connect to your environment, first execute the following SSH command in a terminal:
ssh -o "ServerAliveInterval 30" lab-user@<IP_ADDRESS>
Answer yes to accept the server's identity if asked, and then input the following password:
If everything works correctly, you end up in the lab’s system shell. You can confirm this by listing the directory with lab exercises:
[... ~]$ cd
[... ~]$ ls labs
lab1_introduction lab2_openscap lab3_profiles lab4_ansible lab5_oval
Congratulations, now you are in your text console.
This is a Red Hat® Enterprise Linux® 8 system with GUI. It is the machine that you will use throughout all of the exercises in this lab. To access the Graphical User Interface (GUI) you need either a Virtual Network Computing (VNC) client or a Remote Desktop Protocol (RDP) client installed on your system. We recommend using a VNC client since it is faster.
We recommend installing tigervnc; see the Tiger VNC installation instructions, or run one of the following:
yum install tigervnc
dnf install tigervnc
apt-get install tigervnc-viewer
After you install tigervnc, you can run the following commands in a terminal:
First, open an SSH connection using port forwarding. This forwards port 5901 of the lab machine to port 5901 on your localhost:
ssh -N -L 5901:localhost:5901 lab-user@<IP_ADDRESS>
Answer yes to accept the server's identity if asked, and then input the following password. Note that the terminal appears to hang; that is expected, because the session only carries the port forwarding. At the end of the workshop you can terminate the connection by hitting
Open the TigerVNC application (it is called either tigervnc or vncviewer) and type the following in the VNC Server text input:
Click Connect, then answer yes to accept the server's identity if asked, and input the following password in the pop-up window:
If an alert appears stating that the connection isn’t secure, disregard that alert. Although VNC data is unencrypted by default, you’re accessing the VNC server using an encrypted SSH tunnel.
Congratulations, you are in your graphical console using a VNC connection.
This section contains various tips that may be useful to keep in mind as you are doing the lab exercises.
Shell session listings obey the following conventions:
[... ~]$ pwd
/home/lab-user
[... ~]$ cd labs
[... labs]$ ls
lab1_introduction lab2_openscap lab3_profiles lab4_ansible lab5_oval
[... labs]$ cat /etc/passwd
...
lab-user:x:1000:1000:GTPE Student:/home/lab-user:/bin/bash
Commands such as cat /etc/passwd in this example are prefixed by [..., followed by the respective directory name and ]$. For reference, in the actual terminal, commands are also prefixed by the current username and hostname—for example,
Lines that follow commands and are not commands themselves represent the last command's output. In the example above, the output of the ls command in the labs directory is a list of directories with lab exercises.
Ellipses may be used to indicate multiple output lines that have been omitted because they are of no interest. In the example above, the output of the cat /etc/passwd command contains many lines; the ellipsis stands for the omitted ones, and only the line with the lab-user entry is shown.
Normally, when you select text you want to copy in the document, you press Ctrl+C to copy it to the system clipboard, and you paste it from the clipboard into the editor using Ctrl+V.
Keep in mind that when you paste into the terminal console or a terminal editor, you have to use Ctrl+Shift+V instead of Ctrl+V.
The same applies when copying from the Terminal window—you have to use Ctrl+Shift+C after selecting the text, not just Ctrl+C.
When you search for an occurrence of text in the Firefox browser, you have the following options:
Press Ctrl+F, which brings up the search window.
Click the "hamburger menu" at the top right corner, and click the Find in This Page entry. This is the same as the previous option, but it is useful if you have problems with the keyboard shortcut.
If the browser has the Find in Page extension installed, there is a blue icon close to the "hamburger menu" at the top right corner of the browser. You can click it and start typing the text to search for. The extension displays previews of the web page next to occurrences of the expression.
This lab has been designed for you to learn how things work from top to bottom. This means there are lots of descriptions and reading, not just commands for you to copy and paste! If you just copy and paste all the commands you can be done in 30 minutes… but you won’t learn anything!
You have plenty of time to complete the lab, take it slow and read everything. If you get stuck, don’t be afraid to ask for help at any time, but the answer is probably in the lab documentation.
In this lab, you will become familiar with the ComplianceAsCode project. The purpose of this project is to help content authors create security policy content for various platforms. The ComplianceAsCode project enables content authors to efficiently develop and share security content.
Using the powerful build system, you can generate output in various formats such as Ansible® Playbooks or SCAP datastreams that you can use to automate security auditing and hardening. The project contains many useful rules and checks that form various security policies and enables content authors to easily add new rules and checks.
You work with the project source repository at https://github.com/ComplianceAsCode/content.
In Red Hat® Enterprise Linux® (RHEL), the SCAP content generated from ComplianceAsCode data is shipped as the scap-security-guide RPM package.
Learn about the ComplianceAsCode project to understand what is where and what you can use the project for.
Learn how to build the content from the source and go through what gets built.
Understand how to find the source of a particular part of the built artifact.
Learn how to parameterize rules that use variables.
Learn where to find additional rule content, such as checks and remediations.
The ComplianceAsCode repository is already cloned into each of the /home/lab-user/labs/ directories. For example, /home/lab-user/labs/lab1_introduction is a clone of the
The following required dependencies for the ComplianceAsCode content build are already installed using
Generic build utilities:
Utilities for generating SCAP content:
Python dependencies for putting content together:
Note: Content used in this lab has been altered to increase its educative potential, and is therefore different from the content in the ComplianceAsCode upstream repository or the content in the scap-security-guide package shipped in Red Hat® products.
The ComplianceAsCode project consists of human-readable source files that are compiled into standard-compliant files, which are difficult to read and edit directly.
For your convenience, the environment is already set up, so the content is built and ready to be used. No worries, though—you get to rebuild it later in the exercise.
To start the hands-on section, take the following steps:
Log in to the VM using the text console if you have not done so already.
Go to the text console (Terminal window) and navigate to the exercise directory:
[... ~]$ cd /home/lab-user/labs/lab1_introduction
[... lab1_introduction v0.1.47|+4]$
The ComplianceAsCode project provides HTML guides that are a great resource for those interested in the rules that make up a policy.
The HTML guides are located in the build/guides subdirectory of each lab exercise directory. Therefore, the full path of the guides directory for this lab exercise is /home/lab-user/labs/lab1_introduction/build/guides.
In the ComplianceAsCode project, policies are referred to as security profiles.
The HTML guide filenames have the ssg-<product>-guide-<profile>.html format, so the HTML guide for the RHEL 8 Protection Profile for General Purpose Operating Systems (OSPP profile) is ssg-rhel8-guide-ospp.html.
On the remote desktop, you open the guide in a web browser. Click Activities at the top left of your desktop and click the "file cabinet" icon to open the file explorer.
After the window appears, click the Home icon in the top left portion of the file explorer window.
Then, navigate to the location of the exercise by double-clicking the labs folder, followed by double-clicking the
As a last step, double-click the ssg-rhel8-guide-ospp.html file to open the HTML guide for the RHEL 8 OSPP profile.
Rules are organized in a system of hierarchical groups. Take a look through this HTML guide to see the various rules of the RHEL 8 OSPP profile.
Figure 1. HTML guide showing all of the rules of the RHEL 8 Protection Profile for General Purpose Operating Systems (OSPP) profile
You will now take a closer look at a specific rule in the HTML guide of the RHEL 8 OSPP profile. For example, take a closer look at the Set Interactive Session Timeout rule entry.
In the HTML guide of the RHEL 8 OSPP profile that you opened in Firefox, press Ctrl+F and search for