Lab 2: Enforcing Automated Compliance with Security Policies

Lab Length: Medium/Average

Goal of Lab 2

The goal of this lab is to introduce you to the power and flexibility of Red Hat Ansible Automation and Red Hat CloudForms to enforce compliance with your security policies in an automated fashion.

Specifically, using a combination of Red Hat Ansible Automation and the control policy engine in Red Hat CloudForms, you will enforce the installation of the AIDE package and enforce OpenStack security group membership in an automated fashion.

Introduction

Red Hat Ansible Automation is automation software powered by Red Hat Ansible Engine (an execution engine with hundreds of modules that can automate all aspects of IT environments and processes) and Red Hat Ansible Tower (a management interface that can integrate with other services). In this lab exercise, you will use Red Hat Ansible Tower for centralized automation.

Red Hat Ansible Tower and Red Hat CloudForms can easily communicate with each other for security and compliance automation tasks.

Red Hat CloudForms is an infrastructure management platform that allows IT departments to control users’ self-service abilities to provision, manage, and ensure compliance across virtual machines and private clouds. The Red Hat CloudForms control and policy engine provides built-in compliance and governance capabilities. A control policy is created in the Red Hat CloudForms control and policy engine by defining an Event, a Condition, and an Action. The Action can be one of the defined actions in the Red Hat CloudForms control engine or it can be free-form automation. The Red Hat CloudForms automate engine can execute free-form automation in three ways: by using the integrated Ansible engine, by using the native Ruby language, or by communicating directly with your Red Hat Ansible Tower instance to execute your Ansible playbooks.

Lab 2.1 Using Red Hat Ansible Tower and Red Hat CloudForms to enforce the installation of the AIDE package

  1. Log into Red Hat CloudForms (https://cfme-GUID.rhpds.opentlc.com) with admin as the user name and r3dh4t1! as the password (if not already logged in). Don’t forget to replace the GUID with your provided GUID.

  2. Navigate to Control → Explorer.

  3. Navigate to Policy Profiles → Enforce-AIDE → Enforce AIDE Package.

    Note: This control policy dictates that when a VM is powered on, the AIDE package is installed.

  4. Click on this control policy by clicking on the event action that says Yum Install Aide.

  5. Notice that this control policy invokes custom automation by calling a job template, named Yum Install Aide, from Red Hat Ansible Tower that will install the AIDE package on the host where this control policy is applied.

  6. We are going to apply this control policy to the rhel7-vm1.hosts.example.com VM. Let’s first confirm that the AIDE package is not installed on this VM and remove the AIDE package from this VM if it is installed.

  7. If not already there, log in to the bastion host as lab-user from your desktop system, replacing GUID with your lab’s GUID. Use the password r3dh4t1! for lab-user if needed. Become root by typing sudo -i.

    [localhost ~]$ ssh lab-user@workstation-GUID.rhpds.opentlc.com
    [lab-user@workstation ~]$ sudo -i
  8. Log into the rhel7-vm1.hosts.example.com VM using its IP address 192.168.0.51.

    [root@workstation-GUID ~]# ssh ansible@192.168.0.51
  9. Once logged in, check to see if the AIDE package is installed. If it is, remove this package by typing yum remove aide and then typing y to remove the package. Do not exit out of this ssh session in your terminal.

    [ansible@rhel7-vm1 ~]# sudo rpm -qa --last aide
    [ansible@rhel7-vm1 ~]# sudo yum -y remove aide
  10. Now that we have confirmed and made sure that the AIDE package is not installed, let’s go ahead and turn the rhel7-vm1.hosts.example.com VM off and begin testing our Enforce AIDE control policy.

  11. Navigate to Compute → Infrastructure → Virtual Machines.

  12. Search for the rhel7-vm1.hosts.example.com VM in the top right search bar and then click on this VM.

  13. First, let’s Power Off this rhel7-vm1.hosts.example.com VM. From the VM summary page, power off this VM by clicking on Power → Power Off. Press OK.

  14. The rhel7-vm1.hosts.example.com VM will power off within about 2 minutes. Press the refresh button at the top left until you see that this VM has turned off.

  15. Click on Policy → Manage Policies.

  16. Notice that the Enforce AIDE control policy is assigned to this rhel7-vm1.hosts.example.com VM. Also, if you scroll down on this page, notice that there is a yellow shield on this VM. This indicates that a control policy is on this VM. Click on Cancel to exit.

  17. As stated before, the Enforce AIDE control policy will automatically install the AIDE package to the VM that this control policy is applied to whenever the VM is turned on. Now let’s confirm that this Enforce AIDE control policy will automatically execute on this rhel7-vm1.hosts.example.com VM whenever it is powered on.

  18. From the VM summary page, power on the rhel7-vm1.hosts.example.com VM. Click OK. This will trigger the control policy to execute the Yum Install Aide Red Hat Ansible Job Template to install the AIDE package on this VM. Note that it can take a minute or so for the package to be installed.

  19. Note the IP address for the rhel7-vm1.hosts.example.com VM, which is 192.168.0.51.

  20. Go to Red Hat Ansible Tower (https://tower-GUID.rhpds.opentlc.com) and log in with admin as the user name and r3dh4t1! as the password (if not already logged in). Don’t forget to replace the GUID with your provided GUID.

  21. Navigate to Jobs and click on the job that is being run at the top, which is Yum Install Aide.

  22. Notice that this job is running the install-packages.yml playbook and is being run on the rhel7-vm1.hosts.example.com VM.

  23. Go back to your terminal where you are still logged in as root on the rhel7-vm1.hosts.example.com VM.

  24. Once logged in, check to see if the AIDE package is now installed.

    [ansible@rhel7-vm1 ~]# sudo rpm -qa --last aide
    aide-0.15.1-13.el7.x86_64  Sun 28 Apr 2019 04:26:59 PM EDT
  25. The Enforce AIDE control policy has automatically executed on the rhel7-vm1.hosts.example.com VM successfully!

  26. Exit out of the ssh session.
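
The contents of the install-packages.yml playbook are not shown in this lab. As an added example (not the lab's own playbook), the following sketch shows the kind of idempotent install-and-verify playbook a job template such as Yum Install Aide could run. The variable name `required_packages` and the `hosts: all` target are assumptions.

```yaml
---
# Added example: a hypothetical enforcement playbook, NOT the lab's
# install-packages.yml. It installs the required packages, then verifies
# the result so the Tower job fails visibly if enforcement did not succeed.
- name: Enforce presence of required security packages
  hosts: all              # assumption: the job template's inventory/limit selects the VM
  become: true
  vars:
    required_packages:    # assumed variable name; could be overridden by extra vars
      - aide
  tasks:
    - name: Install any required package that is missing
      yum:
        name: "{{ required_packages }}"
        state: present    # idempotent: reports "changed" only when something was installed
      register: install_result

    - name: Collect the list of installed packages
      package_facts:
        manager: auto

    - name: Fail the job if a required package is still absent
      assert:
        that:
          - item in ansible_facts.packages
        fail_msg: "{{ item }} is not installed after enforcement"
        success_msg: "{{ item }} {{ ansible_facts.packages[item][0].version }} is installed"
      loop: "{{ required_packages }}"

    - name: Report whether this run had to remediate
      debug:
        msg: "{{ 'remediated: missing package(s) installed' if install_result.changed else 'already compliant' }}"
```

Because the install task is idempotent, the job's changed/ok status in Tower doubles as a record of whether the VM had drifted from policy at power-on.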

Lab 2.2 Using Red Hat CloudForms control engine to enforce OpenStack Security Group membership

  1. Go back to Red Hat CloudForms (https://cfme-GUID.rhpds.opentlc.com) and log in with admin as the user name and r3dh4t1! as the password (if not already logged in). Don’t forget to replace the GUID with your provided GUID.

  2. Navigate to Control → Explorer.

  3. Navigate to Policy Profiles → OSP Security Group Enforcement → OSP Attach Security Group Policy. You will notice that this policy states that when an OpenStack instance is powered on, ensure that the Production security group is attached.

  4. Navigate to Compute → Cloud → Instances.

  5. Click on the OpenStack instance named openstack-instance to go to the Instance summary page.

  6. Click on Policy → Manage Policies.

  7. Notice that the OSP Security Group Enforcement control policy is assigned to this OpenStack instance. Click on Cancel to exit.

  8. From the Instance summary page, locate Relationships and click on Security Groups.

  9. You will see that this instance is only assigned to 1 security group, the default security group.

  10. Click on the back arrow to navigate back to the VM summary page.

  11. From the Instance summary page, power on this instance by clicking on Power → Start. Click OK to start this instance. This will trigger the control policy to ensure that the Production security group is applied to this instance whenever it is powered on.

  12. Click on the refresh button until the VM has powered on and the security group count has changed. Once changed, click on Security Groups again.

  13. You will now notice that the Production security group has been applied automatically due to the control policy set on this OpenStack instance.