Rh413 Redhat Server Hardening
Daniel333
Member Posts: 2,077 ■■■■■■□□□□
All,
Thinking of taking Red Hat's server hardening exam for fun next. Any recommendations on self-study materials and labs?
https://www.redhat.com/en/services/training/rh413-red-hat-server-hardening
-Daniel
Comments
-
wolfinsheepsclothing Member Posts: 155
I liked this exam. Do you have a background in security hardening/STIG'd images? The exam is on RHEL 6 fwiw. Be sure you're comfortable with PAM params, auditd rules, setting up an IPA server/users, etc. It's a 4 hour exam, but if you're comfortable with the content, you will have a lot of time left over.
-
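As an added example (not from the thread, and not Red Hat course material), here is the kind of check a manual STIG pass makes in two of the areas named above: auditd watch rules and the PAM lockout/password stack. The sample audit.rules and system-auth files are constructed for the demo and written to a temp dir so the script runs offline; the rule strings follow the RHEL 6 STIG style (pam_faillock, pam_cracklib, identity watches), and the file names under the temp dir are assumptions, not the real system paths.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Red Hat: two of the checks a
# manual STIG pass makes (auditd watch rules, PAM lockout/password stack),
# run against constructed sample config files in a temp dir so it works offline.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample audit.rules: identity watches for passwd/shadow only
cat > "$WORK/audit.rules" <<'EOF'
# constructed sample, not a real system file
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
EOF

# Constructed sample system-auth: faillock preauth present, authfail and account lines missing
cat > "$WORK/system-auth" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF

# audit_has RULEFILE RULE: succeeds if RULE appears as a fixed string on a non-comment line
audit_has() {
    grep -v '^[[:space:]]*#' "$1" | grep -qF -- "$2"
}

# missing_audit_rules RULEFILE: lists each missing identity/sudoers watch on stderr,
# prints the count of missing rules on stdout
missing_audit_rules() {
    local f="$1" missing=0 rule
    for rule in \
        "-w /etc/passwd -p wa -k identity" \
        "-w /etc/shadow -p wa -k identity" \
        "-w /etc/group -p wa -k identity" \
        "-w /etc/gshadow -p wa -k identity" \
        "-w /etc/sudoers -p wa -k actions"; do
        if ! audit_has "$f" "$rule"; then
            echo "MISSING audit rule: $rule" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# pam_faillock_status PAMFILE: prints "ok" when the lockout stack is complete
# (auth preauth + auth authfail + account line), otherwise "incomplete" with the
# missing pieces on stderr. A preauth line on its own never locks anyone out.
pam_faillock_status() {
    local f="$1" missing=""
    grep -qE '^auth[[:space:]].*pam_faillock\.so[[:space:]]+preauth'  "$f" || missing="$missing auth-preauth"
    grep -qE '^auth[[:space:]].*pam_faillock\.so[[:space:]]+authfail' "$f" || missing="$missing auth-authfail"
    grep -qE '^account[[:space:]].*pam_faillock\.so'                    "$f" || missing="$missing account"
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "pam_faillock incomplete, missing:$missing" >&2
        echo incomplete
    fi
}

# pam_minlen PAMFILE: prints the minlen enforced by pam_cracklib/pam_pwquality (empty if none)
pam_minlen() {
    sed -nE 's/^password[[:space:]].*pam_(cracklib|pwquality)\.so.*minlen=([0-9]+).*/\2/p' "$1" | head -n1
}

echo "audit rules missing: $(missing_audit_rules "$WORK/audit.rules")"
echo "pam_faillock: $(pam_faillock_status "$WORK/system-auth")"
echo "password minlen: $(pam_minlen "$WORK/system-auth")"
```

Point the functions at the real /etc/audit/audit.rules and /etc/pam.d/system-auth (or password-auth) to use them on a box; the checks are deliberately string-based, which is exactly why a human still needs to read the STIG text behind each one.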
brombulec Member Posts: 186 ■■■□□□□□□□
And pay attention to IPA config and PAM config. It's a little bit tricky - just do the IPA tasks before PAM.
This exam is very interesting, but if you can do and understand all the tasks in the comprehensive review from the official course book you're good to go. -
asummers Member Posts: 157
When I was looking at Red Hat exams this was the one that I was most wary of. It covers a lot of material - but doesn't go too deep into each.
I also found finding the materials tough - as the exam objectives were a little vague.
Really you want to try and find out what the RH413 course contains - that would be a good base. -
Verities Member Posts: 1,162
Sander Van Vugt is going to be releasing a 20 hour video course for EX413. Super stoked since it's probably going to end up on Safari Books like the rest of his videos.
-
Verities Member Posts: 1,162
Also, here's a link to the DISA STIGs for the uninitiated:
http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx
Based on what Wolf said, focus on the RHEL 6 STIG. It's painful to go through each check since there's usually a couple hundred, but you will learn a lot. -
JockVSJock Member Posts: 1,118
Agreed on knowing PAM modules and configuration like the back of your hand.
If you want to get experience in hardening, look at the DISA STIGs, which are designed for RHEL, however could be applied to Fedora and CentOS.
Also check out Bastille Linux.
Verities Member Posts: 1,162
Interesting... first I've heard of this Bastille-Linux. Have you used it before Jock? If so, what do you like/dislike about it? -
JockVSJock Member Posts: 1,118
Verities wrote: » Interesting... first I've heard of this Bastille-Linux. Have you used it before Jock? If so, what do you like/dislike about it?
Sadly, you can lock yourself out of a perfectly good running version of Linux, so you have to be very careful when you implement it. However that happened to me back in 2002/2003...so the software may have changed to prevent that.
However on a positive note, it does a very good job of hardening whatever version of Linux you throw at it. You kind of have to know a little about Linux to install it.
Looks like the News and Updates isn't very active, however it looks like the project is still active. -
brombulec Member Posts: 186 ■■■□□□□□□□
I think that looking at Oracle Enterprise Linux is a good choice.
Also AppArmor from SuSE is a good source of information.
You can also use SCCS from Symantec: https://www.symantec.com/products/threat-protection/data-center-security/control-compliance-suite
This is a security scanner with very good explanations for all STIG-related issues.
On RHEL7/Fedora you can use OpenSCAP - this is a great tool for system scanning. -
Verities Member Posts: 1,162
@Jock - Sounds nice, pretty much like automated STIGs. You can do the same thing with them if you're not careful.
@Brombulec - I concur, OpenSCAP is an excellent utility that I use when manually hardening systems. Currently working on getting it working in Satellite 6. -
JockVSJock Member Posts: 1,118
I remembered this as I was driving in to work this morning.
SANS has a number of Linux/UNIX hardening classes which would be another way to gain more knowledge on this subject:
https://www.sans.org/course/securing-linux-unix -
Verities Member Posts: 1,162
JockVSJock wrote: » I remembered this as I was driving in to work this morning.
SANS has a number of Linux/UNIX hardening classes which would be another way to gain more knowledge on this subject:
https://www.sans.org/course/securing-linux-unix
Wow... that costs over $2k more than the official RHEL course. -
Bodanel Member Posts: 214 ■■■□□□□□□□
No *cough*, just stolen. I hate oracle (lower o) for their vision of acquire, embrace, extinguish. All the open-source products that oracle acquired are practically dead, so I give a particular finger to oracle.
Actually when Red Hat shipped an already patched kernel (not kernel and patches separated) they were trying to hit oracle, not CentOS or Scientific Linux. -
Xavor Member Posts: 161
When I first got into IT we did STIGs on the Windows boxes, and I went through each item by hand. I learned a lot about the underpinnings of Windows and what gets reported back to Microsoft (boatloads).
I have earmarked a goal to do puppet scripts to apply the RHEL STIGs, but I don't really have the time atm.
Looking at the requirements, it doesn't look like SELinux is heavily involved? What about AIDE? I've used some locked down systems which had a lot of these controls configured. I assume the filesystem topic gets into facl and fine grained access controls? Where have you seen systems that heavily configured? -
brombulec Member Posts: 186 ■■■□□□□□□□
AIDE is one of the STIG's requirements. It is useful only if you have a habit of checking all logs every day.
But the facls should be one of the things on each admin's checklist. For me it's a mandatory part of server hardening. -
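To make the "only useful if you read the report" point concrete, here is an added example (not from the thread, and not AIDE itself) of the baseline-then-check cycle AIDE performs, done with sha256sum so it runs without the aide package. It builds a constructed /etc-like tree under a temp dir, records a baseline, tampers with it (a uid-0 account appended to passwd, a dropped cron job, a deleted hosts.allow), and prints the kind of report an operator has to actually look at. It hashes content only; real AIDE also tracks permissions, owner and inode metadata, which this stand-in does not.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a sha256sum-based stand-in for the
# aide --init / aide --check cycle, run on a constructed tree in a temp dir.
# Content hashes only; AIDE also tracks permissions, owners and inode metadata.
set -u

TREE="$(mktemp -d)"
trap 'rm -rf "$TREE"' EXIT

# baseline_init DIR OUTFILE: record the sha256 of every regular file, paths relative to DIR
baseline_init() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$2"
}

# baseline_diff OLD NEW: print ADDED / CHANGED / REMOVED lines, sorted.
# Paths containing whitespace are not handled by this simple awk field split.
baseline_diff() {
    awk 'NR == FNR { base[$2] = $1; next }
         {
           if (!($2 in base))        print "ADDED " $2
           else if (base[$2] != $1)  print "CHANGED " $2
           seen[$2] = 1
         }
         END { for (p in base) if (!(p in seen)) print "REMOVED " p }' "$1" "$2" | LC_ALL=C sort
}

# demo_report: build a constructed /etc-like tree, baseline it, tamper with it, report.
# Each call uses a fresh run directory so the result is the same every time.
demo_report() {
    local run root
    run="$(mktemp -d "$TREE/run.XXXXXX")"
    root="$run/etc"
    mkdir -p "$root/cron.d"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/passwd"
    printf 'sshd: ALL\n'                         > "$root/hosts.allow"
    printf 'PASS_MAX_DAYS 60\n'                  > "$root/login.defs"
    baseline_init "$root" "$run/baseline.db"

    # constructed tampering: extra uid-0 account, dropped cron job, hosts.allow removed
    printf 'backdoor:x:0:0::/:/bin/bash\n' >> "$root/passwd"
    printf '* * * * * root /tmp/.x\n'       >  "$root/cron.d/backdoor"
    rm -f "$root/hosts.allow"

    baseline_init "$root" "$run/current.db"
    baseline_diff "$run/baseline.db" "$run/current.db"
}

demo_report
```

Expected output is three lines: ADDED ./cron.d/backdoor, CHANGED ./passwd, REMOVED ./hosts.allow. In practice the baseline database has to live somewhere the attacker cannot rewrite (read-only media or a remote host), or the check proves nothing.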
Xavor Member Posts: 161
@wolf/brom: Cool, thanks.
@Daniel333, I would just keep labbing the materials. There are a lot of topics on bastion hosts (resurgence with AWS), STIGs, etc., and give the RHEL Security Guide a read through. -
alias454 Member Posts: 648 ■■■■□□□□□□
@jock I don't think Bastille is being maintained as much for working with later versions of RHEL. You can look at lynis, which doesn't have a hardening mode but can do audits. SANS also talked about using BASTILLE when I took the GSEC course and I found a lack of information on actual current working implementations on RHEL. From what I understand, the creator went to work at HP and continued to do development for HP-UX, but I have not seen that codebase get pushed back out into the wild. Maybe someone else knows different and can share updated binaries?
This probably isn't related to the course, but I assume the real reason to take a hardening course is to learn about hardening systems, so in that regard this is related. Another tool in the same vein for hardening, audit, and compliance is a new project open-sourced by Adobe named HubbleStack. HStack has some pretty awesome features for doing audit, compliance reporting, and mitigation. It is on my short list of side projects to check out. -
asummers Member Posts: 157
I think the main purpose would be to know what to harden, and how to do it. Automated tools would add a layer of abstraction where you don't know how to harden - you know how to run a program.
The RH413 course and exam would be geared towards hardening the main areas - it won't cover everything - and of course STIGs are very useful for learning how things hang together. -
Verities Member Posts: 1,162
asummers wrote: » I think the main purpose would be to know what to harden, and how to do it. Automated tools would add a layer of abstraction where you don't know how to harden - you know how to run a program.
The RH413 course and exam would be geared towards hardening the main areas - it won't cover everything - and of course STIGs are very useful for learning how things hang together.
Amen. I highly recommend people work through some DISA STIGs (DoD systems) and/or OpenSCAP Security Guides (non-DoD systems) manually. These guides will show you a well rounded approach to hardening your server.
I went through the RHEL 6 STIG manually and I learned a lot. However, I'm not prepared for the RHEL 7 STIG yet, though, since it's pretty brutal and still a draft that is subject to major revision changes. -
Verities Member Posts: 1,162
So Sander's video course covers RHEL 7 which is current, but as Wolf said above, the EX413 exam is still covering RHEL 6. I contacted Red Hat training today and they said they have no plan in place yet to transition to RHEL 7 for EX413.
Some free EX413 study materials straight from Red Hat:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/index.html
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/index.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html -
brombulec Member Posts: 186 ■■■□□□□□□□
I just got the book for HP security training on Linux RHEL 7. Quite interesting, but some chapters are too general.
Course description: http://h20195.www2.hp.com/v2/GetPDF.aspx/c04586449.pdf -
Verities Member Posts: 1,162
Is the book any good Brombulec? I'm almost through Sander's videos that I mentioned above; he only has about half of the material available though. I was surprised at how much of the material is basically the DISA STIG for RHEL 6 v11.
-
brombulec Member Posts: 186 ■■■□□□□□□□
I had no time last week to read more, but it looks promising. Especially the Kerberos, PAM and SELinux parts.
Stay tuned -
Verities Member Posts: 1,162
By the way, the new full STIG and benchmark got released a few days ago; RHEL 6 v1 R12.
-
brombulec Member Posts: 186 ■■■□□□□□□□
The STIG is an invaluable source of information, especially if you're preparing for EX413. I spent almost one month on preparation (3-4h per day) but it was fun, especially with PAM (and my configuration errors) and the IPA server.
I'm looking forward to the RHEL7 version of this exam, but only to see the content - no more money for RH exams.