Rh413 Redhat Server Hardening

I liked this exam. Do you have a background in security hardening/STIG'd images? The exam is on RHEL 6 fwiw. Be sure you're comfortable with PAM params, auditd rules, setting up an IPA server/users, etc. It's a 4 hour exam, but if you're comfortable with the content, you will have a lot of time left over.

And pay attention to IPA config and PAM config. It's a little bit tricky - just do the IPA tasks before PAM.
This exam is very interesting but if you can do and understand all the tasks in comprehensive review from official course book you're good to go.

brombulec wrote: »

And pay attention to IPA config and PAM config. It's a little bit tricky - just do the IPA tasks before PAM.
This exam is very interesting but if you can do and understand all the tasks in comprehensive review from official course book you're good to go.

Yes! Good point brombulec. The PAM config files that are pertinent to this course are overwritten anytime authconfig is run.

asummers

When I was looking at Red Hat exams this was the one that I was most wearly of. It covers alot of material - but doesn't go too deep into each.

Also found finding the materials tough - as the exam objectives were a little vague.

Really you want to try and find out what the RH413 course contains - that would be a good base

Sander Van Vugt is going to be releasing a 20 hour video course for EX413. Super stoked since its going to probably end up on Safari Books like the rest of his videos.

Also, here's a link to the DISA STIGs for the uninitiated:

http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx

Based on what Wolf said, focus on the RHEL 6 STIG. It's painful to go through each check since there's usually a couple hundred, but you will learn a lot.

JockVSJock

Agreed on knowing PAM modules and configuration like the back of your hand.

If you want to get experience in hardening, look at the DISA Stigs, which are designed for RHEL, however could be applied to Fedora and Cent OS.

Also check out Bastille Linux.

BASTILLE-LINUX

JockVSJock wrote: »

Also check out Bastille Linux.

BASTILLE-LINUX

Interesting...first I've heard of this Bastille-Linux. Have you used it before Jock? If so, what do you like/dislike about it?

JockVSJock

Verities wrote: »

Interesting...first I've heard of this Bastille-Linux. Have you used it before Jock? If so, what do you like/dislike about it?

Sadly, you can lock yourself out of a perfectly good running version of Linux, so you have to be very careful when you implement it. However that happened to me back in 2002/2003...so the software may have changed to prevent that.

However on a positive note, it does a very good job of hardening whatever version of Linux you throw at it. You kind of have to know a little about Linux to install it.

Looks like the News and Updates isn't very active, however looks like the project is still active.

I think that looking at Oracle Enterprise Linux is a good choice.
Also AppArmor from SuSE is a good source of information

You can also use SCCS from Symantec : https://www.symantec.com/products/threat-protection/data-center-security/control-compliance-suite
This is a security scanner with very good explanations for all of STIG related issues.

On RHEL7/Fedora you can use OpenSCAP - this is great tool for system scanning.

@Jock - Sounds nice, pretty much like automated STIGs. You can do the same thing with them if you're not careful.

@Brombulec - I concur, OpenScap is an excellent utility that I use when manually hardening systems. Currently working on getting it working in Satellite 6.

JockVSJock

I remember this as I was driving in to work this morning.

SANS has a number of Linux/UNIX hardening classes which would be another way to gain more knowledge on this subject:

https://www.sans.org/course/securing-linux-unix

JockVSJock wrote: »

I remember this as I was driving in to work this morning.

SANS has a number of Linux/UNIX hardening classes which would be another way to gain more knowledge on this subject:

https://www.sans.org/course/securing-linux-unix

Wow..that costs over $2k more than the official RHEL course.

varelg

brombulec, isn't Oracle Linux simply rebranded RHEL?

varelg wrote: »

brombulec, isn't Oracle Linux simply rebranded RHEL?

*cough* stolen *cough*

Bodanel

No *cough*, just stolen. I hate oracle (lower o) for their vision of acquire, embrace, extinguish. All the opensource products that oracle acquired are practically dead so I give a particular finger to oracle.

Actually when Red Hat shipped an already patched kernel (not kernel and patches separated) they were trying to hit oracle not CentOS or Scientific LInux.

Xavor

When I first got into IT we did STIGS on the Windows boxes, and I went through each item by hand. I learned a lot about the underpinnings of Windows and what gets reported back to Microsoft (boatloads).

I have earmarked a goal to do puppet scripts to apply the RHEL STIGS, but I don't really have the time atm.

Looking at the requirements, it doesn't look like SElinux is heavily involved? What about aide? I've used some locked down systems which had a lot of these controls configured. I assume the filesystem topic gets into facl and fine grained access controls? Where have you seen systems that heavily configured?

Xavor wrote: »

When I first got into IT we did STIGS on the Windows boxes, and I went through each item by hand. I learned a lot about the underpinnings of Windows and what gets reported back to Microsoft (boatloads).

I have earmarked a goal to do puppet scripts to apply the RHEL STIGS, but I don't really have the time atm.

Looking at the requirements, it doesn't look like SElinux is heavily involved? What about aide? I've used some locked down systems which had a lot of these controls configured. I assume the filesystem topic gets into facl and fine grained access controls? Where have you seen systems that heavily configured?

The usual SELinux stuff applies (correct context type for files/ports/etc). AIDE will definitely be used. With regard to such granular access, really depends on the Agency/type of information. You're right though; facls are not typically configured as part of a STIG baseline.

AIDE is one of the STIG's requirements. It is useful only if you have a habit of checking all logs everyday.
But the facls should be one of things of each admin's checklist. For me it's mandatory part of server hardening.

Xavor

@wolf/brom: Cool, thanks.

@Daniel333, I would just keep labbing the materials. There are a lot of topics on bastion hosts (resurgence with AWS), STIGS, etc, and give the RHEL Security Guide a read through.

alias454

@jock I don't think Bastille is being maintained as much for working with later versions of RHEL. You can look at lynis, which doesn't have a hardening mode but can do audits. SANS also talked about using BASTILLE when I took the GSEC course and found a lack of information on actual current working implementations on RHEL. From what I understand, the creator went to work at HP and continued to do development for HP-UX but I have not seen that codebase get pushed back out into the wild. Maybe someone else knows different and can share updated binaries?

This probably isn't related to the course but I assume the real reason to take a hardening course is to learn about hardening systems so in that regard, this is related. Another tool in the same vein for hardening, audit, and compliance is a new project opensourced by Adobe name hubbleStack. HStack has some pretty awesome features for doing audit, compliance reporting, and mitigation. It is on my short list of side projects to check out.

asummers

I think the main purpose would be to know what to harden, and how to do it. Automated tools would add a layer of abstraction where you don't know how to harden - you know how to run a program.

The RH413 course and exam would be geared towards hardening the main areas - it won't cover everything - and of course STIGs are very useful to learning how things hang together.

asummers wrote: »

I think the main purpose would be to know what to harden, and how to do it. Automated tools would add a layer of abstraction where you don't know how to harden - you know how to run a program.

The RH413 course and exam would be geared towards hardening the main areas - it won't cover everything - and of course STIGs are very useful to learning how things hang together.

Amen. I highly recommend people Work through some DISA STIGs (DoD systems) and/or OpenScap Security Guides (non DoD systems) manually. These guides will show you a well rounded approach at hardening your server.

I've went through the RHEL 6 STIG manually and I learned a lot. However, I'm not prepared for the RHEL 7 STIG one yet though since its pretty brutal and still a draft that subject to major revision changes.

So Sander's video course covers RHEL 7 which is current, but as Wolf said above, the EX413 exam is still covering RHEL 6. I contacted Red Hat training today and they said they have no plan in place yet to transition to RHEL 7 for EX413.

Some free EX413 study materials straight from Red Hat:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/index.html

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/index.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html

I just got the book for HP security training on Linux RHEL 7. Quite interesting but some chapters are too general.
Course description: http://h20195.www2.hp.com/v2/GetPDF.aspx/c04586449.pdf

The book any good Brombulec? I'm almost through Sander's videos that I mentioned above; he only has about half of the material available though. I was surprised at how much of the material is basically the DISA STIG for RHEL 6 v11.

I had no time last week to read more but it looks promising. Especially Kerberos, PAM and SELinux parts.
Stay tuned

By the way the new full STIG and benchmark got released a few days ago; RHEL 6 v1 R12.