redhatdemos / securitydemos Goto Github PK

I logged into selinux1.example.com twice as the instructions said, then tried the first exercise but I get:

[root@selinux1 selinux_scripts]# ./shellshock_exploit.sh
curl: (7) Failed to connect to 192.168.0.24 port 80: No route to host
[root@selinux1 selinux_scripts]#

I then fired up all the VMs with "selinux" in the name just in case (I had only started the first one) but that did not make a difference.

The exercise suggests this is all happening on selinux1.example.com, but for me that machine has IP address 192.168.0.19 and not 192.168.0.24 ?

• vim is not installed on the machine :-P

• point 2 shows the output of 'cat setup-selinux.yml', the output in the docs differs substantially from what's on the actual VM, in that all vars are missing on the actual lab machine. however the file name setup-selinux.yml.final has all the right content.

• running the ansible with the .final file seem to work except for selinux5 as noted on a previous issue

• no test to check the script worked is present in this lab

There are three main issues:

1. I was not able to complete it! The "keys" section of encryption tab was not there in my case
2. I believe it's worth having it merged with NBDE lab. (I mean one text, but separate machines, as it is now). First part on nbde1 node is the same, as well as the introductory text.
   2b) If not merged, link needs to be added to the Table of Contents
3. format is a bit off - each step should be numbered

Other points:

• you have to also install cockpit package for lab to work
• cockpit https is not trusted
• After clicking on Storage, you have to click on specific drive before you can see Encryption tab (on lab machine, tat's /dev/vda2)
• screenshots are off

• Lab 6.1 the password for auditlab user is not specified (turns out it is the usual r3dh4t1!) but it is requested to login from the workstation countrary to instructions.

-Lab 6.2 through 6.3.4
there is no success critieria shown, most labs ask you to perform actions but do not tell you how to validate they actually did anything useful, 6.3.2 does not give examples of what people should see no way to tell if it worked or not.
Note: everything seemed to work except perhaps the excercises about the project_tps_report.txt file:

$ chmod 0664 ~/project_tps_report.txt
chmod: cannot access '/home/auditlab/project_tps_report.txt': No such file or directory

Lab 6.3.5 is the only one that seem to show how the result of an action can be actually used, implicitly also validating that the action was performed correctly.

Need to instruct person to switch to the lab4_ansible directory. This needs to be first instruction in 4.2.

/home/lab-user/labs/lab4_ansible

[lab-user@workstation-r8338 labs]$ cd lab4_ansible/
[lab-user@workstation-r8338 lab4_ansible]$

https://github.com/RedHatDemos/SecurityDemos/blob/master/2019Labs/CustomSecurityContent/documentation/lab4_ansible.adoc

@lkerner

I got admin password expired so I needed to changed it first.
Please, extended the livetime of it or make it unexpirable.

• IP address for crypto2 hosts in /etc/hosts files is broken, and this causes all the lab to fail right away: needs to be changed to 192.168.0.40, that IP is now reserved for crypto2

• httpd service fails to start on boot on crypto2 due to timeouts: add instructions to tell users to start it manually?

This lab cannot be done at all, there is no workstation to log into.

It's mostly nitpicks, but anyway:

NBDE

• sometimes LUKs is used, instead of full capitalization

USBGuard

• 'he/she' can be changed to 'they'
• the preconfiguration notes are a bit unclear, as there is "preliminary knowledge" section. It's still just FYI (you are not supposed to act on that), but it confused me a bit. I was not sure, if I am supposed to create those XML files or not

GPG

• what is referenced as "user ID" is "Real Name" in CLI
• '(O) for Okay' is just fine, instead of 'Okay/Quit'
• "comment" is before OK, so switch those lines

Near the end of the exercise there is a "termshot" of the exit command with a root prompt "#".
There should be a "bash-4.2$" prompt instead as the command is to exit the hacked shell

Incorrect denial "termshot" in lab

At point 3 the denials showed are not the denials you get on the machine which currenl;y atew a denied {read} and a denied {map}

Hi,
I found a link to this project in section 7 of the RHEL 7 Security Guide. Trying to setup the lab failed with the message:

Sorry, there are no available GUIDs for lab SECURITYMA3, please double check that you selected the correct lab code or contact a lab assistant.

Is this why the lab is not public available for everybody or any other reason? I couldn'd find any information about the availabilty whether in the documentation nor in this repo.

Regards,
Tronde

In the following page:

https://github.com/RedHatDemos/SecurityDemos/blob/master/2019Labs/CustomSecurityContent/documentation/lab1_introduction.adoc

Step 1.2.1 description refers to ssg-rhel8-guide-ospp.html
Step 1.2.1 item v refers to ssg-rhel8-guide-ospp-rhel8.html, and then has a screen shot that does not match.

Suggested Fix: All references should be to ssg-rhel8-guide-ospp-rhel8.html

What it says.

Lab 4.3 at point 2, the third command fails:

$ scp ipsec2.example.com.p12 /root/oe-cert.conf [email protected]:/root/
ipsec2.example.com.p12                                         100% 3750     5.3MB/s   00:00    
/root/oe-cert.conf: Permission denied

This is because we are logged into the woirkstation as lab-user, while the command seems to imply we should be logged in the ipsec1 machine.

Lab 4.4 at point 4:
the ping command returns 100% packet loss

Lab 4.4 at point 5:
presumambly because of the above only outBytes reports non-zero.

Lab 4.5 at point 4:
the tcpdump command won't work, it references eth0 when the interface on these VMs is called ens3 (also tcpdump is not installed on ipsec2)

I was not able to disagnose the issue, the troubleshooting lab doesn't point out what to look at and the amount output spewed by ipsec status wasa lot but cryptic to the uninitiated

• Lab 8.1 point 2:
  The first screenshot does not match actual usage, the current screenshot shows that you need to type "admin" to log in, the actual usage is that a user named "Administrator" is shown and can be clciked upon.

• Lab 8.1 point 3:
  It may be worth preparing a desktop link that opens Firefox on the correct idm page right away (better user experience).
  Also note that no login (as shown in the doc) is needed, the user is logged in automatically thanks to Kerberos SSO, this should be note d to avoid confusion.

• Lab 8.1 point 11:
  ipa-client-install failed on Idm2 but succeeded on Idm3, I suspect firewall issues, but did not investigate further on Idm2.
  I used Idm3 instead of Idm2 for the following steps.

• Lab 8.5 point 16:
  this point is wrong and makes the exercise fail
  The rule need to add a Whom section of "RunAs users" then add an external "root" user as the user to run the comamnd as.
  The "RunAs group" part is completely useless and should be removed.

• RHEL8 recommends yum, not dnf

• it would be good to explicitly mention in text, that for second terminal you need right click the icon

• in Build 2. "For reference" this does not make sense - we just used it' what is there to refer to? :) For reference, if you build following official project guide, instead of ./build_product, you build all content.

• in Examine the guides I would prefer not to use "love". "appreciate" is more humble and more appropriate :)

• first save in gedit, I would mention top right part has the save button (just to be sure)

• I would mention how to get ID of the rule (taking a look at ref url - ugly, but for posterity. We can also mentioned it will get better)

• When setting TMOUT, go for 5 minutes, so there is difference between this and default (which is 10 minutes)

• last bit about addition of 20 minutes could be put into a NOTE:

• In OVAL section - opening shared.xml in nautilus is NOT simple (Text Editor is not one of the options, it has to be selected from "other applications"). Firefox, which is default, will fail to open it.

• In Remediation, I don't like wording "... Ansible, which is preferred over puppet" Why? I would refrain from judgements like this :) Ansible is simply the recommended way to configure RHEL, and as such has higher coverage. Project would happily accept puppet remediations in case there would be some interest.

• Doc style is not in line with the rest of the labs, numbered sections are missing for example.

• at the third(?) step we get a failure, can;t enable cockpit:

[root@sessionrecording ~]# systemctl start cockpit.socket
Failed to start cockpit.socket: Unit cockpit.socket not found.

This is because cockpit is not installed on the system and the previous install commands do not drag it in as a dependency

• at the fourth(?) step there are no proper instruction to log into the workstation console to open the browser (see other labs like IdM)

• again at foruth(?) step once we connect to the cockpit service we get a "this connection is not secure" warning. That SHOULD be fixed by providing the workstation with a certificate that is trusted.

• again at fourth(!) step please remind the user what are the root credentials to be used (password: r3dh4t1!)

• Please split in numbered bullet points the actions, hard to refer to individual items otherwise (again see other docs)

PREFERED -> PREFERRED

• remind user to press Save after changing SSSD configureation item

• vim is not installed (although vi is, users that are familiar with it will almost always prefer to use vim)

• OPTIONAL FEEDBACK: I would remove the alternative shell version explanation, it is confusing

"In practise" -> "In practice" (but to be honest I would find a different title)

• password is not provided for user "q" in any place
  but then the user "q" doesn't even exist, and no instructions to create it is provided ...

• $ sudo yum install mc nginx
  obviously as the user didn;t even exist

• mc is not installed:

[q@sessionrecording ~]$ mc
-bash: mc: command not found

At this point I stopped trying to complete the lab.

As it current stands, IdM lab will take attendee quite a big chunk of the lab time, when 8.4 (groups) is (From the perspective of learning potential) carbon copy of 8.3 (users) and 8.5 has just slight alternations. I was struggling a bit to keep focused during 8.5 :)

My proposal is to remove both 8.4 and 8.5 to make lab more approachable. This will enable attendee to check other cool technologies as well.

@simo5 mentioned lack of command line approach to configuration, that could be potential way how to make 8.4 or 8.5 interesting again - not clicking, but using CLI.

What do you think, @pbeniari ?

People often ask about scanning with customized profile using oscap.

And a tricky part of it is that the ID of the customized profile is different from original profile.
Should this be considered in the scope of the labs?

If yes, I would suggest to put more emphasis during customization, or add another exercise in which a scan with customized profile is done.

@lkerner

Lab 1: ~10 minutes
Lab 2: ~15 minutes
Lab 3: ~12 minutes
Lab 4: ~8 minutes
Lab 5: ~11-12 minutes
Lab 6: ~10 minutes
Lab 7: ~10 minutes
Lab 8: ~12 minutes
Lab 9: ~11-12 minutes
Lab 10: ~13 minutes
Lab 11: ~14 minutes
Lab 12: ~11 minutes

VM should have OVAL degraded to the old pre-jinja level to work as intended, this command does that:

wget -O linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml https://raw.githubusercontent.com/ComplianceAsCode/content/3ab5db43ca2c3253127959fc38bdbbd851f23d18/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml

Should get incorporated into Ansible Playbook

I did not realize I was looking at the "pre-configured for you steps" initially however I will report anyway the issues I found:

Can't install ansible:

# yum install ansible -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
RHEL8                                                            2.9 kB/s | 2.9 kB     00:01    
RHEL8-APPSTREAM                                                  1.3 MB/s | 2.9 kB     00:00    
No match for argument: ansible
Error: Unable to find a match

1st error trying ansible:

[root@selinux1 ~]# ansible all -i inventory -m ping -u root
 [WARNING]: Unable to parse /root/inventory as an inventory source

 [WARNING]: No inventory was parsed, only implicit localhost is available

 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit
localhost does not match 'all'

This is because of missing instruction to cd into /root/selinux_scripts, but after that is done we get another error:

[root@selinux1 ~]# cd selinux_scripts/
[root@selinux1 selinux_scripts]# ansible all -i inventory -m ping -u root
selinux3 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
selinux2 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
selinux5 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ssh: connect to host selinux5 port 22: No route to host",
    "unreachable": true
}

And that showed me that indeed:

# ssh root@selinux5
ssh: connect to host selinux5 port 22: No route to host

However looking at the console I do see a machine called 7SELinux5, and can get a text console to it.

@lkerner

I was required to update expired admin password in the web UI. I updated it keeping it the same = r3dh4t1!

It is not clear how to format shell sessions. The ideal way would be to use the pygments highlighting backend that is supported by asciidoc, and use the

$ command1
output1
output2
$ command2
...

syntax.
This seems to be a good choice even when pygments are not supported on the Gitlab instance that we get later.

• Check whether pygments are supported, so the [code,shell-session] could be used with snippets.
• Unify shell session listings to one style. The style should copy the snippet above - prompt before commands, always include stdout output. Depending on the previous subtask, optionally specify the listing style to shell-session - handled by #128

• in the "Hands on" section "before you start" the instructions say:

cd /home/lab-user/labs/lab1_introduction/content

There is no lab1_introduction directory, there is a lab0_introduction one though

• in "Build the content" section instructions say: "Run make to compile content for all applicable products. A product may be either an OS s.a. RHEL8, RHEL7, Fedora etc"
  running make RHEL8, make RHEL7 or make Fedora, each fail because the Makefile targets are lowercase and not uppercase as stated.

• Using shortcuts like ctrl+f should not be suggested because in ravello it is extremely cumbersome to use modifiers like ctrl (I found it can only be done by using the on display keyboard with firefox)

• In "Associated Content" the user is directed to open a directory in nautilus "linux_os/...../accounts_tmout" and then told there is a shared.sh file there.
  There is no such file, however there is a shared.sh file in a subdirectory called "bash". The user should be told to look into that subdirectory.

• Lab 5.1.1
  the demo VM starts but it spews a bounch of errors that USBguard daemon could not be started

• Lab 5.1.2 at step 1, failure:

# systemctl enable usbguard --now
Job for usbguard.service failed because the control process exited with error code.
See "systemctl status usbguard.service" and "journalctl -xe" for details.

using journalctl-xe will yield broken output due to the VM console, using it |less makes it readbale:

Apr 10 13:41:24 localhost.localdomain usbguard-daemon[723]: [1554918084.263] (E) Policy leaks are possible with this permissions!
Apr 10 13:41:24 localhost.localdomain usbguard-daemon[723]: [1554918084.263] (E) Configuration: /etc/usbguard/rules.conf: usbguard::Exception
Apr 10 13:41:24 localhost.localdomain usbguard-daemon[723]: Configuration: /etc/usbguard/rules.conf: usbguard::Exception
Apr 10 13:41:24 localhost.localdomain systemd[1]: usbguard.service: Control process exited, code=exited status=1

Could not continue demo.

This instructions is not clear - Lab 1.1:

10. Now, go back to your Lab Information webpage from the Lab 0 setup steps and click on the console button for your workstation bastion host. Login as lab-user with r3dh4t1! as the password.

Where can I find the Lab Information webpage?

During my dry run, these are the times (focused, but taking notes for feedback, and I am not fast reader, should be fairly average)

OpenSCAP: 18 minutes
SELinux: 50 minutes
NBDE: 7 minutes (not counting waiting for auto unlock)
NBDE Cockpit: 10 minutes but not finished
IPSec: 15 minutes
USB Guard: 15 minutes
Audit: 22 minutes
AIDE: 15 minutes
IdM: I haven't re-run it, my first was, I believe, 60 minutes +
GPG: 7 minutes
FirewallD: 12 minutes
Crypto policies: 8 minutes
Session Recording: 20 minutes, but I got confused by issues :)

• Firewalld lab mentions iptables in various places (including the schematic image), but apparently RHEL8 is using nftables now..

-Lab 10.4 point 3:
output of --list-services shown differs from the machine. actual output includes cockpit:

[root@servera ~]# firewall-cmd --list-services
cockpit dhcpv6-client dns ssh

Also last pioint 4 shows no output for --list-services but should show

cockpit dhcpv6-client ssh

(same for following examples later on)

no need to edit. Even windows admins know less and more.

Some lab users are reported that it would be helpful if we described some of the SCAP terminology in more detail and that it would help them understand more what they are doing. They mentioned specifically a sentence which mentions several cryptic abbreviations: "... PCI-DSS, STIG, C2S, Common, CJIS, and others.". Having these described simply as "content" is too vague for first-time (Open)SCAP users.

1 - Custom Security Lab 0 - How to
Suggest to use Paste Text functionality from Ravello to input the password

2 - Introduction Structure suggestions:

Change the way how what is already learned and what has been done for the user is presented (from lab2):

What will you learn -> What you will learn

... what possibilities do you have for remediations of failing rules. -> what are the possibilities for remediations of failing rules.

So the general ideia here is to change the format from question to affirmative, this would have to be applied to the whole lab context.

3 - When firefox is started, it asks if the user wants to restore session which will led you with some tabs from previous exercises and github pages.

• Clean firefox history
• Clean bash history

• Lab 7.4 point 4:
  the output of the command in the "termshot" differs from what you get on the actual machine, enough to confuse users.

• Lab 7.4 point 6:
  the output of the command in the "termshot" differs from what you get on the actual machine, the cwd report is /home/student but should be /root

• Lab 7.4 point 10:
  reboots are reallly slow, students should be warned to wait

**@lkerner

Problem:**
Currently worded: "Congratulations, by completing the lab exercise, you became familiar with the leading content creation tool and largest open-source repository and in existence...."

URL:
https://github.com/RedHatDemos/SecurityDemos/blob/master/2019Labs/CustomSecurityContent/documentation/lab1_introduction.adoc

Suggested Fix:
"Congratulations, by completing the lab exercise, you became familiar with the leading content creation tool and largest open-source repository in existence."

@lkerner

problem:

[lab-user@workstation-3dcb lab5_oval]$ sudo tests/test_suite.py rule --container ssg_test_suite --datastream build/ssg-rhel7-ds.xml accounts_tmout
/usr/bin/env: ‘python2’: No such file or directory

Should specify python3 in command like this?: …lab5_oval]$ sudo python3 tests/test_suite.py rule ….

But I get a password prompt with python3 added to the command :

lab5_oval]$ sudo python3 tests/test_suite.py rule --container ssg_test_suite --datastream build/ssg-rhel7-ds.xml accounts_tmout
Setting console output to log level INFO
INFO - The DataStream contains 2 Benchmarks
INFO - 0 - scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
INFO - 1 - scap_org.open-scap_cref_ssg-rhel7-pcidss-xccdf-1.2.xml
INFO - Selected Benchmark is 0
INFO - To select a different Benchmark, use --xccdf-id-number option.
INFO - The base image option has been specified, choosing Podman-based test environment.
INFO - Logging into /home/lab-user/labs/lab5_oval/logs/rule-custom-2019-08-04-2132/test_suite.log
[email protected]'s password:

suggestion to add icmp lab exercise

These are not show-stopper, but it made me wonder :)

• 11.1.4 - mention there is message about reboot printed into the terminal, maybe a good point to dive deeper why reboot is not needed this very moment
• is it deliberate to not mention per-package overrides at all? It would be good opportunity to mention it, and warn that it strongly

This can be fixed by adding a parameter for the password of 'oc login' user1 from the jenkinsfile.

Modify the workstation VM to have gnome-tweaks installed. Even better, go further and enable some of the maximize/minimize, window list, context menus on the workstation to make it perform more friendly in ravello (easier navigation of gnome3 on RHEL8).

The last item of the last exercise proposes to try/check remediation with ansible, but it fails fue to missing python:

TASK [Gathering Facts] **************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "/bin/sh: /usr/bin/python: No such file or directory\n", "module_stdout": "", "msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error", "rc": 127}
to retry, use: --limit @/root/playbook.retry

@lkerner

Problem:
Currently worded: "After the build finishes, we let’s re-examine the variable definition..."

URL:
https://github.com/RedHatDemos/SecurityDemos/blob/master/2019Labs/CustomSecurityContent/documentation/lab1_introduction.adoc

Suggested Fix:
"After the build finishes, let’s re-examine the variable definition..."

fatal: cannot create directory at '2018Labs/RHELSecurityLab/selinux_scripts/roles/linux-system-roles.selinux/test/roles/selinux/test/roles/selinux/test/roles/selinux/test/roles/selinux/test/roles/selinux/test/roles/selinux/test/roles/selinux/test/roles/selinux': Filename too long
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry with 'git restore --source=HEAD :/'

In Before you start section there is no screenshot.

Typos: excercise

In Bash remediation section, it reads as you know from the introductory lab.
As the exercises should be independent, wording should be different, and bullet points updated with full instructions to open HTML guide.

In OVAL check section, I suggest to add comments in the snippets, or an image with arrows pointing out the two criterion mentioned.

Still in same section, there is snippet of OVAL test, object and state for test that checks /etc/profile. And right after it, there is mention of two regular expressions in shared.xml.
It can be confusing that only one of them is illustrated in the snippet.
Also, consider adding comments or making it an image with overlay arrow or text to guide the reader.

In `Tests Hands-on, command to build Fedora content is mentioned, but not the command to run the test suite. It only appears in the output snippet, it could be hard to spot and copy-paste.
I suggest making it explicit when instructing to use the test suite for the first time.

In OVAL optimization, snippet following The test has a different name and comment, plus it uses different test objects: only shows the tests, not the objects.

In Correct handling of supercompliance, should it be mentioned thattests/data reflects structure directory of linux_os?

In the same section, as previously, I suggest adding a snippet of final contents of supercompliant.pass.sh.

In Correct handling of export, I don't understand what or who is the User in first paragraph.

SSIA

• PWNME - can we make it such that we know we were successful? Maybe can it iterate until it succeeds?
• runcescape - this is quite slow - is it possible to speed it up somehow? maybe by prebaking the container?
• also - in the script there is docker used and dnf. That does not compute for me :) docker is RHEL7 tool, dnf rhel8.
• DNS record is slightly different (cat /etc/hosts), there are no IP adressess
• I recommend changing combo "ssh ; getenforce; exit" to ssh <host> getenforce. It will save some time for the attendees
• also, when I did the lab, I got tired of typing / updating those curl commandlines. Maybe I would prefer if the lab used bash expansion for these. Like curl selinux{2,3,5}{,:7070} - is it slightly magical? Maybe. But it will save a lot of time, and you can compare outcomes right away, instead of doing the same operation six times with slightly different outcomes.
• 2.3.3.1 is messy - in the paragraph above, you say we will use selinux2, and then you still touch all machines?
• during 2.4.2, when your example says there are permission denied, I have got none - it worked right away. Thus 2.4.2.{3,4,5} were not needed.

After reboot the system does not automatically unlock.
I see no evidence that tang is actually being contacted on NBDE1

Part of the link was removed during doc review thus leading to a non existent page, see link below:

9e08bfe#r35487052

Custom Security Content Lab Exercise #2:
In the "Before You Start" section:

Cannot get to the 'content' directory... it does not exist :
/home/lab-user/labs/lab2_openscap/content

@matejak @dahaic @jan-cerny : Please fix