Secure RHEL systems using Ansible Automation Platform

November 2, 2023
Nikhil Mungale
Related topics:
Automation and managementLinuxSecurity
Related products:
Red Hat Ansible Automation PlatformRed Hat Enterprise Linux


    In today's rapidly evolving cybersecurity landscape, securing your Red Hat Enterprise Linux (RHEL) system is paramount. With the rise of sophisticated threats, manual security configurations are no longer sufficient. This is where automation tools like Ansible come into play.

    In this technical article, we will explore how to use Red Hat Ansible Automation Platform to enhance the security of your RHEL servers and workstations.

    Important policies for RHEL

    The SELinux policies and booleans used in this article are the following:

    • Targeted: This is the default SELinux policy for RHEL. It confines a limited set of system services and daemons, providing security without significantly affecting overall system performance. It enforces strict access controls for those services and daemons while allowing user-level processes more freedom.
    • Custom policies: Some organizations develop their own SELinux policy modules tailored to their specific needs. These policies can provide granular control over access to resources and services on the system.
    • HTTPd or NGINX (httpd_can_network_connect): This boolean allows the Apache HTTP Server (HTTPd) to make network connections. It's useful when web applications served by Apache need to communicate with external services or resources.
    • Samba server (samba_enable_home_dirs): When enabled, this boolean allows Samba to share user home directories. It's useful for setting up file sharing between Windows and Linux systems while keeping SELinux in enforcing mode.
    • MySQL database connectivity (mysql_connect_any): This boolean allows MySQL to connect to any network port. Enabling it can be useful if you have a MySQL server that needs to communicate with clients on various ports.

    Prerequisites and dependencies

    Before we dive into securing RHEL using Ansible, make sure you have the following prerequisites in place:

    • Ensure you have RHEL installed and configured.
    • Install Ansible Automation Platform on your management system; follow the installation article for instructions.
    • SSH key authentication between your automation controller node and the target RHEL systems to facilitate secure communication.
    • Familiarize yourself with Ansible playbooks, which are essential for automating tasks.
    • Understand the basics of SELinux (Security-Enhanced Linux) and its policies. SELinux is a security framework integrated into RHEL to provide mandatory access control.
    • Ensure that your RHEL system has access to the required repositories for updates and package installation.

    Secure RHEL with Ansible Automation Platform

    Ansible Automation Platform streamlines Red Hat Enterprise Linux security. It automates tasks such as SSH hardening, firewall setup, and user management, ensuring consistent security configurations. RHEL systems remain compliant with standards like CIS benchmarks, bolstering their security. This platform provides centralized control, real-time visibility, and quick responses to threats, simplifying complex security tasks. It fortifies RHEL systems while making security policy management more efficient.

    Step 1: Inventory configuration

    An Ansible inventory is a list of hosts that jobs can be launched against. Hosts are organized into inventory groups, and those groups contain the actual hosts.

    1. Navigate to Inventories under Resources in the left menu.
    2. Click Add, then select Add Inventory. Provide a name for the inventory and select the organization.
    3. Open the Hosts tab of the new inventory and choose Add Host from the top navigation bar.
    4. Select Add and proceed to specify the host's IP address or URL.
    5. To save changes, click the Save button.

    Step 2: Create Ansible playbooks

    The following playbook sets the SELinux mode and the SELinux booleans that grant dedicated services on a RHEL server (an HTTPd server, a Samba server, FTP, a database) the access they need, and it installs a custom policy module.

    To validate the playbook before running it, use the ansible-lint tool.

    ---
    - name: Linux hardening
      hosts: rhel_servers
      become: true          # every task below changes SELinux state and needs root
      gather_facts: true

      tasks:
        - name: Set SELinux to enforcing with the targeted policy
          ansible.posix.selinux:
            policy: targeted
            state: enforcing

        # Each boolean widens what a confined service domain may do, so enable
        # only the ones a host actually needs. persistent: true writes the value
        # to the policy store; without it the change is lost at the next reboot.
        - name: Allow Apache to connect to the network
          ansible.posix.seboolean:
            name: httpd_can_network_connect
            state: true
            persistent: true

        - name: Allow Samba to share user home directories
          ansible.posix.seboolean:
            name: samba_enable_home_dirs
            state: true
            persistent: true

        - name: Allow FTP to write files to home directories
          ansible.posix.seboolean:
            name: ftpd_full_access
            state: true
            persistent: true

        # Stage the compiled module outside the policy store; semodule -i
        # installs it into the store itself, so never copy into it directly.
        - name: Copy custom policy module to the server
          ansible.builtin.copy:
            src: /path/to/custom_policy.pp
            dest: /root/custom_policy.pp
            mode: "0600"

        - name: List the policy modules already loaded
          ansible.builtin.command: semodule -l
          register: semodule_list
          changed_when: false

        # Assumes the module name inside the .pp matches the file name.
        - name: Load the custom policy module
          ansible.builtin.command: semodule -i /root/custom_policy.pp
          when: "'custom_policy' not in semodule_list.stdout"

        - name: Allow cron jobs to relabel user content
          ansible.posix.seboolean:
            name: cron_can_relabel
            state: true
            persistent: true

        - name: Allow MySQL to connect to the network
          ansible.posix.seboolean:
            name: mysql_connect_any
            state: true
            persistent: true

        - name: Allow PostgreSQL to connect to the network
          ansible.posix.seboolean:
            name: selinuxuser_postgresql_connect_enabled
            state: true
            persistent: true

    Step 3: Machine credentials

    The automation controller can invoke Ansible on hosts under your management using machine credentials (Figure 1). Similar to using Ansible on the command line, you can specify the SSH username, password, SSH key, and key password, or even have the automation controller ask for the password during deployment. 

    1. From the Ansible Automation Platform console, navigate to Credentials under the Resources section in the left menu.
    2. Click the Add button, then assign a name to the credentials, specifying Machine as the Credential Type.
    3. In the Type Details section, enter the appropriate username and, if applicable, the corresponding password for your server.
    4. To add an SSH private key, you can either drag-and-drop the key file or paste its contents.
    5. In the Privilege Escalation Method drop-down menu, choose sudo and set the Privilege Escalation Username to root.
    6. Click Save.
    Figure 1: Machine credentials of the targeted host.

    Step 4: Project

    In the controller, a Project represents a logical collection of Ansible playbooks.

    You can manage playbooks by placing them manually under the Project Base Path on your controller server or by putting them into a source code management program.

    1. To create a new project, navigate to the Project option in the left menu under the Resources section.
    2. Click the Add button to proceed.
    3. Provide a project name and designate an organization as the default. 
    4. In Source Control Type, select a Git option.
    5. Under Type Details:
      • In the Source Control URL field, add the GitHub repository URL.
      • Add the repository branch name in Source Control Branch/Tag/Commit as main. 
      • Under Options, check the box for Update Revision on Launch.
      • Click Save or Sync to fetch the remote repository locally (see Figure 2).
    Figure 2: Project added to fetch the remote repo.

    Step 5: Template

    A job template defines the parameters for running an Ansible job, so the same job can be launched again and again without re-entering them. Because the template references a project, the same playbook content is reused across runs and teams can work together more effectively.

    Create a job template; the template is what executes the job.

    • From the left menu, go to Resources and choose Templates. Click Add, then select Add Job Template.
    • Provide a name for the Template.
    • Choose the inventory that was created earlier from the available options.
    • Under Credentials, select the Machine credentials.
    • Select the project.
    • Select the Ansible playbook under Playbooks: Secure_RHEL_using_Ansible_Automation_Platform/securing-rhel-using-aap.yml
    • Scroll down to the bottom, and under the Options section, check the box for Privilege Escalation.

    Finally, click Launch to execute the playbook (Figure 3).

    Figure 3: Create a Template to trigger a job.

    After the successful execution of a job on the RHEL server, you will get output on your screen as shown in Figure 4.

    Figure 4: After applying security policies on the RHEL server.
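The job output in Figure 4 only shows that tasks ran; it does not show whether the booleans from the Step 2 playbook are both on and persistent on the host. The following script, added here as an example and not part of the original article, parses the output of `semanage boolean -l` (the sample below is constructed, not captured from a host) and reports booleans that are missing from the policy, still off, or on only until the next reboot. The name `audit` and the sample text are this example's own.

```python
import re

# SELinux booleans the article's hardening playbook switches on.
PLAYBOOK_BOOLEANS = (
    "httpd_can_network_connect",
    "samba_enable_home_dirs",
    "ftpd_full_access",
    "cron_can_relabel",
    "mysql_connect_any",
    "selinuxuser_postgresql_connect_enabled",
)

# One data row of `semanage boolean -l`: name, then "(current , default)".
# The first value is the running state; the second is the persistent value
# in the policy store, i.e. what the boolean becomes after a reboot.
ROW = re.compile(r"^(\S+)\s+\(\s*(on|off)\s*,\s*(on|off)\s*\)")

def parse_semanage(output):
    """Map boolean name -> (current_on, persistent_on)."""
    states = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            states[m.group(1)] = (m.group(2) == "on", m.group(3) == "on")
    return states

def audit(output, expected=PLAYBOOK_BOOLEANS):
    """Classify each expected boolean as missing, off, or not_persisted."""
    states = parse_semanage(output)
    result = {"missing": [], "off": [], "not_persisted": []}
    for name in expected:
        if name not in states:        # not defined in the loaded policy
            result["missing"].append(name)
        elif not states[name][0]:     # the play did not take effect
            result["off"].append(name)
        elif not states[name][1]:     # on now, but reverts at reboot
            result["not_persisted"].append(name)
    return result

# Constructed sample of `semanage boolean -l` output, not captured from a host.
SAMPLE = """\
SELinux boolean                 State  Default Description

cron_can_relabel                (on   ,   on)  Allow cron to relabel files
ftpd_full_access                (off  ,  off)  Allow ftpd full access to files
httpd_can_network_connect       (on   ,  off)  Allow httpd to connect to the network
mysql_connect_any               (on   ,   on)  Allow mysql to connect to any port
samba_enable_home_dirs          (on   ,   on)  Allow samba to share home directories
"""
```

Run `audit()` on the captured `semanage boolean -l` output of a host after the job finishes; any name under `not_persisted` was set without `persistent: true` and will reset at the next boot.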

    Find more resources

    In this article, we have enhanced the security of Red Hat Enterprise Linux systems by implementing SELinux basics and custom policies and deployed these policies using Ansible Automation Platform.

    For a deeper, practical understanding of Red Hat Enterprise Linux, you can engage in thoughtfully curated hands-on labs by Red Hat. Red Hat Universal Base Images (UBI) are container-based operating system images with complementary runtime languages and packages. Try Red Hat UBI on the curated Red Hat UBI hands-on lab.

    Furthermore, you have the option to obtain tailored Red Hat Enterprise Linux images designed for AWS, Google Cloud Platform, Microsoft Azure, and VMware, facilitating their seamless deployment on your chosen platform.
