Follow these steps to prepare and apply a Red Hat Ansible Core playbook to configure a remote logging solution. In this playbook, one or more clients take logs from systemd-journal and forward them to a remote server. The server receives remote input from remote_rsyslog and remote_files and outputs the logs to local files in directories named by remote host names. The logging System Role processes these variables with additional options to configure the logging system. The Rsyslog application enables you to configure a system to receive logging information from remote systems.
Next, set a BIOS password and also protect GRUB with a password to restrict physical access to your system. This procedure creates a private key and certificate, and configures TLS on all hosts in the server group in the Ansible inventory. As an administrator, you can use the logging RHEL System Role to configure a secure transfer of logs using Red Hat Ansible Automation Platform.
2. LUKS versions in RHEL
You can set USBGuard to authorize and block a USB device by using the usbguard command in your terminal. Follow the steps to prepare and apply an Ansible playbook containing your Clevis client settings. You can use an analogous procedure when using a TPM 2.0 policy instead of a Tang server. The following commands demonstrate the basic functionality provided by Clevis on examples containing plain-text files. You can also use them for troubleshooting your NBDE or Clevis+TPM deployments. Alternatively, you can rotate Tang keys by using the nbde_server RHEL system role.
- If a service needs to be accessible to other systems via the network, control the access with strict firewall rules and configure authentication, authorization and encryption whenever possible.
- The registrar is the Keylime component that contains a database of all agents, and it hosts the public keys of the TPM vendors.
- This passphrase unlocks the bulk encryption key that decrypts your partition.
- However, consult the manual for the computer or motherboard before attempting to disconnect the CMOS battery.
- Together with AllowUsers, AllowGroups is also supported as a configuration keyword.
- Encrypt transmitted data whenever possible, using a password or keys and certificates.
File systems used for data should always be mounted with nodev, nosuid and noexec. You may also encrypt a drive with the key stored in a TPM, although TPMs have had vulnerabilities in the past and the key can be extracted by a bus-sniffing attack. Once the computer is powered on and the drive is mounted, however, its data becomes just as vulnerable as that of an unencrypted drive.
4. Setting up a Keylime server by using System Roles
Some of the authors do not even have a full understanding of the tips they advocate. For that reason, we suggest working with authoritative, high-quality sources of Linux hardening and security guidance. A good way to monitor log activity is to use third-party log monitoring software, such as LogWatch, for log analysis and notifications.