Added new lab 'enhance-rhel-with-selinux' & SSO integration

instruqt-tracks/enhance-rhel-with-selinux/01-join-red-hat-developer-portal/assignment.md

@@ -0,0 +1,17 @@
+---
+slug: join-red-hat-developer-portal
+id: 4hgm3l0ym300
+type: challenge
+title: Join Red Hat Developer at no cost
+teaser: Join Red Hat Developer at no cost
+tabs:
+- title: Red Hat Login
+  type: browser
+  hostname: rhd-login
+difficulty: ""
+---
+Before you proceed with the next challenge, please take a moment to register for Red Hat Developer. If you already have a Red Hat account, you can use the same login credentials.
+
+This will help us assess user satisfaction and enable us to provide more curated content.
+
+Click on the `Check` button at the bottom once you have registered or logged in.

instruqt-tracks/enhance-rhel-with-selinux/01-join-red-hat-developer-portal/check-rhd-login

@@ -0,0 +1,41 @@
+#!/bin/bash
+set -euxo pipefail
+echo 'logincheck'
+if [ "${LOGGEDIN-0}" = "1" ]; then
+    echo 'loggedin'
+    exit 0
+fi
+
+rm -f /home/user/checkResult.json
+rm -f /home/user/checkAssets.json
+rm -f /home/user/checkError.txt
+
+
+echo 'dropdown check'
+echo '{"location":{"conditions":[{"url":"redhat.com","condition":"contains"}]},"innerText":[{"selector":"html \u003e body","value":"Please click on Check button in the bottom right of your screen to continue with the Lab."}]}' > /home/user/checkAssets.json
+until [ -f /home/user/checkResult.json ]; do
+    sleep 1
+done
+if grep "SUCCESS" /home/user/checkResult.json; then
+    echo 'account dropdown'
+    exit 0
+fi
+
+
+rm -f /home/user/checkResult.json
+rm -f /home/user/checkAssets.json
+rm -f /home/user/checkError.txt
+
+
+echo 'email check'
+echo '{"location":{"conditions":[]},"innerText":[{"selector":"html \u003e body","value":"Email address verification"}]}' > /home/user/checkAssets.json
+until [ -f /home/user/checkResult.json ]; do
+    sleep 1
+done
+cat /home/user/checkResult.json
+if grep "SUCCESS" /home/user/checkResult.json; then
+    echo 'email validation'
+    exit 0
+fi
+fail-message "Please login and click 'Check' button."
+exit 1

instruqt-tracks/enhance-rhel-with-selinux/02-selinux-modes/assignment.md

@@ -0,0 +1,76 @@
+---
+slug: selinux-modes
+id: 0eodsxi9otyv
+type: challenge
+title: SELinux modes
+notes:
+- type: text
+  contents: '## Register RHEL host using ''subscription-manager'' and verify status
+    of SELinux.'
+tabs:
+- title: Terminal
+  type: terminal
+  hostname: rhel
+- title: Console
+  type: browser
+  hostname: console
+difficulty: ""
+---
+## Add Red Hat Subscription to host
+- To view the current subscription status of host.
+ ```
+ subscription-manager status
+ ```
+- Register the host using following command.
+```
+subscription-manager register
+```
+> [!IMPORTANT]
+> If the subscription-manager registration fails, please proceed to the **console** tab, log in, and complete the form.
+> Thereafter, attempt to register the host with subscription-manager again.
+
+- Attach the subscription to the server using the command below.
+```
+subscription-manager attach
+```
+## Explore SELinux modes
+SELinux operates in three distinct modes: Enforcing, Permissive, and Disabled.
+
+- **Enforcing**: In this mode, SELinux actively enforces the defined security policies. Any violation triggers an immediate response, such as blocking unauthorized access or generating an alert.
+- **Permissive**: In permissive mode, SELinux logs violations while enforcing policies and without actively blocking them. This mode is useful for identifying policy gaps before transitioning to full enforcement.
+- **Disabled**: SELinux is turned off in disabled mode, and DAC becomes the primary access control mechanism. While this might be necessary for specific legacy applications, it's not recommended for systems requiring strong security.
+
+To check the current SELinux status
+```
+sestatus
+```
+
+You will receive similar results on your terminal as shown below.
+```
+SELinux status:                 enabled
+SELinuxfs mount:                /sys/fs/selinux
+SELinux root directory:         /etc/selinux
+Loaded policy name:             targeted
+Current mode:                   enforcing
+Mode from config file:          enforcing
+```
+
+To make permanent changes, you have to configure the file located at /etc/selinux/config.
+```
+cat /etc/selinux/config
+```
+By default, SELinux in RHEL is set to **enforcing** mode, and the type is set to **targeted**, as shown below
+```
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - No SELinux policy is loaded.
+SELINUX=enforcing
+# SELINUXTYPE= can take one of these two values:
+#       targeted - Targeted processes are protected,
+#       mls - Multi Level Security protection.
+SELINUXTYPE=targeted
+```
+
+After successful registration and exploration of SELinux modes, click on the **check** button.

instruqt-tracks/enhance-rhel-with-selinux/02-selinux-modes/check-rhel

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+output=$(subscription-manager status)
+
+search_string="Unknown"
+
+if echo "$output" | grep -q "$search_string"; then
+  FAIL "Host is not registered using subscription-manager. Please redo the steps for registration."
+  exit -1
+else
+  exit 0
+fi

instruqt-tracks/enhance-rhel-with-selinux/03-deploy-sample-app/assignment.md

@@ -0,0 +1,76 @@
+---
+slug: deploy-sample-app
+id: ehrptptf6ius
+type: challenge
+title: Deploy sample app
+notes:
+- type: text
+  contents: '## Deploy sample Red Hat Developers website with httpd server'
+tabs:
+- title: Terminal
+  type: terminal
+  hostname: rhel
+- title: Sample App
+  type: service
+  hostname: rhel
+  path: /
+  port: 80
+difficulty: ""
+---
+Install the httpd server on the RHEL system  using the following command:
+```
+dnf install httpd -y
+```
+Enable the httpd server and verify the status to ensure it's running.
+```
+systemctl start httpd &&  systemctl status httpd
+```
+
+Press **q** to exit from status check mode on terminal
+
+Create a new **index.html** file in the following directory for the static website, effectively setting it up as a sample application.
+
+```
+ cd /var/www/html/
+```
+Run the following command to create a index.html file with required content.
+```
+cat << 'EOF' > index.html
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Red Hat Developers</title>
+</head>
+<body>
+    <header>
+        <h1>Welcome to Red Hat Developers portal</h1>
+        <a href="https://developers.redhat.com">
+            <img src="https://github.com/nageshredhat/local-openshift/blob/main/rh-dev.jpg?raw=true" alt="Red Hat Developers Logo" width="250" height="250">
+        </a>
+    </header>
+    <main>
+        <p>
+            Red Hat Developers is a platform for developers to access resources, tools, and information about Red Hat technologies.
+        </p>
+        <p>
+            Visit the <a href="https://developers.redhat.com">Red Hat Developers</a> website to learn more.
+        </p>
+    </main>
+    <footer>
+        <p>&copy; 2023 Red Hat, Inc. All rights reserved.</p>
+    </footer>
+</body>
+</html>
+EOF
+```
+Visit the `Sample App` tab beside of terminal tab to check the running app trhought httpd server.
+> [!NOTE]
+> If the Red Hat Developers website is not visible, Kidly refresh the page ↻
+
+Check the labels of the file using the following command.
+```
+ls -lZ
+```
+After successful deloyment of web page, click on the **check** button.

instruqt-tracks/enhance-rhel-with-selinux/03-deploy-sample-app/check-rhel

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+output=$(http://localhost:80)
+
+search_string="Red Hat Developers"
+
+if echo "$output" | grep -q "$search_string"; then
+  FAIL "The website is running Red Hat Developers."
+  exit 1
+else
+  exit 0
+fi
+
+
+# #!/bin/bash
+# # check
+
+# output=$(http://localhost:80)
+
+# search_string="Red Hat Developers"
+
+# echo "Checking the solution of the challenge"
+# if [ echo "$output" | grep -q "$search_string" ]; then
+#   echo "FAIL: Your challenge failed because of [The website is running Red Hat Developers clone.]"
+#   exit 1
+# fi

instruqt-tracks/enhance-rhel-with-selinux/04-untitled-challenge-juhe0f/assignment.md

@@ -0,0 +1,97 @@
+---
+slug: untitled-challenge-juhe0f
+id: wulql96otgxg
+type: challenge
+title: Test SElinux security
+notes:
+- type: text
+  contents: '## Test the SELinux labeling with deployed app'
+tabs:
+- title: Terminal
+  type: terminal
+  hostname: rhel
+- title: Sample App
+  type: service
+  hostname: rhel
+  path: /
+  port: 80
+difficulty: ""
+---
+In this challenge, we will replace index.html and demonstrate SELinux's ability to block unexpected changes from causing system malfunction.
+
+Create a new index.html file and overwrite the existing one with it.
+```
+cat << 'EOF' > index.html
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Red Hat Developers </title>
+</head>
+<body>
+    <header>
+        <h1>Welcome to Red Hat Developers portal clone</h1>
+        <a href="https://developers.redhat.com">
+            <img src="https://github.com/nageshredhat/local-openshift/blob/main/rh-dev.jpg?raw=true" alt="Red Hat Developers Logo" width="250" height="250">
+        </a>
+    </header>
+    <main>
+        <p>
+            Red Hat Developers is a platform for developers to access resources, tools, and information about Red Hat technologies.
+        </p>
+        <p>
+            Visit the <a href="https://developers.redhat.com">Red Hat Developers</a> website to learn more.
+        </p>
+    </main>
+    <footer>
+        <p>&copy; 2023 Red Hat, Inc. All rights reserved.</p>
+    </footer>
+</body>
+</html>
+EOF
+```
+
+Replace the existing index.html file with a duplicate index.html file using the following **mv** command.
+```
+mv index.html /var/www/html/
+```
+Now visit the Sample App console tab again to check the app. This time web page is not visible and a **Forbidden ERROR** is shown.
+> [!NOTE]
+> Kindly refresh the page ↻. To see the changes.
+
+![image.png](..\assets\image.png)
+
+The issue is caused by the labels attached to the files. The label assigned to the previous index.html differs from the one assigned to the current index.html file.
+
+```
+cd /var/www/html/
+```
+Check the labels of this file. You may notice that the labels of this file are different compared to the last index.html.
+```
+ls -lZ
+```
+
+To fix this issue we need to check with journalctl command as shown below.
+```
+journalctl -b 0
+```
+This command will show us the root cause and necessary remediation or solution to fix this issue.
+
+Our issue is related to the index.html, so search it using following command in interactive mode of terminal.
+```
+/index.html
+```
+![](https://lh7-us.googleusercontent.com/lmB7PiVivfZkuZ6aH2RjweAbBvDhP7LmQJkAhZgKozJiXlz0ZcBtbArrolq31Y-_V4o4trSN-_xfvRNgHasx1ZlH8qpPUFa9h0xJ0VdQAoiLlcVB7VjLl98nP86byC_RHIcnYq1oFTGo_qD9mWxEcA)
+Press **q** to exit from interactive mode in the terminal.
+
+To fix the labels use following comand. (The same command is recommended in the snapshot above.)
+
+```
+/sbin/restorecon -v /var/www/html/index.html
+```
+After fixing the labels with the above command, please visit the `Sample App` tab and refresh it. You will be directed to the Red Hat Developer webpage.
+
+This lab is a good  exercise to showcase how SELinux works with labeling, especially in Enforcing mode.
+
+We are done with activities of SELInux on RHEL machine, so click on the **check** button.

instruqt-tracks/enhance-rhel-with-selinux/04-untitled-challenge-juhe0f/check-rhel

@@ -0,0 +1,26 @@
+# #!/bin/bash
+
+# output=$(http://localhost:80)
+
+# search_string="Red Hat Developers clone"
+
+# if echo "$output" | grep -q "$search_string"; then
+#   FAIL "The website is running Red Hat Developers clone."
+#   exit -1
+# else
+#   exit 0
+# fi
+
+
+#!/bin/bash
+# check
+
+output=$(http://localhost:80)
+
+search_string="Red Hat Developers clone"
+
+echo "Checking the solution of the challenge"
+if [ echo "$output" | grep -q "$search_string" ]; then
+  echo "FAIL: Your challenge failed because of [The website is running Red Hat Developers clone.]"
+  exit 1
+fi

instruqt-tracks/enhance-rhel-with-selinux/04-untitled-challenge-juhe0f/setup-rhel

@@ -0,0 +1,4 @@
+#!/bin/bash
+mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf_backup 
+# rm -f /etc/httpd/conf.d/welcome.conf
+systemctl restart httpd