Convert draft Hardening Guide to asciidoc (#3271) (#3335)

* Convert draft Hardening Guide to asciidoc

Update and add new sections to existing content

Complete asciidoc conversion of v3 Hardening Guide

https://issues.redhat.com/browse/AAP-43908

* Convert draft Hardening Guide to asciidoc.

Added two new parts. Not sure if required yet.

Complete asciidoc conversion of v3 Hardening Guide

https://issues.redhat.com/browse/AAP-43908

* Convert draft Hardening Guide to asciidoc

Removed admonition

Complete asciidoc conversion of v3 Hardening Guide

https://issues.redhat.com/browse/AAP-43908

* Convert Hardening Guide to asciidoc

Added hub variables and removed section 3.

Complete asciidoc conversion of v3 Hardening Guide

https://issues.redhat.com/browse/AAP-43908

* Convert draft Hardening Guide to asciidoc

Corrections

Complete asciidoc conversion of v3 Hardening Guide

https://issues.redhat.com/browse/AAP-43908

* Convert draft Hardening Guide to asciidoc

Removed section 3

Complete asciidoc conversion of v3 Hardening Guide

https://issues.redhat.com/browse/AAP-43908

* Convert draft Hardening Guide to asciidoc

Correction

Complete asciidoc conversion of v3 Hardening Guide

https://issues.redhat.com/browse/AAP-43908

* Convert draft hardening guide to asciidoc

Correction to level

Complete asciidoc conversion of v3 Hardening Guide

https://issues.redhat.com/browse/AAP-43908

* Convert draft Hardening Guide to asciidoc

Added new attribute

Complete asciidoc conversion of v3 Hardening Guide

https://issues.redhat.com/browse/AAP-43908

Author: ianf77

downstream/assemblies/aap-hardening/assembly-hardening-aap.adoc

@@ -17,20 +17,22 @@ include::aap-hardening/con-dns-ntp-service-planning.adoc[leveloffset=+2]
 include::aap-hardening/ref-dns.adoc[leveloffset=+3]
 include::aap-hardening/ref-dns-load-balancing.adoc[leveloffset=+3]
 include::aap-hardening/ref-ntp.adoc[leveloffset=+3]
-//include::aap-hardening/con-user-authentication-planning.adoc[leveloffset=+2]
-include::aap-hardening/ref-aap-authentication.adoc[leveloffset=+3]
+//include::aap-hardening/ref-aap-authentication.adoc[leveloffset=+3]
 //include::aap-hardening/ref-private-automation-hub-authentication.adoc[leveloffset=+3]
 include::aap-hardening/con-credential-management-planning.adoc[leveloffset=+2]
 include::aap-hardening/ref-aap-operational-secrets.adoc[leveloffset=+3]
 include::aap-hardening/con-automation-use-secrets.adoc[leveloffset=+3]
 include::aap-hardening/con-protect-sensitive-data-no-log.adoc[leveloffset=+3]
+include::aap-hardening/con-user-authentication-planning.adoc[leveloffset=+2]
+include::aap-hardening/ref-infrastructure-server-account-planning.adoc[leveloffset=+3]
+include::aap-hardening/ref-aap-account-planning.adoc[leveloffset=+3]
 include::aap-hardening/con-logging-log-capture.adoc[leveloffset=+2]
 include::aap-hardening/ref-auditing-incident-detection.adoc[leveloffset=+2]
 include::aap-hardening/con-rhel-host-planning.adoc[leveloffset=+2]
 include::aap-hardening/con-aap-additional-software.adoc[leveloffset=+3]
 include::aap-hardening/con-installation.adoc[leveloffset=+1]
 include::aap-hardening/con-install-secure-host.adoc[leveloffset=+2]
-//include::aap-hardening/ref-security-variables-install-inventory.adoc[leveloffset=+2]
+include::aap-hardening/ref-security-variables-install-inventory.adoc[leveloffset=+2]
 include::aap-hardening/proc-install-user-pki.adoc[leveloffset=+2]
 include::aap-hardening/ref-sensitive-variables-install-inventory.adoc[leveloffset=+2]
 //include::aap-hardening/con-controller-stig-considerations.adoc[leveloffset=+2]
@@ -43,7 +45,7 @@ include::aap-hardening/ref-sudo-nopasswd.adoc[leveloffset=+3]
 include::aap-hardening/ref-initial-configuration.adoc[leveloffset=+1]
 include::aap-hardening/ref-infrastructure-as-code.adoc[leveloffset=+2]
 //include::aap-hardening/con-controller-configuration.adoc[leveloffset=+2]
-include::aap-hardening/proc-configure-centralized-logging.adoc[leveloffset=+3]
+include::aap-hardening/proc-configure-centralized-logging.adoc[leveloffset=+2]
 //include::aap-hardening/proc-configure-external-authentication.adoc[leveloffset=+3]
 include::aap-hardening/con-external-credential-vault.adoc[leveloffset=+2]
 include::aap-hardening/con-day-two-operations.adoc[leveloffset=+1]

downstream/modules/aap-hardening/con-aap-additional-software.adoc

@@ -11,5 +11,5 @@ When installing the {PlatformNameShort} components on {RHEL} servers, the {RHEL}
 Additional server capabilities must not be installed in addition to {PlatformNameShort}, as this is an unsupported configuration and might affect the security and performance of the {PlatformNameShort} software.
 
 Similarly, when {PlatformNameShort} is deployed on a {RHEL} host, it installs software like the nginx web server, the Pulp software repository, and the PostgreSQL database server (unless a user-provided external database is used). 
-This software should not be modified or used in a more generic fashion (for example, do not use nginx to serve additional website content or PostgreSQL to host additional databases) as this is an unsupported configuration and may affect the security and performance of {PlatformNameShort}. 
-The configuration of this software is managed by the {PlatformNameShort} installer, and any manual changes might be undone when performing upgrades.
+This software should not be modified or used in a more generic fashion (for example, do not use nginx to serve additional website content or PostgreSQL to host additional databases) as this is an unsupported configuration and might affect the security and performance of {PlatformNameShort}. 
+The configuration of this software is managed by the {PlatformNameShort} {Installer}, and any manual changes might be undone when performing upgrades.

downstream/modules/aap-hardening/con-credential-management-planning.adoc

@@ -7,7 +7,9 @@
 
 [role="_abstract"]
 
-{PlatformName} uses credentials to authenticate requests to jobs against machines, synchronize with inventory sources, and import project content from a version control system. {ControllerNameStart} manages three sets of secrets:
+{PlatformName} uses credentials to authenticate requests to jobs against machines, synchronize with inventory sources, and import project content from a version control system. 
+
+{ControllerNameStart} manages three sets of secrets:
 
 * User passwords for *local {PlatformNameShort} users*. 
 //See the xref:con-user-authentication-planning_{context}[User Authentication Planning] section of this guide for additional details.

downstream/modules/aap-hardening/con-deployment-methods.adoc

@@ -9,7 +9,7 @@ There are three different installation methods for {PlatformNameShort}:
 * Operator-based on {OCP}  
 
 This document offers guidance on hardening {PlatformNameShort} when installed using either of the first two installation methods (RPM-based or container-based).  
-This document further recommends using the container-based installation method for new deployments, as the RPM-based installer will be deprecated in a future release. 
+This document further recommends using the container-based installation method for new deployments, as the RPM-based {Installer} will be deprecated in a future release. 
 
 For further information, see link:{URLReleaseNotes}/aap-2.5-deprecated-features#aap-2.5-deprecated-features[Deprecated features].
 

downstream/modules/aap-hardening/con-install-secure-host.adoc

@@ -7,14 +7,16 @@
 
 [role="_abstract"]
 
-The {PlatformNameShort} installer can be run from one of the infrastructure servers, such as an {ControllerName}, or from an external system that has SSH access to the {PlatformNameShort} infrastructure servers. 
-The {PlatformNameShort} installer is also used not just for installation, but for subsequent day-two operations, such as backup and restore, as well as upgrades. 
+The {PlatformNameShort} {Installer} can be run from one of the infrastructure servers, such as an {ControllerName}, or from an external system that has SSH access to the {PlatformNameShort} infrastructure servers. 
+The {PlatformNameShort} {Installer} is also used not just for installation, but for subsequent day-two operations, such as backup and restore, as well as upgrades. 
 This guide recommends performing installation and day-two operations from a dedicated external server, hereafter referred to as the installation host. 
-Doing so eliminates the need to log in to one of the infrastructure servers to run these functions. The installation host must only be used for management of {PlatformNameShort} and must not run any other services or software.
+Doing so eliminates the need to log in to one of the infrastructure servers to run these functions. 
+The installation host must only be used for management of {PlatformNameShort} and must not run any other services or software.
 
 The installation host must be a {RHEL} server that has been installed and configured in accordance with link:{BaseURL}/red_hat_enterprise_linux/9/html/security_hardening/index[Security hardening for Red Hat Enterprise Linux] and any security profile requirements relevant to your organization (CIS, STIG, and so on). 
 Obtain the {PlatformNameShort} installer as described in the link:{URLPlanningGuide}/choosing_and_obtaining_a_red_hat_ansible_automation_platform_installer[Planning your installation], and create the installer inventory file as described in the link:{URLInstallationGuide}/assembly-platform-install-scenario#proc-editing-installer-inventory-file_platform-install-scenario[Editing the Red Hat Ansible Automation Platform installer inventory file]. 
-This inventory file is used for upgrades, adding infrastructure components, and day-two operations by the installer, so preserve the file after installation for future operational use.
+This inventory file is used for upgrades, adding infrastructure components, and day-two operations by the {Installer}, so preserve the file after installation for future operational use.
 
 Access to the installation host must be restricted only to those personnel who are responsible for managing the {PlatformNameShort} infrastructure. 
-Over time, it will contain sensitive information, such as the installer inventory (which contains the initial login credentials for {PlatformNameShort}), copies of user-provided PKI keys and certificates, backup files, and so on. The installation host must also be used for logging in to the {PlatformNameShort} infrastructure servers through SSH when necessary for infrastructure management and maintenance.
+Over time, it will contain sensitive information, such as the installation inventory (which contains the initial login credentials for {PlatformNameShort}), copies of user-provided PKI keys and certificates, backup files, and so on. 
+The installation host must also be used for logging in to the {PlatformNameShort} infrastructure servers through SSH when necessary for infrastructure management and maintenance.

downstream/modules/aap-hardening/con-user-authentication-planning.adoc

@@ -5,18 +5,10 @@
 
 = User authentication planning
 
-[role="_abstract"]
+There are two types of user accounts to consider in an {PlatformNameShort} environment:
+
+* Infrastructure accounts: user accounts on the RHEL servers that run the {PlatformNameShort} services.
+* Application accounts: user accounts for the {PlatformNameShort} web UI and API.
 
-When planning for access to the {PlatformNameShort} user interface or API, be aware that user accounts can either be local or mapped to an external authentication source such as LDAP. 
-This guide recommends that where possible, all primary user accounts should be mapped to an external authentication source. 
-Using external account sources eliminates a source of error when working with permissions in this context and minimizes the amount of time devoted to maintaining a full set of users exclusively within {PlatformNameShort}. This includes accounts assigned to individual persons as well as for non-person entities such as service accounts used for external application integration. 
-Reserve any local administrator accounts such as the default "admin" account for emergency access or "break glass" scenarios where the external authentication mechanism is not available.
 
-For user accounts on the {RHEL} servers that run the {PlatformNameShort} services, follow your organizational policies to determine if individual user accounts should be local or from an external authentication source. 
-Only users who have a valid need to perform maintenance tasks on the {PlatformNameShort} components themselves should be granted access to the underlying {RHEL} servers, as the servers will have configuration files that contain sensitive information such as encryption keys and service passwords. 
-Because these individuals must have privileged access to maintain {PlatformNameShort} services, minimizing the access to the underlying {RHEL} servers is critical. Do not grant sudo access to the root account or local {PlatformNameShort} service accounts (awx, pulp, postgres) to untrusted users.
 
-[NOTE]
-====
-The local {PlatformNameShort} service accounts such as awx, pulp, and postgres are created and managed by the {PlatformNameShort} installer. These particular accounts on the underlying {RHEL} hosts cannot come from an external authentication source.
-====

downstream/modules/aap-hardening/proc-configure-centralized-logging.adoc

@@ -98,7 +98,7 @@ When availability is an overriding concern, other approved actions in response t
 . If log records are sent to a centralized collection server and communication with this server is lost or the server fails, the application must queue log records locally until communication is restored or until the log records are retrieved manually. 
 Upon restoration of the connection to the centralized collection server, action must be taken to synchronize the local log data with the collection server. 
 +
-The following steps implment the security control:
+The following steps implement the security control:
 
 .. Open a web browser and navigate to the logging API, `/api/v2/settings/logging/`
 +
@@ -110,7 +110,7 @@ Ensure that you are authenticated as an {ControllerName} administrator.
 ..Click btn:[PUT].
 
 {ControllerNameStart} must generate the appropriate log records. 
-{ControllerNameStarts}'s web server must log all details related to user sessions in support of troubleshooting, debugging, and forensic analysis. 
+{ControllerNameStart}'s web server must log all details related to user sessions in support of troubleshooting, debugging, and forensic analysis. 
 Without a data logging feature, the organization loses an important auditing and analysis tool for event investigations.
 
 To implement the security control as a System Administrator, for each {ControllerName} host:

downstream/modules/aap-hardening/proc-disaster-recovery-operations.adoc

@@ -7,7 +7,7 @@
 
 [role="_abstract"]
 
-Taking regular backups of {PlatformNameShort} is a critical part of disaster recovery planning. Both backups and restores are performed using the installer, so these actions should be performed from the dedicated installation host described earlier in this document. Refer to the link:https://docs.ansible.com/automation-controller/latest/html/administration/backup_restore.html[Backing Up and Restoring] section of the {ControllerName} documentation for further details on how to perform these operations.
+Taking regular backups of {PlatformNameShort} is a critical part of disaster recovery planning. Both backups and restores are performed using the {Installer}, so these actions should be performed from the dedicated installation host described earlier in this document. Refer to the link:https://docs.ansible.com/automation-controller/latest/html/administration/backup_restore.html[Backing Up and Restoring] section of the {ControllerName} documentation for further details on how to perform these operations.
 
 An important aspect of backups is that they contain a copy of the database as well as the secret key used to decrypt credentials stored in the database, so the backup files should be stored in a secure encrypted location. This means that access to endpoint credentials are protected properly. Access to backups should be limited only to {PlatformNameShort} administrators who have root shell access to {ControllerName} and the dedicated installation host.
 
@@ -18,7 +18,7 @@ The two main reasons an {PlatformNameShort} administrator needs to back up their
 
 In all cases, the recommended and safest process is to always use the same versions of PostgreSQL and {PlatformNameShort} to back up and restore the environment.
 
-Using some redundancy on the system is highly recommended. If the secrets system is down, the {ControllerName} cannot fetch the information and can fail in a way that would be recoverable once the service is restored. If you believe the SECRET_KEY {ControllerName} generated for you has been compromised and has to be regenerated, you can run a tool from the installer that behaves much like the {ControllerName} backup and restore tool.
+Using some redundancy on the system is highly recommended. If the secrets system is down, the {ControllerName} cannot fetch the information and can fail in a way that would be recoverable once the service is restored. If you believe the SECRET_KEY {ControllerName} generated for you has been compromised and has to be regenerated, you can run a tool from the {Installer} that behaves much like the {ControllerName} backup and restore tool.
 
 To generate a new secret key, perform the following steps: 
 

downstream/modules/aap-hardening/proc-file-systems-mounted-noexec.adoc

@@ -7,7 +7,7 @@
 
 [role="_abstract"]
 
-A compliance profile might require that certain file systems are mounted with the `noexec` option to prevent execution of binaries located in these file systems. The {PlatformNameShort} RPM-based installer runs a preflight check that fails if any of the following file systems are mounted with the `noexec` option:
+A compliance profile might require that certain file systems are mounted with the `noexec` option to prevent execution of binaries located in these file systems. The {PlatformNameShort} RPM-based installation program runs a preflight check that fails if any of the following file systems are mounted with the `noexec` option:
 
 * `/tmp`
 * `/var`

downstream/modules/aap-hardening/ref-aap-account-planning.adoc

@@ -0,0 +1,40 @@
+[id="ref-aap-account-planning"]
+
+= {PlatformNameShort} account planning
+
+{PlatformNameShort} user accounts for accessing the user interface or API can either be local (stored in the {PlatformNameShort} database) or mapped to an external authentication source, such as a _Lightweight Directory Access Protocol_ (LDAP) server. 
+This guide recommends that where possible, all primary user accounts should be mapped to an external authentication source. 
+Using external account sources eliminates a source of error when working with permissions in this context and minimizes the amount of time devoted to maintaining a full set of users exclusively within {PlatformNameShort}. 
+This includes accounts assigned to individual persons as well as for non-person entities, such as service accounts used for external application integration. 
+Reserve any local accounts, such as the default “admin” account, for emergency access or “break glass” scenarios where the external authentication mechanism isn't available.
+
+* LDAP
+* SAML
+* TACACS+
+* Radius
+* Azure Active Directory
+* Google OAuth
+* Generic OIDC
+* Keycloak
+* GitHub
+* GitHub Organization
+* GitHub team
+* GitHub enterprise
+* GitHub enterprise organization
+* GitHub enterprise team
+
+Choose an authentication mechanism that adheres to your organization's authentication policies and refer to link:{LinkCentralAuth} to understand the prerequisites for the relevant authentication mechanism. 
+The authentication mechanism used must ensure that the authentication-related traffic between {PlatformNameShort} and the authentication back-end is encrypted when the traffic occurs on a public or non-secure network (for example, LDAPS or LDAP over TLS, HTTPS for OAuth2 and SAML providers, etc.).
+
+In the {PlatformNameShort} UI, any “system administrator” account can edit, change, and update any inventory or automation definition. Restrict these account privileges to the minimum set of users possible for low-level automation controller configuration and disaster recovery.
+
+[NOTE]
+====
+{platformNameShort} {PlatformVers} introduces a new central authentication mechanism used by all of the platform components: 
+
+* {ControllerNameStart}
+* {PrivateHubNameStart}
+* {EDAcontroller} 
+
+Before {PlatformVers}, each of these components had their own authentication configuration.
+====