Passed EX415 Security

The last one to attain RHCA.

EX415 Exam Experience

I took an individual exam that was based on RHEL 7.5. I had a minor network issue at the start of the exam, but it went away and luckily, made no impact.

The task list is sufficient for a 4 hour exam, but it isn’t the most challenging one. I feel that knowing Ansible and Satellite helped me a great deal. Also, EX415 is the exam where it can take more time to test and verify the solution than to implement it.

The exam score came back 235/300.

The result is fair. I solved all questions, some in full, some not so much. The exam score reflects that.

Exam Preparation in Numbers

The exam objectives cover several different topics, I spent around 45 hours going through the course and studying documentation (SELinux and auditd have a lot of material), and 40 hours labbing.

I’m not new to LUKS, but NBDE with Tang and Clevis was something that I spent a fair share of time looking into.

23 thoughts on “Passed EX415 Security

  1. Hey Tomas, What Study Material would you recommend for the exam? You Helped me greatly with RHCE and would like your advice on the EX415 it doesnt look like ill be able to obtain a subscription with redhat learning (Too expensive). And would need to self study, would it be possible to do this without the class?

    • RHEL 7 Security Guide. It covers a lot of material and, I believe, all non-Satellite related exam objectives.

      You need to know how to use Satellite with OpenSCAP, so get Foreman with Katello installed and have a play with it.

  2. Congratulations on passing the exam, and also for this site, that you have created!
    EX415 Security is different than the EX413 Server Hardening i guess. What would you recommend as a study guide?
    EX413 has similar exam objectives with LPIC-3 Security.

  3. Congrats. Please tell me, do you know how to use USBGuard to create allow rule for specified filesystem?

    • Hi, I’d suggest to deploy a couple of CentOS VMs and go through the exam objectives. VMs with 2GB RAM each should be more than plenty.

      You can practise the following.

      Deploy a Tang server on one VM and then configure Clevis service on the other. Install and configure USBGuard, try inserting a USB storage device and configure rules to block access to it. Install and configure Aide, generate a report. Configure PAM rules to check for password quality, add a fail delay. Configure STIG audit rules. Get familiar with SELinux, there are plenty of hardening guides on the Internet to help you out. Install OpenSCAP Workbench and create some SCAP reports.

  4. How to create SCAP reports without using workbench? We would only have terminals and workbench is a graphical utility.

    • Hi, you can use the oscap command to scan a system and use the resulting XML file to generate a complete report in HTML format.

  5. Hi Sparsh, you can install workbench to remote machine and connect via ssh -X serevra. then run workbench on remote machine it will pop-up in your host machine.

  6. hi i tested this exam yesterday
    but i am failed.
    I got zero score at the part of usbguard and aide.
    what happend you think?
    I did configuration about usbguard’s rule file and aide.conf.
    plz give me some hints :)

    • Hi, sorry to hear that. It’s likely that you misconfigured something, and as a result the grading script did not find what it was looking for. Practise the questions that you got zero scores for, and better luck next time!

  7. Hi,
    Do we need to enable GUI for running the scap-workbench? I am not sure how to perform the tailoring of SCAP policies without that tool.

    Any help will be appreciated.

    • Hi Don, you can enable GUI if you prefer that, or you can use X11 forwarding with SSH to run graphical applications remotely.

  8. Hi Lisenet,
    Yesterday i attempted EX415 for the 2nd time, but again scored low (or nothing) on some sections.
    I’ve had 0% on usbguard and selinux… and only 33% on auditing. I checked your notes and i have no clue what i did wrong / different.
    Any chance you can think with me (private)?
    Thanks!

    • Hi Tommy, sorry to hear you did not pass the exam. Have you got usbguard and SELinux working locally when studying for the exam? Did it actually block USB access (have you tried it with a USB stick)? Did you test your SELinux config to make sure that it was allowing/blocking access? Any any issues with auditd configuration during your exam preparation?

    • Hi Lisenet,
      For usbguard, i ran exactly the commands from the man page;

      $ sudo usbguard generate-policy > rules.conf
      $ vi rules.conf
      (review/modify the rule set)
      $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
      $ sudo systemctl restart usbguard

      I modified the rules.conf file to block/deny specific ID’s, which showed with usbguard list-devices.
      Should i have used the allow-device / block-device command instead? I mean, the result is the same right doing it “my” way or via commands…

      Afterwards i only saw 1 usb device with fdisk (which i partitioned/formatted) so i thought it was good, but i haven’t tested this at home since my instances are in the cloud and i can’t link usb devices to that. But i’ll see what i can do.

      For SElinux;
      I think i made one mistake with file context for httpd (although i managed the have the webserver work on a custom port), and also i was struggling with confined users. I did enable SELinux on all systems (enforcing) and had it relabel. Do you think just those 2 tasks (httpd/confined users) count towards the score?

      For auditd;
      I’m not sure how specific i may be on your site (given NDA and stuff), but i implemented the stig rules (with the basic and final rules) and also made sure that my custom rules (like excluding cron) where still there. auditd was enabled and running, the rules where loaded fine (changes in /etc/audit/rules.d/ reflected into /etc/audit/audit.rules).

      Thanks for your time.

  9. Hi Tomas,

    Currently one exam left to be an RHCA.
    I failed twice on this specific objective “Manage system login security using pluggable authentication modules (PAMs): 0%”.
    From what I remember, I succeed in RHLS and I think this objective is not difficult like auditing and SELinux.
    Maybe you know what did I miss, thanks.

    • Is there something about persistence that makes me failed twice?
      I want to take one exam, but I am still not sure to take EX415 (already took twice and failed) or EX447 (advanced Ansible, haven’t taken it yet).
      I think if that objective is scored 33% (probably 100% if what I assume about persistence is solved), I will pass the exam for sure.

    • It could be, but really hard to tell without getting into details which we can’t do due to NDA. I wish you good luck regardless of which exam you decide to take!

Leave a Reply

Your email address will not be published. Required fields are marked *