Revision of hardening guide

downstream/assemblies/aap-hardening/assembly-aap-security-use-cases.adoc

@@ -0,0 +1,37 @@
+ifdef::context[:parent-context: {context}]
+
+[id="aap-security-use-cases"]
+= {PlatformNameShort} security automation use cases
+
+:context: aap-security-enabling
+
+[role="_abstract"]
+
+{PlatformNameShort} provides organizations the opportunity to automate many of the manual tasks required to maintain a strong IT security posture. 
+Areas where security operations might be automated include security event response and remediation, routine security operations, compliance with security policies and regulations, and security hardening of IT infrastructure.
+
+include::aap-hardening/con-security-operations-center.adoc[leveloffset=+1]
+include::aap-hardening/con-patch-automation-with-aap.adoc[leveloffset=+1]
+include::aap-hardening/con-benefits-of-patch-automation.adoc[leveloffset=+2]
+include::aap-hardening/con-patching-examples.adoc[leveloffset=+2]
+include::aap-hardening/ref-keep-up-to-date.adoc[leveloffset=+3]
+include::aap-hardening/ref-install-security-updates.adoc[leveloffset=+3]
+include::aap-hardening/ref-specify-package-versions.adoc[leveloffset=+3]
+include::aap-hardening/ref-complex-patching-scenarios.adoc[leveloffset=+2]
+
+
+
+
+
+
+
+
+////
+Consider adding a link to future Builder docs here
+[role="_additional-resources"]
+.Additional resources
+* A bulleted list of links to other material closely related to the contents of the concept module.
+* Currently, modules cannot include xrefs, so you cannot include links to other content in your collection. If you need to link to another assembly, add the xref to the assembly that includes this module.
+* For more details on writing concept modules, see the link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide].
+* Use a consistent system for file names, IDs, and titles. For tips, see _Anchor Names and File Names_ in link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide].
+////

downstream/assemblies/aap-hardening/assembly-hardening-aap.adoc

@@ -7,7 +7,8 @@ ifdef::context[:parent-context: {context}]
 
 [role="_abstract"]
 
-This guide takes a practical approach to hardening the {PlatformNameShort} security posture, starting with the planning and architecture phase of deployment and then covering specific guidance for the installation phase. As this guide specifically covers {PlatformNameShort} running on Red Hat Enterprise Linux, hardening guidance for Red Hat Enterprise Linux will be covered where it affects the automation platform components.
+This guide takes a practical approach to hardening the {PlatformNameShort} security posture, starting with the planning and architecture phase of deployment and then covering specific guidance for the installation phase. 
+As this guide specifically covers {PlatformNameShort} running on {RHEL}, hardening guidance for {RHEL} is covered where it affects the automation platform components.
 
 include::aap-hardening/con-planning-considerations.adoc[leveloffset=+1]
 include::aap-hardening/ref-architecture.adoc[leveloffset=+2]
@@ -16,35 +17,35 @@ include::aap-hardening/con-dns-ntp-service-planning.adoc[leveloffset=+2]
 include::aap-hardening/ref-dns.adoc[leveloffset=+3]
 include::aap-hardening/ref-dns-load-balancing.adoc[leveloffset=+3]
 include::aap-hardening/ref-ntp.adoc[leveloffset=+3]
-include::aap-hardening/con-user-authentication-planning.adoc[leveloffset=+2]
-include::aap-hardening/ref-automation-controller-authentication.adoc[leveloffset=+3]
-include::aap-hardening/ref-private-automation-hub-authentication.adoc[leveloffset=+3]
+//include::aap-hardening/con-user-authentication-planning.adoc[leveloffset=+2]
+include::aap-hardening/ref-aap-authentication.adoc[leveloffset=+3]
+//include::aap-hardening/ref-private-automation-hub-authentication.adoc[leveloffset=+3]
 include::aap-hardening/con-credential-management-planning.adoc[leveloffset=+2]
-include::aap-hardening/ref-automation-controller-operational-secrets.adoc[leveloffset=+3]
+//include::aap-hardening/ref-automation-controller-operational-secrets.adoc[leveloffset=+3]
 include::aap-hardening/con-automation-use-secrets.adoc[leveloffset=+3]
 include::aap-hardening/con-logging-log-capture.adoc[leveloffset=+2]
 include::aap-hardening/ref-auditing-incident-detection.adoc[leveloffset=+2]
 include::aap-hardening/con-rhel-host-planning.adoc[leveloffset=+2]
 include::aap-hardening/con-aap-additional-software.adoc[leveloffset=+3]
 include::aap-hardening/con-installation.adoc[leveloffset=+1]
 include::aap-hardening/con-install-secure-host.adoc[leveloffset=+2]
-include::aap-hardening/ref-security-variables-install-inventory.adoc[leveloffset=+2]
+//include::aap-hardening/ref-security-variables-install-inventory.adoc[leveloffset=+2]
 include::aap-hardening/proc-install-user-pki.adoc[leveloffset=+2]
 include::aap-hardening/ref-sensitive-variables-install-inventory.adoc[leveloffset=+2]
-include::aap-hardening/con-controller-stig-considerations.adoc[leveloffset=+2]
-include::aap-hardening/proc-fapolicyd.adoc[leveloffset=+3]
-include::aap-hardening/proc-file-systems-mounted-noexec.adoc[leveloffset=+3]
-include::aap-hardening/proc-namespaces.adoc[leveloffset=+3]
-include::aap-hardening/ref-sudo-nopasswd.adoc[leveloffset=+3]
+//include::aap-hardening/con-controller-stig-considerations.adoc[leveloffset=+2]
+//include::aap-hardening/proc-fapolicyd.adoc[leveloffset=+3]
+//include::aap-hardening/proc-file-systems-mounted-noexec.adoc[leveloffset=+3]
+//include::aap-hardening/proc-namespaces.adoc[leveloffset=+3]
+//include::aap-hardening/ref-sudo-nopasswd.adoc[leveloffset=+3]
 include::aap-hardening/ref-initial-configuration.adoc[leveloffset=+1]
 include::aap-hardening/ref-infrastructure-as-code.adoc[leveloffset=+2]
 include::aap-hardening/con-controller-configuration.adoc[leveloffset=+2]
-include::aap-hardening/proc-configure-centralized-logging.adoc[leveloffset=+3]
-include::aap-hardening/proc-configure-external-authentication.adoc[leveloffset=+3]
+//include::aap-hardening/proc-configure-centralized-logging.adoc[leveloffset=+3]
+//include::aap-hardening/proc-configure-external-authentication.adoc[leveloffset=+3]
 include::aap-hardening/con-external-credential-vault.adoc[leveloffset=+3]
 include::aap-hardening/con-day-two-operations.adoc[leveloffset=+1]
 include::aap-hardening/con-rbac.adoc[leveloffset=+2]
 include::aap-hardening/ref-updates-upgrades.adoc[leveloffset=+2]
-include::aap-hardening/proc-controller-stig-considerations.adoc[leveloffset=+3]
+//include::aap-hardening/proc-controller-stig-considerations.adoc[leveloffset=+3]
 include::aap-hardening/proc-disaster-recovery-operations.adoc[leveloffset=+3]
 

downstream/assemblies/aap-hardening/assembly-intro-to-aap-hardening.adoc

@@ -10,15 +10,29 @@ ifdef::context[:parent-context: {context}]
 
 This document provides guidance for improving the security posture (referred to as “hardening” throughout this guide) of your {PlatformName} deployment on {RHEL}.
 
-Other deployment targets, such as OpenShift, are not currently within the scope of this guide. {PlatformNameShort} managed services available through cloud service provider marketplaces are also not within the scope of this guide.
+The following are not currently withoin the scope of this guide:
 
-This guide takes a practical approach to hardening the {PlatformNameShort} security posture, starting with the planning and architecture phase of deployment and then covering specific guidance for installation, initial configuration, and day two operations. As this guide specifically covers {PlatformNameShort} running on {RHEL}, hardening guidance for {RHEL} will be covered where it affects the automation platform components. Additional considerations with regards to the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) are provided for those organizations that integrate the DISA STIG as a part of their overall security strategy.
+* Other deployment targets for {PlatformNameShort}, such as OpenShift.
+* {PlatformNameShort} managed services available through cloud service provider marketplaces.
+* Additional considerations with regards to the _Defense Information Systems Agency_ (DISA) _Security Technical Implementation Guides_ (STIGs)
 
 [NOTE]
 ====
-These recommendations do not guarantee security or compliance of your deployment of {PlatformNameShort}. You must assess security from the unique requirements of your organization to address specific threats and risks and balance these against implementation factors.
+Hardening and compliance for {PlatformNameShort} 2.4 includes additional considerations with regards to the DISA STIGs, but this guidance does not apply to {PlatformNameShort} {PlatformVers}.
+====
+
+This guide takes a practical approach to hardening the {PlatformNameShort} security posture, starting with the planning and architecture phase of deployment and then covering specific guidance for installation, initial configuration, and day 2 operations. 
+As this guide specifically covers {PlatformNameShort} running on {RHEL}, hardening guidance for {RHEL} will be covered where it affects the automation platform components. 
+//Additional considerations with regards to the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) are provided for those organizations that integrate the DISA STIG as a part of their overall security strategy.
+
+[NOTE]
+====
+These recommendations do not guarantee security or compliance of your deployment of {PlatformNameShort}. 
+You must assess security from the unique requirements of your organization to address specific threats and risks and balance these against implementation factors.
 ====
 
 include::aap-hardening/con-hardening-guide-audience.adoc[leveloffset=+1]
 include::aap-hardening/con-product-overview.adoc[leveloffset=+1]
+
+include::aap-hardening/con-deployment-methods.adoc[leveloffset=+2]
 include::aap-hardening/con-platform-components.adoc[leveloffset=+2]

downstream/modules/aap-hardening/.platform

@@ -0,0 +1 @@
+../platform

downstream/modules/aap-hardening/con-aap-additional-software.adoc

@@ -7,6 +7,9 @@
 
 [role="_abstract"]
 
-When installing the {PlatformNameShort} components on {RHEL} servers, the {RHEL} servers should be dedicated to that use alone. Additional server capabilities should not be installed in addition to {PlatformNameShort}, as this is an unsupported configuration and may affect the security and performance of the {PlatformNameShort} software.
+When installing the {PlatformNameShort} components on {RHEL} servers, the {RHEL} servers should be dedicated to that use alone. 
+Additional server capabilities must not be installed in addition to {PlatformNameShort}, as this is an unsupported configuration and may affect the security and performance of the {PlatformNameShort} software.
 
-Similarly, when {PlatformNameShort} is deployed on a {RHEL} host, it installs software like the nginx web server, the Pulp software repository, and the PostgreSQL database server. This software should not be modified or used in a more generic fashion (for example, do not use nginx to server additional website content or PostgreSQL to host additional databases) as this is an unsupported configuration and may affect the security and performance of {PlatformNameShort}. The configuration of this software is managed by the {PlatformNameShort} installer, and any manual changes might be undone when performing upgrades.
+Similarly, when {PlatformNameShort} is deployed on a {RHEL} host, it installs software like the nginx web server, the Pulp software repository, and the PostgreSQL database server (unless a user-provided exyternal database is used). 
+This software should not be modified or used in a more generic fashion (for example, do not use nginx to server additional website content or PostgreSQL to host additional databases) as this is an unsupported configuration and may affect the security and performance of {PlatformNameShort}. 
+The configuration of this software is managed by the {PlatformNameShort} installer, and any manual changes might be undone when performing upgrades.

downstream/modules/aap-hardening/con-benefits-of-patch-automation.adoc

@@ -0,0 +1,10 @@
+[id="con-benefits-of-patch-automation"]
+
+= Benefits of patch automation
+
+Automating the patching process provides a number of benefits:
+
+* Reduces error-prone manual effort.
+* Decreases time to deploy patches at scale.
+* Ensures consistency of patches across similar systems. Manual patching of similar systems can result in human error (forgetting one or more, patching using different versions) that impacts consistency.
+* Enables orchestration of complex patching scenarios where an update mightmay require taking a system snapshot before applying a patch, or might require additional configuration changes when the patch is applied.

downstream/modules/aap-hardening/con-credential-management-planning.adoc

@@ -7,9 +7,10 @@
 
 [role="_abstract"]
 
-{ControllerNameStart} uses credentials to authenticate requests to jobs against machines, synchronize with inventory sources, and import project content from a version control system. {ControllerNameStart} manages three sets of secrets:
+{PlatformName} uses credentials to authenticate requests to jobs against machines, synchronize with inventory sources, and import project content from a version control system. {ControllerNameStart} manages three sets of secrets:
 
-* User passwords for *local automation controller users*. See the xref:con-user-authentication-planning_{context}[User Authentication Planning] section of this guide for additional details.
+* User passwords for *local automation controller users*. 
+//See the xref:con-user-authentication-planning_{context}[User Authentication Planning] section of this guide for additional details.
 * Secrets for automation controller *operational use* (database password, message bus password, and so on).
 * Secrets for *automation use* (SSH keys, cloud credentials, external password vault credentials, and so on).
 

downstream/modules/aap-hardening/con-day-two-operations.adoc

@@ -7,4 +7,4 @@
 
 [role="_abstract"]
 
-Day 2 Operations include Cluster Health and Scaling Checks, including Host, Project, and environment level Sustainment. You should continually analyze configuration and security drift.
+Day 2 Operations include Cluster Health and Scaling Checks, including Host, Project, and environment level Sustainment. You must continually analyze configuration and security drift.

downstream/modules/aap-hardening/con-deployment-methods.adoc

@@ -0,0 +1,16 @@
+[id="con-deployment-methods"]
+
+= {PlatformName} deployment methods
+
+There are three different installation methods for {PlatformNameShort}: 
+
+* RPM-based on {RHEL}
+* Container-based on {RHEL}
+* Operator-based on {OCP}  
+
+This document offers guidance on hardening {PlatformNameShort} when installed using either of the first two installation methods (RPM-based or container-based).  
+This document further recommends using the container-based installation method for new deployments, as the RPM-based installer will be deprecated in a future release. 
+
+For further information, see link:{URLReleaseNotes}/aap-2.5-deprecated-features#aap-2.5-deprecated-features[Deprecated features].
+
+Operator-based deployments are out of scope for this document.