Revision of hardening guide

downstream/assemblies/aap-hardening/assembly-aap-security-use-cases.adoc

@@ -0,0 +1,37 @@
+ifdef::context[:parent-context: {context}]
+
+[id="aap-security-use-cases"]
+= {PlatformNameShort} security automation use cases
+
+:context: aap-security-enabling
+
+[role="_abstract"]
+
+{PlatformNameShort} provides organizations the opportunity to automate many of the manual tasks required to maintain a strong IT security posture. 
+Areas where security operations might be automated include security event response and remediation, routine security operations, compliance with security policies and regulations, and security hardening of IT infrastructure.
+
+include::aap-hardening/con-security-operations-center.adoc[leveloffset=+1]
+include::aap-hardening/con-patch-automation-with-aap.adoc[leveloffset=+1]
+include::aap-hardening/con-benefits-of-patch-automation.adoc[leveloffset=+2]
+include::aap-hardening/con-patching-examples.adoc[leveloffset=+2]
+include::aap-hardening/ref-keep-up-to-date.adoc[leveloffset=+3]
+include::aap-hardening/ref-install-security-updates.adoc[leveloffset=+3]
+include::aap-hardening/ref-specify-package-versions.adoc[leveloffset=+3]
+include::aap-hardening/ref-complex-patching-scenarios.adoc[leveloffset=+2]
+
+
+
+
+
+
+
+
+////
+Consider adding a link to future Builder docs here
+[role="_additional-resources"]
+.Additional resources
+* A bulleted list of links to other material closely related to the contents of the concept module.
+* Currently, modules cannot include xrefs, so you cannot include links to other content in your collection. If you need to link to another assembly, add the xref to the assembly that includes this module.
+* For more details on writing concept modules, see the link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide].
+* Use a consistent system for file names, IDs, and titles. For tips, see _Anchor Names and File Names_ in link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide].
+////

downstream/assemblies/aap-hardening/assembly-hardening-aap.adoc

@@ -7,7 +7,8 @@ ifdef::context[:parent-context: {context}]
 
 [role="_abstract"]
 
-This guide takes a practical approach to hardening the {PlatformNameShort} security posture, starting with the planning and architecture phase of deployment and then covering specific guidance for the installation phase. As this guide specifically covers {PlatformNameShort} running on Red Hat Enterprise Linux, hardening guidance for Red Hat Enterprise Linux will be covered where it affects the automation platform components.
+This guide takes a practical approach to hardening the {PlatformNameShort} security posture, starting with the planning and architecture phase of deployment and then covering specific guidance for the installation phase. 
+As this guide specifically covers {PlatformNameShort} running on {RHEL}, hardening guidance for {RHEL} is covered where it affects the automation platform components.
 
 include::aap-hardening/con-planning-considerations.adoc[leveloffset=+1]
 include::aap-hardening/ref-architecture.adoc[leveloffset=+2]
@@ -17,8 +18,8 @@ include::aap-hardening/ref-dns.adoc[leveloffset=+3]
 include::aap-hardening/ref-dns-load-balancing.adoc[leveloffset=+3]
 include::aap-hardening/ref-ntp.adoc[leveloffset=+3]
 include::aap-hardening/con-user-authentication-planning.adoc[leveloffset=+2]
-include::aap-hardening/ref-automation-controller-authentication.adoc[leveloffset=+3]
-include::aap-hardening/ref-private-automation-hub-authentication.adoc[leveloffset=+3]
+include::aap-hardening/ref-aap-authentication.adoc[leveloffset=+3]
+//include::aap-hardening/ref-private-automation-hub-authentication.adoc[leveloffset=+3]
 include::aap-hardening/con-credential-management-planning.adoc[leveloffset=+2]
 include::aap-hardening/ref-automation-controller-operational-secrets.adoc[leveloffset=+3]
 include::aap-hardening/con-automation-use-secrets.adoc[leveloffset=+3]
@@ -31,11 +32,11 @@ include::aap-hardening/con-install-secure-host.adoc[leveloffset=+2]
 include::aap-hardening/ref-security-variables-install-inventory.adoc[leveloffset=+2]
 include::aap-hardening/proc-install-user-pki.adoc[leveloffset=+2]
 include::aap-hardening/ref-sensitive-variables-install-inventory.adoc[leveloffset=+2]
-include::aap-hardening/con-controller-stig-considerations.adoc[leveloffset=+2]
-include::aap-hardening/proc-fapolicyd.adoc[leveloffset=+3]
-include::aap-hardening/proc-file-systems-mounted-noexec.adoc[leveloffset=+3]
-include::aap-hardening/proc-namespaces.adoc[leveloffset=+3]
-include::aap-hardening/ref-sudo-nopasswd.adoc[leveloffset=+3]
+//include::aap-hardening/con-controller-stig-considerations.adoc[leveloffset=+2]
+//include::aap-hardening/proc-fapolicyd.adoc[leveloffset=+3]
+//include::aap-hardening/proc-file-systems-mounted-noexec.adoc[leveloffset=+3]
+//include::aap-hardening/proc-namespaces.adoc[leveloffset=+3]
+//include::aap-hardening/ref-sudo-nopasswd.adoc[leveloffset=+3]
 include::aap-hardening/ref-initial-configuration.adoc[leveloffset=+1]
 include::aap-hardening/ref-infrastructure-as-code.adoc[leveloffset=+2]
 include::aap-hardening/con-controller-configuration.adoc[leveloffset=+2]
@@ -45,6 +46,6 @@ include::aap-hardening/con-external-credential-vault.adoc[leveloffset=+3]
 include::aap-hardening/con-day-two-operations.adoc[leveloffset=+1]
 include::aap-hardening/con-rbac.adoc[leveloffset=+2]
 include::aap-hardening/ref-updates-upgrades.adoc[leveloffset=+2]
-include::aap-hardening/proc-controller-stig-considerations.adoc[leveloffset=+3]
+//include::aap-hardening/proc-controller-stig-considerations.adoc[leveloffset=+3]
 include::aap-hardening/proc-disaster-recovery-operations.adoc[leveloffset=+3]
 

downstream/assemblies/aap-hardening/assembly-intro-to-aap-hardening.adoc

@@ -12,13 +12,17 @@ This document provides guidance for improving the security posture (referred to
 
 Other deployment targets, such as OpenShift, are not currently within the scope of this guide. {PlatformNameShort} managed services available through cloud service provider marketplaces are also not within the scope of this guide.
 
-This guide takes a practical approach to hardening the {PlatformNameShort} security posture, starting with the planning and architecture phase of deployment and then covering specific guidance for installation, initial configuration, and day two operations. As this guide specifically covers {PlatformNameShort} running on {RHEL}, hardening guidance for {RHEL} will be covered where it affects the automation platform components. Additional considerations with regards to the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) are provided for those organizations that integrate the DISA STIG as a part of their overall security strategy.
+This guide takes a practical approach to hardening the {PlatformNameShort} security posture, starting with the planning and architecture phase of deployment and then covering specific guidance for installation, initial configuration, and day two operations. As this guide specifically covers {PlatformNameShort} running on {RHEL}, hardening guidance for {RHEL} will be covered where it affects the automation platform components. 
+//Additional considerations with regards to the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) are provided for those organizations that integrate the DISA STIG as a part of their overall security strategy.
 
 [NOTE]
 ====
-These recommendations do not guarantee security or compliance of your deployment of {PlatformNameShort}. You must assess security from the unique requirements of your organization to address specific threats and risks and balance these against implementation factors.
+These recommendations do not guarantee security or compliance of your deployment of {PlatformNameShort}. 
+You must assess security from the unique requirements of your organization to address specific threats and risks and balance these against implementation factors.
 ====
 
 include::aap-hardening/con-hardening-guide-audience.adoc[leveloffset=+1]
 include::aap-hardening/con-product-overview.adoc[leveloffset=+1]
+
+include::aap-hardening/con-deployment-methods.adoc[leveloffset=+2]
 include::aap-hardening/con-platform-components.adoc[leveloffset=+2]

downstream/modules/aap-hardening/.platform

@@ -0,0 +1 @@
+../platform

downstream/modules/aap-hardening/con-aap-additional-software.adoc

@@ -7,6 +7,9 @@
 
 [role="_abstract"]
 
-When installing the {PlatformNameShort} components on {RHEL} servers, the {RHEL} servers should be dedicated to that use alone. Additional server capabilities should not be installed in addition to {PlatformNameShort}, as this is an unsupported configuration and may affect the security and performance of the {PlatformNameShort} software.
+When installing the {PlatformNameShort} components on {RHEL} servers, the {RHEL} servers should be dedicated to that use alone. 
+Additional server capabilities must not be installed in addition to {PlatformNameShort}, as this is an unsupported configuration and may affect the security and performance of the {PlatformNameShort} software.
 
-Similarly, when {PlatformNameShort} is deployed on a {RHEL} host, it installs software like the nginx web server, the Pulp software repository, and the PostgreSQL database server. This software should not be modified or used in a more generic fashion (for example, do not use nginx to server additional website content or PostgreSQL to host additional databases) as this is an unsupported configuration and may affect the security and performance of {PlatformNameShort}. The configuration of this software is managed by the {PlatformNameShort} installer, and any manual changes might be undone when performing upgrades.
+Similarly, when {PlatformNameShort} is deployed on a {RHEL} host, it installs software like the nginx web server, the Pulp software repository, and the PostgreSQL database server (unless a user-provided exyternal database is used). 
+This software should not be modified or used in a more generic fashion (for example, do not use nginx to server additional website content or PostgreSQL to host additional databases) as this is an unsupported configuration and may affect the security and performance of {PlatformNameShort}. 
+The configuration of this software is managed by the {PlatformNameShort} installer, and any manual changes might be undone when performing upgrades.

downstream/modules/aap-hardening/con-benefits-of-patch-automation.adoc

@@ -0,0 +1,10 @@
+[id="con-benefits-of-patch-automation"]
+
+= Benefits of patch automation
+
+Automating the patching process provides a number of benefits:
+
+* Reduces error-prone manual effort.
+* Decreases time to deploy patches at scale.
+* Ensures consistency of patches across similar systems. Manual patching of similar systems can result in human error (forgetting one or more, patching using different versions) that impacts consistency.
+* Enables orchestration of complex patching scenarios where an update mightmay require taking a system snapshot before applying a patch, or might require additional configuration changes when the patch is applied.

downstream/modules/aap-hardening/con-credential-management-planning.adoc

@@ -7,7 +7,7 @@
 
 [role="_abstract"]
 
-{ControllerNameStart} uses credentials to authenticate requests to jobs against machines, synchronize with inventory sources, and import project content from a version control system. {ControllerNameStart} manages three sets of secrets:
+{PlatformName} uses credentials to authenticate requests to jobs against machines, synchronize with inventory sources, and import project content from a version control system. {ControllerNameStart} manages three sets of secrets:
 
 * User passwords for *local automation controller users*. See the xref:con-user-authentication-planning_{context}[User Authentication Planning] section of this guide for additional details.
 * Secrets for automation controller *operational use* (database password, message bus password, and so on).

downstream/modules/aap-hardening/con-day-two-operations.adoc

@@ -7,4 +7,4 @@
 
 [role="_abstract"]
 
-Day 2 Operations include Cluster Health and Scaling Checks, including Host, Project, and environment level Sustainment. You should continually analyze configuration and security drift.
+Day 2 Operations include Cluster Health and Scaling Checks, including Host, Project, and environment level Sustainment. You must continually analyze configuration and security drift.

downstream/modules/aap-hardening/con-deployment-methods.adoc

@@ -0,0 +1,16 @@
+[id="con-deployment-methods"]
+
+= {PlatformName} deployment methods
+
+There are three different installation methods for {PlatformNameShort}: 
+
+* RPM-based on {RHEL}
+* Container-based on {RHEL}
+* Operator-based on {OCP}  
+
+This document offers guidance on hardening {PlatformNameShort} when installed using either of the first two installation methods (RPM-based or container-based).  
+This document further recommends using the container-based installation method for new deployments, as the RPM-based installer will be deprecated in a future release. 
+
+For further information, see link:{URLReleaseNotes}/aap-2.5-deprecated-features#aap-2.5-deprecated-features[Deprecated features].
+
+Operator-based deployments are out of scope for this document.

downstream/modules/aap-hardening/con-install-secure-host.adoc

@@ -7,8 +7,14 @@
 
 [role="_abstract"]
 
-The {PlatformNameShort} installer can be run from one of the infrastructure servers, such as an {ControllerName}, or from an external system that has SSH access to the {PlatformNameShort} infrastructure servers. The {PlatformNameShort} installer is also used not just for installation, but for subsequent day-two operations, such as backup and restore, as well as upgrades. This guide recommends performing installation and day-two operations from a dedicated external server, hereafter referred to as the installation host. Doing so eliminates the need to log in to one of the infrastructure servers to run these functions. The installation host must only be used for management of {PlatformNameShort} and must not run any other services or software.
+The {PlatformNameShort} installer can be run from one of the infrastructure servers, such as an {ControllerName}, or from an external system that has SSH access to the {PlatformNameShort} infrastructure servers. 
+The {PlatformNameShort} installer is also used not just for installation, but for subsequent day-two operations, such as backup and restore, as well as upgrades. 
+This guide recommends performing installation and day-two operations from a dedicated external server, hereafter referred to as the installation host. 
+Doing so eliminates the need to log in to one of the infrastructure servers to run these functions. The installation host must only be used for management of {PlatformNameShort} and must not run any other services or software.
 
-The installation host must be a {RHEL} server that has been installed and configured in accordance with link:{BaseURL}/red_hat_enterprise_linux/8/html/security_hardening/index[Security hardening for Red Hat Enterprise Linux] and any security profile requirements relevant to your organization (CIS, STIG, and so on). Obtain the {PlatformNameShort} installer as described in the link:{BaseURL}/red_hat_ansible_automation_platform/{PlatformVers}/html-single/red_hat_ansible_automation_platform_planning_guide/index#choosing_and_obtaining_a_red_hat_ansible_automation_platform_installer[Automation Platform Planning Guide], and create the installer inventory file as describe in the link:{BaseURL}/red_hat_ansible_automation_platform/{PlatformVers}/html-single/red_hat_ansible_automation_platform_installation_guide/index#proc-editing-installer-inventory-file_platform-install-scenario[Automation Platform Installation Guide]. This inventory file is used for upgrades, adding infrastructure components, and day-two operations by the installer, so preserve the file after installation for future operational use.
+The installation host must be a {RHEL} server that has been installed and configured in accordance with link:{BaseURL}/red_hat_enterprise_linux/9/html/security_hardening/index[Security hardening for Red Hat Enterprise Linux] and any security profile requirements relevant to your organization (CIS, STIG, and so on). 
+Obtain the {PlatformNameShort} installer as described in the link:{URLPlanningGuide}/choosing_and_obtaining_a_red_hat_ansible_automation_platform_installer[Planning your installation], and create the installer inventory file as described in the link:{URLInstallationGuide}/assembly-platform-install-scenario#proc-editing-installer-inventory-file_platform-install-scenario[Editing the Red Hat Ansible Automation Platform installer inventory file]. 
+This inventory file is used for upgrades, adding infrastructure components, and day-two operations by the installer, so preserve the file after installation for future operational use.
 
-Access to the installation host must be restricted only to those personnel who are responsible for managing the {PlatformNameShort} infrastructure. Over time, it will contain sensitive information, such as the installer inventory (which contains the initial login credentials for {PlatformNameShort}), copies of user-provided PKI keys and certificates, backup files, and so on. The installation host must also be used for logging in to the {PlatformNameShort} infrastructure servers through SSH when necessary for infrastructure management and maintenance.
+Access to the installation host must be restricted only to those personnel who are responsible for managing the {PlatformNameShort} infrastructure. 
+Over time, it will contain sensitive information, such as the installer inventory (which contains the initial login credentials for {PlatformNameShort}), copies of user-provided PKI keys and certificates, backup files, and so on. The installation host must also be used for logging in to the {PlatformNameShort} infrastructure servers through SSH when necessary for infrastructure management and maintenance.

downstream/modules/aap-hardening/con-installation.adoc

@@ -7,4 +7,6 @@
 
 [role="_abstract"]
 
-There are installation-time decisions that affect the security posture of {PlatformNameShort}. The installation process includes setting a number of variables, some of which are relevant to the hardening of the {PlatformNameShort} infrastructure. Before installing {PlatformNameShort}, consider the guidance in the installation section of this guide.
+There are installation-time decisions that affect the security posture of {PlatformNameShort}. 
+The installation process includes setting a number of variables, some of which are relevant to the hardening of the {PlatformNameShort} infrastructure. 
+Before installing {PlatformNameShort}, consider the guidance in the installation section of this guide.