Linux Enterprise Professional LPIC-3 303: Security

Network Academy Eğitimlerini İnceleyin!

Linux Enterprise Professional LPIC-3 303: Security

Topic 325: Cryptography
325.1 X.509 Certificates and Public Key Infrastructures

• Understand X.509 certificates, X.509 certificate lifecycle, X.509 certificate fields and X.509v3 certificate extensions
• Understand trust chains and public key infrastructures
• Generate and manage public and private keys
• Create, operate and secure a certification authority
• Request, sign and manage server and client certificates
• Revoke certificates and certification authorities

The following is a partial list of the used files, terms and utilities:

• openssl, including relevant subcommands
• OpenSSL configuration

325.2 X.509 Certificates for Encryption, Signing and Authentication

• Understand SSL, TLS and protocol versions
• Understand common transport layer security threats, for example Man-in-the-Middle
• Configure Apache HTTPD with mod_ssl to provide HTTPS service, including SNI and HSTS
• Configure Apache HTTPD with mod_ssl to authenticate users using certificates
• Configure Apache HTTPD with mod_ssl to provide OCSP stapling
• Use OpenSSL for SSL/TLS client and server tests

Terms and Utilities:

• Intermediate certification authorities
• Cipher configuration (no cipher-specific knowledge)
• httpd.conf
• mod_ssl
• openssl

325.3 Encrypted File Systems

• Understand block device and file system encryption
• Use dm-crypt with LUKS to encrypt block devices
• Use eCryptfs to encrypt file systems, including home directories and
• PAM integration
• Be aware of plain dm-crypt and EncFS

Terms and Utilities:

• cryptsetup
• cryptmount
• /etc/crypttab
• ecryptfsd
• ecryptfs-* commands
• mount.ecryptfs, umount.ecryptfs
• pam_ecryptfs

325.4 DNS and Cryptography

• Understanding of DNSSEC and DANE
• Configure and troubleshoot BIND as an authoritative name server serving DNSSEC secured zones
• Configure BIND as an recursive name server that performs DNSSEC validation on behalf of its clients
• Key Signing Key, Zone Signing Key, Key Tag
• Key generation, key storage, key management and key rollover
• Maintenance and re-signing of zones
• Use DANE to publish X.509 certificate information in DNS
• Use TSIG for secure communication with BIND

Terms and Utilities:

• DNS, EDNS, Zones, Resource Records
• DO-Bit, AD-Bit
• named.conf
• dnssec-keygen
• dnssec-signzone
• dnssec-settime
• dnssec-dsfromkey
• rndc
• dig
• delv
• openssl

Topic 326: Host Security
326.1 Host Hardening

• Configure BIOS and boot loader (GRUB 2) security
• Disable useless software and services
• Use sysctl for security related kernel configuration, particularly ASLR,
• Exec-Shield and IP / ICMP configuration
• Limit resource usage
• Work with chroot environments
• Drop unnecessary capabilities
• Be aware of the security advantages of virtualization

Terms and Utilities:

• grub.cfg
• chkconfig, systemctl
• ulimit
• /etc/security/limits.conf
• chroot
• sysctl
• /etc/sysctl.conf

326.2 Host Intrusion Detection

• Use and configure the Linux Audit system
• Use chkrootkit
• Use and configure rkhunter, including updates
• Use Linux Malware Detect
• Automate host scans using cron
• Configure and use AIDE, including rule management
• Be aware of OpenSCAP

Terms and Utilities:

• auditd
• auditctl
• ausearch, aureport
• /etc/auditd/auditd.conf
• /etc/auditd/auditd.rules
• chkrootkit
• rkhunter
• /etc/rkhunter.conf
• maldet
• conf.maldet
• aide
• /etc/aide/aide.conf

326.3 User Management and Authentication

• Understand and configure NSS
• Understand and configure PAM
• Enforce password complexity policies and periodic password changes
• Lock accounts automatically after failed login attempts
• Configure and use SSSD
• Configure NSS and PAM for use with SSSD
• Configure SSSD authentication against Active Directory, IPA, LDAP,
• Kerberos and local domains
• Obtain and manage Kerberos tickets

Terms and Utilities:

• nsswitch.conf
• /etc/login.defs
• chage
• faillog
• sssd
• sssd.conf
• sss_* commands
• krb5.conf
• kinit, klist, kdestroy

326.4 FreeIPA Installation and Samba Integration

• Understand FreeIPA, including its architecture and components
• Understand system and configuration prerequisites for installing FreeIPA
• Install and manage a FreeIPA server and domain
• Understand and configure Active Directory replication and Kerberos cross-realm trusts
• Be aware of sudo, autofs, SSH and SELinux integration in FreeIPA

Terms and Utilities:

• 389 Directory Server, MIT Kerberos, Dogtag Certificate System, NTP, DNS, SSSD, certmonger
• ipa, including relevant subcommands
• ipa-server-install, ipa-client-install, ipa-replica-install
• ipa-replica-prepare, ipa-replica-manage

Topic 327: Access Control
327.1 Discretionary Access Control

• Understand and manage file ownership and permissions, including SUID and SGID
• Understand and manage access control lists
• Understand and manage extended attributes and attribute classes
Terms and Utilities:

• getfacl
• setfacl
• getfattr
• setfattr
327.2 Mandatory Access Control

• Understand the concepts of TE, RBAC, MAC and DAC
Configure, manage and use SELinux
Be aware of AppArmor and Smack

Terms and Utilities:

• getenforce, setenforce, selinuxenabled
• getsebool, setsebol, togglesebool
• fixfiles, restorecon, setfiles
• newrole, runcon
• semanage
• sestatus, seinfo
• apol
• seaudit, seaudit-report, audit2why, audit2allow
• /etc/selinux/*

327.3 Network File Systems

• Understand NFSv4 security issues and improvements
• Configure NFSv4 server and clients
• Understand and configure NFSv4 authentication mechanisms (LIPKEY, SPKM, Kerberos)
• Understand and use NFSv4 pseudo file system
• Understand and use NFSv4 ACLs
• Configure CIFS clients
• Understand and use CIFS Unix Extensions
• Understand and configure CIFS security modes (NTLM, Kerberos)
• Understand and manage mapping and handling of CIFS ACLs and SIDs in a Linux system

Terms and Utilities:

• /etc/exports
• /etc/idmap.conf
• nfs4acl
• mount.cifs parameters related to ownership, permissions and security modes
• winbind
• getcifsacl, setcifsacl

Topic 328: Network Security
328.1 Network Hardening

• Configure FreeRADIUS to authenticate network nodes
• Use nmap to scan networks and hosts, including different scan methods
• Use Wireshark to analyze network traffic, including filters and statistics
• Identify and deal with rogue router advertisements and DHCP messages

Terms and Utilities:

• radiusd
• radmin
• radtest, radclient
• radlast, radwho
• radiusd.conf
• /etc/raddb/*
• nmap
• wireshark
• tshark
• tcpdump
• ndpmon

328.2 Network Intrusion Detection

• Implement bandwidth usage monitoring
• Configure and use Snort, including rule management
• Configure and use OpenVAS, including NASL

Terms and Utilities:

• ntop
• Cacti
• snort
• snort-stat
• /etc/snort/*
• openvas-adduser, openvas-rmuser
• openvas-nvt-sync
• openvassd
• openvas-mkcert
• /etc/openvas/*

328.3 Packet Filtering

• Understand common firewall architectures, including DMZ
• Understand and use netfilter, iptables and ip6tables, including standard modules, tests and targets
• Implement packet filtering for both IPv4 and IPv6
• Implement connection tracking and network address translation
• Define IP sets and use them in netfilter rules
• Have basic knowledge of nftables and nft
• Have basic knowledge of ebtables
• Be aware of conntrackd

Terms and Utilities:

• iptables
• ip6tables
• iptables-save, iptables-restore
• ip6tables-save, ip6tables-restore
• ipset
• nft
• ebtables

328.4 Virtual Private Networks

• Configure and operate OpenVPN server and clients for both bridged and routed VPN networks
• Configure and operate IPsec server and clients for routed VPN networks using IPsec-Tools / racoon
• Awareness of L2TP

Terms and Utilities:

• /etc/openvpn/*
• openvpn server and client
• setkey
• /etc/ipsec-tools.conf