GL-550 - Enterprise Linux Security Administration

This highly technical course focuses on properly securing machines running the Linux operating system. A broad range of general security techniques, such as user/group policies and file integrity checking, are covered. Advanced security technologies such as Kerberos and SELinux are taught, as is the hardening of popular applications such as Apache, databases, and email systems. At the end of the course, students have an excellent understanding of the potential security vulnerabilities, know how to audit existing machines, and know the best practices for securely deploying new Linux servers.

Prerequisites

Individuals planning to take this class should have strong Linux system administration experience. Students should be comfortable with concepts and tasks such as editing text files in UNIX and starting and stopping services/daemons. A good grasp of networking concepts will be helpful.

Related Courses

Before:

- GL-120: Linux Fundamentals
- GL-250: Enterprise Linux Systems Administration
- GL-275: Enterprise Linux Network Services
- GL-314: Linux Troubleshooting
- GL-510: Linux Network Security

Course Content

Module 1 - Security Concepts

- Basic Security Principles
- RHEL/FC/SLES/SL Default Install
- RH/SUSE Firewall Options and File Security
- Minimization - Discovery
- Service Discovery
- Hardening
- Security Concepts

Module 1 Lab: Security Concepts

- Discovering what software packages are installed and removing unneeded packages
- Using lokkit for firewall configuration
- Identification of running services and removing unneeded services
- Increasing security using system calls and chroot

Module 2 - Probing, Mapping and Scanning for Vulnerabilities

- The Security Environment
- Stealth Reconnaissance
- The WHOIS Database
- Interrogating DNS
- Discovering Available Hosts and Applications
- Reconnaissance with SNMP
- Discovery of RPC Services
- Enumerating NFS Shares
- Nessus Insecurity Scanner and Installation

Module 2 Lab: Probing, Mapping and Nessus

- Discovery of listening services and remote stack fingerprinting
- Installing, configuring and testing the Nessus insecurity scanner

Module 3 - Password Security and PAM

- Unix Passwords
- Password Aging
- Auditing Passwords
- PAM Implementation, Management, and Control Statements
- PAM Modules: pam_stack.so, pam_unix.so, pam_unix2.so, pam_cracklib.so, pam_pwcheck.so, pam_env.so, pam_xauth.so, pam_tally.so, pam_wheel.so, pam_limits.so, pam_nologin.so, pam_deny.so, pam_securetty.so, pam_time.so, pam_access.so, pam_listfile.so, pam_lastlog.so, pam_warn.so, pam_console.so, pam_resmgr.so, and pam_devperm.so
- User Device Access: resmgr

Module 3 Lab: Pluggable Authentication Modules

- Auditing user password quality
- Creating additional dictionaries for use with cracklib
- Working with PAM modules
- Limiting access activities of users and accounts

Module 4 - Secure Network Time Protocol (NTP)

- The Importance of Time
- Time Measurements and Synchronization Methods
- NTP Evolution
- Time Server Hierarchy
- Operational Modes
- NTP Clients
- Configuring NTP Clients and Servers
- Securing NTP
- NTP Packet Integrity
- Useful NTP Commands

Module 4 Lab: Secure NTP

- Configuring NTP peering
- Configuring strong authentication on an NTP server
- Defining Access Control Lists (ACLs) for secure access to the NTP server

Module 5 - Kerberos Concepts

- The Computing Landscape
- Common Security Problems
- Account Proliferation
- The Kerberos Solution
- Kerberos History, Implementations, and Concepts
- Kerberos Principals, Safeguards, and Components
- Authentication Process and Identification Types
- Logging In
- Gaining and Using Privileges

Module 6 - Kerberos Components

- Kerberos Components
- Kerberos Principal Review
- Kerberized Services Review and Clients
- KDC Server Daemons
- Configuration Files
- Utilities Overview
- Kerberos SysV Init Scripts

Module 7 - Implementing Kerberos

- Plan Topology and Implementation
- Kerberos 5 Client and Server Software
- Synchronize Clocks
- Creating and Configuring the Master KDC
- KDC Logging
- Specifying [realms] and [domain_realm]
- Allow Administrative Access
- Create KDC Databases and Administrators
- Install Keys for Services and Start Services
- Add Host Principals and Common Service Principals
- Configure Slave KDCs
- Client Configuration
- Install krb5.conf on Clients
- Client PAM Configuration
- Install Client Host Keys

Module 7 Lab: Implementing Kerberos

- Configuring a master KDC
- Configuring a slave KDC
- Configuring a Kerberos client

Module 8 - Administering and Using Kerberos

- Administrative Tasks
- Key Tables
- Managing Keytabs
- Principals and Managing Principals
- MIT Principal Policy
- Viewing Principals
- MIT Managing Policies
- Goals for Users
- Signing Into Kerberos
- Ticket Types and Viewing Tickets
- GUI Kerberos Ticket Management
- Removing Tickets
- Passwords and Changing Passwords
- Giving Others Access
- Using Kerberized Services
- Kerberized FTP
- Enabling Kerberized Services
- OpenSSH and Kerberos

Module 8 Lab: Using Kerberized Clients

- System configuration for use of kerberized client and server applications
- Using the kerberized telnet to connect via a ticket and encrypt the data for the session
- Exploring the utility and behavior of forwardable tickets
- Configuring an OpenSSH server and client to accept and use Kerberos authentication
- Testing Kerberos authentication with OpenSSH

Module 9 - Securing the Filesystem

- Filesystem Mount Options
- NFS Properties and NFS Export Options
- NFSv4 and GSSAPI Auth
- Implementing NFSv4
- File Encryption with GPG and OpenSSL
- Encrypted Loopback FS

Module 9 Lab: Filesystem Security and File Encryption

- Modification of filesystem mounting options to increase system security
- Configuring and securing an NFS share
- Encrypting and decrypting files using GPG and openssl
- Setting up an NFSv4 share with GSSAPI/Kerberos authentication

Module 10 - Tripwire

- Host Intrusion Detection
- Using RPM as an IDS
- TripWire History and Concepts
- TripWire Installation, Policies, and Configuration
- TripWire Commands and General Operation

Module 10 Lab: File Integrity Checking with rpm / TripWire

- Modification of filesystem mounting options to increase system security
- Verifying the integrity of files on the system and files in a directory
- Configuring TripWire to monitor files and report changes

Module 11 - Securing Apache

- Apache Overview
- RH/SUSE Default Configuration
- Configuring CGI
- Turning Off Unneeded Modules
- Configuration Delegation and Scope
- ACL by IP Address
- HTTP User Authentication
- Standard Auth Modules
- HTTP Digest Authentication
- Authentication via SQL, LDAP, and Kerberos
- Scrubbing HTTP Headers
- Metering HTTP Bandwidth

Module 11 Lab: Securing Apache

- Configuring TripWire to monitor files and report changes
- Increasing security and optimizing Apache by disabling unneeded modules
- Removing the Apache and PHP versions from HTTP headers
- Setting up virtual hosts
- Creating CGI scripts that "deface" another user's files, and setting permissions to protect against the exploit
- Showing that files can be read by other virtual host users, and employing "suexec" to protect against such access
- Configuring and testing mod_auth_kerb

Module 12 - Securing PostgreSQL

- PostgreSQL Overview and Default Configuration
- Configuring SSL
- Authentication Methods and Advanced Authentication
- Ident-based Authentication

Module 12 Lab: Securing PostgreSQL

- Configuring PostgreSQL to accept remote TCP connections
- Configuring PostgreSQL to support strong authentication via SSL
- Configuring PostgreSQL to support Kerberos
- Setting up and configuring a web-based multi-user PHP calendaring application that uses PostgreSQL
- Configuring Apache to support Kerberos authentication and to require SSL

Module 13 - Securing Email Systems

- Configuring a system to use Postfix
- Configuring Postfix to listen on the network and accept mail
- Modifying Postfix's SysV init script to set up and maintain the proper environment for chrooting Postfix daemons each time it starts
- Configuring Postfix to chroot some of its daemons
- Configuring Postfix to use SMTP AUTH via PAM for secure relaying
- Configuring Postfix to support STARTTLS to secure SMTP AUTH
- Configuring Cyrus IMAP with SSL/TLS for IMAPS and POP3 access
- Configuring Postfix to deliver mail to Cyrus IMAP
- Setting up Evolution to test Postfix and Cyrus IMAP
- Generating Kerberos principals for Cyrus IMAP and Postfix
- Reconfiguring Cyrus IMAP and Postfix to perform GSSAPI/Kerberos authentication
- Reconfiguring Evolution to perform GSSAPI/Kerberos authentication

Module 14 - SELinux Concepts

- DAC vs. MAC
- Shortcomings of Traditional UNIX Security
- SELinux Goals, Terms, and Logical Architecture
- SELinux in Action
- Activating and Interfacing SELinux
- SELinux Commands and Roles
- Modified System Utilities

Module 14 Lab: SELinux Concepts

- Installing and initializing SELinux
- Working with several SELinux management commands to see how roles and contexts are used on the system

Module 15 - SELinux Policy

- SELinux Policies Review
- Choosing a Policy
- Compiled Policy Files
- Policy Source Files
- M4 Macro Language
- File Context Files (*.fc)
- Type Enforcement Files (*.te)
- Booleans
- Graphical Policy Tools
- Policy Analysis
- Policy Customization
- Troubleshooting SELinux Problems

Module 15 Lab: SELinux Policy

- Enabling Strict Policy
- Changing roles on the system
- Understanding the difference between how context labels are treated by the cp and mv commands
- Setting SELinux Boolean values
- Modifying the default policy so that users can do a directory listing in /var/log