Enterprise Linux Security Administration
CLASS DATE(s):
8/2/2021 - 8/6/2021
10/11/2021 - 10/18/2021

COURSE LENGTH: 5 Days

COURSE COST: $2495

COURSE TIMES: 9:00am - 4:30pm


COURSE OVERVIEW

This 5-day, highly technical course focuses on properly securing machines running the Linux operating system. A broad range of general security techniques such as packet filtering, password policies, and file integrity checking are covered. Advanced security technologies such as Kerberos and SELinux are taught. Special attention is given to securing commonly deployed network services. At the end of the course, students have an excellent understanding of the potential security vulnerabilities, know how to audit existing machines, and know how to securely deploy new network services.

AUDIENCE AND PREREQUISITES

System and network administrators working with wide network security and authentication.

This class covers advanced security topics and is intended for experienced systems administrators. Candidates should have current Linux or UNIX systems administration experience equivalent to the "Linux Fundamentals", "Enterprise Linux Systems Administration", and "Enterprise Linux Network Services"

PREREQUISITE COURSES

*Course Cost listed does not include the cost of courseware. Course is subject to a minimum enrollment to run. Course may run virtually as a Virtual Instructor-Led (VILT) class if the minimum enrollment is not met. For more information, please contact learn@vtec.org or call 207-775-0244.

COURSE TOPICS:

Security Concepts
Basic Security Principles
RHEL7 Default Install
RHEL7 Firewall
SUSE Basic Firewall Configuration
SLES12: File Security
Minimization Discovery
Service Discovery, Hardening, Security Concepts
LAB TASKS: Removing Packages Using RPM,
Firewall Configuration, Process Discovery
Operation of the setuid() and capset() System Calls
Operation of the chroot() System Call

Scanning, Probing and Mapping Vulnerabilities
The Security Environment
Stealth Reconnaissance
The WHOIS database
Interrogating DNS
Discovering Hosts
Discovering Reachable Services
Reconnaissance with SNMP
Discovery of RPC Services
Enumerating NFS Shares
Nessus Insecurity Scanner
Configuring OpenVAS, Intrusion Detection Systems, Snort Rules, Writing Snort Rules
LAB TASKS: NMAP, OpenVAS, Advanced nmap Options

Password Security and PAM
UNIX Passwords, Password Aging, Auditing Passwords
PAM Overview, PAM Module Types, PAM Order of Processing, PAM Control Statements
PAM Modules, pam_unix, pam_cracklib.so, pam_pwcheck.so
pam_env.so, pam_xauth.so, pam_tally2.so, pam_wheel.so
pam_limits.so, pam_nologin.so
pam_deny.so, pam_warn.so, pam_securetty.so, pam_time.so
pam_access.so, pam_listfile.so, pam_lastlog.so
pam_console.so
LAB TASKS: John the Ripper, Cracklib, Using pam_listfile to Implement Arbitrary ACLs
Using pam_limits to Restrict Simultaneous Logins
Using pam_nologin to Restrict Logins
Using pam_access to Restrict Logins, su & PAM

Secure Network Time Protocol (NTP)
The Importance of Time
Hardware and System Clock, Time Measurements
NTP Terms and Definitions, Synchronization Methods
NTP Evolutions, Time Server Hierarchy
Operational Modes, NTP Clients
Configuring NTP Clients and Servers
Securing NTP, NTP Packet Integrity
Useful NTP Commands
LAB TASKS: Configuring and Securing NTP
Peering NTP with Multiple Systems

Kerberos Concepts and Components
Common Security Problems, Account Proliferation
The Kerberos Solution, Kerberos History
Kerberos Implementation
Kerberos Concepts, Kerberos Principals
Kerberos Safeguards, Kerberos Components
Authentication Process, Identification Types
Logging In, Gaining Privileges
Using Privileges, Kerberos Components and the KDC
Kerberized Services Review
KDC Server Daemons
Configuration Files
Utilities Overview

Implementing Kerberos
Plan Topology and Implementation, Kerberos 5 Client Software
Kerberos 5 Server Software, Synchronize Clocks
Create Master KDC, Configuring the Master KDC
KDC Logging, Kerberos Realm Defaults
Specifying [realms], Specifying [domain_realm]
Allow Administrative Access, Create KDC Databases
Create Administrators, Install Keys for Services, Start Services
Add Host Principals, Add Common Service Principals
Configure Slave KDCs, Create Principals for Slaves, Define Slaves as KDCs
Copy Configuration to Slaves, Install Principals on Slaves, Synchronization of Database
Propagate Data to Slaves, Create Stash on Slaves, Start Slave Daemons
Client Configuration, Install krb5.conf on Clients, Client PAM Configuration, Install Client Host Keys
LAB TASKS: Implementing Kerberos

Administering and Using Kerberos
Administrative Tasks, Key Tables
Managing Keytypes, Managing Principals
Viewing Principals
Adding, Deleting and Modifying Principals
Principal Policy, Overall Goals for Users
Signing into Kerberos
Ticket Types, Viewing Tickets
Removing Tickets, Passwords, Changing Passwords, Giving Others Access
Using Kerberized Services, Kerberized FTP
Enabling Kerberized Services, OpenSSH and Kerberos
LAB TASKS: Using Kerberized Clients, Forwarding Kerberos Tickets
OpenSSH with Kerberos, Wireshark and Kerberos

Securing the Filesystem
Filesystem Mount Options
NFS Properties, NFS Export Option
NFSv4 and GSSAPI Auth
Implementing NFSv4
Implementing Kerberos with NFS
GPG GNU Privacy Guard
File Encryption with OpenSSL, File Encryption With encfs
Linux Unified Key Setup (LUKS)
LAB TASKS: Securing Filesystems, Securing NFS
Implementing NFSv4, File Encryption with GPG
File Encryption With OpenSSL
LUKS-on-disk format Encrypted Filesystem

AIDE
Host Intrusion Detection Systems
Using RPM as a HIDS
Introduction to AIDE
AIDE installation
AIDE Policies
AIDE Usage
LAB TASKS:
File Integrity Checking with RPM
File Integrity Checking with AIDE

Accountability with Kernel Audit
Accountability and Auditing
Simple Session Auditing
Simple Process Accounting and Command History
Kernel-Level Auditing
Configuring the Audit Daemon
Controlling Kernel Audit System
Creating Audit Rules
Searching Audit Logs
Generating Audit Log Reports
Audit Log Analysis
LAB TASKS: Auditing Login/Logout, Auditing File Access
Auditing Command Execution

SELinux
DAC vs. MAC, Shortcomings of Traditional Unix Security
AppArmor, SELinux Goals, SELinux Evolution
SELinux Modes, Gathering SELinux Information, SELinux Virtual Filesystem
SELinux Contexts, Managing Contexts, The SELinux Policy
Choosing an SELinux Policy, Policy Layout, Tuning and Adapting Policy
Booleans, Permissive Domains, Managing File Context Database
Managing Port Contexts, SELinux Policy Tools, Examining Policy
SELinux Troubleshooting, SELinux Troubleshooting Continued
LAB TASKS: Exploring SELinux Modes, Exploring AppArmor Modes
SELinux Contexts in Action, Exploring AppArmor
Managing SELinux Booleans, Creating Policy with Audit2allow
Creating & Compiling Policy from Source

Securing Apache
Apache Overview, httpd.conf - Server Settings
Configuring CGI, Turning off Unneeded Modules
Delegating Administration
Apache Access Controls (mod_access)
HTTP User Authentication, Standard Auth Modules
HTTP Digest Authentication
Authentication via SQL, Authentication via LDAP
Authentication via Kerberos
Scrubbing HTTP Headers, Metering HTTP Bandwidth
LAB TASKS: Hardening Apache by Minimizing Loaded Modules, Scrubbing Apache & PHP Version Headers
Protecting Web Content, Using the suexec Mechanism, Create a TLS CA key pair, Using SSL CA Certificates with Apache
Enable Apache SSL Client Certificate Authentication, Enabling SSO in Apache with mod_auth_kerb

Securing PostgreSQL
PostgreSQL Overview, PostgreSQL Default Config
Configuring TLS, Client Authentication Basics
Advanced Authentication, Ident-based Authentication
LAB TASKS: Configure PostgreSQL
PostgreSQL with TLS
PostgreSQL with Kerberos Authentication
Securing PostgreSQL with Web Based Applications

Securing Email Systems
SMTP Implementations
Security Considerations
chrooting Postfix
Email with GSSAPI/Kerberos Auth
LAB TASKS: Postfix in a Change Root Environment