LinuC Level 2

LinuC-2

このエントリーをはてなブックマークに追加

Exam 202 Objectives

LinuC Level 2 certification is awarded after passing both Exam 201 and Exam 202 and must have an active LinuC level 1 certification. The exams may be taken in any order. The objectives of level 2 cover the advanced technology necessary for Linux engineers common to Linux distributions.

Each item of the objectives is weighted for its importance. The weight is approximately in the range 1 to 10, and indicates the relative importance of the topic covered. Questions on topics with higher weight appear more often in the exams.

Topic 207: Domain Name Server

207.1 Basic DNS server configuration
Weight 3
Description Candidates should be able to configure BIND to function as an authoritative server, recursive server, or caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
Scope of Key Knowledge
  • BIND 9.x configuration files, terms, and utilities
  • Defining the location of the BIND zone files in BIND configuration files
  • Reloading modified configuration and zone files
  • Awareness of dnsmasq, djbdns, and PowerDNS as alternate name servers
Important files, terms, and utilities:
  • /etc/named.conf
  • /var/named/*
  • rndc
  • named-checkconf
  • kill
  • host
  • dig
207.2 Create and maintain DNS zones
Weight 3
Description Candidates should be able to create a zone file for forward and reverse zones, or for root level servers. This objective includes setting appropriate values for records, adding hosts in zones, and adding zones to the DNS. Candidates should also be able to delegate zones to another DNS server.
Scope of Key Knowledge
  • BIND 9 configuration files, terms, and utilities
  • Utilities to request information from the DNS server
  • Layout, content, and file location of the BIND zone files
  • Various methods to add a new host in the zone files, including reverse zones
Important files, terms, and utilities:
  • /var/named/*
  • zone file formats
  • resource record formats
  • named-checkzone
  • named-compilezone
  • masterfile-format
  • dig
  • nslookup
  • host
207.3 Securing a DNS server
Weight 2
Description Candidates should be able to configure a DNS server to run as a non-root user in the chroot jail environment. This objective includes secure exchange of data between DNS servers.
Scope of Key Knowledge
  • BIND 9 configuration files
  • Configuring BIND to run in the chroot jail environment
  • Split configuration of BIND using the forwarders statement
  • Configuring and using Transaction Signatures (TSIG)
  • Awareness of DNSSEC and basic tools
  • Awareness of DANE and related records
Important files, terms, and utilities:
  • /etc/named.conf
  • /etc/passwd
  • DNSSEC
  • dnssec-keygen
  • dnssec-signzone

Topic 208: HTTP Services

208.1 Basic Apache configuration
Weight 4
Description Candidates should be able to install and configure a web server. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
Scope of Key Knowledge
  • Apache 2.4 configuration files, terms, and utilities
  • Apache log files configuration and content
  • Access restriction methods and files
  • mod_perl and PHP configuration
  • Client user authentication files and utilities
  • Configuration of maximum requests, minimum and maximum servers and clients
  • Apache 2.4 virtual host implementation (with and without dedicated IP addresses)
  • Using redirect statements in Apache's configuration files to customize file access
Important files, terms, and utilities:
  • access logs and error logs
  • .htaccess
  • httpd.conf
  • mod_auth_basic, mod_authz_host and mod_access_compat
  • htpasswd
  • htgroup
  • apachectl, apache2ctl
  • httpd, apache2
208.2 Apache configuration for HTTPS
Weight 3
Description Candidates should be able to configure a web server to provide HTTPS.
Scope of Key Knowledge
  • SSL configuration files, tools, and utilities
  • Generate a server private key and CSR for a commercial CA
  • Generate a self-signed certificate
  • Install the key and certificate, including intermediate CAs
  • Configure virtual hosting using SNI
  • Awareness of the issues with virtual hosting and use of SSL
  • Security issues in SSL use, disable insecure protocols and ciphers
Important files, terms, and utilities:
  • Apache2 configuration files
  • /etc/ssl/*, /etc/pki/*
  • openssl, CA.pl
  • SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
  • SSLCACertificateFile, SSLCACertificatePath
  • SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable
208.3 Implementation of squid as a caching proxy
Weight 2
Description Candidates should be able to install and configure a proxy server. This includes access policies, authentication, and resource usage.
Scope of Key Knowledge
  • Squid 3.x configuration files, terms, and utilities
  • Access restriction methods
  • Client user authentication methods
  • Layout and content of ACL in the Squid configuration files
Important files, terms, and utilities:
  • squid.conf
  • acl
  • http_access
208.4 Implementing Nginx as a web server and a reverse proxy
Weight 2
Description Candidates should be able to install and configure Nginx as a reverse proxy server. This includes configuration of Nginx as an HTTP server.
Scope of Key Knowledge
  • Nginx
  • Reverse proxy
  • Basic web server
Important files, terms, and utilities:
  • /etc/nginx/
  • nginx

Topic209: File Sharing

209.1 Samba server configuration
Weight 5
Description Candidates should be able to set up a Samba server for various clients. This includes configuring a Samba server for client login, setting up workgroups which the server will join, and defining shared directories and printers. This also includes configuring a Linux client to use a Samba server. This also includes installation troubleshooting.
Scope of Key Knowledge
  • Samba 4 documentation
  • Samba 4 configuration files
  • Samba 4 tools and utilities and daemons
  • Mounting CIFS shares on Linux
  • Mapping Windows user names to Linux user names
  • User-Level, Share-Level and AD security
Important files, terms, and utilities:
  • smbd, nmbd, winbindd
  • smbcontrol, smbstatus, testparm, smbpasswd, nmblookup
  • samba-tool
  • net
  • smbclient
  • mount.cifs
  • /etc/samba/
  • /var/log/samba/
209.2 NFS server configuration
Weight 3
Description Candidates should be able to export filesystems using NFS. This objective also includes access restrictions, mounting an NFS filesystem on a client, and securing NFS.
Scope of Key Knowledge
  • NFS version 3 configuration files
  • NFS tools and utilities
  • Access restrictions to certain hosts and/or subnets
  • Mount options on server and client
  • TCP Wrappers
  • Awareness of NFSv4
Important files, terms, and utilities:
  • /etc/exports
  • exportfs
  • showmount
  • nfsstat
  • /proc/mounts
  • /etc/fstab
  • rpcinfo
  • mountd
  • portmapper

Topic210: Network Client Management

210.1 DHCP configuration
Weight 2
Description Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, as well as adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
Scope of Key Knowledge
  • DHCP configuration files, terms, and utilities
  • Subnet and dynamically-allocated range setup
  • Awareness of DHCPv6 and IPv6 Router Advertisements
Important files, terms, and utilities:
  • dhcpd.conf
  • dhcpd.leases
  • DHCP log messages in syslog or systemd journal
  • arp
  • dhcpd
  • radvd
  • radvd.conf
210.2 PAM authentication
Weight 3
Description Candidates should be able to configure PAM to support authentication using various methods. This includes basic SSSD (System Security Services Daemon) functionality.
Scope of Key Knowledge
  • PAM configuration files, terms, and utilities
  • passwd and shadow passwords
Important files, terms, and utilities:
  • /etc/pam.d
  • pam.conf
  • nsswitch.conf
  • pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss
  • sssd.conf
210.3 LDAP client usage
Weight 2
Description Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
Scope of Key Knowledge
  • LDAP utilities for data management and queries
  • Change user passwords
  • Querying the LDAP directory
Important files, terms, and utilities:
  • ldapsearch
  • ldappasswd
  • ldapadd
  • ldapdelete
210.4 Configuring an OpenLDAP server
Weight 4
Description Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls.
Scope of Key Knowledge
  • OpenLDAP
  • Directory based configuration
  • Access control
  • Distinguished names
  • Changetype operations
  • Schemas and white pages
  • Directories
  • Object IDs, attributes, and classes
Important files, terms, and utilities:
  • slapd
  • slapd-config
  • LDIF
  • slapadd
  • slapcat
  • slapindex
  • /var/lib/ldap/*
  • loglevel

Topic211: E-mail Services

211.1 Using E-mail servers
Weight 4
Description Candidates should be able to manage an e-mail server. This includes the configuration of e-mail aliases, e-mail quotas, and virtual domains. This objective also includes configuring internal e-mail relays and monitoring e-mail servers.
Scope of Key Knowledge
  • Configuration files for postfix
  • Basic TLS configuration for postfix
  • Basic knowledge of the SMTP protocol
  • Awareness of Sendmail and exim
Important files, terms, and utilities:
  • Configuration files and commands for postfix
  • /etc/postfix/*
  • /var/spool/postfix
  • Sendmail emulation layer commands
  • /etc/aliases
  • mail-related logs in /var/log/
211.2 Managing local E-mail delivery
Weight 2
Description Candidates should be able to implement client e-mail management software to filter, sort, and monitor incoming user e-mail.
Scope of Key Knowledge
  • Understanding of Sieve functionality, syntax, and operators
  • Use Sieve to filter and sort mail with respect to sender, recipient(s), headers, and size
  • Awareness of procmail
Important files, terms, and utilities:
  • Conditions and comparison operators
  • keep, fileinto, redirect, reject, discard, stop
  • Dovecot vacation extension
211.3 Managing mailbox access
Weight 2
Description Candidates should be able to install and configure POP and IMAP daemons.
Scope of Key Knowledge
  • Dovecot IMAP and POP configuration and administration
  • Basic TLS configuration for Dovecot
  • Awareness of Courier
Important files, terms, and utilities:
  • /etc/dovecot/
  • dovecot.conf
  • doveconf
  • doveadm

Topic212: System Security

212.1 Configuring a router
Weight 3
Description Candidates should be able to configure a system to forward IP packets and perform network address translation (NAT, IP masquerading), and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
Scope of Key Knowledge
  • iptables and ip6tables configuration files, tools and utilities
  • Tools, commands, and utilities to manage routing tables
  • Private address ranges (IPv4) and Link Local Addresses as well as Unique Local Addresses (IPv6)
  • Port redirection and IP forwarding
  • List and write filtering and rules that accept, or block IP packets based on source or destination protocol, port and address
  • Save and reload filtering configurations
  • Awareness of ip6tables and filtering
Important files, terms, and utilities:
  • /proc/sys/net/ipv4
  • /proc/sys/net/ipv6/
  • /etc/services
  • iptables
  • ip6tables
212.2 Securing FTP servers
Weight 2
Description Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.
Scope of Key Knowledge
  • Configuration files, tools and utilities for Pure-FTPd and vsftpd
  • Awareness of ProFTPd
  • Understanding of passive vs. active FTP connections
Important files, terms, and utilities:
  • vsftpd.conf
  • Important Pure-FTPd command line options
212.3 Secure shell (SSH)
Weight 4
Description Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
Scope of Key Knowledge
  • OpenSSH configuration files, tools, and utilities
  • Login restrictions for the superuser and regular users
  • Managing / using server and client keys to login with and without passwords
  • Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes
Important files, terms, and utilities:
  • ssh
  • sshd
  • /etc/ssh/sshd_config
  • /etc/ssh/*
  • Private and public key files
  • PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol
212.4 Security tasks
Weight 3
Description Candidates should be able to receive security alerts from various sources. Candidates should be able to install, configure, and run intrusion detection systems. Application of security patches and bugfixes is also required.
Scope of Key Knowledge
  • Tools and utilities to test and scan ports on a server
  • Organizations, and addresses that report security alerts as Bugtraq, CERT, CIAC or other sources
  • Tools and utilities to implement an Intrusion Detection System (IDS)
  • Awareness of OpenVAS
Important files, terms, and utilities:
  • telnet
  • nmap
  • fail2ban
  • nc
  • iptables
212.5 OpenVPN
Weight 2
Description Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
Scope of Key Knowledge
  • OpenVPN
Important files, terms, and utilities:
  • /etc/openvpn/*
  • openvpn
Page top