LinuC Level 3 303 Security


Exam 303 Objectives

Each item of the objectives is weighted for its importance. The weight is approximately in the range 1 to 10 and indicates the relative importance of the topic covered. Questions on topics with a higher weight appear more often in the exam.

Topic 325: Cryptography

325.1 X.509 Certificates and public key infrastructures
Weight 5
Description Candidates should understand X.509 certificates and public key infrastructures. They should also know how to configure and use OpenSSL to create certification authorities, and issue SSL certificates for various purposes.
Scope of Key Knowledge
  • Understand X.509 certificates, X.509 certificate lifecycle, X.509 certificate fields and X.509v3 certificate extensions
  • Understand trust chains and public key infrastructures
  • Generate and manage public and private keys
  • Create and operate a secure certification authority
  • Request, sign, and manage server and client certificates
  • Revoke certificates and certification authorities
Important files, terms, and utilities:
  • openssl, including subcommands
  • OpenSSL configuration
  • PEM, DER, PKCS
  • CSR
  • CRL
  • OCSP
325.2 X.509 Certificates for encryption, signing, and authentication
Weight 4
Description Candidates should know how to use X.509 certificates for both server and client authentication. They should be able to implement user and server authentication for Apache HTTPD. The version of Apache HTTPD covered is 2.4 or higher.
Scope of Key Knowledge
  • Understand SSL, TLS, and protocol versions
  • Understand common transport layer security threats, for example the man-in-the-middle threat
  • Configure Apache HTTPD with mod_ssl to provide HTTPS service, including SNI and HSTS
  • Configure Apache HTTPD with mod_ssl to authenticate user certificates
  • Configure Apache HTTPD with mod_ssl to provide OCSP stapling
  • Use OpenSSL for SSL/TLS client and server tests
Important files, terms, and utilities:
  • Intermediate certification authorities
  • Cipher configuration (no cipher-specific knowledge)
  • httpd.conf
  • mod_ssl
  • openssl
325.3 Encrypted file systems
Weight 3
Description Candidates should be able to configure encrypted file systems.
Scope of Key Knowledge
  • Understand block device and file system encryption
  • Use dm-crypt with LUKS to encrypt block devices
  • Use eCryptfs to encrypt file systems. This includes home directories and PAM integration
  • Knowledge of plain dm-crypt and EncFS
Important files, terms, and utilities:
  • cryptsetup
  • cryptmount
  • /etc/crypttab
  • ecryptfsd
  • ecryptfs-* commands
  • mount.ecryptfs, umount.ecryptfs
  • pam_ecryptfs
325.4 DNS and cryptography
Weight 5
Description Candidates should have experience and knowledge of cryptography in the context of DNS and its implementation using BIND. The version of BIND covered is 9.7 or higher.
Scope of Key Knowledge
  • Understanding of DNSSEC and DANE
  • Configure and troubleshoot BIND as an authoritative name server serving DNSSEC secured zones
  • Configure BIND as a recursive name server that performs DNSSEC validation on behalf of its clients
  • Key Signing Key, Zone Signing Key, and Key Tag
  • Key generation, key storage, key management, and key rollover
  • Maintenance and re-signing of zones
  • Use DANE to publish X.509 certificate information in DNS
  • Use TSIG for secure communication with BIND
Important files, terms, and utilities:
  • DNS, EDNS, Zones, Resource Records
  • DNS resource records: DS, DNSKEY, RRSIG, NSEC, NSEC3, NSEC3PARAM, TLSA
  • DO-Bit, AD-Bit
  • TSIG
  • named.conf
  • dnssec-keygen
  • dnssec-signzone
  • dnssec-settime
  • dnssec-dsfromkey
  • rndc
  • dig
  • delv
  • openssl

Topic 326: Host Security

326.1 Host hardening
Weight 3
Description Candidates should be able to secure computers running Linux against common threats.
Scope of Key Knowledge
  • Configure BIOS and boot loader (GRUB 2) security
  • Disable useless software and services
  • Use sysctl for security related kernel configuration, particularly ASLR, Exec-Shield and IP / ICMP configuration
  • Limit resource usage
  • Work with chroot environments
  • Drop unnecessary capabilities
  • Knowledge of the security advantages of virtualization
Important files, terms, and utilities:
  • grub.cfg
  • chkconfig, systemctl
  • ulimit
  • /etc/security/limits.conf
  • pam_limits.so
  • chroot
  • sysctl
  • /etc/sysctl.conf
326.2 Host intrusion detection
Weight 4
Description Candidates should be familiar with the use and configuration of common host intrusion detection software. This includes updates and maintenance as well as automated host scans.
Scope of Key Knowledge
  • Use and configure the Linux Audit system
  • Use chkrootkit
  • Use and configure rkhunter, including updates
  • Use Linux Malware Detect
  • Automate host scans using cron
  • Configure and use AIDE, including rule management
  • Knowledge of OpenSCAP
Important files, terms, and utilities:
  • auditd
  • auditctl
  • ausearch, aureport
  • /etc/auditd/auditd.conf
  • /etc/auditd/audit.rules
  • pam_tty_audit.so
  • chkrootkit
  • rkhunter
  • /etc/rkhunter.conf
  • maldet
  • conf.maldet
  • aide
  • /etc/aide/aide.conf
326.3 User management and authentication
Weight 5
Description Candidates should be familiar with management and authentication of user accounts. This includes configuration and use of NSS, PAM, SSSD and Kerberos for both local and remote directories and authentication mechanisms as well as enforcing a password policy.
Scope of Key Knowledge
  • Understand and configure NSS
  • Understand and configure PAM
  • Enforce password complexity policies and periodic password changes
  • Lock accounts automatically after failed login attempts
  • Configure and use SSSD
  • Configure NSS and PAM for use with SSSD
  • Configure SSSD authentication against Active Directory, IPA, LDAP, Kerberos and local domains
  • Obtain and manage Kerberos tickets
Important files, terms, and utilities:
  • nsswitch.conf
  • /etc/login.defs
  • pam_cracklib.so
  • chage
  • pam_tally.so, pam_tally2.so
  • faillog
  • pam_sss.so
  • sssd
  • sssd.conf
  • sss_* commands
  • krb5.conf
  • kinit, klist, kdestroy
326.4 FreeIPA installation and Samba integration
Weight 4
Description Candidates should be familiar with FreeIPA v4.x. This includes installation and maintenance of a server instance with a FreeIPA domain as well as integration of FreeIPA with Active Directory.
Scope of Key Knowledge
  • Understand FreeIPA, including its architecture and components
  • Understand system and configuration prerequisites for installing FreeIPA
  • Install and manage a FreeIPA server and domain
  • Understand and configure Active Directory replication and Kerberos cross-realm trusts
  • Knowledge of sudo, autofs, SSH and SELinux integration in FreeIPA
Important files, terms, and utilities:
  • 389 Directory Server, MIT Kerberos, Dogtag Certificate System, NTP, DNS, SSSD, certmonger
  • ipa, including relevant subcommands
  • ipa-server-install, ipa-client-install, ipa-replica-install
  • ipa-replica-prepare, ipa-replica-manage

Topic 327: Access Control

327.1 Discretionary access control
Weight 3
Description Candidates are required to understand Discretionary Access Control and know how to implement it using Access Control Lists. Additionally, they are required to understand how to use Extended Attributes.
Scope of Key Knowledge
  • Understand and manage file ownership and access permissions, including SUID and SGID
  • Understand and manage access control lists
  • Understand and manage extended attributes and attribute classes
Important files, terms, and utilities:
  • getfacl
  • setfacl
  • getfattr
  • setfattr
327.2 Mandatory access control
Weight 4
Description Candidates should be familiar with Mandatory Access Control systems for Linux. Specifically, they should have a thorough understanding of SELinux. They should also be aware of other Mandatory Access Control systems for Linux; this covers the major features of these systems but not their configuration and use.
Scope of Key Knowledge
  • Understand the concepts of TE, RBAC, MAC and DAC
  • Configure, manage and use SELinux
  • Knowledge of AppArmor and Smack
Important files, terms, and utilities:
  • getenforce, setenforce, selinuxenabled
  • getsebool, setsebool, togglesebool
  • fixfiles, restorecon, setfiles
  • newrole, runcon
  • semanage
  • sestatus, seinfo
  • apol
  • seaudit, seaudit-report, audit2why, audit2allow
  • /etc/selinux/*
327.3 Network file systems
Weight 3
Description Candidates should have experience and knowledge of security issues in use and configuration of NFSv4 clients and servers as well as CIFS client services. Knowledge of earlier versions of NFS is not required.
Scope of Key Knowledge
  • Understand NFSv4 security issues and improvements
  • Configure NFSv4 servers and clients
  • Understand and use NFSv4 authentication mechanisms (LIPKEY, SPKM, Kerberos)
  • Understand and use NFSv4 pseudo file system
  • Understand and use NFSv4 ACLs
  • Configure CIFS clients
  • Understand and use CIFS Unix Extensions
  • Understand and configure CIFS security modes (NTLM, Kerberos)
  • Understand and manage mapping and handling of CIFS ACLs and SIDs in a Linux system
Important files, terms, and utilities:
  • /etc/exports
  • /etc/idmap.conf
  • nfs4acl
  • mount.cifs parameters related to ownership, permissions and security modes
  • winbind
  • getcifsacl, setcifsacl

Topic 328: Network Security

328.1 Network hardening
Weight 4
Description Candidates should be able to secure networks against common threats. This includes verification of the effectiveness of security measures.
Scope of Key Knowledge
  • Configure FreeRADIUS to authenticate network nodes
  • Use nmap to scan networks and hosts. This includes different scan methods
  • Use Wireshark to analyze network traffic. This includes filters and statistics
  • Identify and deal with rogue RA (Router Advertisements) and DHCP messages
Important files, terms, and utilities:
  • radiusd
  • radmin
  • radtest, radclient
  • radlast, radwho
  • radiusd.conf
  • /etc/raddb/*
  • nmap
  • wireshark
  • tshark
  • tcpdump
  • ndpmon
328.2 Network intrusion detection
Weight 4
Description Candidates should be familiar with the use and configuration of network security scanning, network monitoring and network intrusion detection software. This includes updating and maintaining the security scanners.
Scope of Key Knowledge
  • Implement bandwidth usage monitoring
  • Configure and use Snort. This includes rule management
  • Configure and use OpenVAS. This includes NASL
Important files, terms, and utilities:
  • ntop
  • Cacti
  • snort
  • snort-stat
  • /etc/snort/*
  • openvas-adduser, openvas-rmuser
  • openvas-nvt-sync
  • openvassd
  • openvas-mkcert
  • /etc/openvas/*
328.3 Packet filtering
Weight 5
Description Candidates should be familiar with the use and configuration of packet filters. This includes netfilter, iptables, and ip6tables as well as nftables, nft, and ebtables.
Scope of Key Knowledge
  • Understand common firewall architectures. This includes DMZ
  • Understand and use netfilter, iptables, and ip6tables. This includes standard modules, tests, and targets
  • Implement packet filtering for both IPv4 and IPv6
  • Implement connection tracking and NAT
  • Define IP sets and use them in netfilter rules
  • Basic knowledge of nft
  • Basic knowledge of ebtables
  • Awareness of conntrackd
Important files, terms, and utilities:
  • iptables
  • ip6tables
  • iptables-save, iptables-restore
  • ip6tables-save, ip6tables-restore
  • ipset
  • nft
  • ebtables
328.4 Virtual Private Networks (VPN)
Weight 4
Description Candidates should be proficient in the use of OpenVPN and IPsec.
Scope of Key Knowledge
  • Configure and operate OpenVPN server and clients for both bridged and routed VPN networks
  • Configure and operate IPsec server and clients for routed VPN networks using IPsec-Tools / racoon
  • Awareness of L2TP
Important files, terms, and utilities:
  • /etc/openvpn/*
  • openvpn server and client
  • setkey
  • /etc/ipsec-tools.conf
  • /etc/racoon/racoon.conf