LinuC Level 2


Exam 202 Objectives (Version 10.0)

LinuC Level 2 certification is awarded after passing both Exam 201 and Exam 202 and having an active LinuC Level 1 certification. The exams may be taken in any order. The Level 2 objectives cover the advanced technology that Linux engineers need and that is common across Linux distributions.

Each item of the objectives is weighted for its importance. The weight is approximately in the range 1 to 10, and indicates the relative importance of the topic covered. Questions on topics with higher weight appear more often in the exams.

Topic 2.07: Network client management

2.07.1 DHCP server configuration and management
Weight 2
Overview Candidates can set up a DHCP server. This includes setting default and per-client options, as well as adding static and BOOTP hosts. It also includes setting up a DHCP relay agent and maintaining a DHCP server.
Details
  • DHCP configuration files, terms, utilities
    • arp, dhcpd, dhcpd.conf, dhcpd.leases
    • DHCP log messages in syslog and systemd journals
  • Subnet and dynamic allocation range settings
  • Know about DHCPv6 and IPv6 router advertisements.
    • radvd, radvd.conf
2.07.2 PAM authentication
Weight 3
Overview Candidates can configure PAM to support authentication in various ways. This includes basic SSSD (System Security Services Daemon) functions.
Details
  • PAM configuration files, terms, utilities
    • /etc/pam.d/, pam.conf, nsswitch.conf, sssd.conf
    • pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss
2.07.3 How to use LDAP client
Weight 2
Overview Candidates can query and update an LDAP server. It also includes adding and importing items and adding and managing users.
Details
  • LDAP utility for data management
    • ldapadd, ldapdelete, ldapmodify
  • Query the LDAP directory.
    • ldapsearch
  • Change the user password.
    • ldappasswd
2.07.4 OpenLDAP server settings
Weight 2
Overview Candidates can set up a basic OpenLDAP server, including knowledge of the LDIF format and important access controls.
Details
  • OpenLDAP
    • slapadd, slapcat, slapindex, slapd, /var/lib/ldap/
  • Directory-based settings
    • slapd-config
  • Access control
    • slapd.access
  • Distinguished Name (DN)
  • LDIF
  • directory
  • Work with entries
  • Schema
    • Object ID, attribute, class
  • White pages

Topic 2.08: Domain Name Server

2.08.1 BIND configuration and management
Weight 3
Overview Candidates can configure BIND to act as an authoritative server, a recursive server, or a cache-only DNS server. This includes managing running servers and setting up logging.
Details
  • BIND configuration files, terms, utilities
    • named.conf, host, dig, nslookup
  • Define the location of the BIND zone file by the BIND configuration file.
    • named.conf
  • Reload the changed configuration file and zone file.
    • rndc, named-checkconf
  • Know about dnsmasq, Unbound, NSD, and PowerDNS as alternative nameservers.
2.08.2 Management of zone information
Weight 2
Overview Candidates can create forward and reverse lookup zone files and root hint files. This includes setting appropriate values in the record, adding the host to the zone, and adding the zone to DNS. It also includes performing zone delegation to other DNS servers.
Details
  • BIND zone file layout, contents, file layout
    • Zone file format, resource record format
  • How to check when adding a new host to a zone file, including reverse zones
    • named-compilezone, named-checkzone
2.08.3 Realization of secure DNS server
Weight 2
Overview Candidates can configure the DNS server to run in a chroot environment as a non-root user. This includes the secure exchange of data between DNS servers.
Details
  • Set up BIND to run in a chroot environment.
  • Split BIND configuration using the forwarders statement.
    • named.conf
  • Know about DNSSEC and basic tools.
    • dnssec-keygen, dnssec-signzone, TSIG (Transaction Signature)
  • Know about DANE and related records.

Topic 2.09: HTTP Server and Proxy Server

2.09.1 Apache HTTP server configuration and management
Weight 3
Overview Candidates can install and configure Apache HTTP Server. This includes monitoring server load and performance, limiting user access from clients, settings that support scripting languages as modules, and client user authentication settings. It also includes limiting resource usage through server option settings. Candidates can configure Apache HTTP Server to use a virtual host and customize access to files.
Details
  • Apache HTTP Server configuration files, terms, utilities
    • httpd, apache2
    • httpd.conf, mod_auth_basic, mod_authz_host
    • apachectl, apache2ctl
  • Apache HTTP Server log file settings and contents
    • Access log and error log
  • Access restriction methods and files
    • .htaccess, AuthUserFile, AuthGroupFile
  • Files and utilities to authenticate client users
    • htpasswd
  • Maximum number of requests, minimum/maximum number of servers and number of clients
  • Virtual host implementation in Apache HTTP Server
  • Use the Redirect statement in the Apache HTTP Server configuration file to customize access to the file.
2.09.2 OpenSSL and HTTPS settings
Weight 3
Overview Candidates can configure the Apache HTTP Server to provide HTTPS.
Details
  • SSL configuration file, tool
    • /etc/ssl/, /etc/pki/
    • Apache HTTP server configuration file
    • SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
    • SSLProtocol, SSLCipherSuite
  • Generate a private key for the server and a CSR for a commercial CA.
    • openssl
  • Generate a self-signed certificate.
    • openssl
  • Install keys and certificates that include intermediate CAs.
    • SSLCACertificateFile, SSLCACertificatePath
  • Address the security issues of using SSL and disable insecure protocols and ciphers.
2.09.3 Nginx configuration and management
Weight 3
Overview Candidates can install and configure the reverse proxy server, nginx. This includes configuring nginx as an HTTP server.
Details
  • nginx configuration and management
    • /etc/nginx/, nginx
  • nginx SSL settings
    • ssl, ssl_certificate, ssl_certificate_key, ssl_ciphers, ssl_protocols
  • Setting as a reverse proxy server
    • proxy_pass, proxy_http_version, proxy_set_header
  • Redirect with nginx.
2.09.4 Squid configuration and management
Weight 2
Overview Candidates can install and configure a proxy server. This includes access policies, authentication and resource usage.
Details
  • Squid 3.x configuration files, terms and utilities
    • squid.conf, squidclient
  • How to restrict access
    • http_access
  • Client user authentication method
  • ACL layout and contents in Squid configuration file
    • acl

Topic 2.10: E-Mail Services

2.10.1 Postfix configuration and management
Weight 3
Overview Candidates can manage email servers. This includes email aliases, access restrictions, and virtual domain settings. It also includes setting up internal email relays and monitoring email servers.
Details
  • Postfix configuration files, spools, log files
    • /etc/postfix/, /etc/aliases, /var/spool/postfix/, mail-related logs under /var/log/
  • Postfix basic TLS configuration
  • SMTP authentication settings
  • Basic knowledge of the SMTP protocol
  • Know about exim.
2.10.2 Dovecot settings and management
Weight 2
Overview Candidates can install and configure POP and IMAP daemons.
Details
  • Dovecot POP and IMAP configuration and management
    • /etc/dovecot/, dovecot.conf, doveconf, doveadm
  • Basic TLS configuration for Dovecot

Topic 2.11: File Sharing Services

2.11.1 Samba configuration and management
Weight 4
Overview Candidates can set up a Samba server for various clients. This includes setting up Samba for clients to log in to, workgroups for servers to join, defining shared directories, and troubleshooting installation.
Details
  • Samba configuration and log files
    • /etc/samba/, /var/log/samba/
  • Samba utilities and daemons
    • samba, smbd, nmbd, winbindd
    • smbcontrol, smbstatus, testparm, smbpasswd, nmblookup, net, smbclient, samba-tool
  • Map Windows usernames to Linux usernames.
  • ACL and AD security
    • getfacl, setfacl
2.11.2 NFS server configuration and management
Weight 3
Overview Candidates can use NFS to export the file system. This includes access restrictions, mounting NFS file systems on clients, and NFS protection.
Details
  • NFS configuration file
    • /etc/exports
  • NFS utilities and daemons
    • exportfs, showmount, nfsstat, rpcinfo
    • mountd, portmapper
  • Restrict access to specific hosts or subnets
  • Mount options on server and client
    • /etc/fstab, /proc/mounts

Topic 2.12: System Security

2.12.1 Packet filtering with iptables and firewalld
Weight 3
Overview Candidates can protect the network by configuring the system to forward IP packets or perform network address translation (NAT or IP masquerading). This includes setting port redirection, managing filter rules, and averting attacks.
Details
  • iptables and ip6tables tools
    • iptables, ip6tables
  • IP packet forwarding
    • /proc/sys/net/ipv4/, /proc/sys/net/ipv6/
  • Tools for managing the routing table
  • Port redirection
  • View and save filters and rules that accept and deny IP packets based on source and destination protocols, ports, and addresses
    • /etc/services
  • Save and reload filter settings
    • iptables-save, iptables-restore
  • Check and change the settings with firewalld.
    • firewalld, firewall-cmd
  • Check and change the settings with ufw.
    • ufw
2.12.2 OpenSSH server configuration and management
Weight 4
Overview Candidates can configure and protect the SSH daemon. This includes key management and configuring SSH for users.
Details
  • OpenSSH server configuration file and daemon
    • sshd, /etc/ssh/sshd_config
    • /etc/ssh/ssh_host_*_key and ssh_host_*_key.pub
  • Restrict login for superusers and general users.
    • PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication
2.12.3 OpenVPN configuration and management
Weight 2
Overview Candidates can set up VPN (Virtual Private Network) and secure point-to-point or site-to-site connections.
Details
  • Understand the functional outline of OpenVPN.
  • OpenVPN configuration files and tools
    • /etc/openvpn/, openvpn
2.12.4 Security work
Weight 3
Overview Candidates can collect security alerts from various sources. Candidates can install, configure, and run an intrusion detection system. Candidates can apply security patches and bug fixes.
Details
  • Utilities to test and scan server ports
    • netcat(nc, ncat), nmap, iptables, firewalld
  • Knowledge of Bugtraq, CERT, CIAC and other organizations that report security alerts, and their addresses
  • Utilities that implement an IDS (Intrusion Detection System)
    • fail2ban, snort
  • Know about OpenVAS and OpenSCAP.

Topic 2.13: System Architecture

2.13.1 Realization method of high availability system
Weight 2
Overview Candidates understand the system configuration that achieves the required level of availability.
Details
  • Understand the events that affect availability.
    • Failure/fault patterns, maintenance stoppages (planned, emergency), etc.
    • Physical and logical failures
    • SPoF, recoverability (difficulty, time)
  • Know how to assess availability. However, the calculation formula is not included.
    • MTBF, MTTR, availability, SLA
    • RPO, RTO
  • Know the system configuration that realizes high availability (HA).
    • Realization of HA by redundancy
    • Pacemaker, Corosync
    • Be familiar with the concepts of clusters and load balancing as HA configuration types.
  • Know the difference in availability levels due to physical and geographical distribution.
2.13.2 Ensure capacity planning and scalability
Weight 2
Overview
  • For a system whose required amount of resources can be predicted in advance, candidates know how to extend the system in the near future.
  • In a system where the amount of resources required in the future cannot be easily predicted, candidates can continuously grasp the current resource usage status.
Details
  • Viewpoints and items of system resources that should be understood in order to create a capacity plan
  • Know how to increase or decrease resources and what needs to be done.
    • Scale up/down
    • Scale out/in
  • Candidates know how to scale up.
    • Reconfiguring a machine with the required amount of resources
  • Candidates know how to scale out.
    • Application configuration that can support scale-out (stateless configuration: DB, session, etc.)
    • Increase or decrease nodes using configuration management tools or virtual machine images
    • Access distribution by load balancer, DNS round robin
2.13.3 System configuration on cloud services
Weight 2
Overview
  • Candidates understand the characteristics of the system configuration centered on IaaS on cloud services.
  • Candidates understand that IaaS resources can be increased or decreased as needed.
Details
  • Understand the types of cloud storage.
    • Storage that can be used only during instance operation (ephemeral storage)
    • Storage that can be used across instance stop/start (persistent storage)
  • Understand cloud network types.
    • Fixed IP address, floating IP address
  • Understand cloud network security.
    • Tenant network, firewall (security group)
  • Understand the key technologies and services that support the cloud.
    • Object storage, messaging system (queue), autoscaler
2.13.4 Typical system architecture
Weight 3
Overview Candidates understand the system configuration patterns for ensuring high availability and scalability.
Details
  • Know typical system configuration patterns and their characteristics.
    • LAPP/LAMP configuration with PHP/Apache HTTP Server + PostgreSQL/MySQL
    • Web 3-tier model with Web server + AP server + DB server
    • Web 3-tier model that ensures redundancy by load balancer, HA configuration, and database replication
    • Scalable web system by load balancer/DNS round robin + web server scale-out
    • A scalable Web system that uses a proxy server cache and CDN
    • Asynchronous data processing system utilizing messaging queue