GL550 - Enterprise Linux Security Administration

Start Date Time Days Price GTR Availability
July 10, 2017 10:00 (EST) 5 $3,145.00 Register
October 02, 2017 10:00 (EST) 5 $3,145.00 Register

This highly technical course focuses on properly securing machines running the Linux operating systems. A broad range of general security techniques such as packet filtering, password policies, and file integrity checking are covered. Advanced security technologies such as Kerberos and SELinux are taught. Special attention is given to securing commonly deployed network services. At the end of the course, students have an excellent understanding of the potential security vulnerabilities — know how to audit existing machines, and how to securely deploy new network services.

Prerequisites:
This class covers advanced security topics and is intended for experienced systems administrators. Candidates should have current Linux or UNIX systems administration experience equivalent to the GL120 “Linux Fundamentals”, GL250 “Enterprise Linux Systems Administration”, and GL275 “Enterprise Linux Network Services”

Supported Distributions:

  • Red Hat Enterprise Linux 6
  • SUSE Linux Enterprise 11

Detailed Course Outline:

SECURITY CONCEPTS
Basic Security Principles
RHEL6 Default Install
RHEL6 Firewall
SLES11 Default Install
SLES11 Firewall
SLES11: File Security
Minimization – Discovery
Service Discovery
Hardening
Security Concepts

LAB TASKS
Removing Packages Using RPM
Firewall Configuration
Process Discovery
Operation of the setuid() and capset() System Calls
Operation of the chroot() System Call

SCANNING, PROBING, AND MAPPING VULNERABILITIES
The Security Environment
Stealth Reconnaissance
The WHOIS database
Interrogating DNS
Discovering Hosts
Discovering Reachable Services
Reconnaissance with SNMP
Discovery of RPC Services
Enumerating NFS Shares
Nessus Insecurity Scanner
Configuring OpenVAS

LAB TASKS
NMAP
OpenVAS
Advanced nmap Options

PASSWORD SECURITY AND PAM
Unix Passwords
Password Aging
Auditing Passwords
PAM Overview
PAM Module Types
PAM Order of Processing
PAM Control Statements
PAM Modules
pam_unix
pam_cracklib.so
pam_pwcheck.so
pam_env.so
pam_xauth.so
pam_tally2.so
pam_wheel.so
pam_limits.so
pam_nologin.so
pam_deny.so
pam_warn.so
pam_securetty.so
pam_time.so
pam_access.so
pam_listfile.so
pam_lastlog.so
pam_console.so

LAB TASKS
John the Ripper
Cracklib
Using pam_listfile to Implement Arbitrary ACLs
Using pam_limits to Restrict Simultaneous Logins
Using pam_nologin to Restrict Logins
Using pam_access to Restrict Logins
su & pam

SECURE NETWORK TIME PROTOCOL (NTP)
The Importance of Time
Hardware and System Clock
Time Measurements
NTP Terms and Definitions
Synchronization Methods
NTP Evolution
Time Server Hierarchy
Operational Modes
NTP Clients
Configuring NTP Clients
Configuring NTP Servers
Securing NTP
NTP Packet Integrity
Useful NTP Commands

LAB TASKS
Configuring and Securing NTP
Peering NTP with Multiple Systems

KERBEROS CONCEPTS AND COMPONENTS
Common Security Problems
Account Proliferation
The Kerberos Solution
Kerberos History
Kerberos Implementations
Kerberos Concepts
Kerberos Principals
Kerberos Safeguards
Kerberos Components
Authentication Process
Identification Types
Logging In
Gaining Privileges
Using Privileges
Kerberos Components and the KDC
Kerberized Services Review
Kerberized Clients
KDC Server Daemons
Configuration Files
Utilities Overview

IMPLEMENTING KERBEROS
Plan Topology and Implementation
Kerberos 5 Client Software
Kerberos 5 Server Software
Synchronize Clocks
Create Master KDC
Configuring the Master KDC
KDC Logging
Kerberos Realm Defaults
Specifying [realms]
Specifying [domain_realm]
Allow Administrative Access
Create KDC Databases
Create Administrators
Install Keys for Services
Start Services
Add Host Principals
Add Common Service Principals
Configure Slave KDCs
Create Principals for Slaves
Define Slaves as KDCs
Copy Configuration to Slaves
Install Principals on Slaves
Create Stash on Slaves
Start Slave Daemons
Client Configuration
Install krb5.conf on Clients
Client PAM Configuration
Install Client Host Keys

LAB TASKS
Implementing Kerberos

ADMINISTERING AND USING KERBEROS
Administrative Tasks
Key Tables
Managing Keytabs
Managing Principals
Viewing Principals
Adding, Deleting, and Modifying Principals
Principal Policy
Overall Goals for Users
Signing In to Kerberos
Ticket types
Viewing Tickets
Removing Tickets
Passwords
Changing Passwords
Giving Others Access
Using Kerberized Services
Kerberized FTP
Enabling Kerberized Services
OpenSSH and Kerberos

LAB TASKS
Using Kerberized Clients
Forwarding Kerberos Tickets
OpenSSH with Kerberos

SECURING THE FILESYSTEM
Filesystem Mount Options
NFS Properties
NFS Export Option
NFSv4 and GSSAPI Auth
Implementing NFSv4
Implementing Kerberos with NFS
GPG – GNU Privacy Guard
File Encryption with OpenSSL
File Encryption With encfs
Linux Unified Key Setup (LUKS)

LAB TASKS
Securing Filesystems
Securing NFS
Implementing NFSv4
File Encryption with GPG
File Encryption With OpenSSL
LUKS-on-disk format Encrypted Filesystem

AIDE
Host Intrusion Detection Systems
Using RPM as a HIDS
Introduction to AIDE
AIDE Installation
AIDE Policies
AIDE Usage

LAB TASKS
File Integrity Checking with RPM
File Integrity Checking with AIDE

ACCOUNTABILITY WITH KERNEL AUDITD
Accountability and Auditing
Simple Session Auditing
Simple Process Accounting & Command History
Kernel-Level Auditing
Configuring the Audit Daemon
Controlling Kernel Audit System
Creating Audit Rules
Searching Audit Logs
Generating Audit Log Reports
Audit Log Analysis

LAB TASKS
Auditing Login/Logout
Auditing File Access
Auditing Command Execution

SELINUX
DAC vs. MAC
Shortcomings of Traditional Unix Security
AppArmor
SELinux Goals
SELinux Evolution
SELinux Modes
Gathering Information
SELinux Virtual Filesystem
SELinux Contexts
Managing Contexts
The SELinux Policy
Choosing an SELinux Policy
Policy Layout
Tuning and Adapting Policy
Booleans
Permissive Domains
Managing File Contexts
Managing Port Contexts
SELinux Policy Tools
Examining Policy
SELinux Troubleshooting
SELinux Troubleshooting Continued

LAB TASKS
Exploring SELinux Modes
SELinux Contexts in Action
Managing SELinux Booleans
Creating Policy with Audit2allow
Creating & Compiling Policy from Source

SECURING APACHE
Apache Overview
httpd.conf  Server Settings
Configuring CGI
Turning Off Unneeded Modules
Delegating Administration
Apache Access Controls (mod_access)
HTTP User Authentication
Standard Auth Modules
HTTP Digest Authentication
Authentication via SQL
Authentication via LDAP
Authentication via Kerberos
Scrubbing HTTP Headers
Metering HTTP Bandwidth

LAB TASKS
Hardening Apache by Minimizing Loaded Modules
Scrubbing Apache & PHP Version Headers
Protecting Web Content
Using the suexec Mechanism
Enabling SSO in Apache with mod_auth_kerb

SECURING POSTGRESQL
PostgreSQL Overview
PostgreSQL Default Config
Configuring SSL
Client Authentication Basics
Advanced Authentication
Ident-based Authentication

LAB TASKS
Configure PostgreSQL
PostgreSQL with SSL
PostgreSQL with Kerberos Authentication
Securing PostgreSQL with Web Based Applications

SECURING EMAIL SYSTEMS
SMTP Implementations
Security Considerations
chrooting Postfix
Email with GSSAPI/Kerberos Auth

LAB TASKS
Postfix In a Change Root Environment