GL550 Enterprise Linux Security Administration Course Outline

GL550 Enterprise Linux Security Administration Course Outline

Section 1 Security Concepts Basic Security Principles
	RHEL/FC/SLES/SL Default Install RH/SUSE Firewall Options and File Security Minimization - Discovery Service Discovery Hardening Security Concepts Lab 1 - Security Concepts Discovering what software packages are installed and removing unneeded packages Using lokkit for firewall configuration Identification of running services and removing unneeded services Increasing security using system calls and chroot

Section 2 Probing, Mapping and Scanning for Vulnerabilities The Security Environment
	Stealth Reconnaissance The WHOIS database Interrogating DNS Discovering Available Hosts and Applications Reconnaissance with SNMP Discovery of RPC Services Enumerating NFS Shares Nessus Insecurity Scanner and Installation Lab 2 - Probing, Mapping and Nessus Discovery of listening services and remote stack fingerprinting Installing, configuring and testing Nessus insecurity scanner

Section 3 Password Security and PAM Unix Passwords
	Password Aging Auditing Passwords PAM Implementation, Management, and Control Statements PAM Modules pam_stack.so, pam_unix.so, pam_unix2.so, pam_cracklib.so, pam_pwcheck.so, pam_env.so, pam_xauth..so, pam_tally.so, pam_wheel.so, pam_limits.so, pam_nologin.so, pam_deny.so, pam_securetty.so, pam_time.so, pam_access.so, pam_listfile.so, pam_lastlog.so, pam_warn.so, pam_console.so, pam_resmgr.so, and pam_devperm.so User Device Access: resmgr Lab 3 - Pluggable Authentication Modules Auditing user password quality Creating additional dictionaries for use with cracklib Working with PAM modules Limiting access activities of users and accounts

Section 4 Secure network time protocol (NTP) The Importance of Time
	Time Measurements and Synchronization Methods NTP Evolution Time Server Hierarchy Operational Modes NTP Clients Configuring NTP Clients and Servers Securing NTP NTP Packet Integrity Useful NTP Commands Lab 4 - Secure NTP Configuring NTP peering Configuring strong authentication on a NTP server Defining Access Control Lists (ACLs) for secure access to NTP server

Section 5 Kerberos Concepts The Computing Landscape
	Common Security Problems Account Proliferation The Kerberos Solution Kerberos History, Implementations, and Concepts Kerberos Principals, Safeguards, and Components Authentication Process and Identification Types Logging In Gaining and Using Privileges

Section 6 Kerberos Components Kerberos Components
	Kerberos Principal Review Kerberized Services Review and Clients KDC Server Daemons Configuration Files Utilities Overview Kerberos SysV Init Scripts

Section 7 Implementing Kerberos Plan Topology and Implementation
	Kerberos 5 Client and Server Software Synchronize Clocks Creating and Configuring the Master KDC KDC Logging Specifying [realms] and [domain_realm] Allow Administrative Access Create KDC Databases and Administrators Install Keys for Services and Start Services Add Host Principals and Common Service Principals Configure Slave KDCs Client Configuration Install krb5.conf on Clients Client PAM Configuration Install Client Host Keys Lab 7-Implementing Kerberos Configuring a master KDC Configuring a slave KDC Configuring a Kerberos client

Section 8 Administrating and Using Kerberos Administrative Tasks
	Key Tables Managing Keytabs Principals and Managing Principals MIT Principal Policy Viewing Principals MIT Managing Policies Goals for Users Signing Into Kerberos Ticket types and Viewing Tickets GUI Kerberos Ticket Management Removing Tickets Passwords and Changing Passwords Giving Others Access Using Kerberized Services Kerberized FTP Enabling Kerberized Services OpenSSH and Kerberos Lab 8 - Using Kerberized Clients System configuration for use of kerberized client and server applications Using the kerberized telnet to connect via a ticket and encrypt the data for the session Exploring the utility and behavior of forwardable tickets Configuring an OpenSSH server and client to accept and use Kerberos Authentication Testing Kerberos authentication with OpenSSH

Section 9 Securing the filesystem Filesystem Mount Options
	NFS Properties and NFS Export Option NFSv4 and GSSAPI Auth Implementing NFSv4 File Encryption with GPG and OpenSSL Encrypted Loopback FS Lab 9 - Filesystem Security, and File Encryption Modification of filesystem mounting options to increase system security Configuring and securing an NFS share Encrypting and decrypting files using GPG and openssl Setting up a NFSv4 share with GSSAPI/Kerberos authentication

Section 10 Tripwire Host Intrusion Detection
	Using RPM as an IDS TripWire History and Concepts TripWire Installation, Policies, and Configuration TripWire Commands and General Operation Lab 10 - File integrity checking with rpm / TripWire Verifying the integrity of files on the system and files in a directory Configuring TripWire to monitor files and report changes

Section 11 Securing Apache Apache Overview
	RH/SUSE Default Configuration Configuring CGI Turning off unneeded modules Configuration Delegation and Scope ACL by IP Address HTTP User Authentication Standard Auth Modules HTTP Digest Authentication Authentication via SQL, LDAP, and Kerberos Scrubbing HTTP Headers Metering HTTP Bandwidth Lab 11- Securing Apache Increasing security and optimizing Apache by disabling unneeded modules Removing Apache and PHP version from HTTP headers Setting up virtual hosts Creating CGI scripts to "deface" another's files and setting permissions against exploit Showing files can be read by virtual host users and employing "suexec" to protect against access Configuring and testing mod_auth_kerb

Section 12 Securing PostgreSQL PostgreSQL Overview and Default Configuration
	Configuring SSL Authentication Methods and Advanced Authentication Ident-based Authentication Lab 12- Securing PostgreSQL Configuring PostgreSQL to accept remote TCP connections Configuring PostgreSQL to support strong authentication via SSL Configuring PostgreSQL to support Kerberos Setting up and configuring a web based multi-user PHP calendaring application that uses PostgreSQL Configuring Apache to support Kerberos authentication and to require SSL

Section 13 Securing EMail Systems SMTP Overview and Implementations
	Selecting an MTA Security Considerations Postfix Overview Chrooting Postfix Connections and Relays SMTP AUTH & StartTLS/SSL Secure Cyrus IMAP Config Using GSSAPI/Kerberos Auth Lab 13 - Securing Email Configuring a system to use Postfix Configuring Postfix to listen on the network and accept mail Modifying Postfix’s SysV Init script to setup and maintain the proper environment for chrooting Postfix daemons each time it starts Configuring Postfix to chroot some of its daemons Configuring Postfix to use SMTP AUTH via PAM for secure relaying Configuring Postfix to support STARTTLS to secure SMTP AUTH Configuring Cyrus IMAP with SSL/TLS for IMAPS and POP3 access Configuring Postfix to deliver mail to Cyrus IMAP Setting up Evolution to test Postfix and Cyrus IMAP Generating Kerberos principals for Cyrus IMAP and Postfix Re-Configuring Cyrus IMAP and Postfix to perform GSSAPI/Kerberos authentication Re-Configuring Evolution to preform GSSAPI/Kerberos authentication

Section 14 SELinux Concepts DAC vs. MAC
	Shortcomings of Traditional UNIX Security SELinux Goals, Terms, and Logical Architecture SELinux in Action Activating and Interfacing SELinux SELinux Commands and Roles Modified System Utilities Lab 14 - SELinux Concepts Installing and initializing SELinux Working with several SELinux management commands to see how roles and contexts are used on the system

Section 15 SELinux Policy SELinux Policies Review
	Choosing a Policy Compiled Policy Files Policy Source Files M4 Macro Language File Context Files (.fc) Type Enforcement Files (.te) Booleans Graphical Policy Tools Policy Analysis Policy Customization Troubleshooting SELinux Problems Lab 15 - SELinux Policy Enabling Strict Policy Changing roles on the system Understanding the difference between how context labels are treated with the cp and mv commands Setting SELinux Boolean Values Modifying the default policy so that users can do a directory listing in /var/log