|
Section 1 Security Concepts Basic Security Principles
|
|
|
- RHEL/FC/SLES/SL Default Install
- RH/SUSE Firewall Options and File Security
- Minimization - Discovery
- Service Discovery
- Hardening
- Security Concepts
- Lab 1 - Security Concepts Discovering what software packages are installed and removing unneeded packages
- Using lokkit for firewall configuration
- Identification of running services and removing unneeded services
- Increasing security using system calls and chroot
|
|
|
|
Section 2 Probing, Mapping and Scanning for Vulnerabilities The Security Environment
|
|
|
- Stealth Reconnaissance
- The WHOIS database
- Interrogating DNS
- Discovering Available Hosts and Applications
- Reconnaissance with SNMP
- Discovery of RPC Services
- Enumerating NFS Shares
- Nessus Insecurity Scanner and Installation
- Lab 2 - Probing, Mapping and Nessus Discovery of listening services and remote stack fingerprinting
- Installing, configuring and testing Nessus insecurity scanner
|
|
|
|
Section 3 Password Security and PAM Unix Passwords
|
|
|
- Password Aging
- Auditing Passwords
- PAM Implementation, Management, and Control Statements
- PAM Modules
- pam_stack.so, pam_unix.so, pam_unix2.so, pam_cracklib.so, pam_pwcheck.so, pam_env.so, pam_xauth..so, pam_tally.so, pam_wheel.so, pam_limits.so, pam_nologin.so, pam_deny.so, pam_securetty.so, pam_time.so, pam_access.so, pam_listfile.so, pam_lastlog.so, pam_warn.so, pam_console.so, pam_resmgr.so, and pam_devperm.so
- User Device Access: resmgr
- Lab 3 - Pluggable Authentication Modules Auditing user password quality
- Creating additional dictionaries for use with cracklib
- Working with PAM modules
- Limiting access activities of users and accounts
|
|
|
|
Section 4 Secure network time protocol (NTP) The Importance of Time
|
|
|
- Time Measurements and Synchronization Methods
- NTP Evolution
- Time Server Hierarchy
- Operational Modes
- NTP Clients
- Configuring NTP Clients and Servers
- Securing NTP
- NTP Packet Integrity
- Useful NTP Commands
- Lab 4 - Secure NTP Configuring NTP peering
- Configuring strong authentication on a NTP server
- Defining Access Control Lists (ACLs) for secure access to NTP server
|
|
|
|
Section 5 Kerberos Concepts The Computing Landscape
|
|
|
- Common Security Problems
- Account Proliferation
- The Kerberos Solution
- Kerberos History, Implementations, and Concepts
- Kerberos Principals, Safeguards, and Components
- Authentication Process and Identification Types
- Logging In
- Gaining and Using Privileges
|
|
|
|
Section 6 Kerberos Components Kerberos Components
|
|
|
- Kerberos Principal Review
- Kerberized Services Review and Clients
- KDC Server Daemons
- Configuration Files
- Utilities Overview
- Kerberos SysV Init Scripts
|
|
|
|
Section 7 Implementing Kerberos Plan Topology and Implementation
|
|
|
- Kerberos 5 Client and Server Software
- Synchronize Clocks
- Creating and Configuring the Master KDC
- KDC Logging
- Specifying [realms] and [domain_realm]
- Allow Administrative Access
- Create KDC Databases and Administrators
- Install Keys for Services and Start Services
- Add Host Principals and Common Service Principals
- Configure Slave KDCs
- Client Configuration
- Install krb5.conf on Clients
- Client PAM Configuration
- Install Client Host Keys
- Lab 7-Implementing Kerberos Configuring a master KDC
- Configuring a slave KDC
- Configuring a Kerberos client
|
|
|
|
Section 8 Administrating and Using Kerberos Administrative Tasks
|
|
|
- Key Tables
- Managing Keytabs
- Principals and Managing Principals
- MIT Principal Policy
- Viewing Principals
- MIT Managing Policies
- Goals for Users
- Signing Into Kerberos
- Ticket types and Viewing Tickets
- GUI Kerberos Ticket Management
- Removing Tickets
- Passwords and Changing Passwords
- Giving Others Access
- Using Kerberized Services
- Kerberized FTP
- Enabling Kerberized Services
- OpenSSH and Kerberos
- Lab 8 - Using Kerberized Clients System configuration for use of kerberized client and server applications
- Using the kerberized telnet to connect via a ticket and encrypt the data for the session
- Exploring the utility and behavior of forwardable tickets
- Configuring an OpenSSH server and client to accept and use Kerberos Authentication
- Testing Kerberos authentication with OpenSSH
|
|
|
|
Section 9 Securing the filesystem Filesystem Mount Options
|
|
|
- NFS Properties and NFS Export Option
- NFSv4 and GSSAPI Auth
- Implementing NFSv4
- File Encryption with GPG and OpenSSL
- Encrypted Loopback FS
- Lab 9 - Filesystem Security, and File Encryption Modification of filesystem mounting options to increase system security
- Configuring and securing an NFS share
- Encrypting and decrypting files using GPG and openssl
- Setting up a NFSv4 share with GSSAPI/Kerberos authentication
|
|
|
|
Section 10 Tripwire Host Intrusion Detection
|
|
|
- Using RPM as an IDS
- TripWire History and Concepts
- TripWire Installation, Policies, and Configuration
- TripWire Commands and General Operation
- Lab 10 - File integrity checking with rpm / TripWire Verifying the integrity of files on the system and files in a directory
- Configuring TripWire to monitor files and report changes
|
|
|
|
Section 11 Securing Apache Apache Overview
|
|
|
- RH/SUSE Default Configuration
- Configuring CGI
- Turning off unneeded modules
- Configuration Delegation and Scope
- ACL by IP Address
- HTTP User Authentication
- Standard Auth Modules
- HTTP Digest Authentication
- Authentication via SQL, LDAP, and Kerberos
- Scrubbing HTTP Headers
- Metering HTTP Bandwidth
- Lab 11- Securing Apache Increasing security and optimizing Apache by disabling unneeded modules
- Removing Apache and PHP version from HTTP headers
- Setting up virtual hosts
- Creating CGI scripts to "deface" another's files and setting permissions against exploit
- Showing files can be read by virtual host users and employing "suexec" to protect against access
- Configuring and testing mod_auth_kerb
|
|
|
|
Section 12 Securing PostgreSQL PostgreSQL Overview and Default Configuration
|
|
|
- Configuring SSL
- Authentication Methods and Advanced Authentication
- Ident-based Authentication
- Lab 12- Securing PostgreSQL Configuring PostgreSQL to accept remote TCP connections
- Configuring PostgreSQL to support strong authentication via SSL
- Configuring PostgreSQL to support Kerberos
- Setting up and configuring a web based multi-user PHP calendaring application that uses PostgreSQL
- Configuring Apache to support Kerberos authentication and to require SSL
|
|
|
|
Section 13 Securing EMail Systems SMTP Overview and Implementations
|
|
|
- Selecting an MTA
- Security Considerations
- Postfix Overview
- Chrooting Postfix
- Connections and Relays
- SMTP AUTH & StartTLS/SSL
- Secure Cyrus IMAP Config
- Using GSSAPI/Kerberos Auth
- Lab 13 - Securing Email Configuring a system to use Postfix
- Configuring Postfix to listen on the network and accept mail
- Modifying Postfix’s SysV Init script to setup and maintain the proper environment for chrooting Postfix daemons each time it starts
- Configuring Postfix to chroot some of its daemons
- Configuring Postfix to use SMTP AUTH via PAM for secure relaying
- Configuring Postfix to support STARTTLS to secure SMTP AUTH
- Configuring Cyrus IMAP with SSL/TLS for IMAPS and POP3 access
- Configuring Postfix to deliver mail to Cyrus IMAP
- Setting up Evolution to test Postfix and Cyrus IMAP
- Generating Kerberos principals for Cyrus IMAP and Postfix
- Re-Configuring Cyrus IMAP and Postfix to perform GSSAPI/Kerberos authentication
- Re-Configuring Evolution to preform GSSAPI/Kerberos authentication
|
|
|
|
Section 14 SELinux Concepts DAC vs. MAC
|
|
|
- Shortcomings of Traditional UNIX Security
- SELinux Goals, Terms, and Logical Architecture
- SELinux in Action
- Activating and Interfacing SELinux
- SELinux Commands and Roles
- Modified System Utilities
- Lab 14 - SELinux Concepts Installing and initializing SELinux
- Working with several SELinux management commands to see how roles and contexts are used on the system
|
|
|
|
Section 15 SELinux Policy SELinux Policies Review
|
|
|
- Choosing a Policy
- Compiled Policy Files
- Policy Source Files
- M4 Macro Language
- File Context Files (*.fc)
- Type Enforcement Files (*.te)
- Booleans
- Graphical Policy Tools
- Policy Analysis
- Policy Customization
- Troubleshooting SELinux Problems
- Lab 15 - SELinux Policy Enabling Strict Policy
- Changing roles on the system
- Understanding the difference between how context labels are treated with the cp and mv commands
- Setting SELinux Boolean Values
- Modifying the default policy so that users can do a directory listing in /var/log
|
