
Linux host security


At a glance

Course number U8630S
Length 5 days
Delivery method Onsite dedicated training (OST)
Price USD $3,000
CAD $3,600

Special note

The Red Hat versions of the course cover the following Linux distributions:

  • Red Hat Enterprise Linux Advanced Server 4.0
  • Red Hat Enterprise Linux Enterprise Server 4.0
  • Fedora Core 3.0

The SUSE versions of the course cover the following Linux distributions:

  • SUSE Enterprise Linux 9.0
  • SUSE Linux 9.2

Students will receive a workbook for Fedora Core 3.0 and SUSE Professional 9.2 and select which distribution to perform the labs on.


Course overview

This highly technical course focuses on properly securing machines running the Linux operating system. A broad range of general security techniques such as packet filtering, password policies, and file integrity checking are covered. Advanced security technologies such as Kerberos and SELinux are taught. Special attention is given to securing commonly deployed network services. At the end of the course, students have an excellent understanding of the potential security vulnerabilities and know how to audit existing machines and how to securely deploy new network services.


Prerequisites

  • Accelerated Linux administration for experienced HP-UX or Sun Solaris administrators (U2794S) OR
  • Linux administration I (H7091S) AND Linux administration II (H7092S) OR
  • Equivalent Linux administration experience

Audience

  • Linux system administrators wanting to increase their knowledge and skills in Linux host security.

Course Objectives

At the conclusion of this course you will be able to:

  • Probe, map and scan for security vulnerabilities
  • Effectively configure PAM modules to strengthen security on Linux
  • Secure the Network Time Protocol (NTP)
  • Install, configure, and administer Kerberos
  • Strengthen file system security
  • Implement Tripwire file integrity checking
  • Secure Apache, PostgreSQL, SMTP
  • Understand and implement SELinux

Benefits to you

  • Learn how to secure Linux using the Pluggable Authentication Modules (PAM)
  • Install, configure, and administer Kerberos
  • Implement the Tripwire file integrity checker
  • Learn how to secure common enterprise services on Linux
  • Study the concepts and configuration of Security-Enhanced Linux (SELinux)

Course outline

Security concepts

  • Basic security principles
  • RHEL/FC Linux default install
  • RH installer firewall options
  • RH: post-install firewall
  • SLES/SL default install
  • SLES/SL: firewall
  • SLES/SL: file security
  • Minimization - discovery
  • Service discovery
  • Hardening
  • Security concepts
  • Lab: security concepts

Probing, mapping and scanning for vulnerabilities

  • The security environment
  • Stealth reconnaissance
  • The WHOIS database
  • Interrogating DNS
  • Discovering available hosts
  • Discovering available apps
  • Reconnaissance with SNMP
  • Discovery of RPC services
  • Enumerating NFS shares
  • Nessus insecurity scanner
  • Nessus installation
  • Lab: probing, mapping and Nessus

Password security and PAM

  • Unix passwords
  • Password aging
  • Auditing passwords
  • PAM
  • PAM implementation
  • PAM management
  • PAM control statements
  • PAM modules
  • pam_stack.so
  • pam_unix.so & pam_unix2.so
  • pam_cracklib.so
  • pam_pwcheck.so
  • pam_env.so
  • pam_xauth.so
  • pam_tally.so
  • pam_wheel.so
  • pam_limits.so
  • pam_nologin.so
  • pam_deny.so
  • pam_securetty.so
  • pam_time.so
  • pam_access.so
  • pam_listfile.so
  • pam_lastlog.so
  • pam_warn.so
  • pam_console.so
  • pam_resmgr.so
  • pam_devperm.so
  • Lab: pluggable authentication modules

Secure network time protocol (NTP)

  • The importance of time
  • Time measurements
  • Synchronization methods
  • NTP evolution
  • Time server hierarchy
  • Operational modes
  • NTP clients
  • Configuring NTP clients
  • Configuring NTP servers
  • Securing NTP
  • NTP packet integrity
  • Useful NTP commands
  • Lab: secure NTP

Kerberos concepts

  • The computing landscape
  • Common security problems
  • Account proliferation
  • The Kerberos solution
  • Kerberos history
  • Kerberos implementations
  • Kerberos concepts
  • Kerberos principals
  • Kerberos safeguards
  • Kerberos components
  • Authentication process
  • Identification types
  • Logging in
  • Gaining privileges
  • Using privileges

Kerberos components

  • KDC
  • Kerberos principal review
  • Kerberized services review
  • Kerberized clients
  • KDC server daemons
  • Configuration files
  • Utilities overview
  • Kerberos SysV init scripts

Implementing Kerberos

  • Plan topology
  • Plan implementation
  • Kerberos 5 client software
  • Kerberos 5 server software
  • Synchronize clocks
  • Create master KDC
  • Configuring the master KDC
  • KDC logging
  • Specifying [realms]
  • Specifying [domain_realm]
  • Allow administrative access
  • Create KDC databases
  • Create administrators
  • Install keys for services
  • Start services
  • Add host principals
  • Add common service principals
  • Configure slave KDCs
  • Create principals for slaves
  • Define slaves as KDCs
  • Copy configuration to slaves
  • Install principals on slaves
  • Synchronization of database
  • Propagate data to slaves
  • Create stash on slaves
  • Start slave daemons
  • Client configuration
  • Install krb5.conf on clients
  • Client PAM configuration
  • Install client host keys
  • Lab: implementing Kerberos

Administrating and using Kerberos

  • Administrative tasks
  • Key tables
  • Managing keytabs
  • Principals
  • Managing principals
  • MIT principal policy
  • Viewing principals
  • MIT managing principals
  • Overall goals for users
  • Signing in to Kerberos
  • Ticket types
  • Viewing tickets
  • GUI Kerberos ticket management
  • Removing tickets
  • Passwords
  • Changing passwords
  • Giving others access
  • Using Kerberized services
  • Kerberized FTP
  • Enabling Kerberized services
  • OpenSSH and Kerberos
  • Lab: using Kerberized clients

Securing the file system

  • File system mount options
  • NFS properties
  • NFS export option
  • NFSv4 and GSSAPI auth
  • Implementing NFSv4
  • File encryption with GPG
  • File encryption with OpenSSL
  • Encrypted loopback FS
  • Lab: file system security, and file encryption

Tripwire

  • Host intrusion detection
  • Using RPM as an IDS
  • Tripwire history
  • Tripwire concepts
  • Tripwire installation
  • Tripwire policies
  • Tripwire configuration
  • Tripwire commands
  • General operation
  • Lab: file integrity checking w/RPM & Tripwire

Securing Apache

  • Apache overview
  • RH default configuration
  • SUSE default configuration
  • Configuring CGI
  • Turning off unneeded modules
  • Configuration delegation
  • Configuration scope
  • ACL by IP address
  • HTTP user authentication
  • Standard auth modules
  • HTTP digest authentication
  • Authentication via SQL
  • Authentication via LDAP
  • Authentication via Kerberos
  • Scrubbing HTTP headers
  • Metering HTTP bandwidth
  • Lab: securing Apache

Securing PostgreSQL

  • PostgreSQL overview
  • PostgreSQL default configuration
  • Configuring SSL
  • Authentication methods
  • Advanced authentication
  • Identity-based authentication
  • Lab: securing PostgreSQL

Securing e-mail systems

  • SMTP overview
  • SMTP implementations
  • Selecting an MTA
  • Security considerations
  • Postfix overview
  • Chrooting Postfix
  • Connections and relays
  • SMTP AUTH & STARTTLS/SSL
  • Secure Cyrus IMAP config
  • Using GSSAPI/Kerberos auth
  • Lab: securing e-mail

SELinux concepts

  • DAC vs. MAC
  • Shortcomings of traditional UNIX security
  • SELinux goals
  • SELinux terms
  • SELinux logical architecture
  • Example of SELinux in action
  • Activating SELinux
  • Interfacing with SELinux
  • SELinux commands
  • SELinux roles
  • Modified system utilities
  • Lab: SELinux concepts

SELinux policy

  • SELinux policies review
  • Choosing a policy
  • Compiled policy files
  • Policy source files
  • M4 macro language
  • File context files (*.fc)
  • Type enforcement files (*.te)
  • Booleans
  • Graphical policy tools
  • Policy analysis
  • Policy customization
  • Troubleshooting SELinux problems
  • Lab: SELinux policy

U8630SD.00



© 2009 Hewlett-Packard Development Company, L.P.