This highly technical course focuses on properly securing machines running the Linux operating systems. A broad range of general security techniques such as user/group policies, and file integrity checking are covered. Advanced security technologies are taught such as Kerberos, SELinux, and the hardening of popular applications such as Apache, databases, and email systems. At the end of the course, students have an excellent understanding of the potential security vulnerabilities -- know how to audit existing machines, and best practices how to securely deploy new Linux servers.
Prerequisites: Individuals planning to take this class should have strong Linux system administration experience. Students should be comfortable with concepts and tasks such as editing text files in UNIX and starting and stopping services/daemons. A good grasp of networking concepts is also helpful.
This course is currently taught using Fedora Core 3.
Express Interest in this Course
Detailed Course Outline
Section 1 Security ConceptsBasic Security Principles
RHEL/FC/SLES/SL Default Install
RH/SUSE Firewall Options and File Security
Minimization - Discovery
Service Discovery
Hardening
Security Concepts
Lab 1 - Security ConceptsRHEL/FC/SLES/SL Default Install
RH/SUSE Firewall Options and File Security
Minimization - Discovery
Service Discovery
Hardening
Security Concepts
Discovering what software packages are installed and removing unneeded packages
Using lokkit for firewall configuration
Identification of running services and removing unneeded services
Increasing security using system calls and chroot
Section 2 Probing, Mapping and Scanning for VulnerabilitiesUsing lokkit for firewall configuration
Identification of running services and removing unneeded services
Increasing security using system calls and chroot
The Security Environment
Stealth Reconnaissance
The WHOIS database
Interrogating DNS
Discovering Available Hosts and Applications
Reconnaissance with SNMP
Discovery of RPC Services
Enumerating NFS Shares
Nessus Insecurity Scanner and Installation
Lab 2 - Probing, Mapping and NessusStealth Reconnaissance
The WHOIS database
Interrogating DNS
Discovering Available Hosts and Applications
Reconnaissance with SNMP
Discovery of RPC Services
Enumerating NFS Shares
Nessus Insecurity Scanner and Installation
Discovery of listening services and remote stack fingerprinting
Installing, configuring and testing Nessus insecurity scanner
Section 3 Password Security and PAMInstalling, configuring and testing Nessus insecurity scanner
Unix Passwords
Password Aging
Auditing Passwords
PAM Implementation, Management, and Control Statements
PAM Modules
pam_stack.so, pam_unix.so, pam_unix2.so, pam_cracklib.so, pam_pwcheck.so, pam_env.so, pam_xauth..so, pam_tally.so, pam_wheel.so, pam_limits.so, pam_nologin.so, pam_deny.so, pam_securetty.so, pam_time.so, pam_access.so, pam_listfile.so, pam_lastlog.so, pam_warn.so, pam_console.so, pam_resmgr.so, and pam_devperm.so
User Device Access: resmgr
Lab 3 - Pluggable Authentication ModulesPassword Aging
Auditing Passwords
PAM Implementation, Management, and Control Statements
PAM Modules
pam_stack.so, pam_unix.so, pam_unix2.so, pam_cracklib.so, pam_pwcheck.so, pam_env.so, pam_xauth..so, pam_tally.so, pam_wheel.so, pam_limits.so, pam_nologin.so, pam_deny.so, pam_securetty.so, pam_time.so, pam_access.so, pam_listfile.so, pam_lastlog.so, pam_warn.so, pam_console.so, pam_resmgr.so, and pam_devperm.so
User Device Access: resmgr
Auditing user password quality
Creating additional dictionaries for use with cracklib
Working with PAM modules
Limiting access activities of users and accounts
Section 4 Secure network time protocol (NTP)Creating additional dictionaries for use with cracklib
Working with PAM modules
Limiting access activities of users and accounts
The Importance of Time
Time Measurements and Synchronization Methods
NTP Evolution
Time Server Hierarchy
Operational Modes
NTP Clients
Configuring NTP Clients and Servers
Securing NTP
NTP Packet Integrity
Useful NTP Commands
Lab 4 - Secure NTPTime Measurements and Synchronization Methods
NTP Evolution
Time Server Hierarchy
Operational Modes
NTP Clients
Configuring NTP Clients and Servers
Securing NTP
NTP Packet Integrity
Useful NTP Commands
Configuring NTP peering
Configuring strong authentication on a NTP server
Defining Access Control Lists (ACLs) for secure access to NTP server
Section 5 Kerberos ConceptsConfiguring strong authentication on a NTP server
Defining Access Control Lists (ACLs) for secure access to NTP server
The Computing Landscape
Common Security Problems
Account Proliferation
The Kerberos Solution
Kerberos History, Implementations, and Concepts
Kerberos Principals, Safeguards, and Components
Authentication Process and Identification Types
Logging In
Gaining and Using Privileges
Section 6 Kerberos ComponentsCommon Security Problems
Account Proliferation
The Kerberos Solution
Kerberos History, Implementations, and Concepts
Kerberos Principals, Safeguards, and Components
Authentication Process and Identification Types
Logging In
Gaining and Using Privileges
Kerberos Components
Kerberos Principal Review
Kerberized Services Review and Clients
KDC Server Daemons
Configuration Files
Utilities Overview
Kerberos SysV Init Scripts
Section 7 Implementing KerberosKerberos Principal Review
Kerberized Services Review and Clients
KDC Server Daemons
Configuration Files
Utilities Overview
Kerberos SysV Init Scripts
Plan Topology and Implementation
Kerberos 5 Client and Server Software
Synchronize Clocks
Creating and Configuring the Master KDC
KDC Logging
Specifying [realms] and [domain_realm]
Allow Administrative Access
Create KDC Databases and Administrators
Install Keys for Services and Start Services
Add Host Principals and Common Service Principals
Configure Slave KDCs
Client Configuration
Install krb5.conf on Clients
Client PAM Configuration
Install Client Host Keys
Lab 7-Implementing KerberosKerberos 5 Client and Server Software
Synchronize Clocks
Creating and Configuring the Master KDC
KDC Logging
Specifying [realms] and [domain_realm]
Allow Administrative Access
Create KDC Databases and Administrators
Install Keys for Services and Start Services
Add Host Principals and Common Service Principals
Configure Slave KDCs
Client Configuration
Install krb5.conf on Clients
Client PAM Configuration
Install Client Host Keys
Configuring a master KDC
Configuring a slave KDC
Configuring a Kerberos client
Section 8 Administrating and Using KerberosConfiguring a slave KDC
Configuring a Kerberos client
Administrative Tasks
Key Tables
Managing Keytabs
Principals and Managing Principals
MIT Principal Policy
Viewing Principals
MIT Managing Policies
Goals for Users
Signing Into Kerberos
Ticket types and Viewing Tickets
GUI Kerberos Ticket Management
Removing Tickets
Passwords and Changing Passwords
Giving Others Access
Using Kerberized Services
Kerberized FTP
Enabling Kerberized Services
OpenSSH and Kerberos
Lab 8 - Using Kerberized ClientsKey Tables
Managing Keytabs
Principals and Managing Principals
MIT Principal Policy
Viewing Principals
MIT Managing Policies
Goals for Users
Signing Into Kerberos
Ticket types and Viewing Tickets
GUI Kerberos Ticket Management
Removing Tickets
Passwords and Changing Passwords
Giving Others Access
Using Kerberized Services
Kerberized FTP
Enabling Kerberized Services
OpenSSH and Kerberos
System configuration for use of kerberized client and server applications
Using the kerberized telnet to connect via a ticket and encrypt the data for the session
Exploring the utility and behavior of forwardable tickets
Configuring an OpenSSH server and client to accept and use Kerberos Authentication
Testing Kerberos authentication with OpenSSH
Section 9 Securing the filesystemUsing the kerberized telnet to connect via a ticket and encrypt the data for the session
Exploring the utility and behavior of forwardable tickets
Configuring an OpenSSH server and client to accept and use Kerberos Authentication
Testing Kerberos authentication with OpenSSH
Filesystem Mount Options
NFS Properties and NFS Export Option
NFSv4 and GSSAPI Auth
Implementing NFSv4
File Encryption with GPG and OpenSSL
Encrypted Loopback FS
Lab 9 - Filesystem Security, and File EncryptionNFS Properties and NFS Export Option
NFSv4 and GSSAPI Auth
Implementing NFSv4
File Encryption with GPG and OpenSSL
Encrypted Loopback FS
Modification of filesystem mounting options to increase system security
Configuring and securing an NFS share
Encrypting and decrypting files using GPG and openssl
Setting up a NFSv4 share with GSSAPI/Kerberos authentication
Section 10 TripwireConfiguring and securing an NFS share
Encrypting and decrypting files using GPG and openssl
Setting up a NFSv4 share with GSSAPI/Kerberos authentication
Host Intrusion Detection
Using RPM as an IDS
TripWire History and Concepts
TripWire Installation, Policies, and Configuration
TripWire Commands and General Operation
Lab 10 - File integrity checking with rpm / TripWireUsing RPM as an IDS
TripWire History and Concepts
TripWire Installation, Policies, and Configuration
TripWire Commands and General Operation
Verifying the integrity of files on the system and files in a directory
Configuring TripWire to monitor files and report changes
Section 11 Securing ApacheConfiguring TripWire to monitor files and report changes
Apache Overview
RH/SUSE Default Configuration
Configuring CGI
Turning off unneeded modules
Configuration Delegation and Scope
ACL by IP Address
HTTP User Authentication
Standard Auth Modules
HTTP Digest Authentication
Authentication via SQL, LDAP, and Kerberos
Scrubbing HTTP Headers
Metering HTTP Bandwidth
Lab 11- Securing ApacheRH/SUSE Default Configuration
Configuring CGI
Turning off unneeded modules
Configuration Delegation and Scope
ACL by IP Address
HTTP User Authentication
Standard Auth Modules
HTTP Digest Authentication
Authentication via SQL, LDAP, and Kerberos
Scrubbing HTTP Headers
Metering HTTP Bandwidth
Increasing security and optimizing Apache by disabling unneeded modules
Removing Apache and PHP version from HTTP headers
Setting up virtual hosts
Creating CGI scripts to "deface" another's files and setting permissions against exploit
Showing files can be read by virtual host users and employing "suexec" to protect against access
Configuring and testing mod_auth_kerb
Section 12 Securing PostgreSQLRemoving Apache and PHP version from HTTP headers
Setting up virtual hosts
Creating CGI scripts to "deface" another's files and setting permissions against exploit
Showing files can be read by virtual host users and employing "suexec" to protect against access
Configuring and testing mod_auth_kerb
PostgreSQL Overview and Default Configuration
Configuring SSL
Authentication Methods and Advanced Authentication
Ident-based Authentication
Lab 12- Securing PostgreSQLConfiguring SSL
Authentication Methods and Advanced Authentication
Ident-based Authentication
Configuring PostgreSQL to accept remote TCP connections
Configuring PostgreSQL to support strong authentication via SSL
Configuring PostgreSQL to support Kerberos
Setting up and configuring a web based multi-user PHP calendaring application that uses PostgreSQL
Configuring Apache to support Kerberos authentication and to require SSL
Section 13 Securing EMail SystemsConfiguring PostgreSQL to support strong authentication via SSL
Configuring PostgreSQL to support Kerberos
Setting up and configuring a web based multi-user PHP calendaring application that uses PostgreSQL
Configuring Apache to support Kerberos authentication and to require SSL
SMTP Overview and Implementations
Selecting an MTA
Security Considerations
Postfix Overview
Chrooting Postfix
Connections and Relays
SMTP AUTH & StartTLS/SSL
Secure Cyrus IMAP Config
Using GSSAPI/Kerberos Auth
Lab 13 - Securing EmailSelecting an MTA
Security Considerations
Postfix Overview
Chrooting Postfix
Connections and Relays
SMTP AUTH & StartTLS/SSL
Secure Cyrus IMAP Config
Using GSSAPI/Kerberos Auth
Configuring a system to use Postfix
Configuring Postfix to listen on the network and accept mail
Modifying Postfix’s SysV Init script to setup and maintain the proper environment for chrooting Postfix daemons each time it starts
Configuring Postfix to chroot some of its daemons
Configuring Postfix to use SMTP AUTH via PAM for secure relaying
Configuring Postfix to support STARTTLS to secure SMTP AUTH
Configuring Cyrus IMAP with SSL/TLS for IMAPS and POP3 access
Configuring Postfix to deliver mail to Cyrus IMAP
Setting up Evolution to test Postfix and Cyrus IMAP
Generating Kerberos principals for Cyrus IMAP and Postfix
Re-Configuring Cyrus IMAP and Postfix to perform GSSAPI/Kerberos authentication
Re-Configuring Evolution to preform GSSAPI/Kerberos authentication
Section 14 SELinux ConceptsConfiguring Postfix to listen on the network and accept mail
Modifying Postfix’s SysV Init script to setup and maintain the proper environment for chrooting Postfix daemons each time it starts
Configuring Postfix to chroot some of its daemons
Configuring Postfix to use SMTP AUTH via PAM for secure relaying
Configuring Postfix to support STARTTLS to secure SMTP AUTH
Configuring Cyrus IMAP with SSL/TLS for IMAPS and POP3 access
Configuring Postfix to deliver mail to Cyrus IMAP
Setting up Evolution to test Postfix and Cyrus IMAP
Generating Kerberos principals for Cyrus IMAP and Postfix
Re-Configuring Cyrus IMAP and Postfix to perform GSSAPI/Kerberos authentication
Re-Configuring Evolution to preform GSSAPI/Kerberos authentication
DAC vs. MAC
Shortcomings of Traditional UNIX Security
SELinux Goals, Terms, and Logical Architecture
SELinux in Action
Activating and Interfacing SELinux
SELinux Commands and Roles
Modified System Utilities
Lab 14 - SELinux ConceptsShortcomings of Traditional UNIX Security
SELinux Goals, Terms, and Logical Architecture
SELinux in Action
Activating and Interfacing SELinux
SELinux Commands and Roles
Modified System Utilities
Installing and initializing SELinux
Working with several SELinux management commands to see how roles and contexts are used on the system
Section 15 SELinux PolicyWorking with several SELinux management commands to see how roles and contexts are used on the system
SELinux Policies Review
Choosing a Policy
Compiled Policy Files
Policy Source Files
M4 Macro Language
File Context Files (*.fc)
Type Enforcement Files (*.te)
Booleans
Graphical Policy Tools
Policy Analysis
Policy Customization
Troubleshooting SELinux Problems
Lab 15 - SELinux PolicyChoosing a Policy
Compiled Policy Files
Policy Source Files
M4 Macro Language
File Context Files (*.fc)
Type Enforcement Files (*.te)
Booleans
Graphical Policy Tools
Policy Analysis
Policy Customization
Troubleshooting SELinux Problems
Enabling Strict Policy
Changing roles on the system
Understanding the difference between how context labels are treated with the cp and mv commands
Setting SELinux Boolean Values
Modifying the default policy so that users can do a directory listing in /var/log
Changing roles on the system
Understanding the difference between how context labels are treated with the cp and mv commands
Setting SELinux Boolean Values
Modifying the default policy so that users can do a directory listing in /var/log