- Linux Security Administration
Develop your ability to administer security in your Linux environment!
This hands-on technical course focuses on how to thoroughly secure systems running the Linux operating system.
You get a thorough walkthrough of various security techniques such as packet filtering, password policies, and how file integrity checking works. Advanced technologies such as Kerberos and SELinux are covered. You also go through how to secure common network services.
Course content
Supported distributions:
Red Hat Enterprise Linux, Fedora Core, SUSE Linux Enterprise Server, SUSE Linux
- Security Concepts: Basic Security Principles, Linux Default Install, Installer Firewall Options, Post-Install Firewall, Minimization - Discovery, Service Discovery, Hardening, Security Concepts
Lab: Removing Packages Using RPM, Firewall Configuration, Process Discovery, Operation of the setuid() and capset() System Calls, Operation of the chroot() System Call
- Scanning, Probing, and Mapping Vulnerabilities: The Security Environment, Stealth Reconnaissance, The WHOIS database, Interrogating DNS, Discovering Available Hosts and Apps, Reconnaissance with SNMP, Discovery of RPC Services, Enumerating NFS Shares, Nessus Insecurity Scanner, Configuring OpenVAS
Lab: NMAP, OpenVAS, Advanced NMAP Options
- Password Security and PAM: Unix Passwords, Password Aging, Auditing Passwords, PAM Implementation, Management, and Control Statements, PAM Modules, pam_unix.so, pam_cracklib.so, pam_pwcheck.so, pam_env.so, pam_xauth.so, pam_tally.so, pam_wheel.so, pam_limits.so, pam_nologin.so, pam_deny.so, pam_securetty.so, pam_time.so, pam_access.so, pam_listfile.so, pam_lastlog.so, pam_warn.so, pam_console.so, pam_resmgr.so, pam_devperm.so
Lab: John the Ripper, Cracklib, Using pam_listfile to Implement Arbitrary ACLs, Using pam_limits to Restrict Simultaneous Logins, Using pam_nologin to Restrict Logins, Using pam_access to Restrict Logins, su & pam
- Secure Network Time Protocol (NTP): The Importance of Time, Time Measurements, Terms and Definitions, Synchronization Methods, NTP Evolution, Time Server Hierarchy, Operational Modes, NTP Clients, Configuring NTP Clients and Servers, Securing NTP, NTP Packet Integrity, Useful NTP Commands
Lab: Configuring and Securing NTP, Peering NTP With Multiple Systems
- Kerberos Concepts: Common Security Problems, Account Proliferation, The Kerberos Solution, Kerberos History, Implementations, and Concepts, Kerberos Principals, Safeguards, and Components, Authentication Process, Identification Types, Logging In, Gaining and Using Privileges, Kerberos Components
- Kerberos Components: KDC, Kerberos Principal Review, Kerberized Services Review, Kerberized Clients, KDC Server Daemons, Configuration Files, Utilities Overview, Kerberos SysV Init Scripts
- Implementing Kerberos: Plan Topology, Plan Implementation, Kerberos Client Software, Kerberos Server Software, Synchronize Clocks, Creating and Configuring the Master KDC, KDC Logging, Kerberos Realm Defaults, Specifying [realms], Specifying [domain_realm], Allow Administrative Access, Create KDC Databases and Administrators, Install Keys for Services, Start Services, Add Host Principals, Add Common Service Principals, Configure Slave KDCs, Create Principals for Slaves, Define Slaves as KDCs, Copy Configuration to Slaves, Install Principals on Slaves, Synchronization of Database, Propagate Data to Slaves, Create Stash on Slaves, Start Slave Daemons, Client Configuration, Install krb5.conf on Clients, Client PAM Configuration, Install Client Host Keys
Lab: Implementing Kerberos
- Administrating and Using Kerberos: Administrative Tasks, Key Tables, Managing Keytabs, Principals, Managing Principals, Principal Policy, Viewing Principals, Managing Policies, Overall Goals for Users, Signing Into Kerberos, Ticket types, Viewing Tickets, Removing Tickets, Passwords, Changing Passwords, Giving Others Access, Using Kerberized Services, Kerberized FTP, Enabling Kerberized Services, OpenSSH and Kerberos
Lab: Using Kerberized Clients, Forwarding Kerberos Tickets, OpenSSH with Kerberos
- Securing The Filesystem: Filesystem Mount Options, NFS Properties, NFS Export Option, NFSv4 and GSSAPI Auth, Implementing NFSv4, File Encryption with GPG and OpenSSL, Linux Unified Key Setup (LUKS)
Lab: Securing Filesystems, Securing NFS, Implementing NFSv4, File Encryption With GPG
- File Encryption With OpenSSL: LUKS-on-disk format Encrypted Filesystem
APPENDIX (extra exercises for participants as time permits; documentation is included)
- SELinux Concepts: DAC vs. MAC, Shortcomings of Traditional Unix Security, SELinux Goals, Evolution, and Modes, Gathering Information, SELinux Virtual Filesystem, SELinux Contexts, Managing Contexts, SELinux Troubleshooting
Lab: Exploring SELinux Modes, SELinux Contexts in Action, SELinux Policy
- The SELinux Policy: Choosing a Policy, Policy Layout, Tuning and Adapting Policy, Booleans, Managing Booleans, Managing File Contexts, Managing Port Contexts, Managing SELinux graphically, Examining Policy
Lab: Managing SELinux Booleans [RHEL], Creating Policy with Audit2allow [RHEL], Creating & Compiling Policy from Source [RHEL]
Who this course is for
Experienced system administrators and product or system developers who need to develop their security skills for Linux systems.
Instructor
- Tomasz Staszewski, Unipipe
Prerequisites
The course covers advanced security topics and is aimed at experienced system administrators. As a participant, you should have experience with current Linux distributions and Linux system administration equivalent to our courses Linux Fundamentals, Enterprise Linux Systems Administration, and Enterprise Linux Network Services.
Course objectives
After the course, you will have a developed ability to work with potential security risks, and the ability to analyze existing implementations of the Linux operating system and how to implement network services securely.