|
Enterprise Linux Security Administration |
 |
 |
 |
|
This course teaches students how to plan and implement security on Linux servers for enterprise networks.
Course details are provided below and are also available in PDF format.
REGISTER HERE
COURSE DETAILS
Prerequisites: Linux system administration and network administration or equivalent experience.
Course Outline:
Introduction to Security:
What are the Concerns?
- Availability, Integrity, and Confidentiality
- The Tension between Security and Usability
- Social, Physical, User, and Network Security
What are the Tools?
- Designing Policies
- Keeping Software Updated withop2date
- Unix-style Ownerships and Permissions
- SELinux Types and Domains
- Pluggable Authentication Modules (PAM)
- Service Management and Access Control
System Monitoring:
Monitoring the Network
- Open Ports are Open Doors
- Using netstat to Determine Open Ports
- Using Isof to Determine Open Ports
- Using nmap to Determine Open Ports
- Managing Open Ports with chkconfig and Service
Monitoring Logs
- Review of the Syslog service
- Key Log Files
- Generating Log Summaries with Logwatch
- Log files and SELinux Auditing
Monitoring the Filesystem
- Review of the find Command
- Fingerprinting Files
- Tracking Disk Usage
- SUID and SGID Executables
- Problematic Permissions
Monitoring Processes
- Review of the ps Command
- Dynamic Process Monitoring
- Process Limits
- Process Accounting
- Implement Secure Cookies
- Harden a Web Browser
An Overview of User Authentication
- User Authentication vs. User Account Information
- Accessing User Information with getent
- Updating User Authentication with passwd
Name Service Switch: /etc/nsswitch.conf
- Introduction to the Name Service Switch
- Name Service Switch Databases
- Managing NSS with system-config-auth
The Pluggable Authentication Modules
- Introduction to PAM
- PAM Libraries: /lib/security/*.so
- PAM Configuration: /etc/pam.d/
- Exploring PAM Syntax: login
Selected PAM Modules
- PAM Documentation: /usr/share/doc/pam-*/
- Controlling User Access with pam_access.so
- The Console User pam_console.so
- Allowing Groups: pam_group.so
- Limiting by Time: pam_time.so
- The wheel Groups: pam_wheel.so
The Network Information Service
- Introduction to NIS
- Setting up an NIS Server
- Establishing the NIS Domain: domainame and /etc/sysconfig/network
- Limiting NIS Access: /var/yp/securenets
- Starting the ypserv Service
- Creating NIS Maps: /var/yp/Makefile
- Initializing the Service: /usr/lib/yp/ypinit
More NIS Configuration
- Maintaining Passwords with yppasswdd
- Configuration and NIS Slave
- Automounting Home Directories
- Network Security Using iptables
|
Kernel Level Firewalling
- Introduction to iptables
- The iptables Command
- Saving the Firewall State: iptables-save and iptables-restore
- The iptables Service
Advanced kernel Level Firewalling
- Adding Custom Chains
- An iptables GUI: system-config-securitylevel
- Implementing Routing Policy
- Providing Access to Private Networks: MASQUERADE
- Selectively Exposing Private Networks: DNAT
More iptables Extensions
- Target Extensions: REJECT and LOG
- Stateful Firewalls: TCP state Extensions
- TCP Flag extensions
- Rate Limiting Rules
- Owner Extensions
- Sampling Rules: nth and random
- Implementing Policy by Time
Securing Services:
Tcp Wrappers
- History of tcp_wrappers
- The /etc/hosts.{deny,allow} Files
- Specifying daemons
- Specifying Clients
More TCP wrappers
- LOCAL, ALL, EXCEPT keywords
- Which applications are complied against lib_wrap.so?
- Spawning Connections
- Twisting Connections
Xinetd bases Access Control
- Access Control Lists: only_from and no_access
- DOS prevention: per_source, cps, loadavg
- Managing Logging: log_on_success and log_on_failure
- Other Options: time, nice, rlimits
Securing Data:
Introduction to Encryption
- The Need for encryption
- Cryptographic Building Blocks
- Implementations: openssl, gpg, RPM
- Random Numbers
- One Way Hashes (“Fingerprints”)
Symmetric Encryption
- What is Symmetric Encryption
- Common Algorithms
- Common Utilities
- Password Handling – crypt(), md5, md5apache, etc…
Asymmetric (“Public Key”) Encryption
- What is Asymmetric Encryption?
- Public/Private Key Pairs
- Encryptions w/o Key Synchronization
- Digital Signatures
Public Key Infrastructures
- Webs of Trust: Key Signing
- X509 Digital Certificates
- Certificate Authorities
OpenSSH
- OpenSSH Basics
- Public Key Authentication
- Server Configuration
- Client Configuration
- Tunneling legacy protocols
- One Time Logins: The SSH Agent
|
- Course Length: 5 days or 10 evenings
- Tuition: $1,999/per person
- On-site training available
- Group discounts available
REGISTER HERE
|
