



ExitCertified - Excellence in IT Certified Education
 
Enterprise Linux Security Administration
 
 
 
 
ibm certified training   this course works with savings passes
 
code: QLG55
length: 5 days
type: Instructor-Led
partner: IBM
price: $2,750
 
 
In this highly technical course, focus on properly securing machines running the Linux operating system. Examine a broad range of general security techniques, such as user/group policies and file integrity checking. Learn advanced security technologies, such as Kerberos and Security Enhanced Linux (SELinux), and the hardening of popular applications, such as Apache, databases, and e-mail systems. By the end of the course, gain an excellent understanding of potential security vulnerabilities, and know how to audit existing machines and follow best practices for securely deploying new Linux servers.
 
 
who can benefit
 
 
This is an expert course for:

Individuals who are Linux system administrators needing to secure Linux systems
Individuals seeking security auditing skills for Linux systems
Individuals who administer Red Hat Enterprise Linux or SUSE Linux Enterprise Server based systems


 
prerequisites
 
 
You should have strong Linux system administration experience. You should be comfortable with concepts and tasks, such as editing text files in UNIX and starting and stopping services/daemons. A good grasp of networking concepts is helpful.
 
skills gained
 
 

Understand core security concepts, such as firewalling, file security, discovery, and hardening
Use tools for probing, mapping, and scanning for vulnerabilities including nmap and nessus
Implement a hardened Network Time Protocol (NTP) client/server setup for secure, synchronized network time
Secure a system's filesystem using Network File System (NFS), GNU Privacy Guard (GPG), and TripWire
Implement password security and Pluggable Authentication Module (PAM)
Deploy a secure authentication system using Kerberos
Configure SELinux policies
Perform a security audit on Linux systems
Securely deploy new network services, such as Apache, PostgreSQL, PHP, and Postfix


 
ibm education advantage program eligibility:
 
 

Yes - IBM Education Pack - online account




 
course content details  
 


  Section 1 - security concepts

basic security principles
Red Hat Enterprise Linux (RHEL) / Fiber Channel (FC) / SUSE Linux Enterprise Server (SLES) / SUSE Linux (SL) default install
Red Hat (RH) / SUSE firewall options and file security
minimization - discovery
service discovery
hardening
security concepts




  Lab 1 - security concepts

discovering what software packages are installed and removing unneeded packages
using lokkit for firewall configuration
identification of running services and removing unneeded services
increasing security using system calls and chroot




  Section 2 - probing, mapping, and scanning for vulnerabilities

the security environment
stealth reconnaissance
the WHOIS database
interrogating Domain Name System (DNS)
discovering available hosts and applications
reconnaissance with Simple Network Management Protocol (SNMP)
discovery of Remote Procedure Call (RPC) services
enumerating NFS shares
Nessus insecurity scanner and installation




  Lab 2 - probing, mapping and Nessus

Discovery of listening services and remote stack fingerprinting
Installing, configuring and testing Nessus insecurity scanner




  Section 3 - password security and PAM

UNIX passwords
password aging
auditing passwords
PAM implementation, management, and control statements
PAM modules
pam_stack.so, pam_unix.so, pam_unix2.so, pam_cracklib.so, pam_pwcheck.so, pam_env.so, pam_xauth.so, pam_tally.so, pam_wheel.so, pam_limits.so, pam_nologin.so, pam_deny.so, pam_securetty.so, pam_time.so, pam_access.so, pam_listfile.so, pam_lastlog.so, pam_warn.so, pam_console.so, pam_resmgr.so, and pam_devperm.so
user device access: resmgr




  Lab 3 - PAMs

auditing user password quality
creating additional dictionaries for use with cracklib
working with PAM modules
limiting access activities of users and accounts




  Section 4 - secure NTP

the importance of time
time measurements and synchronization methods
NTP evolution
time server hierarchy
operational modes
NTP clients
configuring NTP clients and servers
securing NTP
NTP packet integrity
useful NTP commands




  Lab 4 - secure NTP

configuring NTP peering
configuring strong authentication on an NTP server
defining access control lists (ACL) for secure access to an NTP server




  Section 5 - Kerberos concepts

the computing landscape
common security problems
account proliferation
the Kerberos solution
Kerberos history, implementations, and concepts
Kerberos principals, safeguards, and components
authentication process and identification types
logging in
gaining and using privileges




  Section 6 - Kerberos components

Kerberos components
Kerberos principal review
Kerberized services review and clients
Key Distribution Center (KDC) server daemons
Configuration files
Utilities overview
Kerberos sysV init scripts




  Section 7 - implementing Kerberos

plan topology and implementation
Kerberos 5 client and server software
synchronize clocks
creating and configuring the master KDC
KDC logging
specifying [realms] and [domain_realm]
allow administrative access
create KDC databases and administrators
Install Keys for services and start services
add host principals and common service principals
configure slave KDCs
client configuration
Install krb5.conf on clients
client PAM configuration
Install client host keys




  Section 8 - administrating and using Kerberos

administrative tasks
key tables
managing keytabs
principals and managing principals
Massachusetts Institute of Technology (MIT) principal policy
viewing principals
MIT managing policies
goals for users
signing into Kerberos
ticket types and viewing tickets
Graphical User Interface (GUI) Kerberos ticket management
removing tickets
Passwords and changing passwords
giving others access
using Kerberized services
Kerberized FTP
enabling Kerberized services
OpenSSH and Kerberos




  Lab 8 - using Kerberized clients

system configuration for use of Kerberized client and server applications
using the Kerberized Telnet to connect via a ticket and encrypt the data for the session
exploring the utility and behavior of forwardable tickets
configuring an OpenSSH server and client to accept and use Kerberos authentication
testing Kerberos authentication with OpenSSH




  Section 9 - securing the filesystem

filesystem mount options
NFS properties and NFS export option
NFSv4 and Generic Security Service Application Program Interfaces (GSS-API) auth
implementing NFSv4
file encryption with GPG and OpenSSL
encrypted loopback File System (FS)




  Lab 9 - filesystem security and file encryption

modification of filesystem mounting options to increase system security
configuring and securing an NFS share
encrypting and decrypting files using GPG and OpenSSL
setting up an NFSv4 share with GSSAPI/Kerberos authentication




  Section 10 - TripWire

host intrusion detection
using Red Hat Package Manager (RPM) as an Intrusion Detection System (IDS)
TripWire history and concepts
TripWire installation, policies, and configuration
TripWire commands and general operation




  Lab 10 - file integrity checking with RPM / TripWire

verifying the integrity of files on the system and files in a directory
configuring TripWire to monitor files and report changes




  Section 11 - securing Apache

Apache overview
RH/SUSE default configuration
configuring Common Gateway Interface (CGI)
turning off unneeded modules
configuration delegation and scope
ACL by Internet Protocol (IP) address
Hypertext Transfer Protocol (HTTP) user authentication
Standard auth modules
HTTP digest authentication
authentication via SQL, Lightweight Directory Access Protocol (LDAP), and Kerberos
scrubbing HTTP headers
metering HTTP bandwidth




  Section 12 - securing PostgreSQL

PostgreSQL overview and default configuration
configuring Secure Sockets Layer (SSL)
authentication methods and advanced authentication
ident-based authentication




  Lab 12 - securing PostgreSQL

configuring PostgreSQL to accept remote Transmission Control Protocol (TCP) connections
configuring PostgreSQL to support strong authentication via SSL
configuring PostgreSQL to support Kerberos
setting up and configuring a Web-based multiuser PHP calendaring application that uses PostgreSQL
configuring Apache to support Kerberos authentication and to require SSL




  Section 13 - securing e-mail systems

Simple Mail Transfer Protocol (SMTP) overview and implementations
selecting a Message Transfer Agent (MTA)
security considerations
Postfix overview
Chrooting Postfix
connections and relays
SMTP AUTH and Start Transport Layer Security (TLS) / SSL
secure Cyrus Internet Message Access Protocol (IMAP) config
using GSSAPI/Kerberos auth




  Lab 13 - securing email

configuring a system to use Postfix
configuring Postfix to listen on the network and accept mail
modifying Postfix's sysV init script to set up and maintain the proper environment for chrooting Postfix daemons each time it starts
configuring Postfix to chroot some of its daemons
configuring Postfix to use SMTP AUTH via PAM for secure relaying
configuring Postfix to support STARTTLS to secure SMTP AUTH
configuring Cyrus IMAP with SSL/TLS for IMAPS and Post Office Protocol 3 (POP3) access
configuring Postfix to deliver mail to Cyrus IMAP
setting up Evolution to test Postfix and Cyrus IMAP
generating Kerberos principals for Cyrus IMAP and Postfix
reconfiguring Cyrus IMAP and Postfix to perform GSSAPI/Kerberos authentication
reconfiguring Evolution to perform GSSAPI/Kerberos authentication




  Section 14 - Security Enhanced Linux (SELinux) concepts

Massachusetts Institute of Technology (MIT) versus Media Access Control (MAC)
shortcomings of traditional UNIX security
SELinux goals, terms, and logical architecture
SELinux in action
activating and interfacing SELinux
SELinux commands and roles
modified system utilities




  Lab 14 - SELinux concepts

installing and initializing SELinux
working with several SELinux management commands to see how roles and contexts are used on the system




  Section 15 - SELinux policy

SELinux policies review
choosing a policy
compiled policy files
policy source files
M4 macro language
file context files (*.fc)
type enforcement files (*.te)
Booleans
graphical policy tools
policy analysis
policy customization
troubleshooting SELinux problems




  Lab 15 - SELinux policy

enabling strict policy
changing roles on the system
understanding the difference between how context labels are treated with the cp and mv commands
setting SELinux Boolean values
modifying the default policy so that users can do a directory listing in /var/log





 
© 2008 ExitCertified. All rights reserved.