Enterprise Linux Server Hardening

 

and OSUN-225 'Enterprise Linux Systems Administration'.
 

1. SECURITY CONCEPTS

• Basic Security Principles
• RHEL7 Default Install
• Minimization – Discovery
• Service Discovery
• Hardening
• Security Concepts
  • LAB TASKS
• Removing Packages Using RPM
• Firewall Configuration
• Process Discovery
• Operation of the setuid() and capset() System Calls
• Operation of the chroot() System Call
• Introduction to Troubleshooting Labs

2. SCANNING, PROBING, AND MAPPING VULNERABILITIES

• The Security Environment
• Stealth Reconnaissance
• The WHOIS database
• Interrogating DNS
• Discovering Hosts
• Discovering Reachable Services
• Reconnaissance with SNMP
• Discovery of RPC Services
• Enumerating NFS Shares
• Nessus/OpenVAS Insecurity Scanner
• Configuring OpenVAS
• Intrusion Detection Systems
• Snort Rules
• Writing Snort Rules
  • LAB TASKS
• NMAP
• OpenVAS
• Advanced nmap Options

3. TRACKING SECURITY UPDATES AND SOFTWARE MAINTENANCE

• Security Advisories
• Managing Software
• RPM Features
• RPM Architecture
• RPM Package Files
• Working With RPMs
• Querying and Verifying with RPM
• Updating the Kernel RPM
• Dealing With RPM & Yum Digest Changes
• Using the Yum command
• Using Yum history
• Yum Plugins & RHN Subscription Manager
• YUM Repositories
  • LAB TASKS
• Managing Software with RPM
• Creating a Custom RPM Repository
• Querying the RPM Database
• Using Yum

4. MANAGE THE FILESYSTEM

• Partitioning Disks with fdisk & gdisk
• Resizing a GPT Partition with gdisk
• Partitioning Disks with parted
• Filesystem Creation
• Persistent Block Devices
• Mounting Filesystems
• Filesystem Maintenance
• Swap
  • LAB TASKS
• Creating and Managing Filesystems
• Hot Adding Swap

5. SECURING THE FILESYSTEM

• Configuring Disk Quotas
• Setting Quotas
• Viewing and Monitoring Quotas
• Filesystem Attributes
• Filesystem Mount Options
• GPG – GNU Privacy Guard
• File Encryption with OpenSSL
• File Encryption With encfs
• Linux Unified Key Setup (LUKS)
  • LAB TASKS
• Setting User Quotas
• Securing Filesystems
• Securing NFS
• File Encryption with GPG
• File Encryption With OpenSSL
• LUKS-on-disk format Encrypted Filesystem

6. MANAGE SPECIAL PERMISSIONS

• File and Directory Permissions
• File Creation Permissions with umask
• SUID and SGID on files
• SGID and Sticky Bit on Directories
• Changing File Permissions
• User Private Group Scheme

7. MANAGE FILE ACCESS CONTROLS

• File Access Control Lists
• Manipulating FACLs
• Viewing FACLs
• Backing Up FACLs
• LAB TASKS
• Using Filesystem ACLs

8. MONITOR FOR FILESYSTEM CHANGES

• Host Intrusion Detection Systems
• Using RPM as a HIDS
• Introduction to AIDE
• AIDE Installation
• AIDE Policies
• AIDE Usage
  • LAB TASKS
• File Integrity Checking with RPM
• File Integrity Checking with AIDE

9. MANAGE USER ACCOUNTS

• Approaches to Storing User Accounts
• User and Group Concepts
• User Administration
• Modifying Accounts
• Group Administration
• RHEL DS Client Configuration
• System Security Services Daemon (SSSD)
  • LAB TASKS
• User Private Groups

10. PASSWORD SECURITY AND PAM

• Unix Passwords
• Password Aging
• Auditing Passwords
• PAM Overview
• PAM Module Types
• PAM Order of Processing
• PAM Control Statements
• PAM Modules
• pam_unix
• pam_cracklib.so
• pam_env.so
• pam_xauth.so
• pam_tally2.so
• pam_wheel.so
• pam_limits.so
• pam_nologin.so
• pam_deny.so
• pam_warn.so
• pam_securetty.so
• pam_time.so
• pam_access.so
• pam_listfile.so
• pam_lastlog.so
• pam_console.so
  • LAB TASKS
• John the Ripper
• Cracklib
• Using pam_listfile to Implement Arbitrary ACLs
• Using pam_limits to Restrict Simultaneous Logins
• Using pam_nologin to Restrict Logins
• Using pam_access to Restrict Logins
• su & pam

11. USING FREEIPA FOR CENTRALIZED AUTHENTICATION

• What Is FreeIPA?
• FreeIPA Features
• FreeIPA Installation
• FreeIPA Client Installation
• User, Group, And Host Management
• User, Group, And Host Management
• FreeIPA Active Directory Integration

12. LOG FILE ADMINISTRATION

• System Logging
• systemd Journal
• systemd Journal's journalctl
• Secure Logging with Journal's Log Sealing
• gnome-system-log
• Rsyslog
• /etc/rsyslog.conf
• Log Management
• Log Anomaly Detector
• Sending logs from the shell
  • LAB TASKS
• Using the systemd Journal
• Setting up a Full Debug Logfile
• Remote Syslog Configuration
• Remote Rsyslog TLS Configuration

13. ACCOUNTABILITY WITH KERNEL AUDITD

• Accountability and Auditing
• Simple Session Auditing
• Simple Process Accounting & Command History
• Kernel-Level Auditing
• Configuring the Audit Daemon
• Controlling Kernel Audit System
• Creating Audit Rules
• Searching Audit Logs
• Generating Audit Log Reports
• Audit Log Analysis
  • LAB TASKS
• Auditing Login/Logout
• Auditing File Access
• Auditing Command Execution

14. SECURING SERVICES

• Xinetd
• Xinetd Connection Limiting and Access Control
• Xinetd: Resource limits, redirection, logging
• TCP Wrappers
• The /etc/hosts.allow & /etc/hosts.deny Files
• /etc/hosts.{allow,deny} Shortcuts
• Advanced TCP Wrappers
• FirewallD
• Netfilter: Stateful Packet Filter Firewall
• Netfilter Concepts
• Using the iptables Command
• Netfilter Rule Syntax
• Targets
• Common match_specs
• Connection Tracking
  • LAB TASKS
• Securing xinetd Services
• Enforcing Security Policy with xinetd
• Securing Services with TCP Wrappers
• Securing Services with Netfilter
• FirewallD
• Troubleshooting Practice

15. SELINUX

• DAC vs. MAC
• Shortcomings of Traditional Unix Security
• SELinux Goals
• SELinux Evolution
• SELinux Modes
• Gathering SELinux Information
• SELinux Virtual Filesystem
• SELinux Contexts
• Managing Contexts
• The SELinux Policy
• Choosing an SELinux Policy
• Policy Layout
• Tuning and Adapting Policy
• Booleans
• Permissive Domains
• Managing File Context Database
• Managing Port Contexts
• SELinux Policy Tools
• Examining Policy
• SELinux Troubleshooting
• 21. SELinux Troubleshooting Continued
  • LAB TASKS
• Exploring SELinux Modes
• SELinux File Contexts
• SELinux Contexts in Action
• Managing SELinux Booleans
• Creating Policy with Audit2allow
• Creating & Compiling Policy from Source