LinuxCBT Security Edition encompasses 9 pivotal security modules


  • 8/14/2019 LinuxCBT Security Edition encompasses 9 pivotal security modules


LinuxCBT Security Edition encompasses 9 pivotal security modules:

1. Security Basics (fundamentals)
2. Proxy Security featuring Squid
3. Firewall Security featuring IPTables
4. SELinux Security - MAC-based Security Controls
5. Network Intrusion Detection System (NIDS) Security featuring Snort NIDS
6. Packet Capture | Analysis Security featuring Ethereal
7. Pluggable Authentication Modules (PAM) Security
8. Open Secure Shell version 2 (OpenSSHv2) Security
9. OpenPGP with Gnu Privacy Guard (GPG) Security

LinuxCBT Security Edition is unparalleled in content, depth and expertise. It entails 89 hours, or roughly 2 weeks, of classroom training. LinuxCBT Security Edition prepares you or your organization for successfully securing GNU/Linux & Open Source-based solutions. As a by-product, many of the covered concepts, utilities and tricks are applicable to heterogeneous computing environments, ensuring your coverage of the fundamentals of securing corporate infrastructures.

Recommended Prerequisites:

- Any LinuxCBT Operating System Course (Classic/EL-4/SUSE/Debian Editions)
- Open mind & determination to master Linux and related open-source applications
- Basic understanding of networking concepts
- Access to a PC to follow the exercises

Basic Security - Module 1

Boot Security

- Explore Dell PowerEdge BIOS security-related features
- Discuss concepts & improve Dell PowerEdge BIOS security
- Explain run-time boot loader vulnerabilities
- Explore single-user mode (root shell) and its inherent problems
- Modify default GRUB startup options & examine results
- Secure boot loader using MD5 hash
- Identify key startup-related configuration files & define boot security measures
- Identify key boot-related utilities
- Confirm expected hardware configuration
- Discuss INIT process, runlevel configuration & concepts
- Explore & tighten the security of the INIT configuration


- Identify potential vulnerabilities on interesting hosts derived from reconnaissance
- Examine NMAP logging capabilities
- Perform port sweeps to identify common vulnerabilities across exposed systems
- Secure exposed daemons/services
- Perform follow-up audit to ensure security policy compliance
- Discuss vulnerability scanner capabilities and applications
- Prepare system for Nessus vulnerability scanner installation - identify/install dependencies
- Generate self-signed SSL/TLS certificates for secure client/server communications
- Activate Nessus subscription, server and client components
- Explore vulnerability scanner interface and features
- Perform network-based reconnaissance attack to determine vulnerabilities
- Examine results of the reconnaissance attack and archive results
- Secure exposed vulnerabilities

XINETD - TCPWrappers - Chattr - Lsattr - TCPDump - Clear Text Daemons

- Install Telnet Daemon
- Install Very Secure FTP Daemon (VSFTPD)
- Explore XINETD configuration and explain directives
- Configure XINETD to restrict communications at layer-3 and layer-4
- Restrict access to XINETD-protected daemons/services based on time range
- Examine XINETD logging via Syslog
- Discuss TCPWrappers security concepts & applications
- Enhance Telnetd security with TCPWrappers
- Confirm XINETD & TCPWrappers security
- Discuss chattr applications & usage
- Identify & flag key files as immutable to deter modification
- Confirm extended attributes (XATTRs)
- Discuss TCPDump applications & usage
- Configure TCPDump to intercept Telnet & FTP - clear-text traffic
- Use Ethereal to examine & reconstruct captured clear-text traffic
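The TCPWrappers items above come down to one decision procedure, the one libwrap makes from /etc/hosts.allow and /etc/hosts.deny as documented in hosts_access(5). The following is an added example, not part of the LinuxCBT material: the two policy files are constructed for the lab described here, and only the pattern forms shown (ALL, LOCAL, .suffix, prefix., net/mask or CIDR, exact host or address, and EXCEPT) are implemented.

```python
"""Added example: the access decision TCP Wrappers (libwrap) makes from
/etc/hosts.allow and /etc/hosts.deny, as described in hosts_access(5).
Not part of LinuxCBT's material; the two sample files are constructed."""
import ipaddress


def _rules(text):
    """Yield (daemon_list, client_list) pairs; the optional shell_command
    field and comment/blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        yield fields[0].replace(",", " ").split(), fields[1].replace(",", " ").split()


def _list_matches(tokens, match_one):
    """'a b EXCEPT c d' matches when a or b matches and neither c nor d does.
    A second EXCEPT binds to the right, as in the real syntax."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        base, exception = tokens[:i], tokens[i + 1:]
        return any(match_one(t) for t in base) and not _list_matches(exception, match_one)
    return any(match_one(t) for t in tokens)


def _client_token(token, ip, host):
    if token == "ALL":
        return True
    if token == "LOCAL":                       # hostname without a dot
        return bool(host) and "." not in host
    if token.startswith("."):                  # domain suffix, e.g. .linuxcbt.internal
        return bool(host) and host.lower().endswith(token.lower())
    if token.endswith("."):                    # address prefix, e.g. 192.168.75.
        return ip.startswith(token)
    if "/" in token:                           # 192.168.75.0/255.255.255.0 or /24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
    return token == ip or (bool(host) and token.lower() == host.lower())


def _rule_matches(daemons, clients, daemon, ip, host):
    return (_list_matches(daemons, lambda t: t == "ALL" or t == daemon)
            and _list_matches(clients, lambda t: _client_token(t, ip, host)))


def decide(hosts_allow, hosts_deny, daemon, client_ip, client_host=""):
    """libwrap order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a (daemon, client) pair matched by neither file
    is GRANTED. That last step is why 'ALL: ALL' belongs in hosts.deny."""
    for daemons, clients in _rules(hosts_allow):
        if _rule_matches(daemons, clients, daemon, client_ip, client_host):
            return "ALLOW"
    for daemons, clients in _rules(hosts_deny):
        if _rule_matches(daemons, clients, daemon, client_ip, client_host):
            return "DENY"
    return "ALLOW"


# Constructed policy for the lab: telnet only from the management subnet,
# ssh from the whole 10/8 except one suspect host, ftp only from lab hostnames.
HOSTS_ALLOW = """
in.telnetd : 192.168.75.0/255.255.255.0
sshd       : 10.0.0.0/8 EXCEPT 10.0.0.66
vsftpd     : .linuxcbt.internal, LOCAL
"""
HOSTS_DENY = "ALL: ALL\n"


if __name__ == "__main__":
    for args in [("in.telnetd", "192.168.75.10"), ("in.telnetd", "192.168.76.10"),
                 ("sshd", "10.0.0.66"), ("vsftpd", "203.0.113.5", "ftp.linuxcbt.internal")]:
        print(args, decide(HOSTS_ALLOW, HOSTS_DENY, *args))
```

The check to run after editing the real files is the last case in `decide`: with an empty hosts.deny, a telnet connection from 192.168.76.10 is granted even though hosts.allow never mentions it. Hostname patterns only work when the daemon resolves the client address, and only for daemons that are linked against libwrap or started through tcpd/xinetd.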

    Secure Shell (SSH) & MD5SUM Applications


- Use Ethereal to examine SSH streams
- Generate RSA/DSA PKI usage keys
- Configure Public Key Infrastructure (PKI) based authentication
- Secure PKI authentication files
- Use SCP to transfer files securely in non-interactive mode
- Use SFTP to transfer files securely in interactive mode
- Configure SSH to support a pseudo-VPN using SSH tunnelling
- Discuss MD5SUM concepts and applications
- Compare & contrast modified files using MD5SUM
- Use MD5SUM to verify the integrity of downloaded files

GNU Privacy Guard (GPG) - Pretty Good Privacy (PGP) Compatible - PKI

- Discuss GPG concepts & applications - symmetric/asymmetric encryption
- Generate asymmetric RSA/DSA GPG/PGP usage keys - for multiple users
- Create a local web of trust
- Perform encrypts/decrypts and test data-exchanges
- Sign encrypted content and verify signatures @ recipient
- Import & export public keys for usage
- Use GPG/PGP with Mutt Mail User Agent (MUA)

AIDE File Integrity Implementation

- Discuss file-integrity checker concepts & applications
- Identify online repository & download AIDE
- Install AIDE on interesting hosts
- Configure AIDE to protect key files & directories
- Alter file system objects and confirm modifications using AIDE
- Audit the file system using AIDE
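The MD5SUM items earlier in this module and the AIDE items above are the same idea at two scales: record a digest per file, then compare. The block below is an added example, not LinuxCBT's or AIDE's code. It writes a baseline in the format `md5sum -c` / `sha256sum -c` read, then re-verifies a tree and reports changed, missing and added files; the sample tree and the "rootkit" changes to it are constructed in a temporary directory.

```python
"""Added example: an md5sum/sha256sum-style baseline and re-check, the idea
behind 'md5sum -c' and AIDE. Not LinuxCBT's code; the sample tree is constructed."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash one file in chunks. MD5 is what the course uses; it still catches
    accidental corruption, but collisions are practical, so an attacker who can
    replace a file can also match its MD5. sha256 is therefore the default here."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Return text in the format 'md5sum -c' / 'sha256sum -c' accept:
    '<hex>  <relative path>' per line (two spaces = text mode)."""
    root = Path(root)
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            lines.append(f"{file_digest(p, algo)}  {p.relative_to(root).as_posix()}")
    return "\n".join(lines) + "\n"


def parse_baseline(text):
    """Map relative path -> digest; tolerates blank and '#' lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest
    return entries


def verify(root, baseline_text, algo="sha256"):
    """Compare the tree with a stored baseline, as AIDE does with its database.
    Returns the three things an integrity checker must report."""
    expected = parse_baseline(baseline_text)
    actual = parse_baseline(build_baseline(root, algo))
    return {
        "changed": sorted(n for n in expected if n in actual and actual[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in actual),
        "added": sorted(n for n in actual if n not in expected),
    }


def demo():
    """Constructed scenario: baseline a fake /etc and /bin, then simulate the
    kind of changes a rootkit makes and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "shadow").write_text("root:*:0:0:99999:7:::\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original-ls")
        baseline = build_baseline(root)          # keep this off-box or on read-only media

        # attacker: extra uid-0 account, trojaned ls, shadow removed, backdoor added
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nt0rn:x:0:0::/:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned-ls")
        (root / "etc" / "shadow").unlink()
        (root / "bin" / "ps").write_bytes(b"\x7fELF-backdoor")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two caveats the rootkit exercise that follows makes concrete: the baseline and the checker binary have to live somewhere the compromised host cannot rewrite, and a kernel-level rootkit can lie to any checker that runs on the box, which is why the chkrootkit and AIDE steps are combined with an offline comparison.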

Rootkits

- Discuss rootkits concepts & applications
- Describe privilege elevation techniques
- Obtain & install T0rnkit - rootkit
- Identify system changes due to the rootkit
- Implement T0rnkit with AIDE to identify compromised system objects
- Implement T0rnkit with chkrootkit to identify rootkits
- T0rnkit - rootkit - cleanup
- Implement N-DU rootkit
- Evaluate system changes

Bastille Linux - OS-Hardening

- Discuss Bastille Linux system hardening capabilities
- Obtain Bastille Linux & perform a system assessment
- Install Bastille Linux
- Evaluate hardened system components

Proxy Security - Module 2

Squid Proxy Initialization

- Discuss Squid concepts & applications
- Discuss DNS application
- Configure DNS on primary SuSE Linux server for the Squid Proxy environment
- Confirm DNS environment
- Start Squid and evaluate default configuration
- Install Squid Proxy server

General Proxy Usage

- Configure web browser to utilize proxy services
- Grant permissions to permit local hosts to utilize proxy services
- Discuss ideal file system layout - partitioning
- Explore key configuration files
- Use client to test the performance of proxy services
- Discuss HIT/MISS logic for serving content
- Configure proxy support for text-based (lftp/wget/lynx) HTTP clients

Squid Proxy Logs

- Discuss Squid Proxy logging mechanism
- Identify key log files
- Discuss & explore the Access log to identify HITS and/or MISSES
- Discuss & explore the Store log to identify cached content
- Convert Squid logs to the Common Log Format (CLF) for easy processing
- Discuss key CLF fields
- Configure Webalizer to process Squid-CLF logs
- Revert to Squid Native logs
- Discuss key Native log fields
- Configure Webalizer to process Squid Native logs

Source: http://www.linuxcbt.com/products_linuxcbt_security_edition.php
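The native access.log fields, the HIT/MISS reading and the CLF conversion above can be exercised without a running Squid. The following is an added example, not LinuxCBT's or Squid's code: the log lines are constructed, the `classify` rule (any result code ending in HIT was served from cache, TCP_DENIED never went anywhere, everything else went upstream) is a simplification of Squid's code table, and `to_clf` reproduces the shape of Squid's httpd-emulated log with HTTP/1.0 assumed because the native log does not record the request version.

```python
"""Added example: parsing Squid's native access.log, the HIT/MISS logic the
course has you read by eye, and the conversion to Common Log Format that
'emulate_httpd_log on' performs. Not LinuxCBT's code; the log lines are
constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Native format: time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1565798400.123    245 192.168.75.20 TCP_MISS/200 15432 GET http://www.linuxcbt.com/ - DIRECT/203.0.113.10 text/html
1565798401.004      2 192.168.75.20 TCP_HIT/200 15432 GET http://www.linuxcbt.com/ - NONE/- text/html
1565798402.510      1 192.168.75.31 TCP_DENIED/403 1680 GET http://www.example.net/ - NONE/- text/html
1565798405.020    130 192.168.75.31 TCP_MISS/200 5120 GET http://www.example.org/a.gif - DIRECT/198.51.100.7 image/gif
1565798406.000      0 192.168.75.20 TCP_MEM_HIT/200 5120 GET http://www.example.org/a.gif - NONE/- image/gif
"""


def parse_native_line(line):
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"unexpected field count in: {line!r}")
    result, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "result": result, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "user": f[7], "hier": hier, "peer": peer, "type": f[9]}


def classify(result):
    """Squid result codes: TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ... were served
    from cache; TCP_DENIED was refused by http_access; the rest went upstream."""
    if result == "TCP_DENIED":
        return "denied"
    return "hit" if result.endswith("HIT") else "miss"


def summarize(log_text):
    counts, bytes_by_client = Counter(), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        counts[classify(rec["result"])] += 1
        bytes_by_client[rec["client"]] += rec["bytes"]
    served = counts["hit"] + counts["miss"]
    return {"hits": counts["hit"], "misses": counts["miss"], "denied": counts["denied"],
            "hit_ratio": counts["hit"] / served if served else 0.0,
            "bytes_by_client": dict(bytes_by_client)}


def to_clf(rec):
    """Squid's httpd-emulated line: client ident user [time] "request" status bytes RESULT:HIER.
    The native log has no HTTP version, so HTTP/1.0 is an assumption here."""
    when = datetime.fromtimestamp(rec["ts"], timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return (f'{rec["client"]} - {rec["user"]} [{when}] "{rec["method"]} {rec["url"]} HTTP/1.0" '
            f'{rec["status"]} {rec["bytes"]} {rec["result"]}:{rec["hier"]}')


if __name__ == "__main__":
    print(summarize(SAMPLE_ACCESS_LOG))
    for line in SAMPLE_ACCESS_LOG.splitlines():
        print(to_clf(parse_native_line(line)))
```

Note what the conversion loses: the elapsed time, the hierarchy peer and the content type are gone once you are in CLF, which is why the module has you switch Webalizer back to the native format afterwards.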

Squid Network Configuration & System Stats

- Discuss cachemgr.cgi Common Gateway Interface (CGI) script
- Explore the available metrics provided by cachemgr.cgi
- Change default Squid Proxy port
- Modify text/graphical clients and test communications
- Discuss Safe Ports - usage & applications

Squid Access Control Lists (ACLs)

- Intro to Access Control Lists (ACLs) - syntax
- Define & test multiple HTTP-based ACLs
- Define & test ACL lists - to support multiple hosts/subnets
- Define & test time-based ACLs
- Nest ACLs to tighten security
- Implement destination domain based ACLs
- Exempt destination domains from being cached to ensure content freshness
- Define & test ANDed ACLs
- Discuss the benefits of Regular Expressions (Regexes)
- Implement Regular Expression ACLs to match URL patterns
- Exempt hosts/subnets from being cached or using the Squid cache
- Force cache usage
- Configure enterprise-class Cisco PIX firewall to deny outbound traffic
- Configure DNS round-robin with multiple Squid Proxy caches for load-balancing
- Discuss delay pool concepts & applications - bandwidth management
- Configure delay pools - to support rate-limiting
- Examine results of various delay pool classes
- Enforce maximum connections to deter Denial of Service (DoS) attacks
- Verify maximum connections comply with security policy
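The ACL items above (src, dstdomain, time, url_regex, Safe Ports, ANDed and nested ACLs) all feed one evaluation rule in Squid: ACLs on a single http_access line are ANDed, lines are tried in order, the first line whose ACLs all match decides, and when nothing matches the result is the opposite of the last line's action. The block below is an added example, not LinuxCBT's or Squid's code. The squid.conf fragment is constructed and only the ACL types it uses are implemented; `check` supplies a default lab request that each call overrides.

```python
"""Added example: how Squid evaluates 'acl' and 'http_access' lines. Not
LinuxCBT's code; the configuration is constructed around the ACL types the
module covers (src, dstdomain, url_regex, port, method, time)."""
import ipaddress
import re

SAMPLE_SQUID_CONF = r"""
acl all         src 0.0.0.0/0
acl localnet    src 192.168.75.0/24
acl mgmt        src 192.168.75.10
acl Safe_ports  port 80 443 21 1025-65535
acl SSL_ports   port 443
acl CONNECT     method CONNECT
acl workhours   time MTWHF 08:00-18:00
acl blocked     dstdomain .example-games.net
acl intranet    dstdomain .linuxcbt.internal
acl exe_files   url_regex -i \.exe$

http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow mgmt
http_access deny  blocked
http_access deny  exe_files !intranet        # ANDed: both must match
http_access allow localnet workhours
http_access allow localnet intranet          # nested ACLs: OR across lines
http_access deny  all
"""


def parse_squid_conf(text):
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":                     # repeated acl lines extend the same list
            name, atype = parts[1], parts[2]
            entry = acls.setdefault(name, (atype, []))
            if entry[0] != atype:
                raise ValueError(f"acl {name} redefined with a different type")
            entry[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _port_in(port, spec):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _acl_matches(atype, values, req):
    if atype == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False) for v in values)
    if atype == "dstdomain":
        host = req["host"].lower()
        return any(host == v.lower() or (v.startswith(".") and host.endswith(v.lower())) for v in values)
    if atype == "url_regex":
        flags = re.IGNORECASE if "-i" in values else 0
        return any(re.search(v, req["url"], flags) for v in values if v != "-i")
    if atype == "port":
        return any(_port_in(req["port"], v) for v in values)
    if atype == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if atype == "time":                           # [SMTWHFA day letters] [hh:mm-hh:mm]
        days = next((v for v in values if v.isalpha()), None)
        span = next((v for v in values if "-" in v), None)
        if days and req["day"] not in days:
            return False
        if span:
            start, end = span.split("-")
            return start <= req["time"] <= end
        return True
    raise ValueError(f"acl type {atype} not handled in this example")


def http_access(acls, rules, req):
    """ACLs on one line are ANDed; lines are tried top to bottom; the first
    line whose ACLs all match decides. With no match the answer is the
    OPPOSITE of the last line's action, hence the closing 'deny all'."""
    for action, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            atype, values = acls[term.lstrip("!")]
            if _acl_matches(atype, values, req) == negate:
                break                             # this line does not apply
        else:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def check(req_overrides, conf=SAMPLE_SQUID_CONF):
    """Evaluate one constructed request against the sample policy."""
    req = {"src": "192.168.75.20", "host": "www.linuxcbt.com", "url": "http://www.linuxcbt.com/",
           "port": 80, "method": "GET", "day": "T", "time": "10:30"}
    req.update(req_overrides)
    return http_access(*parse_squid_conf(conf), req)
```

The last assertion in the test is the one to remember: a policy whose last line is a `deny` of one domain lets every other request through, which turns the proxy into an open relay for the Internet-facing side.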

Squid Proxy Hierarchies

- Discuss Squid cache hierarchy concepts & applications
- Ensure communications through a primary cache server - double-auditing
- Discuss and configure parent-child bypass based on ACLs
- Configure Intranet ACLs for peer-cache bypass
- Discuss & implement Squid cache hierarchy siblings
- Configure transparent proxy services

Firewall Security - Module 3

Intro IPTables

- Discuss key IPTables concepts
- OSI Model discussion
- Determine if IPTables support is available in the current kernel
- Identify key IPTables modules and supporting files
- Explore and examine the default tables
- Learn IPTables Access Control List (ACL) syntax
- Discuss ACL management
- Learn to save & restore IPTables ACLs

IPTables - Chain Management

- Explore the various chains in the default tables
- Discuss the purpose of each chain
- Examine packet counts & bytes traversing the various chains
- Focus on appending and inserting new ACLs into pre-defined chains
- Write rules to permit common traffic flows
- Delete & replace ACLs to alter security policy
- Flush ACLs - reset the security policy to defaults
- Zero packet counts & bytes - bandwidth usage monitoring
- Create user-defined chains to perform additional packet handling
- Rename chains to suit the security policy/nomenclature
- Discuss & explore chain policy

IPTables - Packet Matching & Handling

- Explain the basics of packet matching
- Identify key layer-3/4 match objects (source/destination IPs, source/destination ports, etc.)
- Explore the multi-homed configuration
- Block traffic based on untrusted (Internet-facing) interface
- Perform packet matching/handling based on common TCP streams
- Perform packet matching/handling based on common UDP datagrams
- Perform packet matching/handling based on common ICMP traffic
- Write fewer rules (ACLs) by specifying lists of interesting layer-4 ports
- Discuss layer-3/4 IPTables default packet matching
- Discuss default layer-2 behavior
- Increase security by writing rules to match packets based on layer-2 addresses

IPTables - State Maintenance - Stateful Firewall

- Discuss the capabilities of traditional packet-filtering firewalls
- Explain the advantages of stateful firewalls
- Examine the supported connection states
- Identify key kernel modules to support the stateful firewall
- Implement stateful ACLs & examine traffic flows

IPTables - Targets - Match Handling

- Discuss the purpose of IPTables targets for packet handling
- Write rules with the ACCEPT target
- Write rules with the DROP target
- Write rules with the REJECT target
- Write rules with the REDIRECT target
- Confirm expected behavior for all targets

IPTables - Logging

- Explore Syslog kernel logging configuration
- Define Access Control Entries (ACEs) to perform logging
- Explain the key fields captured by IPTables
- Log using user-defined chain for enhanced packet handling
- Log traffic based on security policy
- Define a catch-all ACE
- Use ACE negation to control logged packets
- Label log entries for enhanced parsing
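The "key fields" and "label log entries for enhanced parsing" items above are worth seeing end to end: the LOG target writes `KEY=VALUE` pairs plus bare flags such as `DF` and `SYN` after whatever `--log-prefix` you chose, and the prefix is what lets a parser tell the drop chains apart. The following is an added example, not LinuxCBT's code; the syslog lines are constructed with RFC 5737 addresses and made-up MACs, and the prefixes `IPT-DROP-IN:` and `IPT-DROP-FWD:` are assumed labels.

```python
"""Added example: parsing the kernel log lines the LOG target writes and
summarising them the way you would during a follow-up audit. Not LinuxCBT's
code; the syslog lines are constructed."""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Aug 14 16:02:11 fw1 kernel: IPT-DROP-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.45 DST=192.168.75.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31337 DF PROTO=TCP SPT=42345 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 16:02:12 fw1 kernel: IPT-DROP-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.45 DST=192.168.75.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31338 DF PROTO=TCP SPT=42346 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 16:02:12 fw1 kernel: IPT-DROP-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.45 DST=192.168.75.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31339 DF PROTO=TCP SPT=42347 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 16:03:40 fw1 kernel: IPT-DROP-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=192.168.75.1 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=1 PROTO=UDP SPT=1026 DPT=137 LEN=58
Aug 14 16:04:02 fw1 kernel: IPT-DROP-FWD: IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cd:00:50:56:c0:00:09:08:00 SRC=192.168.75.31 DST=203.0.113.80 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Aug 14 16:04:05 fw1 sshd[2211]: Accepted publickey for admin from 192.168.75.10 port 52200 ssh2
"""

_LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*IN=(?P<rest>.*)$")


def parse_ipt_line(line):
    """Return None for non-netfilter lines; otherwise the --log-prefix and
    every KEY=VALUE field plus bare flags such as DF, SYN, ACK."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": []}
    for token in ("IN=" + m.group("rest")).split():
        key, sep, value = token.partition("=")
        if sep:
            rec.setdefault(key, value)        # UDP/ICMP repeat LEN and ID: keep the IP-layer one
        else:
            rec["flags"].append(token)
    return rec


def audit(log_text):
    """What a firewall audit wants first: which prefixes fired, which
    services are being probed, and who is probing the box the most."""
    prefixes, targets, sources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_ipt_line(line)
        if rec is None:
            continue
        prefixes[rec["prefix"]] += 1
        proto = rec.get("PROTO", "?")
        targets[(proto, rec.get("DPT", rec.get("TYPE", "-")))] += 1
        if rec.get("IN") and not rec.get("OUT"):  # INPUT-chain drops: destined for this host
            sources[rec["SRC"]] += 1
    return {"prefixes": dict(prefixes), "targets": targets.most_common(),
            "top_sources": sources.most_common(3)}


if __name__ == "__main__":
    print(audit(SAMPLE_SYSLOG))
```

Pair the LOG rule with `-m limit` (the course's "catch-all ACE" without it lets a port sweep fill /var/log), and keep the prefix unique per chain so a parser such as this one can tell an INPUT drop from a FORWARD drop without reading the interface fields.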

IPTables - Packet Routing

- Describe subnet layout
- Enable IP routing in the kernel - commit changes to disk
- Update routing tables on the other Linux hosts on the network
- Update the Cisco PIX Firewall's routing tables
- Test routing through the Linux router, from a remote Windows 2003 host
- Focus on the FORWARD chain
- Write ACEs to permit routing
- Test connectivity

IPTables - Network Address Translation (NAT)

- Discuss NAT features & concepts
- Discuss & implement IP masquerading
- Define Source NAT (SNAT) ACEs & test translations
- Create SNAT multiples
- Implement Destination NAT (DNAT) ACEs & test translations
- Define DNAT multiples
- Create NETMAP subnet mappings - one-to-one NATs

IPTables - Demilitarized Zone (DMZ) Configuration

- Describe DMZ configuration
- Write Port Address Translation (PAT) rules to permit inbound traffic
- Test connectivity from connected subnets
- Configure DMZ forwarding (routing)
- Implement dual DMZs - ideal for n-tiered web applications

SELinux Security - Module 4

Access Control Models

- Describe Access Control Model (ACM) theories (DAC/MAC/nDAC)
- Explain features & shortcomings of Discretionary Access Control (DAC) models
- Identify key DAC-based utilities
- Discuss the advantages & caveats of Mandatory Access Control (MAC) models
- Explore DAC-based programs

SELinux - Basics

- Discuss subjects & objects
- Explain how SELinux is implemented in 2.6.x-based kernels
- Confirm SELinux support in the kernel
- Identify key SELinux packages
- Use sestatus to obtain the current SELinux mode
- Discuss subject & object labeling
- Describe the 3 SELinux operating modes
- Identify key utilities & files which dictate the current SELinux operating mode
- Focus on the features of SELinux permissive mode
- Explore the boot process as it relates to SELinux

SELinux - Object Labeling

- Discuss subject & object labeling
- Discuss the role of extended attributes (XATTRs)
- Expose the labels of specific objects
- Alter the labels of specific objects
- Configure SELinux to automatically label objects per security policy
- Reset the system and confirm labels on altered objects
- Explain security tuples
- Use fixfiles to restore object labels on running system per security policy

SELinux - Type Contexts - Security Labels Applied to Objects

- Intro to object security tuples - security labels
- Attempt to serve HTML content using Apache in SELinux enforcing mode
- Identify problematic object security labels
- Serve HTML content in SELinux permissive mode
- Use chcon to alter object security labels
- Switch to enforcing mode & confirm the ability to serve HTML content
- Use restorecon to restore object security context (labels)

SELinux - Basic Commands - Type & Domain Exposition

- ps - reveal subjects' security context (security label) - domains
- ls - reveal objects' security label - types
- cp - preserve/inherit security labels
- mv - preserve security labels
- id - expose subject security label

SELinux - Targeted Policy - Binary

- Explain the Targeted Policy's features
- Discuss policy transitions for domains
- Compare & contrast confined & unconfined states
- Exempt Apache daemon from the auspices of the targeted policy's confined state
- Evaluate results after exemption
- Explain the security contexts applied to subjects & objects
- Peruse key targeted binary policy files
- Identify the daemons protected by the targeted policy
- Discuss the unconfined_t domain - subject label

SELinux - Targeted Policy - Source

- Install the targeted policy source files
- Identify & discuss TE and FC files
- Explore file_contexts - context definition for objects
- Discuss the file context syntax
- Explain the purpose of using run_init to initiate SELinux-protected daemons
- Switch between permissive & enforcing modes and evaluate behavior
- Peruse the key files in the targeted source policy
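The file_contexts syntax above, the Apache labeling exercise earlier in this module (content that mv preserved with its home-directory label, fixed with chcon or restorecon) and the security tuple `user:role:type:level` can be tied together in one small matcher. What follows is an added example, not LinuxCBT's or libselinux's code. The file_contexts fragment and the `ls -Z` listing are constructed; the matcher uses the last matching entry, which is how libselinux has always resolved a path (newer versions first sort entries so that more specific ones come later, so a real refpolicy file works either way, and this sample is simply written most-specific-last).

```python
"""Added example: how a file_contexts entry is matched to a path, i.e. what
restorecon/fixfiles would set, and the comparison against a current label.
Not LinuxCBT's code; the sample file_contexts and listing are constructed."""
import re

# file type codes used in the optional middle column of file_contexts
FTYPE = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr", "-b": "blk", "-s": "sock", "-p": "fifo"}

SAMPLE_FILE_CONTEXTS = """
/.*                        system_u:object_r:default_t:s0
/etc(/.*)?                 system_u:object_r:etc_t:s0
/etc/shadow.*          --  system_u:object_r:shadow_t:s0
/var/log(/.*)?             system_u:object_r:var_log_t:s0
/var/log/httpd(/.*)?       system_u:object_r:httpd_log_t:s0
/var/www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/tmp/.*                    <<none>>
"""


def parse_file_contexts(text):
    """Each line: anchored regex, optional file-type code, context (or <<none>>)."""
    specs = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) == 3:
            regex, ftype, ctx = parts[0], FTYPE[parts[1]], parts[2]
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append((re.compile(f"^(?:{regex})$"), ftype, None if ctx == "<<none>>" else ctx))
    return specs


def expected_context(specs, path, ftype="file"):
    """Walk the specs from the end: the last matching entry wins."""
    for regex, want, ctx in reversed(specs):
        if want is not None and want != ftype:
            continue
        if regex.match(path):
            return ctx
    return None


def split_context(ctx):
    user, role, typ, *level = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "level": ":".join(level) or None}


def relabel_plan(specs, listing, force=False):
    """listing: path -> (ftype, current context), as 'ls -Z' shows it.
    Like restorecon, only the type is compared unless force is set
    (restorecon -F also resets user, role and level)."""
    plan = []
    for path, (ftype, current) in listing.items():
        want = expected_context(specs, path, ftype)
        if want is None:                        # <<none>> or unmatched: leave alone
            continue
        differs = current != want if force else split_context(current)["type"] != split_context(want)["type"]
        if differs:
            plan.append((path, current, want))
    return plan


# constructed 'ls -Z' view after an admin used mv to drop a page into the docroot
SAMPLE_LISTING = {
    "/var/www/html/index.html": ("file", "unconfined_u:object_r:user_home_t:s0"),
    "/var/www/html/ok.html": ("file", "unconfined_u:object_r:httpd_sys_content_t:s0"),
    "/etc/shadow": ("file", "system_u:object_r:shadow_t:s0"),
    "/var/log/httpd/access_log": ("file", "system_u:object_r:httpd_log_t:s0"),
}

if __name__ == "__main__":
    print(relabel_plan(parse_file_contexts(SAMPLE_FILE_CONTEXTS), SAMPLE_LISTING))
```

The `/etc/shadow` case shows why the file-type column exists: a directory created at that path gets `etc_t`, not `shadow_t`. The plan output is the same information `restorecon -nv` prints, and it is the reason to prefer restorecon over chcon in the Apache exercise: chcon fixes the file, restorecon fixes it to what the policy says, so the next relabel does not undo your change.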

SELinux - Miscellaneous Utilities - Logging

- Use tar to archive SELinux-protected objects
- Confirm security labels on tar-archived objects
- Use the tar substitute 'star' to archive extended attributes (XATTRs)
- Confirm security labels on star-archived objects
- Discuss the role of the AVC
- Examine SELinux logs - /var/log/messages
- Alter Syslog configuration to route SELinux messages to an ideal location
- Use SETools shell-based programs to output real-time statistics
- Install & use SEAudit graphical SELinux log-management tool

Network Intrusion Detection System (NIDS) Security - Module 5

Snort NIDS - Installation

- Peruse the LinuxCBT Security Edition classroom network topology
- Download Snort
- Import G/PGP public key and verify package integrity
- Identify & download key Snort dependencies
- Install current libpcap - Packet Capture Library
- Establish security configuration baseline

Snort NIDS - Sniffer Mode

- Discuss sniffer mode concepts & applications
- Sniff IP packet headers - layer-3/4
- Sniff data-link headers - layer-2
- Sniff application payload - layer-7
- Sniff application/IP packet headers/data-link headers - all layers except physical
- Examine packets & packet loss
- Sniff traffic traversing interesting interfaces
- Sniff clear-text traffic
- Sniff encrypted streams

Snort NIDS - Logging Mode

- Discuss logging mode concepts & applications
- Log traffic using default PCAP/TCPDump format
- Log traffic using ASCII mode & examine output
- Discuss directory structure created by ASCII logging mode
- Control verbosity of ASCII logging mode & examine output
- Enhance packet logging analysis by defaulting to binary logging
- Discuss default nomenclature for binary/TCPDump files
- Alter binary output options
- Use Snort NIDS to read binary/TCPDump files

Snort NIDS - Berkeley Packet Filters (BPFs)

- Explain the advantages to utilizing BPFs
- Discuss BPF directional, type, and protocol qualifiers
- Identify clear-text based network applications and define appropriate BPFs
- Execute Snort NIDS in sniffer mode with BPFs enabled to match interesting traffic
- Log to the active pseudo-terminal console and examine the packet flows
- Combine BPF qualifiers to increase packet-matching capabilities
- Use logical operators to define more flexible BPFs
- Read binary TCPDump files using Snort & BPFs
- Execute Snort NIDS in logging/daemon mode

Snort NIDS - Cisco Switch Configuration

- Examine the current network configuration
- Identify Snort NIDS sensors and centralized DBMS Server
- Create multiple VLANs on the Cisco Switch
- Secure the Cisco Switch configuration
- Isolate internal and external hosts, sensors and DBMS systems
- Configure SPAN - Port Mirroring for internal and external Snort NIDS Sensors
- Examine internal and external packet flows

Snort NIDS - Network Intrusion Detection System (NIDS) Mode

- Discuss NIDS concepts & applications
- Prepare /etc/snort - configuration directory for NIDS operation
- Explore the snort.conf NIDS configuration file
- Discuss all snort.conf sections
- Download & install community rules
- Execute Snort in NIDS mode with TCPDump compliant output plugin
- Download & install Snort Vulnerability Research Team (VRT) rules
- Compare & contrast community rules to VRT rules

Snort NIDS - Output Plugin - Barnyard Configuration

- Discuss features & benefits
- Configure Syslog based logging and examine results
- Configure Snort to log sequentially to multiple output locations
- Implement unified binary output logging to enhance performance
- Discuss concepts & features associated with post-processing Snort logs
- Download and install current barnyard post-processor
- Use barnyard to post-process logs to multiple output destinations

Snort NIDS - BASE - MySQL Implementation

- Discuss benefits of centralized console reporting for 1 or more Snort sensors
- Re-compile Snort on both sensors to support MySQL logging
- Configure MySQL on Database Management System (DBMS) Host
- Implement Snort database schema on DBMS Host
- Configure Snort to log output to MySQL DBMS Host
- Confirm output logging to the MySQL DBMS Host
- Prepare DBMS Host for BASE console installation
- Install BASE and complete schema extension
- Peruse BASE interface

Snort NIDS - Rules Configuration & Updates

- Discuss the concept of rules as related to Snort NIDS
- Examine Snort rule syntax
- Peruse pre-defined Snort rules
- Download & configure oinkmaster to automatically update Snort rules
- Confirm oinkmaster operation
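For the "examine Snort rule syntax" item, the header (action, protocol, source, source port, direction, destination, destination port) and the parenthesised options are easier to understand once you have matched a rule against a packet by hand. The block below is an added example, not LinuxCBT's or Snort's code: it reads the header, `msg`, `sid`, `rev`, `content` (with `|hex|` escapes) and `nocase`, and parses but ignores every other option (so `flow:` does not restrict a match here, unlike in Snort). The rule, the `$HOME_NET`/`$EXTERNAL_NET` values and the packets are constructed.

```python
"""Added example: a reader for the Snort rule header and the common body
options, applied to constructed packets. Not LinuxCBT's or Snort's code."""
import ipaddress
import re

VARS = {"$HOME_NET": "192.168.75.0/24", "$EXTERNAL_NET": "!$HOME_NET"}   # constructed snort.conf values

_HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
_OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def _content_bytes(quoted):
    """'login|3a 20|' style: hex between bars, literal text elsewhere."""
    out, text = b"", quoted[1:-1]
    for i, piece in enumerate(text.split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode()
    return out


def parse_rule(text):
    m = _HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto.lower(), "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "contents": [], "options": {}}
    for key, value in _OPTION_RE.findall(body):
        if key == "content":
            rule["contents"].append({"bytes": _content_bytes(value.strip()), "nocase": False})
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1]["nocase"] = True      # modifier applies to the preceding content
        else:
            rule["options"][key] = value.strip().strip('"')   # flow, sid, rev, msg, ...: kept, not enforced
    return rule


def _expand(spec):
    while "$" in spec:                             # assumes every $VAR is defined in VARS
        for name, value in VARS.items():
            spec = spec.replace(name, value)
    return spec


def _addr_match(spec, ip):
    spec = _expand(spec)
    if spec.startswith("!"):
        return not _addr_match(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("["):
        return any(_addr_match(s, ip) for s in spec.strip("[]").split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec.startswith("!"):
        return not _port_match(spec[1:], port)
    if spec == "any":
        return True
    if spec.startswith("["):
        return any(_port_match(s, port) for s in spec.strip("[]").split(","))
    lo, sep, hi = spec.partition(":")              # 23, 1:1024, :1024, 1024:
    low = int(lo) if lo else 0
    high = (int(hi) if hi else 65535) if sep else low
    return low <= port <= high


def _one_way(rule, pkt):
    return (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
            and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"]))


def matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, payload (bytes)."""
    if rule["proto"] not in (pkt["proto"], "ip"):
        return False
    if not _one_way(rule, pkt):
        if rule["dir"] != "<>":
            return False
        rev = dict(pkt, src=pkt["dst"], sport=pkt["dport"], dst=pkt["src"], dport=pkt["sport"])
        if not _one_way(rule, rev):
            return False
    for c in rule["contents"]:
        hay, needle = (pkt["payload"].lower(), c["bytes"].lower()) if c["nocase"] else (pkt["payload"], c["bytes"])
        if needle not in hay:
            return False
    return True


# constructed rule in the style of the community telnet rules: an internal telnet
# server handing its login prompt to an outside client
TELNET_RULE = ('alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login prompt sent to external client"; '
               'flow:to_client,established; content:"login|3a|"; nocase; sid:1000001; rev:1;)')
```

The negated variable is the part people get wrong: `$EXTERNAL_NET` defined as `!$HOME_NET` means the rule is silent for an internal client on the same telnet server, which is exactly the "clear-text daemons" exposure this course set out to catch, so the companion rule for internal clients has to be written separately.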

Packet Capture Analysis Security feat. Ethereal - Module 6

Introduction - Topology - Features

- Discuss course outline
- Explore system configuration
- Identify key network interfaces to be used for captures
- Identify connected interfaces on Cisco Switch
- Explore network topology - IPv4 & IPv6
- Identify Ethereal installation
- Enumerate and discuss key Ethereal features

Ethereal Graphical User Interface (GUI)

- Identify installation footprint
- Differentiate between promiscuous and non-promiscuous modes
- Configure X.org to permit non-privileged user to write output to screen
- Launch Ethereal GUI
- Identify the primary GUI components - Packet List | Packet Details | Packet Bytes
- Discuss defaults
- Explore key menu items

TCPDump | WinDump - Packet Capturing for Linux | Unix | Windows

- Discuss defaults, features and applications
- Use TCPDump on Linux to capture packets
- Log traffic using default PCAP/TCPDump format
- Discuss Berkeley Packet Filters (BPFs)
- Capture and log specific packets using BPFs for analysis with Ethereal
- Connect to Windows 2003 Server using Remote Desktop (RDesktop) utility
- Install WinDump and WinPCAP on Windows 2003 Server
- Identify available network interfaces using WinDump
- Capture and log packets using WinDump
- Capture and log specific packets using BPFs with WinDump for analysis with Ethereal
- Upload captures to Linux system for analysis in Ethereal

Snort NIDS Packet Capturing & Logging

- Discuss Snort NIDS's features
- Confirm prerequisites - PCRE | LibPCAP | GCC | Make
- Download and import Snort G/PGP key and MD5SUM for Snort NIDS
- Download, verify, compile and install Snort NIDS
- Discuss BPF directional, type, and protocol qualifiers
- Identify clear-text based network applications and define appropriate BPFs
- Execute Snort NIDS in sniffer mode with BPFs enabled to match interesting traffic
- Log to the active pseudo-terminal console and examine the packet flows
- Combine BPF qualifiers to increase packet-matching capabilities
- Use logical operators to define more flexible BPFs
- Create captures for further analysis with Ethereal

Sun Snoop Packet Capturing & Logging

- Connect to Solaris 10 system and prepare to use Snoop
- Draw parallels to TCPDump
- Enumerate key features
- Sniff and log generic traffic
- Sniff and log specific traffic using filters
- Sniff HTTP and FTP traffic using Snoop
- Save captures for analysis by Ethereal
- Snoop various Solaris interfaces for interesting traffic

Layer-2 & Internet Control Messaging Protocol (ICMP) Captures

- Launch Ethereal
- Identify sniffing interfaces
- Capture Address Resolution Protocol (ARP) packets using Capture Filters
- Discuss and identify Protocol Data Units (PDUs)
- Identify default Ethereal capture file
- Peruse packet capture statistics
- Identify Cisco VOIP router generating ARP requests
- Peruse time precision features - deci- to nano-seconds
- Discuss time manipulations - relative to first packet - actual time
- Reveal protocol information from layer-1 through 7
- Identify network broadcasts in the packet stream
- Generate layer-2 ARP traffic using PING and capture and analyze results
- Sniff traffic based on MAC addresses using Ethereal and Capture Filters

  • 8/14/2019 LinuxCBT Security Edition encompasses 9 pivotal security modules

    17/29

User Datagram Protocol (UDP) Captures & Analyses

- Discuss UDP characteristics
- Focus on Network Time Protocol (NTP)
- Set up NTP strata for testing between multiple systems
- Analyze NTP - UDP traffic using Ethereal
- Focus on Domain Name Service (DNS)
- Install a BIND DNS caching-only server
- Analyze DIG queries
- Analyze 'nslookup' queries

Transmission Control Protocol (TCP) Captures & Analyses

- Discuss TCP characteristics - connection-oriented services
- Explain TCP connection rules - socket creation
- Sniff TCP traffic using Capture Filters in Ethereal
- Use Display Filters to parse TCP traffic
- Sniff FTP traffic
- Reconstruct FTP flows using TCP Stream Reassembly
- Differentiate between client and server flows
- Quantify client and server flows
- Discuss embedded Protocol Data Units (PDUs)
- Sniff Internet Protocol Version 6 (IPv6) traffic
- Peruse and discuss the IPv6:TCP:FTP traffic dump
- Analyze TCP sockets
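The layer-2, UDP and TCP sections above walk the same PDU nesting (Ethernet, then ARP or IPv4, then UDP or TCP) that Ethereal's Packet Details pane shows. The block below is an added example, not LinuxCBT's or Ethereal's code: it decodes a classic little-endian pcap file down to those headers and produces a protocol-hierarchy count. The capture is constructed in memory (one ARP request, one DNS query over UDP, one TCP SYN to port 21) with RFC 1918/5737 addresses and made-up MACs, and IP/TCP/UDP checksums are left at zero because the reader does not verify them.

```python
"""Added example: a pcap reader that decodes Ethernet, ARP, IPv4, UDP and TCP
headers and counts the protocol hierarchy like Ethereal's statistics view.
Not LinuxCBT's code; the capture is constructed in memory."""
import socket
import struct

TCP_FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x20, "URG")]


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _parse_ipv4(body, pkt):
    vihl, _tos, tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", body[:20])
    pkt["ip"] = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    pkt["layers"].append("ip")
    seg = body[(vihl & 0x0F) * 4:tlen]          # honour IHL (options) and total length (padding)
    if proto == 17:
        sport, dport, ulen, _ = struct.unpack("!HHHH", seg[:8])
        pkt["udp"] = {"sport": sport, "dport": dport, "payload": seg[8:ulen]}
        pkt["layers"].append("udp")
    elif proto == 6:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
        pkt["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                      "flags": [n for bit, n in TCP_FLAGS if off_flags & bit],
                      "payload": seg[(off_flags >> 12) * 4:]}
        pkt["layers"].append("tcp")


def _parse_frame(frame, ts):
    etype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"ts": ts, "eth": {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]), "type": etype}, "layers": ["eth"]}
    body = frame[14:]
    if etype == 0x0806:                           # ARP: skip htype/ptype/hlen/plen, read op + addresses
        op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", body[:28])
        pkt["arp"] = {"op": {1: "request", 2: "reply"}.get(op, op), "sha": _mac(sha),
                      "spa": socket.inet_ntoa(spa), "tha": _mac(tha), "tpa": socket.inet_ntoa(tpa)}
        pkt["layers"].append("arp")
    elif etype == 0x0800:
        _parse_ipv4(body, pkt)
    return pkt


def parse_pcap(data):
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("only little-endian Ethernet pcap is handled here")
    packets, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        packets.append(_parse_frame(data[off + 16:off + 16 + incl], ts_sec + ts_usec / 1e6))
        off += 16 + incl
    return packets


def protocol_hierarchy(packets):
    counts = {}
    for p in packets:
        for layer in p["layers"]:
            counts[layer] = counts.get(layer, 0) + 1
    return counts


# ---- constructed capture ---------------------------------------------------
def _eth(dst, src, etype, payload):
    return bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) + struct.pack("!H", etype) + payload


def _ipv4(src, dst, proto, payload):             # checksum left 0: the reader does not verify it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def build_sample_pcap():
    gw, host = "00:0c:29:01:02:03", "00:50:56:c0:00:08"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, bytes.fromhex(gw.replace(":", "")),
                      socket.inet_aton("192.168.75.1"), bytes(6), socket.inet_aton("192.168.75.20"))
    dns = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # DNS query header only
    udp = struct.pack("!HHHH", 53212, 53, 8 + len(dns), 0) + dns
    tcp = struct.pack("!HHIIHHHH", 40000, 21, 1000, 0, (5 << 12) | 0x02, 5840, 0, 0)
    frames = [_eth("ff:ff:ff:ff:ff:ff", gw, 0x0806, arp),
              _eth(gw, host, 0x0800, _ipv4("192.168.75.20", "192.168.75.1", 17, udp)),
              _eth(gw, host, 0x0800, _ipv4("192.168.75.20", "203.0.113.5", 6, tcp))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1565798400 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    print(protocol_hierarchy(parse_pcap(build_sample_pcap())))
```

The same reader opens the binary files Snort, TCPDump, WinDump and (after conversion) Snoop write, which is the point of the "previously captured dumps" item later in this module: one on-disk format, many producers. Slicing by IHL and total length rather than fixed offsets is what keeps it correct on frames with IP options or Ethernet padding.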

Ethereal Display Filters - Post Processing Filters

- Identify previously captured dumps - TCPDump - Ethereal - Snort - Snoop
- Discuss features
- Explain Display Filter syntax
- Post-process previously captured traffic dumps
- Identify the various methods to apply display filters
- Filter data using the expression builder
- Filter traffic based on interesting properties
- Filter traffic using logical operators

  • 8/14/2019 LinuxCBT Security Edition encompasses 9 pivotal security modules

    18/29

Ethereal Statistics

- Discuss features
- Explore the summary (metadata) of captured packets
- Peruse the protocol hierarchy - layers 1-7 of OSI
- Examine network conversations of captured packets
- Identify destinations in packet dumps
- Examine ICMP statistics

Text-based Captures with Tethereal

- Discuss features and applications
- Identify 'tethereal' and invoke
- Enumerate network interfaces
- Sniff generic network traffic
- Suppress capture output
- Apply Capture Filters
- Capture UDP traffic
- Capture TCP traffic

Intranet-based Captures & Analysis

- Discuss Intranet monitoring objectives
- Analyze the network topology drawing
- Discuss unicast, broadcast and multicast traffic
- Discuss switch port mirroring - SPAN
- Configure port mirroring - SPAN on Cisco Switch for interesting ports
- Dedicate a network interface for sniffing traffic
- Configure Snort NIDS to sniff traffic on dedicated network interface
- Analyze Snort NIDS captures in Ethereal
- Sniff traffic between various Intranet hosts

Internet-based Captures & Analysis

- Discuss Internet monitoring objectives
- Identify key external interfaces to monitor
- Update the port mirroring configuration to capture Internet traffic
- Capture external traffic
- Analyze using Ethereal

Wireless-based Captures & Analysis

- Discuss wireless monitoring objectives
- Connect to remote system with wireless interface
- Enable wireless interface
- Sniff traffic on wireless network
- Analyze using Ethereal

Windows-based Captures & Analysis on Windows

- Download and install Ethereal for Windows
- Explore interface
- Load previously captured data
- Analyze data
- Compare and contrast with Ethereal for Linux | Unix systems

Pluggable Authentication Modules (PAM) Security - Module 7

Introduction - Topology - Features

- Discuss course outline
- Explore system configuration
- Explore network topology
- Identify primary PAM systems
- Enumerate and discuss key PAM features

PAM Rules Files & Syntax

- Identify key PAM configuration files
- Explain the purpose of the /etc/pam.d/other PAM rules file
- Discuss PAM's 4 management tasks
- Identify the 4 tokens supported within PAM rules files
- Explain possible values for the 4 supported rules file tokens
- Discuss PAM's stacking of rules for the 4 management tasks
- Examine the /etc/pam.d/sshd PAM rules file for the SSHD service/daemon
- Explore the contents of included PAM rules files
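The four tokens (task type, control flag, module, arguments), the stacking rules and `include` are easiest to see by walking a stack by hand with each module's result chosen in advance. The following is an added example, not LinuxCBT's or Linux-PAM's code: the three rule files are constructed in the SuSE style the course uses (pam_unix2, pam_tally), module outcomes are supplied as a dict instead of running real modules, and `evaluate` implements the required/requisite/sufficient/optional semantics of pam.conf(5) (the `[value=action]` form is not handled).

```python
"""Added example: the PAM rule-file syntax and the stacking rules for one
management task (auth, account, password, session), including 'include'.
Not LinuxCBT's code; the rule files and module outcomes are constructed."""

# constructed /etc/pam.d contents
PAM_FILES = {
    "sshd": """\
#%PAM-1.0
auth     required   pam_nologin.so
auth     include    common-auth
account  include    common-account
session  required   pam_limits.so
""",
    "common-auth": """\
auth     required   pam_env.so
auth     required   pam_tally.so deny=3 onerr=fail
auth     sufficient pam_unix2.so
auth     required   pam_deny.so
""",
    "common-account": """\
account  requisite  pam_time.so
account  required   pam_unix2.so
""",
}


def parse_pam_file(name, files=PAM_FILES):
    """Return (type, control, module, args) tuples in stack order; an
    'include' line splices in the included file's rules of the same type."""
    rules = []
    for raw in files[name].splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        mtype, control, module, args = parts[0], parts[1], parts[2], parts[3:]
        if control in ("include", "substack"):
            rules.extend(r for r in parse_pam_file(module, files) if r[0] == mtype)
        else:
            module = module[:-3] if module.endswith(".so") else module
            rules.append((mtype, control, module, args))
    return rules


def evaluate(rules, mtype, outcomes):
    """Walk one task's stack with the semantics of the four classic control
    flags. outcomes maps module name -> True/False (constructed); a module
    not in the dict fails, as a missing .so would.
    Returns (success, modules actually consulted)."""
    impression, consulted = "undef", []
    for rtype, control, module, _args in rules:
        if rtype != mtype:
            continue
        ok = outcomes.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted                 # fail now, do not run the rest
        if control == "sufficient" and ok and impression != "neg":
            return True, consulted                  # short-circuit: later modules never run
        if control == "required" and not ok:
            impression = "neg"                      # remember, but keep walking (hides which step failed)
        elif ok and impression != "neg":
            impression = "pos"                      # required/requisite/optional success
        # a failed sufficient or optional module is simply ignored
    return impression == "pos", consulted


def ssh_login(outcomes):
    """auth then account for the sshd service, like pam_authenticate()
    followed by pam_acct_mgmt()."""
    rules = parse_pam_file("sshd")
    auth_ok, auth_path = evaluate(rules, "auth", outcomes)
    if not auth_ok:
        return False, auth_path
    acct_ok, acct_path = evaluate(rules, "account", outcomes)
    return acct_ok, auth_path + acct_path


GOOD = {"pam_nologin": True, "pam_env": True, "pam_tally": True, "pam_unix2": True, "pam_time": True}

if __name__ == "__main__":
    print(ssh_login(GOOD))
    print(ssh_login(dict(GOOD, pam_tally=False)))
```

Two things the consulted-module list makes visible: `sufficient pam_unix2.so` stops the stack, so anything placed after it (a pam_tally reset, a pam_warn) never runs on success; and a failed `required` module does not stop the stack, so pam_unix2 still prompts for a password even though the answer is already "no", which is deliberate (it hides from the caller which module refused).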

Common PAMs - Identify & Discuss Commonly Implemented PAMs

- Explain the purpose and implementation of pam_echo
- Test pam_echo using SSH
- Explain the purpose and implementation of pam_warn
- Explain the purpose and implementation of pam_deny
- Identify instances of pam_warn and pam_deny modules
- Explain the purpose and implementation of pam_unix2
- Identify instances of pam_unix2 module
- Explain the purpose and implementation of pam_env
- Explain the purpose and implementation of pam_ftp
- Peruse /etc/pam.d/vsftpd and discuss the implementation of pam_ftp
- Explain the purpose and implementation of pam_lastlog
- Explain the purpose and implementation of pam_limits
- Explain the purpose and implementation of pam_listfile
- Explain the purpose and implementation of pam_nologin

Account Policies with PAM

- Explain authentication flow when using PAM
- Discuss account policies features
- Identify and peruse the default account policies file: /etc/login.defs
- Discuss PAM's usage of /etc/login.defs as it pertains to system security
- Discuss pam_pwcheck's role in maintaining system policy
- Configure pam_pwcheck to support minimum password length
- Correlate pam_pwcheck system policy to user accounts database
- Configure pam_pwcheck to support password history
- Use chage to enumerate and change user accounts' attributes associated with system policy

PAM Tally

- Explain applications of pam_tally
- Identify failed logins log file: /var/log/faillog
- Identify PAM authentication messages in /var/log/messages
- Compare and contrast pam_tally with faillog
- Use pam_tally to display user's tally
- Enable pam_tally system-wide with desired policy
- Fail to login multiple times, exceeding the system policy, and evaluate results
- Reset user's login count using pam_tally and faillog
- Redirect PAM log messages using Syslog-NG

PAM Password Quality Check (pam_passwdqc)

- Identify pam_passwdqc using RPM
- Discuss features
- Enumerate the supported password character classes - complex passwords
- Replace pam_pwcheck with pam_passwdqc using at least 2 character classes
- Test password policy in non-enforcing mode
- Evaluate the effects
- Enable password policy in enforcing mode and evaluate
- Alter character class and length (complexity) requirements and evaluate

PAM Time - Time-based Access Control

- Discuss features
- Explain configuration file syntax
- Impose restrictions on common services
- Evaluate results

PAM Nologin

- Discuss features
- Explain configuration file syntax
- Implement nologin module via /etc/nologin
- Evaluate results

PAM Limits - System Resource Limits Controlled by PAM

- Discuss features
- Explain configuration file syntax
- Impose restrictions on system resources
- Evaluate results

PAM Authentication with Apache

- Discuss features and desired result
- Install Apache and development modules providing apxs support
- Download PAM Apache module
- Compile and install PAM Apache module
- Configure Apache web site to support PAM
- Evaluate results

Open Secure Shell version 2 (OpenSSHv2) Security - Module 8

Introduction - Topology - Features

- Discuss course outline
- Explore system configuration
- Identify key systems to be used
- Explore network topology
- Enumerate and discuss key OpenSSHv2 features

Identify Key OpenSSHv2 Components
- Identify installed OpenSSHv2-related packages
- Peruse related startup and run-control script files
- Locate 'sshd' on the file system
- Discuss related client | server configuration files

OpenSSHv2 Client - /ssh/
- Discuss features and benefits
- Obtain shell access on a remote system
- Configure /etc/hosts to provide local name resolution for OpenSSHv2
- Identify and discuss pseudo-terminals - pty
- Redirect X11/X.org traffic to localhost via SSH
- Bind 'ssh' to specific source IP address and test connectivity
- Execute commands on remote system without allocating a pseudo-terminal
- Debug 'ssh' connectivity
- Explore the system-wide client configuration file
- Explore user configuration file


Secure Copy Program (SCP) - /scp/
- Discuss features and benefits
- Locate 'scp' on the file system
- Discuss usage
- Copy, non-interactively, previously generated data to remote systems
- Test 'scp' with global and user configuration directives
- Debug 'scp' connectivity
- Limit transfer rate to conserve bandwidth

Secure File Transfer Program (SFTP) - /sftp/
- Discuss features and benefits
- Locate 'sftp' on the file system
- Discuss usage
- Connect to remote system using 'sftp' interactive shell
- Issue puts and gets and evaluate results
- Identify the sftp-server subsystem
- Peruse process list while connected to OpenSSHv2 server
- Illustrate batch file usage

SSH Key Scan Utility - /ssh-keyscan/
- Discuss features and benefits
- Locate 'ssh-keyscan' on the file system
- Discuss usage
- Scan the network from STDIN for OpenSSHv2 public keys - RSA (SSHv1 & SSHv2) | DSA
- Scan the network based on a file with a list of hosts for OpenSSHv2 public keys
- Populate ~/.ssh/known_hosts file using 'ssh-keyscan' with BASH for loop
- Compare and contrast STDOUT with the output file

SSH Key Generation Utility - /ssh-keygen/
- Discuss features and benefits
- Locate 'ssh-keygen' on the file system
- Discuss usage
- Generate RSA-2 usage keys
- Identify RSA-2 public and private key pair
- Generate DSA usage keys
- Identify DSA public and private key pair
- Expose usage keys' fingerprint using 'ssh-keygen'
- Generate RSA-2 | DSA usage keys for all hosts

Public Key Infrastructure (PKI) - Password-less Logins
- Discuss features and benefits
- Identify key files for client and server implementation of password-less (PKI-based) logins
- Copy manually, RSA-2 | DSA public keys to remote system's ~/.ssh/authorized_keys file
- Test password-less logins
- Use 'ssh-copy-id' to seamlessly populate remote system with RSA-2 | DSA usage keys
- Test password-less connectivity after using 'ssh-copy-id'
- Confirm password-less connectivity using SSH clients /ssh|scp|sftp/ in debug mode
- Connect to privileged account from non-privileged account using PKI
- Configure RSA-1 connectivity using PKI

System-wide OpenSSHv2 Configuration Directives
- Identify key directory and files associated with client | server configuration
- Explore primary server configuration file
- Discuss applicability of directives
- Alter and test several SSHD directives
- Explore OpenSSHv2 configuration on RedHat Linux
- Explore OpenSSHv2 configuration on Solaris 10

Port Forwarding - Pseudo-VPN Support - /Local|Remote|Gateway/
- Discuss features and benefits
- Implement local port forwarding using 'ssh'
- Configure remote port forwarding using 'ssh'
- Test circumvention of local firewall using remote port forwarding
- Implement gateway ports to share forwarded /local|remote/ with connected users
- Test connectivity

Windows Integration - /PuTTY|WinSCP/
- Discuss features and applications
- Download and install PuTTY
- Explore PuTTY's features
- Configure PKI logins
- Download and install WinSCP
- Explore WinSCP's features
- Move data between Windows, Linux and Solaris

Syslog | Syslog-NG Configuration
- Discuss features and benefits
- Identify default configuration
- Redirect OpenSSHv2 data using Syslog and Syslog-NG
- Examine results
- Enable debugging

Host-based Authentication
- Discuss applicability and caveats
- Identify key configuration files and directives
- Implement host-based authentication
- Test results

OpenSSHv2 Source Installation
- Discuss features and benefits
- Download current OpenSSHv2 source code
- Compile and install
- Restart services|daemons
- Test new version of OpenSSHv2

Secure OpenSSHv2 Implementation
- Discuss features and benefits
- Identify key configuration file
- Enumerate and implement key directives
- Test configuration


OpenPGP with Gnu Privacy Guard (GPG) Security - Module 9

Introduction - Topology - Features
- Discuss course outline
- Explore system configuration
- Identify key systems to be used
- Explore network topology
- Enumerate and discuss key OpenPGP features

Explore GPG Configuration
- Identify installed GPG packages in various Linux distros
- Discuss the key contents of those packages
- Explore configuration hierarchy
- Discuss security as it pertains to private key management
- Explain the purpose of public and private keys
- Discuss symmetric and asymmetric encryption provided by OpenPGP-compliant apps

Generate | Import | Export OpenPGP Usage Keys
- Discuss features and benefits
- Obtain shell access on remote systems
- Generate usage (private|public) keys
- Identify the generated keys
- Discuss how usage keys are used
- Generate usage keys on remote systems
- Export OpenPGP public key chain on various systems
- Import OpenPGP public keys on various systems
- Evaluate the results of exchanging public keys


Digital Signatures
- Discuss features and benefits as they pertain to data integrity
- Identify default digital signatures on multiple hosts
- Explain the differences between signing and encrypting correspondence
- Sign and export data to remote systems - inline
- Create detached OpenPGP signatures for data
- Confirm the signed data on the remote systems
- Recap non-repudiation benefits provided by digitally signing correspondence

Encryption | Decryption | Sign & Encrypt Content
- Discuss features and benefits
- Generate files for usage
- Encrypt content using symmetric (shared-key) algorithm
- Decrypt content using the shared key, based on the symmetric algorithm
- Evaluate results on multiple machines
- Explain caveats associated with symmetric encryption
- Encrypt content to a given recipient, using their public key - asymmetric encryption
- Decrypt content on various hosts
- Attempt to decrypt content without the corresponding private key
- Evaluate results
- Encrypt using ASCII-armoured and binary (OpenPGP-compliant) formats
- Decrypt both ASCII-armoured and binary formats
- Recap encryption and decryption processes
- Discuss the requirements of signing and encrypting content
- Sign and encrypt content to various recipients
- Confirm signed and encrypted content
- Attempt to confirm and decrypt content as the unintended recipient
- Evaluate results

OpenPGP Key Management | Web of Trust | Internet Key Distribution
- Discuss features and benefits
- Explore GPG key management facility
- Update properties of public/private key pairs
- Add sub-keys to public/private key pairs
- Sign remote users' public keys
- Evaluate results
- Discuss the web of trust functionality
- Create a web of trust with various hosts
- Evaluate trust confirmation
- Discuss the features of OpenPGP Internet key distribution servers
- Generate and upload public keys to an Internet key server
- Download the uploaded public keys to the public keyrings of various hosts
- Evaluate results

Perl Scripting with GPG
- Discuss features and benefits
- Create a Perl script to back up key directories and files
- Ensure that the script GPG-protects the content post-backup
- Include error handling to ensure that each step of the script is routed appropriately
- Configure the script to transfer the encrypted content to a remote host using 'scp'
- Evaluate results

OpenPGP (GPG | PGP Desktop) on Win32
- Discuss features and benefits
- Download and install GPG for Win32
- Generate usage keys
- Exchange public keys with a user on a Linux system
- Sign and encrypt content to and from the Win32 user
- Confirm results
- Download and install GPG4WIN (GUI-based GPG for Win32)
- Explore features
- Sign and encrypt content to and from the Win32 user
- Confirm results
- Integrate GPG4WIN with MS Outlook
- Sign and encrypt e-mail messages
- Confirm and decrypt e-mail messages
- Install PGP Desktop for Win32
- Explore features and interface
- Generate usage keys
- Exchange public keys with Linux user
- Sign and encrypt content to and from the Win32 user using PGP Desktop
- Evaluate results
- Draw parallels between Win32-based OpenPGP tools and GPG for Linux | Unix
- Recap OpenPGP functionality included in /GPG|GPG4WIN|PGP Desktop/