Enterprise Linux Server Hardening – GL413

Duration:

4 Days

Audience:

Employees of federal, state and local governments; and businesses working with the government.

Prerequisites:

Knowledge equivalent to the GL120 “Linux Fundamentals” and GL250 “Enterprise Linux Systems Administration”

Supported Distributions:

Red Hat Enterprise Linux 7

Course Outline:

1. SECURITY CONCEPTS
   1. Basic Security Principles
   2. RHEL7 Default Install
   3. Minimization – Discovery
   4. Service Discovery
   5. Hardening
   6. Security Concepts

   LAB TASKS

   1. Removing Packages Using RPM
   2. Firewall Configuration
   3. Process Discovery
   4. Operation of the setuid() and capset() System Calls
   5. Operation of the chroot() System Call
   6. Introduction to Troubleshooting Labs
2. SCANNING, PROBING, AND MAPPING VULNERABILITIES
   1. The Security Environment
   2. Stealth Reconnaissance
   3. The WHOIS database
   4. Interrogating DNS
   5. Discovering Hosts
   6. Discovering Reachable Services
   7. Reconnaissance with SNMP
   8. Discovery of RPC Services
   9. Enumerating NFS Shares
   10. Nessus/OpenVAS Insecurity Scanner
   11. Configuring OpenVAS
   12. Intrusion Detection Systems
   13. Snort Rules
   14. Writing Snort Rules

   LAB TASKS

   1. NMAP
   2. OpenVAS
   3. Advanced nmap Options
3. TRACKING SECURITY UPDATES AND SOFTWARE MAINTENANCE
   1. Security Advisories
   2. Managing Software
   3. RPM Features
   4. RPM Architecture
   5. RPM Package Files
   6. Working With RPMs
   7. Querying and Verifying with RPM
   8. Updating the Kernel RPM
   9. Dealing With RPM & Yum Digest Changes
   10. Using the Yum command
   11. Using Yum history
   12. Yum Plugins & RHN Subscription Manager
   13. YUM Repositories

   LAB TASKS

   1. Managing Software with RPM
   2. Creating a Custom RPM Repository
   3. Querying the RPM Database
   4. Using Yum
4. MANAGE THE FILESYSTEM
   1. Partitioning Disks with fdisk & gdisk
   2. Resizing a GPT Partition with gdisk
   3. Partitioning Disks with parted
   4. Filesystem Creation
   5. Persistent Block Devices
   6. Mounting Filesystems
   7. Filesystem Maintenance
   8. Swap

   LAB TASKS

   1. Creating and Managing Filesystems
   2. Hot Adding Swap
5. SECURING THE FILESYSTEM
   1. Configuring Disk Quotas
   2. Setting Quotas
   3. Viewing and Monitoring Quotas
   4. Filesystem Attributes
   5. Filesystem Mount Options
   6. GPG – GNU Privacy Guard
   7. File Encryption with OpenSSL
   8. File Encryption With encfs
   9. Linux Unified Key Setup (LUKS)

   LAB TASKS

   1. Setting User Quotas
   2. Securing Filesystems
   3. Securing NFS
   4. File Encryption with GPG
   5. File Encryption With OpenSSL
   6. LUKS-on-disk format Encrypted Filesystem
6. MANAGE SPECIAL PERMISSIONS
   1. File and Directory Permissions
   2. File Creation Permissions with umask
   3. SUID and SGID on files
   4. SGID and Sticky Bit on Directories
   5. Changing File Permissions
   6. User Private Group Scheme
7. MANAGE FILE ACCESS CONTROLS
   1. File Access Control Lists
   2. Manipulating FACLs
   3. Viewing FACLs
   4. Backing Up FACLs

   LAB TASKS

   1. Using Filesystem ACLs
8. MONITOR FOR FILESYSTEM CHANGES
   1. Host Intrusion Detection Systems
   2. Using RPM as a HIDS
   3. Introduction to AIDE
   4. AIDE Installation
   5. AIDE Policies
   6. AIDE Usage

   LAB TASKS

   1. File Integrity Checking with RPM
   2. File Integrity Checking with AIDE
9. MANAGE USER ACCOUNTS
   1. Approaches to Storing User Accounts
   2. User and Group Concepts
   3. User Administration
   4. Modifying Accounts
   5. Group Administration
   6. RHEL DS Client Configuration
   7. System Security Services Daemon (SSSD)

   LAB TASKS

   1. User Private Groups
10. PASSWORD SECURITY AND PAM
    1. Unix Passwords
    2. Password Aging
    3. Auditing Passwords
    4. PAM Overview
    5. PAM Module Types
    6. PAM Order of Processing
    7. PAM Control Statements
    8. PAM Modules
    9. pam_unix
    10. pam_cracklib.so
    11. pam_env.so
    12. pam_xauth.so
    13. pam_tally2.so
    14. pam_wheel.so
    15. pam_limits.so
    16. pam_nologin.so
    17. pam_deny.so
    18. pam_warn.so
    19. pam_securetty.so
    20. pam_time.so
    21. pam_access.so
    22. pam_listfile.so
    23. pam_lastlog.so
    24. pam_console.so

    LAB TASKS

    1. John the Ripper
    2. Cracklib
    3. Using pam_listfile to Implement Arbitrary ACLs
    4. Using pam_limits to Restrict Simultaneous Logins
    5. Using pam_nologin to Restrict Logins
    6. Using pam_access to Restrict Logins
    7. su & pam
11. USING FREEIPA FOR CENTRALIZED AUTHENTICATION
    1. What Is FreeIPA?
    2. FreeIPA Features
    3. FreeIPA Installation
    4. FreeIPA Client Installation
    5. User, Group, And Host Management
    6. User, Group, And Host Management
    7. FreeIPA Active Directory Integration
12. LOG FILE ADMINISTRATION
    1. System Logging
    2. systemd Journal
    3. systemd Journal’s journalctl
    4. Secure Logging with Journal’s Log Sealing
    5. gnome-system-log
    6. Rsyslog
    7. /etc/rsyslog.conf
    8. Log Management
    9. Log Anomaly Detector
    10. Sending logs from the shell

    LAB TASKS

    1. Using the systemd Journal
    2. Setting up a Full Debug Logfile
    3. Remote Syslog Configuration
    4. Remote Rsyslog TLS Configuration
13. ACCOUNTABILITY WITH KERNEL AUDITD
    1. Accountability and Auditing
    2. Simple Session Auditing
    3. Simple Process Accounting & Command History
    4. Kernel-Level Auditing
    5. Configuring the Audit Daemon
    6. Controlling Kernel Audit System
    7. Creating Audit Rules
    8. Searching Audit Logs
    9. Generating Audit Log Reports
    10. Audit Log Analysis

    LAB TASKS

    1. Auditing Login/Logout
    2. Auditing File Access
    3. Auditing Command Execution
14. SECURING SERVICES
    1. Xinetd
    2. Xinetd Connection Limiting and Access Control
    3. Xinetd: Resource limits, redirection, logging
    4. TCP Wrappers
    5. The /etc/hosts.allow & /etc/hosts.deny Files
    6. /etc/hosts.{allow,deny} Shortcuts
    7. Advanced TCP Wrappers
    8. FirewallD
    9. Netfilter: Stateful Packet Filter Firewall
    10. Netfilter Concepts
    11. Using the iptables Command
    12. Netfilter Rule Syntax
    13. Targets
    14. Common match_specs
    15. Connection Tracking

    LAB TASKS

    1. Securing xinetd Services
    2. Enforcing Security Policy with xinetd
    3. Securing Services with TCP Wrappers
    4. Securing Services with Netfilter
    5. FirewallD
    6. Troubleshooting Practice
15. SELINUX
    1. DAC vs. MAC
    2. Shortcomings of Traditional Unix Security
    3. SELinux Goals
    4. SELinux Evolution
    5. SELinux Modes
    6. Gathering SELinux Information
    7. SELinux Virtual Filesystem
    8. SELinux Contexts
    9. Managing Contexts
    10. The SELinux Policy
    11. Choosing an SELinux Policy
    12. Policy Layout
    13. Tuning and Adapting Policy
    14. Booleans
    15. Permissive Domains
    16. Managing File Context Database
    17. Managing Port Contexts
    18. SELinux Policy Tools
    19. Examining Policy
    20. SELinux Troubleshooting
    21. SELinux Troubleshooting Continued

    LAB TASKS

    1. Exploring SELinux Modes
    2. SELinux File Contexts
    3. SELinux Contexts in Action
    4. Managing SELinux Booleans
    5. Creating Policy with Audit2allow
    6. Creating & Compiling Policy from Source