LPIC-3 Exam 303: Security
About this Course
LPIC-3 303: Security
Regarding Linux Professional Institute
• LPI is a non-profit organization.
• According to its website, LPI is the world's first and largest vendor-neutral Linux certification body.
• LPI provides a number of Linux-focused certifications.
Course Pre-requisites
• LPI will not award the LPIC-3 303 certificate unless you have successfully completed the LPIC-2 certification.
• LPIC-2 in turn requires LPIC-1 certification.
• There are no formal requirements to sit for the exam itself.
• You should have extensive experience with Linux systems before attempting LPIC-3 303; this is an advanced-level professional certification.
• At a minimum, you should hold one of the following or have equivalent experience:
• LPIC-2: Linux Engineer
• Red Hat Certified Engineer (RHCE)
• Linux Foundation Certified SysAdmin (LFCS)
Exam 303-200
• Exam 303-200 is the exam affiliated with the LPIC-3 303 certificate.
• The exam focuses on the security of a system through many facets.
• This course is designed to aid you in preparing for the exam.
• This course follows the detailed objective list published by LPI.
Keys to Success
• Thoroughly review the video content.
• Study the flash cards.
• Practice the learning activities.
• Master the practice test!
LPIC-3 Exam 303: Security
Course Features and Tools
• Video Lectures
• Flash Cards
• Study Guide
• Learning Activities
• Practice Test
LPIC-3 Exam 303: Security
325.1 X.509 Certificates and Public Key Infrastructures
Overview
• Cryptography Concepts
• PKI and Trust Chains
• Creating and Working with Certificates
• Operating a Certificate Authority
What is Cryptography?
• According to the Wikipedia article, cryptography is “the practice and study of techniques for secure communication in the presence of third parties called adversaries.”
• When we talk about cryptography in a computational context, we are generally referring to symmetric or asymmetric encryption, together with the hashes and digital signatures built on them.
• Encryption is how we pass information across public channels without exposing its content; protecting the integrity and authenticity of the data needs a hash or a signature in addition to encryption.
Cryptography Concepts
Uses of Cryptography:
• Data Encryption
• Integrity
• Authentication
Cryptography Concepts: Encryption
There are two primary elements to cryptography:
• Key:
• Used to encrypt (and decrypt) data
• Must be kept secret (for a symmetric cipher the single key; for an asymmetric cipher only the private key)
• Algorithm (cipher):
• The method of encryption
• May be public; a sound design relies only on the secrecy of the key (Kerckhoffs's principle)
• Examples: 3DES (legacy, avoid), Blowfish (64-bit block size, avoid for new systems), AES
Cryptography Concepts: Encryption
• A cipher (or algorithm) is used to scramble information into ciphertext
• The ciphertext may be deciphered (decrypted) with the key
• There are two types of encryption in modern cryptography:
• Symmetric
• Asymmetric
[Figure: data is encrypted by the sender, crosses the Internet as ciphertext, and is decrypted by the intended recipient]
Symmetric and Asymmetric Encryption
Symmetric Encryption:
• There is only one encryption key
• Both parties must know the key, so it has to be shared over a secure channel first
• Generally much faster than asymmetric encryption
• Example algorithms: Blowfish, AES
Asymmetric Encryption:
• Uses two keys, a public key and a private key
• The encryption key is public
• The decryption key is private
• Signing uses the private key; anyone holding the public key can verify the signature
• Example algorithms: RSA, DSA, and elliptic-curve schemes such as ECDSA (PKCS is a family of standards that describes key and message formats, not an algorithm)
• Good for digital signatures, key distribution, and digital certificates
Cryptography Concepts: Data Integrity through Hashes
• A hash function converts input of any length to an output of fixed length.
• Different inputs should produce different hashes; for a secure hash, finding two inputs with the same digest (a collision) must be infeasible.
• Hashing is one way: the input cannot be recovered from the digest.
• A salt may be used to improve security when hashing passwords.
• A salt is an additional value (typically random) combined with the input before hashing, so identical passwords produce different digests and precomputed lookup tables are useless.
• Common hashing algorithms include CRC-32 (a checksum, not cryptographic), MD5 and SHA-1 (both broken for collision resistance; do not use them for signatures), and the SHA-2 family (SHA-256, SHA-512), which is the current default.
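The effect of a salt, as an added example that is not part of the course slides: a plain SHA-256 of the same password is identical for every user, while a per-user random salt makes the stored values differ and still lets a verifier recompute them. The user names and passwords are constructed test data. Real password storage uses a deliberately slow hash (crypt's SHA-512 with many rounds, bcrypt, or Argon2) rather than a single SHA-256; the salting mechanics shown here are the same.

```sh
#!/bin/sh
# Added example: what a salt does to a password hash. Uses only sha256sum,
# od and /dev/urandom; the users and passwords are constructed test data.
set -eu

# Plain digest of a string (no trailing newline is fed in).
sha256_of() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Fresh random salt: 8 bytes from the kernel CSPRNG, rendered as 16 hex chars.
new_salt() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Stored form is "salt$digest" so the salt can be recovered at verification
# time. The salt is prepended to the password before hashing, so two users
# with the same password get different stored values.
make_record() {
    salt="$1"; password="$2"
    printf '%s$%s' "$salt" "$(sha256_of "${salt}${password}")"
}

# Recompute with the stored salt and compare; exit status 0 on a match.
verify_record() {
    record="$1"; candidate="$2"
    salt="${record%%\$*}"
    [ "$(make_record "$salt" "$candidate")" = "$record" ]
}

demo() {
    # Two constructed users who happened to choose the same password.
    s1=$(new_salt); s2=$(new_salt)
    echo "unsalted, alice: $(sha256_of 'correct horse')"
    echo "unsalted, bob:   $(sha256_of 'correct horse')"      # identical: reveals reuse
    echo "salted,   alice: $(make_record "$s1" 'correct horse')"
    echo "salted,   bob:   $(make_record "$s2" 'correct horse')"   # differ
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `sh salt_demo.sh demo`. The unsalted lines are equal, which is exactly what an attacker with a stolen password file exploits: one cracked digest unlocks every account sharing it, and one rainbow table serves every site that hashes the same way.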
PKI and Trust Chains
• A Public Key Infrastructure is made up of a hierarchy of Certificate Authorities and a Certificate Signing Request process.
• CA or Certificate Authority:
• A CA is a trusted third party that vouches for the binding between a public key and an identity.
• A trusted root CA signs the certificates of vetted intermediate CAs, which in turn sign end-entity certificates.
• By trusting a CA certificate, you trust every certificate signed by that CA (and by any intermediate it has signed), so keep the trust store small.
• Certificate Signing Requests (CSR) carry the public key and the requested subject, signed with the matching private key to prove possession; they are submitted to a CA to be signed:
• When a CA signs a CSR, it produces a certificate that chains to the signing CA and is therefore trusted by anyone who trusts that CA.
• The CA can invalidate a certificate before it expires by publishing a CRL (Certificate Revocation List) or by answering OCSP (Online Certificate Status Protocol) queries.
• Both mechanisms remain in use: a CRL is a signed list that clients fetch periodically, OCSP answers per-certificate status queries, and OCSP stapling lets the server hand the client a fresh OCSP response during the TLS handshake.
Creating and Working with Certificates
Creating a private key (RSA; the cipher option encrypts the key file with a passphrase)
openssl genrsa -<cipher> -out <key_filename> <key_size>
openssl genrsa -aes128 -out mykey.pem 2048
Generating a self-signed certificate (contains the public key)
openssl req -utf8 -new -key <key_filename> -x509 -days <cert_lifespan> -out <cert_filename>
Display certificate
openssl x509 -in mycert.crt -text -noout
Creating a CSR
openssl req -new -key <priv_key.pem> -out <output.csr>
Creating and Working with Certificates: File formats
• The openssl command reads and writes PEM formatted files by default.
• There are a few other formats of which you should be aware:
• PEM - Base64-encoded DER wrapped in "-----BEGIN ...-----" / "-----END ...-----" lines; may hold keys, certificates, CSRs, or several of them concatenated.
• DER - The raw binary ASN.1 encoding; one object per file.
• P7B/PKCS#7 - A certificate bundle (often Base64 encoded) popular on Windows; it can carry a chain but never a private key.
• PFX/PKCS#12 - A binary, password-protected container that stores a private key, its certificate, and intermediate certificates together.
• The openssl x509, pkcs7 and pkcs12 subcommands convert between these formats (-inform / -outform select PEM or DER).
Operating a Certificate Authority: Understanding CAs
• What makes a CA is a unique key pair plus a certificate that relying parties have chosen to trust.
• A CA's certificate has typically been signed by another CA that is trusted; a root CA signs its own.
• The CA has three primary responsibilities:
• Sign valid CSRs, after vetting the requester
• Maintain the security of its private key (keep the root key offline and issue from an intermediate)
• Revoke compromised or misused certificates
Operating a CA
Creating a private key
openssl genrsa -<cipher> -out <key_filename> <key_size>
openssl genrsa -aes128 -out mykey.key 2048
Generating a self-signed CA certificate (contains the public key)
openssl req -utf8 -new -key <key_filename> -x509 -days <cert_lifespan> -out <cert_filename>
Add -set_serial <serial_num> for a CA certificate; every certificate a CA issues must carry a serial number that is unique for that CA.
Signing a CSR as a CA (requires the CA key and certificate, plus an openssl.cnf [ca] section pointing at the CA's index and serial files)
openssl ca -in <csr> -out <crt>
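The commands from the two preceding slides and the file-format slide, run end to end as an added example (not code from the course): a throwaway root CA, an intermediate it signs, a server certificate issued by the intermediate, chain verification, and PEM/DER/PKCS#12 conversion. The CA names, the hostname www.example.test, the serial numbers and the PKCS#12 password are made up for the demo. The intermediate and leaf are signed with `openssl x509 -req` rather than `openssl ca`, so no CA database (index.txt, serial) needs to be set up; the extension sections are what make the root and intermediate usable as CAs.

```sh
#!/bin/sh
# Added example (not from the course): a throwaway two-tier CA with openssl.
# Everything is written to a temporary directory; the system trust store is
# untouched. Names and serials are made up for the demo.
set -eu

WORK="${PKI_WORK:-$(mktemp -d)}"

# Minimal config so the run does not depend on the system openssl.cnf.
# The extension sections distinguish CA certificates from a leaf.
write_config() {
    cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

build_pki() {
    write_config
    # Root: self-signed, serial set explicitly as the slide suggests.
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$WORK/pki.cnf" -extensions v3_ca \
        -key "$WORK/root.key" -days 3650 -set_serial 1 \
        -subj "/CN=Example Root CA" -out "$WORK/root.crt"
    # Intermediate: a CSR signed by the root (pathlen:0 = may sign only leaves).
    openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/pki.cnf" -key "$WORK/int.key" \
        -subj "/CN=Example Issuing CA" -out "$WORK/int.csr"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -set_serial 2 -days 1825 -extfile "$WORK/pki.cnf" -extensions v3_intermediate \
        -out "$WORK/int.crt" 2>/dev/null
    # Server certificate issued by the intermediate, never by the root.
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/pki.cnf" -key "$WORK/server.key" \
        -subj "/CN=www.example.test" -out "$WORK/server.csr"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -set_serial 1001 -days 397 -extfile "$WORK/pki.cnf" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
}

# Full chain: the root is the trust anchor, the intermediate is passed as an
# untrusted link that must itself validate. Prints "<file>: OK" on success.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/server.crt"
}

# Without the intermediate the chain is incomplete and verification fails,
# the same error a client sees when a web server forgets to send its chain.
verify_leaf_alone() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt"
}

# PEM -> DER and back must preserve the certificate fingerprint.
der_roundtrip_ok() {
    openssl x509 -in "$WORK/server.crt" -outform DER -out "$WORK/server.der"
    pem_fp=$(openssl x509 -in "$WORK/server.crt" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -in "$WORK/server.der" -inform DER -noout -fingerprint -sha256)
    [ "$pem_fp" = "$der_fp" ]
}

# PKCS#12 bundles key, certificate and chain in one password-protected file.
# (pass: on the command line shows up in ps; use -passout file: in real use.)
export_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -certfile "$WORK/int.crt" -passout pass:changeit -out "$WORK/server.p12"
}

if [ "${1:-}" = "demo" ]; then
    build_pki
    verify_chain
    openssl x509 -in "$WORK/server.crt" -noout -subject -issuer -dates
    der_roundtrip_ok && echo "PEM/DER fingerprints match"
    export_pkcs12 && echo "wrote $WORK/server.p12"
fi
```

Run with `sh pki_demo.sh demo`. The `verify_leaf_alone` failure is the point worth remembering: a browser that trusts only the root cannot validate the leaf unless the server also sends the intermediate, which is why mod_ssl needs the chain as well as the certificate.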
LPIC-3 Exam 303: Security
325.2 Working with X509 Certificates
Overview
• SSL, TLS, and Common Transport Layer Security Threats
• Working with Apache’s mod_ssl
• Troubleshooting using openssl
SSL and TLS
• SSL stands for Secure Sockets Layer.
• SSL was originally the protocol used to secure web traffic.
• The latest version of SSL is SSLv3, which has been deprecated (RFC 7568).
• Due to its deprecated nature, SSL should not be used.
• TLS stands for Transport Layer Security.
• The TLS protocol is the successor to SSL, beginning with TLS 1.0, which replaced SSLv3.
• TLS 1.2 is still widely deployed; TLS 1.3 was published as RFC 8446 in 2018 and is the current version. TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so servers should offer only 1.2 and 1.3.
Transport Layer Security
• TLS and SSL aim to address the issue of secure communication over a public network.
• The protocols meet the following needs:
• Securely encrypt exchanged data
• Authenticate at least one party
• Ensure data integrity
• Prevent replay attacks
• Transport layer security achieves this through the use of PKI as well as general encryption practice.
Transport Layer Security
• “Man in the middle” style attacks are the main threat to transport layer security; they succeed when a client fails to verify the server certificate or can be downgraded to a weak protocol version or cipher.
• This is why it is critically important to use TLS 1.2 or newer as soon as feasible.
• It is also important to encrypt all traffic, not just login pages.
• Attacks such as POODLE (against SSLv3 CBC padding) and BEAST (against TLS 1.0 CBC) are addressed by newer protocol versions that remove the constructions they rely on, and weak ciphers are dropped with each revision.
• Still, some security measures lie with the client (such as not using a bank website on public wifi).
Working with mod_ssl
Secure HTTP traffic with PKI:
SSLCertificateFile <cert_file>
SSLCertificateKeyFile <key_file>
Authenticate with a client certificate (the client's certificate must chain to a CA in the named file within SSLVerifyDepth links):
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile "<ca_cert_path>"
Configure cipher usage (this string excludes anonymous suites and MD5; pair it with an SSLProtocol directive that disables everything below TLS 1.2):
SSLCipherSuite HIGH:!aNULL:!MD5
OCSP Stapling (the server fetches the OCSP response itself and delivers it in the handshake):
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Apache and mod_ssl
• Server Name Indication (SNI):
• Historically, Apache was only able to bind a certificate to a single socket (IP and port), because the certificate has to be chosen before the HTTP Host header can be read.
• Starting with Apache 2.2.12 and OpenSSL 0.9.8j, it is possible to have many certificates bound to the same socket: the client names the host it wants in the TLS ClientHello.
• This allows the use of name-based virtual hosts with unique certificates.
• SSLStrictSNIVHostCheck on rejects clients that send no SNI instead of silently serving them the default virtual host.
• HTTP Strict Transport Security (HSTS):
• HSTS is a way to enforce encryption for an entire domain rather than select parts.
• A special header is sent by the web server which instructs the browser to send all future traffic to that domain over HTTPS.
• Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
• A max-age of 300 seconds is only suitable for testing: the browser preload list requires a max-age of at least one year, and includeSubDomains commits every subdomain to HTTPS, so check them all before enabling it.
More on openssl
Establish a secure connection (the port is required; -servername sends SNI; add -CAfile to supply the trust anchor and read the "Verify return code" line in the output):
openssl s_client -connect <host>:<port> -servername <host>
Validate a trust chain (supply the CA with -CAfile and any intermediates with -untrusted):
openssl verify -verbose <certificate>
View certificate details:
openssl x509 -text -noout -in <cert_file>
LPIC-3 Exam 303: Security
325.3 Encrypted File Systems
Overview
Disk Encryption Concepts
File System Encryption with eCryptfs
Working with LUKS
Disk Encryption Concepts
Use cases of disk encryption:
• Protect removable media
• Add additional security for data at rest (a stolen or discarded disk reveals nothing)
Methods of disk encryption:
• Block device level (the whole device or partition, transparent to the file system on top)
• File system level (individual directories or files; metadata such as file sizes and counts may remain visible)
Disk encryption tools:
• dm-crypt and LUKS
• cryptmount
• eCryptfs
• EncFS
Disk Encryption with eCryptfs and EncFS
eCryptfs provides file system level encryption:
• Implemented as a stacked file system in the kernel (the ecryptfs module)
• Mount a directory over its encrypted lower directory using the ecryptfs file system type
• A PAM module is provided for automatic mounting at login
• The ecryptfs-utils package provides the helper utilities
EncFS is similar to eCryptfs but targets non-superusers:
• Runs in user space via FUSE
• Allows for the creation of encrypted directories by standard users
• A 2014 security audit found weaknesses in the EncFS design; prefer block-level encryption (LUKS) where it is an option
Working with LUKS
Create an encrypted volume (luksFormat destroys any existing data on the device):
cryptsetup luksFormat <dev>
cryptsetup luksOpen <dev> <mapping>
The decrypted device then appears as /dev/mapper/<mapping> and is formatted and mounted like any other block device.
LUKS keys (a LUKS header has several key slots, so a passphrase and a key file can coexist; remove slots you no longer need):
cryptsetup luksAddKey <dev> <keyfile>
Mount on boot with crypttab (crypttab opens the mapping; fstab then mounts /dev/mapper/<mapping>):
/etc/crypttab
/etc/fstab
LPIC-3 Exam 303: Security
325.4 DNS and Cryptography
Overview
Working with DNS
Securing DNS with DNSSEC
DNS Overview
• DNS is short for Domain Name System:
• DNS is a hierarchical system used to resolve hostnames.
• The hierarchy starts with the root servers and branches downward through the top-level domains and delegated zones.
• Resolvers attempt to look up hostnames against local forwarders if configured.
• Otherwise, the resolver starts at the root name servers, which delegate it to the appropriate TLD and then authoritative servers.
• Zones and Resource Records:
• DNS configurations are made up of zones and Resource Records (RRs).
• An RR consists of an owner name (the labels that make up domains, subdomains, hosts, etc.), a type, a TTL, and type-specific data.
• With the development of DNS technology, EDNS was proposed:
• The extension mechanism for DNS, originally documented in RFC 2671 and now in RFC 6891 (EDNS(0)).
• EDNS lets a client and server negotiate larger UDP messages and extra flags without changing the base protocol; DNSSEC depends on it (the DO bit is an EDNS flag).
• BIND is a popular implementation of a DNS server:
• The primary configuration file is /etc/named.conf (Red Hat family) or /etc/bind/named.conf (Debian family).
• The objectives on LPIC exam 303-200 cover securing DNS with BIND in particular.
Securing BIND
• Means of securing DNS:
• TSIG – Transaction signatures: a shared secret (HMAC) signs DNS messages between two parties, typically to authenticate zone transfers, dynamic updates, and rndc control traffic.
• Running the named server in a chroot jail.
• Configuration directives:
• allow-query – who may ask this server questions
• recursion – whether the server resolves names it is not authoritative for (keep recursion off on public authoritative servers so they cannot be used for amplification)
• allow-transfer – who may perform zone transfers (restrict to your secondaries, ideally with a TSIG key)
• RNDC stands for Remote Name Daemon Control:
• Allows for remote name server management.
• Must be secured using a secret key that is shared with the BIND server.
• See the study guide for more detail.
BIND Configuration
Directives:
allow-query
recursion
allow-transfer
DNS utilities:
dig
DNS security with DNSSEC
• What is DNSSEC?
• Domain Name System Security Extensions.
• DNSSEC lets a resolver verify that RR data is authentic and unaltered; it does not encrypt queries, and zone transfers are protected separately with TSIG.
• Security is achieved by digitally signing the records in a zone so that forged or tampered answers can be detected.
• Enabling DNSSEC:
• The dnssec-enable (removed in BIND 9.16, where it is always on) and dnssec-validation directives in named.conf.
• You must create Zone Signing Keys (ZSKs) and Key Signing Keys (KSKs), and have your registrar publish a Delegation Signer (DS) record for your domain in the parent zone.
• You must also sign the zone files using the dnssec-signzone command (or let named maintain the signatures itself with a dnssec-policy).
DNSSEC
Zone Signing Keys (ZSK)
• Signs the records of a particular zone.
• Generated using dnssec-keygen.
• A common operational recommendation is to roll the ZSK on a monthly interval; the KSK rolls far less often because every KSK roll needs a new DS record in the parent.
Key Signing Keys (KSK)
• KSKs sign the zone's DNSKEY RRset and are what authenticate your server's ZSKs.
• Created using dnssec-keygen but with the -f KSK option.
dnssec-signzone
• The generated DNSKEY records are placed (or $INCLUDEd) in the zone file.
• dnssec-signzone creates a signed zone file, with RRSIG and NSEC/NSEC3 records, for use with BIND.
More on DNSSEC
• Chain of Trust
• A zone's KSK is generated by the zone owner; the parent zone publishes a DS record (a hash of the child's KSK) so that resolvers can walk from the parent to the child.
• This continues all the way to the root zone, whose KSK is the trust anchor configured in resolvers and is managed in public key signing ceremonies.
• Other commands to understand
• dnssec-settime – Manages the validity period (publish, activate, inactive and delete times) of a given key.
• dnssec-dsfromkey – Used to generate the DS RR for a given KSK.
• Review the man pages.
• DO and AD bits
• The DO and AD bits are contained in DNS queries and responses.
• DO stands for DNSSEC OK and is set by a client to indicate that it will understand a DNSSEC response, so the server includes the RRSIG records.
• AD stands for Authenticated Data and is set by a validating resolver when the data it returns has been verified with DNSSEC; a stub client can only rely on the AD bit if the path to its resolver is trusted.
What is DANE?
• DANE stands for DNS-Based Authentication of Named Entities (RFC 6698):
• It uses DNSSEC-signed records to state which certificate or public key a TLS service must present.
• This lets a client pin a service to a specific key or CA independently of the public CA system; the record is only meaningful if the DNSSEC chain validates.
• The TLSA Resource Record:
- Example
• The owner name has the form _<port>._<protocol>.<host>, for instance _443._tcp.www.example.com; note the port and protocol designation in the label.
• The data fields are certificate usage, selector and matching type, followed by the certificate association data (typically a SHA-256 hash of the certificate or of its public key).
• TLSA records are not limited to https; SMTP with STARTTLS (_25._tcp) is a common use.
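Building a TLSA record from a certificate, as an added example that is not part of the course: a throwaway self-signed certificate for the made-up host www.example.test is generated, its SubjectPublicKeyInfo is hashed with SHA-256, and the hash is placed in a `3 1 1` record (DANE-EE usage, public-key selector, SHA-256 matching). A second function performs the client-side comparison against a presented certificate. The hostname, port and the choice of usage/selector are assumptions for the demo; publishing the record and signing the zone with DNSSEC are not shown.

```sh
#!/bin/sh
# Added example (not from the course): derive a DANE TLSA record from a
# certificate and check a presented certificate against it. The certificate
# is throwaway test data generated here; host and port are made up.
set -eu

WORK="${TLSA_WORK:-$(mktemp -d)}"

make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/tlsa.key" -out "$WORK/tlsa.crt" 2>/dev/null
}

# Selector 1 hashes only the SubjectPublicKeyInfo, so the record keeps
# matching across certificate renewals as long as the key pair is reused.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | sha256sum | cut -d' ' -f1
}

# Full RR. The owner name encodes port and transport: _<port>._<proto>.<host>.
# Usage 3 (DANE-EE) means "this exact key, regardless of any CA".
tlsa_record() {
    host="$1"; port="$2"; proto="$3"; cert="$4"
    printf '_%s._%s.%s. IN TLSA 3 1 1 %s\n' "$port" "$proto" "$host" "$(spki_sha256 "$cert")"
}

# What a DANE-aware client does after DNSSEC has validated the record:
# compare the hash field with the hash of the certificate the server sent.
tlsa_matches() {
    record="$1"; cert="$2"
    expected="${record##* }"
    [ "$expected" = "$(spki_sha256 "$cert")" ]
}

if [ "${1:-}" = "demo" ]; then
    make_test_cert
    rec=$(tlsa_record www.example.test 443 tcp "$WORK/tlsa.crt")
    echo "$rec"
    tlsa_matches "$rec" "$WORK/tlsa.crt" && echo "presented certificate matches the TLSA record"
fi
```

Run with `sh tlsa_demo.sh demo`. For a mail server the same function is called with port 25 and the MX hostname; the record is worthless to a client unless the zone is DNSSEC-signed, since an unsigned TLSA record can be forged as easily as the certificate it is meant to pin.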
LPIC-3 Exam 303: Security
326.1 Host Hardening
Overview
• Kernel Security
• Securing Grub
Kernel Security
• Disabling unnecessary software:
• Every running program presents a possible security threat.
• Disabling unused services is a good security practice.
• Use systemctl (or chkconfig on older SysV-init systems) to disable services.
• Commonly disabled services include atd, avahi-daemon, and cups.
• Limiting resource usage:
• Administrators may limit system resources such as processes, open files, and memory per user.
• The pam_limits.so module allows operators to control how much of any one resource a user may access through hard and soft limits.
• Most systems come with pam_limits.so preloaded.
• The ulimit command may be used to adjust these limits at runtime (a user may move a soft limit up to the hard limit; only root may raise a hard limit).
• Limits may be set persistently in /etc/security/limits.conf and in drop-ins under /etc/security/limits.d/.
Kernel Security
• Tuning kernel parameters:
• The sysctl command is capable of displaying and setting kernel parameters.
• Parameters map to the procfs filesystem under /proc/sys.
• Kernel parameters are set persistently in the file /etc/sysctl.conf (and in drop-ins under /etc/sysctl.d/).
• See the kernel documentation for additional information.
• Managing ASLR:
• ASLR stands for Address Space Layout Randomization.
• It ensures that every time a program loads, its stack, heap and libraries land at different addresses, which makes memory-corruption exploits harder to write; kernel.randomize_va_space = 2 is the full setting.
• The NX bit:
• The NX bit is a CPU feature.
• It marks memory pages as non-executable, so data areas such as the stack and heap cannot be run as code.
• Exec-Shield was a Red Hat software solution for the same problem, designed to support CPUs without this feature.
• ICMP security settings:
• Network security may be enhanced through kernel parameter tuning.
• Ignoring ICMP echo requests is a common measure, achieved by setting net.ipv4.icmp_echo_ignore_all to 1; this hides the host from ping but not from port scans, and dropping every ICMP type would break path MTU discovery.
Sysctl Review
View settings:
sysctl -a
sysctl -ar <search_pattern>
procfs: /proc/sys/<parameter with dots replaced by slashes>
Setting parameters (takes effect immediately, lost at reboot):
sysctl -w <param>=<value>
Persist changes (applied at boot, or on demand with the --system option):
/etc/sysctl.conf
/etc/sysctl.d/*.conf
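Checking a host against a hardening baseline, as an added example that is not part of the course: the script reads parameters straight from /proc/sys (the mapping sysctl uses, dots to directories), reports every value that differs from the baseline, treats a parameter the kernel does not expose as drift rather than silently skipping it, and can emit a /etc/sysctl.d drop-in for the fix. The baseline values are common hardening choices selected for this example, not a list from the course, and SYSCTL_ROOT is a variable introduced here so the check can run against a constructed directory tree.

```sh
#!/bin/sh
# Added example (not from the course): audit live kernel parameters against
# a hardening baseline by reading /proc/sys directly, which needs no root.
# SYSCTL_ROOT may point at a constructed directory tree for testing. The
# baseline values are common hardening choices picked for this example.
set -eu

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Baseline in sysctl.conf syntax; comments and blank lines are allowed.
BASELINE='
# ASLR: full randomization (stack, mmap and brk)
kernel.randomize_va_space = 2
# hide kernel pointers from unprivileged readers of /proc
kernel.kptr_restrict = 1
# do not answer broadcast pings (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ignore ICMP redirects that could re-route traffic through an attacker
net.ipv4.conf.all.accept_redirects = 0
# ignore IPv6 router advertisements (rogue RA defence)
net.ipv6.conf.all.accept_ra = 0
'

# sysctl names use dots where procfs uses directories: net.ipv4.x -> net/ipv4/x
param_path() {
    printf '%s/%s' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Live value, or "missing" when the kernel exposes no such parameter
# (IPv6 disabled, module not loaded, older kernel).
current_value() {
    p=$(param_path "$1")
    if [ -r "$p" ]; then tr -d '[:space:]' < "$p"; else printf 'missing'; fi
}

# Strip comments and whitespace, leaving key=value lines.
baseline_entries() {
    printf '%s\n' "$BASELINE" | sed 's/#.*//; s/[[:space:]]//g' | grep -v '^$' || true
}

# One line per drifted parameter: "key expected=X actual=Y".
audit_baseline() {
    baseline_entries | while IFS='=' read -r key want; do
        have=$(current_value "$key")
        [ "$have" = "$want" ] || printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
    done
}

# Exit status 0 only when nothing drifted.
baseline_ok() {
    [ -z "$(audit_baseline)" ]
}

# Drop-in for /etc/sysctl.d/ so the settings survive a reboot
# (install as root, then apply with: sysctl --system).
print_sysctl_dropin() {
    baseline_entries | sed 's/=/ = /'
}

if [ "${1:-}" = "demo" ]; then
    audit_baseline
    baseline_ok && echo "all baseline parameters match"
fi
```

Run with `sh sysctl_audit.sh demo`; on a system that drifts, the script prints the offending parameters and exits non-zero, which makes it usable from cron or a configuration-management check. Writing the drop-in with `print_sysctl_dropin > /etc/sysctl.d/60-hardening.conf` as root and running `sysctl --system` is the persistent fix the slide refers to.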
Kernel Security
• Chroot Environments
• A chroot environment is a ‘fake root’ set for a specific process (and the user it runs as).
• The chroot command is used by root to enter the environment, which is built from a pre-configured area in the filesystem.
• An unprivileged process is unable to reach files outside of a chroot environment by path.
• Be mindful of hard links into the jail, of device nodes, and of the fact that a process running as root inside a chroot can escape it; chroot is not a security boundary against root.
• Virtualization
• Virtualization is similar in purpose to a chroot environment but isolates an entire operating system under a hypervisor.
• Containerization sits in between: namespaces and cgroups give process and resource isolation on a shared kernel.
Securing Grub
Boot parameters present a security threat:
• Booting a system with specific options (for example init=/bin/sh or single-user mode) may allow unauthorized access to a system.
• GRUB is capable of password protecting the command line and menu entries:
• GRUB Legacy (version 1) supported only a single password, not unique user accounts.
• GRUB 2 has more robust security: named users, hashed passwords, and per-entry restrictions.
Securing Grub
Configuring users in /etc/grub.d/01_users (the script must emit these lines, e.g. with cat <<EOF):
set superusers="bob"
password bob somepw
password notsuper otherpw
(the password command stores the secret in clear text in grub.cfg; real systems should use password_pbkdf2 with a hash produced by grub2-mkpasswd-pbkdf2)
Configuring menu entries: find the entry titles with
grep menuentry /boot/grub2/grub.cfg
then in /etc/grub.d/40_custom:
menuentry "menu item" --users notsuper {
...
}
Once superusers is set, an entry without --users can only be booted by a superuser; --unrestricted opens an entry to everyone, and only superusers may edit entries or use the GRUB command line.
Building the grub configuration:
grub2-mkconfig -o /boot/grub2/grub.cfg
LPIC-3 Exam 303: Security
326.2 Host Intrusion Detection
Overview
Threat Detection Tools
System Auditing with Auditd
Threat Detection
• The important thing about threat detection:
• Most of these are after-the-fact tools.
• You are alerted once your system has already been compromised, so a known-good baseline, and an off-host copy of it, is what makes the alert trustworthy.
• The tools you need to know about:
• AIDE
• OpenSCAP
• Linux Malware Detect
• Rkhunter
• Chkrootkit
• Important for the test:
• Know commands and options.
• Understand broad concepts.
• Know configuration directives!
AIDE
Commands:
aide --init   (builds the baseline database; on Red Hat-family systems it is written as /var/lib/aide/aide.db.new.gz and must be renamed to aide.db.gz before use)
aide --check  (compares the live system against the baseline)
aide --update (re-scans and writes a new database after approved changes)
Configuration
/etc/aide.conf
Keep a copy of the database, and of the aide binary, off the host; an attacker with root can otherwise re-baseline after tampering.
A Brief Word on OpenSCAP
• SCAP
• Security Content Automation Protocol.
• A set of standards maintained by NIST for expressing security checks and configuration baselines in machine-readable form.
• OpenSCAP
• An open-source implementation of SCAP, originally developed by Red Hat.
• Vulnerability assessment.
• Security compliance checks against published profiles (the oscap command run against a SCAP Security Guide profile).
• Be aware of what it is.
Linux Malware Detect
Commands:
maldet -a <path>   (scan a path)
maldet -e <scanid> (view the report of a previous scan)
systemctl cat maldet
Configuration
/usr/local/maldetect/conf.maldet
/usr/local/maldetect/monitor_paths
Rootkit detection
Chkrootkit
• chkrootkit -q   (quiet mode: print only suspicious findings)
Rkhunter
• rkhunter -c --cronjob --rwo   (check, non-interactive, report warnings only)
• /var/log/rkhunter/rkhunter.log
• Run rkhunter --propupd after legitimate package updates so that changed binaries are not reported as tampered.
Other notes
• AIDE may also detect rootkits
• Kernel modules are popular places to hide rootkits
System Auditing with Auditd
• Auditing vs Logging
• Logs vary by system and software and are written by the application itself.
• Audit runs at the kernel level and records system calls and file access according to rules, independently of the application.
• Auditd
• Built into Red Hat distributions.
• May be installed on Debian (package auditd).
• Customizable rules.
Working with Auditd
Commands:
ausearch  (query the audit log, e.g. by key, user or event id)
aureport  (summaries: logins, file access, executables)
auditctl  (load or list rules at runtime)
Configuration
/etc/audit/auditd.conf
/etc/audit/rules.d
/etc/audit/audit.rules
Files
/var/log/audit/audit.log
/etc/pam.d/system-auth (pam_loginuid sets the audit uid that follows a user through su and sudo)
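Two questions answered from raw audit records, as an added example that is not part of the course: who read /etc/shadow, and which address is failing to log in. The records below are constructed for this example in the format auditd writes, not captured from a real system; the `auditctl -w /etc/shadow -p rwa -k shadow-read` rule named in the comments is real syntax and is what would tag such records. The awk does what `ausearch -k shadow-read` and `aureport --auth --failed` do, and makes visible why auid (the login uid that survives su/sudo) matters more than uid.

```sh
#!/bin/sh
# Added example (not from the course): answer two questions from raw auditd
# records with awk, the way ausearch/aureport do. The log lines below are
# constructed for this example; the watch rule that would produce the
# "shadow-read" records is the real syntax:
#   auditctl -w /etc/shadow -p rwa -k shadow-read
set -eu

# Constructed sample of /var/log/audit/audit.log. Records belonging to one
# event share the msg=audit(<time>:<serial>) id (4201 spans SYSCALL, CWD, PATH).
SAMPLE_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:4201): arch=c000003e syscall=257 success=yes exit=3 ppid=1234 pid=4321 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-read"
type=CWD msg=audit(1700000000.123:4201): cwd="/root"
type=PATH msg=audit(1700000000.123:4201): item=0 name="/etc/shadow" inode=131 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000005.000:4202): arch=c000003e syscall=257 success=no exit=-13 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="less" exe="/usr/bin/less" key="shadow-read"
type=PATH msg=audit(1700000005.000:4202): item=0 name="/etc/shadow" inode=131 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=USER_LOGIN msg=audit(1700000010.500:4203): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000011.500:4204): pid=901 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000012.500:4205): pid=902 uid=0 auid=1000 ses=6 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.4 terminal=ssh res=success'
EOF
)

# Who touched /etc/shadow: one line per SYSCALL record carrying the watch key,
# as "auid uid comm success". auid is the login uid, which survives su/sudo,
# so it names the human; uid is the account the process actually ran as.
shadow_access() {
    printf '%s\n' "$1" | awk '
        $1 == "type=SYSCALL" {
            split("", f)
            for (i = 1; i <= NF; i++) {
                n = index($i, "="); if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/"/, "", v); f[k] = v
            }
            if (f["key"] == "shadow-read")
                print f["auid"], f["uid"], f["comm"], f["success"]
        }'
}

# Accesses where login user and effective user differ: the file was reached
# through su/sudo rather than by a direct root login.
escalated_access() {
    shadow_access "$1" | awk '$1 != $2'
}

# Failed USER_LOGIN records counted per source address, as "addr count".
# The quotes around msg='...' are stripped first so addr= and res= tokenize.
failed_logins() {
    printf '%s\n' "$1" | tr -d "'" | awk '
        $1 == "type=USER_LOGIN" {
            addr = ""; res = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^addr=/) addr = substr($i, 6)
                if ($i ~ /^res=/)  res  = substr($i, 5)
            }
            if (res == "failed") n[addr]++
        }
        END { for (a in n) print a, n[a] }'
}

if [ "${1:-}" = "demo" ]; then
    echo "== /etc/shadow access (auid uid comm success)"; shadow_access "$SAMPLE_LOG"
    echo "== reached via su/sudo";                         escalated_access "$SAMPLE_LOG"
    echo "== failed logins by address";                    failed_logins "$SAMPLE_LOG"
fi
```

Run with `sh audit_demo.sh demo`. On a real host the same functions take `$(cat /var/log/audit/audit.log)` instead of the sample; event 4202 (a denied read, success=no) is the one worth an alert, and event 4201 shows that uid 0 alone would hide that it was user 1000 who became root.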
LPIC-3 Exam 303: Security
326.3 User Management and Authentication
Overview
• Linux Login Basics
• PAM Concepts and Configuration
• Kerberos
• Understanding SSSD
Linux Login Basics
• /etc/login.defs:
• Used to be the main login configuration.
• Replaced over time by PAM; still consulted by the shadow utilities (useradd, passwd, chage).
• MAIL_DIR.
• UID and GID ranges.
• UMASK.
• The chage command:
• Requires root for most functionality.
• The user must have an entry in /etc/shadow.
• -E <YYYY-MM-DD> LOGIN (account expiry date)
• -I <days> LOGIN (days of inactivity after password expiry before the account is locked)
• -W <days> LOGIN (days of warning before password expiry)
• A value of -1 may be used to disable many of these options.
• NSS Concepts:
• The Name Service Switch.
• Connects calls for information from a system database to a back-end service.
• Know the contents of /etc/nsswitch.conf.
/etc/nsswitch.conf
Databases:
passwd
shadow
group
hosts
Services:
files
sss
dns
PAM Concepts
• Pluggable Authentication Modules
• Has become a core part of the login process on modern Linux distributions.
• Made up of a number of modules, each handling a unique function regarding authentication and authorization.
• PAM is divided into four management groups:
• auth: Used for authentication purposes
• account: Deals with account-related work such as verifying account validity and expiry.
• password: Modules in this class change and check passwords.
• session: Interacts with user session properties (mounts, limits, logging).
• Each configuration line also carries a control flag (required, requisite, sufficient, optional) that decides how that module's result affects the rest of the stack.
PAM
Configuration:
/etc/pam.d/*
Modules:
pam_tally2.so (login-failure counter; replaced by pam_faillock.so on current distributions)
pam_cracklib.so (password-strength checks; replaced by pam_pwquality.so on current distributions)
Kerberos
Terms:
• Key Distribution Center (KDC): the authentication server plus the ticket-granting server
• Realm: the administrative domain served by a KDC
• Principal: a user or service identity, e.g. user@REALM or service/host@REALM
• Ticket: a credential encrypted for a specific service
• TGT: the ticket-granting ticket obtained at login
• TGS: the ticket-granting service that issues service tickets in exchange for a TGT
Important Files:
• /etc/krb5.conf
Commands:
• kinit (obtain a TGT)
• klist (list cached tickets)
• kdestroy (discard the credential cache)
System Security Services Daemon
• SSSD provides a set of daemons to manage access to remote directories and authentication
mechanisms.
• Key Integrations
• Active Directory
• FreeIPA
• LDAP
• Kerberos
• Local Domain
SSSD
Integrations:
Active Directory
IPA
LDAP
Kerberos
Local
NSS (the sss service in /etc/nsswitch.conf)
pam_sss.so
Configuration:
/etc/sssd/sssd.conf (must be owned by root with mode 0600; sssd refuses to start otherwise)
Utilities:
sss_useradd
sss_userdel
sss_usermod
sss_groupadd
sss_cache
sss_obfuscate
LPIC-3 Exam 303: Security
326.4 FreeIPA Installation and Samba Integration
Overview
• FreeIPA Overview
• Installing and Configuring FreeIPA
• Working with FreeIPA
Overview of FreeIPA
• What is it?
• FreeIPA is a suite of tools that provides identity and authentication services.
• FreeIPA is similar to Microsoft Active Directory but is not a drop-in replacement; it can establish a cross-forest trust with AD.
• What can it do?
• Provide a user directory via LDAP
• Provide Kerberos authentication
• Maintain a central sudo rule set
• Keep autofs configurations
• Hold SELinux user mapping data
• Enforce host-based access control rules
• The FreeIPA Suite:
• 389 Directory Server
• MIT Kerberos
• DNS (BIND)
• NTP (chrony on newer releases)
• Dogtag (certificate system)
A word on Certmonger
• The certmonger daemon tracks certificates and monitors them for impending expiration.
• It can optionally renew soon-to-expire certificates with the help of a CA.
• Working with certmonger:
• ipa-getcert list
• ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r
• By default, certmonger works with the IPA CA noted in /etc/ipa/default.conf
FreeIPA Prerequisites
• Local DNS configuration
• Any IPA server must have a static hostname configured in /etc/hosts that matches the system
hostname and is in the planned DNS domain.
• The installation utility verifies DNS resolution prior to starting installation.
• Firewall Considerations
• Though it is not required for install, there are a number of ports that must be open for proper
operation of an IPA server.
• Services: HTTP/S (tcp/80, tcp/443), Kerberos (tcp/88, tcp/464, udp/88, udp/464), DNS (udp/53),
NTP (udp/123), LDAP (tcp 389, tcp/636)
Installing FreeIPA
Packages:
• ipa-server
• ipa-server-trust-ad
Commands:
• ipa-server-install
• ipa-replica-install
• ipa-replica-prepare (domain level 0 only; newer replicas are promoted from an enrolled client)
• ipa-replica-manage
• ipa-adtrust-install
Working with FreeIPA
Packages:
ipa-client
Commands:
• ipa-client-install
• ipa user-add sam --first sam
--last j
• ipa group-add staff --desc “staff”
• ipa help
LPIC-3 Exam 303: Security
327.1 Discretionary Access Control
Overview
• Basic System Permissions – DAC Review
• Extended Attributes
• Using ACLs
DAC Review
Commands:
• chown
• chmod
Permissions:
• read / write / execute
• SUID
• SGID
• Sticky Bit
Extended Attributes
• The Concept:
• Modern Linux filesystems support extended attributes (abbreviated xattr) when xattr support for that filesystem is enabled in the kernel configuration; libattr is the user-space library, and getfattr/setfattr come from the attr package.
• Any file or directory may carry a list of extended attributes, each denoted by name.
• Xattr namespaces:
• user (settable by anyone with write access to the file)
• trusted (root only)
• security (used by SELinux, Smack, and file capabilities)
• system (used by POSIX ACLs)
Xattr
Getting xattrs:
• getfattr
• -n <name>
• -m <pattern>
Setting xattrs:
• setfattr
• -n <name>
• -v <value>
• -x <name>
Access Control Lists
Commands:
• setfacl -m u:lisa:r filename   (grant user lisa read access)
• setfacl -m m::rx file   (set the mask, which caps the effective rights of every named user and group entry)
• getfacl filename
A named entry never grants more than the mask allows, and ls -l shows a trailing + on files that carry an ACL.
LPIC-3 Exam 303: Security
327.2 Mandatory Access Control
Overview
• Understanding Mandatory Access Control
• SELinux
• MAC Alternatives
Understanding Mandatory Access Control
The Concept
• Mandatory Access Control (MAC) differs from Discretionary Access Control in that access is decided by system policy and security context, not by the owner of the resource.
• MAC uses roles and type enforcement (TE) to allow only users and processes that are authorized to access resources of a specific type.
• MAC is implemented in the kernel through the Linux Security Modules (LSM) framework, with labels stored in extended attributes.
MAC Systems
• SELinux
• AppArmor
• Smack
SELinux
Commands:
• semanage (persistently manage ports, file contexts, booleans and users)
• setsebool, getsebool
• restorecon (reapply the file contexts defined by policy)
• newrole
• sealert (explain denials recorded in the audit log)
Files:
• /etc/selinux/config (enforcing, permissive or disabled at boot)
MAC Alternatives
AppArmor
• Popular in Ubuntu and SUSE.
• Known for being less cumbersome to manage than SELinux.
• Confines programs with per-executable profiles whose rules refer to file paths rather than to labels stored on inodes.
• Two modes: enforce or complain.
• The commands aa-genprof and aa-logprof are used to craft profiles.
Smack
• Must be compiled into the kernel.
• Uses extended file attributes for label assignment.
• Uses the -Z flag of ls and ps like SELinux.
• The chsmack command may be used to query and set label information.
LPIC-3 Exam 303: Security
327.3 Network File Systems
Overview
• NFSv4 Improvements
• NFS in Practice
• Understanding NFSv4 ACLs
• CIFS Configuration
NFSv4 Improvements
Access Security
• Kerberos authentication is built into NFSv4, allowing enhanced security (sec=krb5 for authentication, krb5i for integrity, krb5p for privacy).
• Requires additional services (rpc.gssd on clients, and rpc.svcgssd or gssproxy on the server) that tap into the GSS (Generic Security Services) API.
• The NFSv4 specification also lists the LIPKEY and SPKM public-key mechanisms, but Linux implements only Kerberos in practice.
Pseudo File System
• Allows mounting many exports via a single parent directory.
Port Mapper Not Required
• NFSv4 uses a single well-known TCP port (2049), which eliminates the need for the port mapper.
NFS in Practice
Packages:
• nfs-utils (Red Hat family)
• nfs-common / nfs-kernel-server (Debian family)
Files:
• /etc/exports (per-export options such as ro, root_squash and sec=krb5p)
• /etc/idmapd.conf (maps user@domain names between client and server)
Commands:
• showmount -e (lists exports; an NFSv4-only server without rpcbind will not answer)
NFSv4 ACLs
Commands:
• nfs4_setfacl
• nfs4_getfacl
CIFS Configuration
Samba
• Popular software suite designed for inter-operation with a Windows domain.
• The smbd and nmbd daemons present file shares and NetBIOS name services to Windows hosts.
• Samba maps Windows identities (SIDs) to Linux users and groups; CIFS/SMB is the file-sharing protocol it speaks.
• LPIC-3 303 focuses on security details around CIFS.
Winbind
• Service that allows a Samba server to integrate with an AD domain.
• Must run the winbindd daemon.
• May integrate with NSS via the winbind service in /etc/nsswitch.conf.
• May integrate with the system login via pam_winbind.
CIFS
Commands:
• getcifsacl
• setcifsacl
• mount.cifs
Files:
• /etc/samba/smb.conf
LPIC-3 Exam 303: Security
328.1 Network Hardening
Overview
• FreeRADIUS
• Network Utilities
• Network Threats
FreeRADIUS
Packages:
• freeradius
Files:
• /etc/raddb/radiusd.conf (Red Hat family; Debian uses /etc/freeradius/)
• /etc/raddb/* (clients.conf holds the shared secret for each NAS; keep it readable only by the radius user)
Commands:
• radmin
• radtest
• radwho
• radlast
Network Utilities
Wireshark
• A GUI tool that can perform packet captures
• Provides filtering capability (capture filters use BPF syntax; display filters have their own richer syntax)
• Can optionally be run using the tshark CLI utility
• Be familiar with filters
tcpdump
• A classic CLI utility for capturing network traffic
• Capable of filtering with the same BPF capture-filter syntax
Capturing Network Traffic
Commands:
• tshark
• tcpdump
Filters:
• host IP
• port PORT
• portrange PORT-PORT
• tcp portrange PORT-PORT
Network Utilities
NDPMon
• Neighbor Discovery Protocol Monitor
• Compiled versions available for BSD, OS X, and Debian
• Used for monitoring ICMPv6 Neighbor Discovery packets (router and neighbor advertisements) and alerting on suspicious changes
• Writes output to syslog
nmap
• Network Mapper tool
• A utility capable of doing various scans against target networks
nmap
Commands:
• nmap
Options:
• -sS (TCP SYN scan; needs root for raw sockets)
• -T# (timing template 0-5, slowest to fastest)
• -sN / -sF / -sX (Null, FIN and Xmas scans, which probe how a stack reacts to unusual flag combinations)
Network Threats
Rogue Router Advertisements
• This is a problem on IPv6 networks where malicious router advertisements may be used to hijack traffic on unsecured networks.
• It can be mitigated by adjusting your kernel to not accept router advertisements:
/proc/sys/net/ipv6/conf/<interface>/forwarding
/proc/sys/net/ipv6/conf/<interface>/accept_ra
• accept_ra = 0 ignores advertisements; a value of 1 already ignores them while forwarding is enabled, and 2 accepts them regardless. On the switch side, RA Guard (RFC 6105) blocks advertisements from untrusted ports.
Rogue DHCP Messages
• This is an issue that is best dealt with at the switch level.
• DHCP server traffic should be restricted solely to the switch port of the trusted DHCP server.
• This is done using DHCP snooping.
LPIC-3 Exam 303: Security
328.2 Network Intrusion Detection
Overview
• Network Monitoring
• Working with Snort
• OpenVas and NASL
Network Utilities
Ntop
• A network traffic probe that provides network usage information through a web interface.
• To start the daemon: ntop -P /etc/ntop -w4242 -d
• Reset the ntop admin password: ntop --set-admin-password=newpassword
Cacti
• Another network monitoring tool, built on RRDtool and SNMP polling
• Known for its graphing functionality
• More general purpose than ntop
Snort
Packages:
• snort
• daq
Files:
• /etc/snort/*
Commands:
• snort
• snort-stat
OpenVAS and NASL
Commands:
• openvas-mkcert
• openvas-nvt-sync
Files:
• /etc/openvas/openvasd.conf
LPIC-3 Exam 303: Security
328.3 Packet Filtering
Overview
• Firewall Review
• Advanced Firewall Concepts
• Nftables
Firewall Review
Files:
• /etc/sysconfig/iptables (Red Hat family; loaded by the iptables service at boot)
Commands:
• iptables
• ip6tables
• iptables-save
• iptables-restore
Advanced Firewall Concepts
IP Sets
• Depending on the type of the set, an IP set may store:
IP (v4/v6) addresses or networks
(TCP/UDP) port numbers
IP and MAC address pairs
IP address and port number pairs
• The ipset command is used to create and work with IP sets
• Netfilter matches packets against a set through the iptables set module (-m set --match-set), so one rule can cover thousands of addresses
Firewall DMZ
• Provides additional security for a network
• It is a subnet that is separate from the general LAN
• May be accessed from an external network
• Where services and hosts that require a public face are located on a network
• Typically, the internal LAN is firewalled off from external network access, and the DMZ itself is not allowed to initiate connections into the LAN
IP Sets
Files:
• /etc/sysconfig/ipset
Commands:
• ipset create
• ipset add
• ipset save
• ipset list
Advanced Firewall Concepts
Connection Tracking
• Used so that the firewall may track connection state (NEW, ESTABLISHED, RELATED, INVALID)
• The tracking itself is done by the kernel's nf_conntrack module; the conntrackd daemon replicates that state table between firewalls for high availability
Network Address Translation
• Used to load balance a service or to translate external to internal addresses
• Handled by firewalls and/or routers
• Makes use of the nat table in iptables and the OUTPUT, PREROUTING and POSTROUTING chains (DNAT in PREROUTING, SNAT or MASQUERADE in POSTROUTING)
Network Address Translation
Table:
• nat
Chains:
• OUTPUT
• PREROUTING
• POSTROUTING
Advanced Firewall Concepts
Ebtables
• Used to inspect and filter Ethernet frames on a Linux bridge
• Mostly analogous to the iptables command except it works specifically with Ethernet frames
• Default tables (each with its own built-in chains):
filter
broute
nat
• Specific options to ebtables:
-Ln — List line numbers when printing a rule set
-Lc — List packet and byte counters with each rule
Nftables
The Concept
• The successor to iptables, ip6tables, arptables and ebtables.
• Aims to provide a single, simpler interface to netfilter.
• Use the nft command to interact with nftables.
• Existing iptables rules can be translated (iptables-translate) or run through the iptables-nft compatibility layer, but the native syntax is a plainer rule language.
• Only brief familiarity is required for the exam.
LPIC-3 Exam 303: Security
328.4 Virtual Private Networks
Overview
• OpenVPN
• Working with IPSec Server and Clients
OpenVPN
Files:
• /etc/openvpn/server.conf
Commands:
• openvpn --mlock (lock memory so key material is never swapped to disk)
• openvpn --push (push routes or DNS options from the server to connecting clients)
Working with IPSec Server and Clients
The Concept
• IPsec secures IP traffic between two peers, either end to end (transport mode) or between gateways (tunnel mode)
• Configurations reside in /etc/ipsec-tools.conf
• The kernel maintains two databases for IPsec:
Security Association Database (SAD):
A Security Association (SA) describes how entities will use security services to communicate
SAD entries contain the key of each IPsec SA
Security Policy Database (SPD):
Used to determine if IPsec applies to a given packet
Also determines how an IPsec Security Association applies to a packet
The setkey utility may add, update, dump, or flush SAD or SPD entries in the kernel
Working with IPSec Server and Clients
Notable setkey directives
• The following are directives that may be used to manipulate the SAD:
• add
• get
• delete
• flush
• dump
• The directives may be prefixed with ‘spd’ (i.e. spdadd, spdflush) and will then work on the SPD.
Racoon and L2TP
• Racoon is an IKEv1 keying daemon that negotiates SAs automatically instead of keying them by hand with setkey.
The daemon is configured via /etc/racoon/racoon.conf
• L2TP is a tunneling protocol.
By itself, it provides no encryption.
It must therefore be run over an IPsec link (L2TP/IPsec).
LPIC-3 Exam 303: Security
Conclusion
Overview
• Exam Review
• Scheduling and Taking the Exam
• After Certification
Exam Review
LPIC-3 303-200
• It is a broad test!
• It hits on commands, options, and configurations particularly hard
• Be able to reliably pass the course practice exam by a wide margin
• Drill the flash cards
• Learning Activities
• Syntax and capitalization are important!
Scheduling and Taking the Exam
LPIC-3 303-200
• Purchase a voucher through the Linux Professional Institute (link in video description).
• Use the Linux Academy discount code (also noted in the video description)!
• The exam is 60 questions and you are given 90 minutes to complete it.
• Most questions are multiple choice.
• Some questions are fill-in-the-blank.
After Certification
Wondering what to study now?
• LPIC3-304 Virtualization
• RHCE / RHCA
• Certified Ethical Hacker