@AkashRajvanshi
Created March 18, 2020 06:24

Phase 6 - Advanced

Security

Perform security administration tasks

Description: Candidates should know how to review system configuration to ensure host security in accordance with local security policies.

Key Knowledge Areas:

Audit a system to find files with the suid/sgid bit set.
Set or change user passwords and password aging information.
Being able to use nmap and netstat to discover open ports on a system.
Set up limits on user logins, processes and memory usage.
Determine which users have logged in to the system or are currently logged in.
Basic sudo configuration and usage.

The following is a partial list of the used files, terms and utilities:

find
passwd
fuser
lsof
nmap
chage
netstat
sudo
/etc/sudoers
su
usermod
ulimit
who, w, last
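
Worked example for the SUID/SGID audit above, added here (it is not part of the gist): list every file with either bit set, keep the list as a baseline, and report drift later so a newly planted privileged binary stands out from the thirty or so expected ones. The demo tree, file names and baseline path are constructed; point audit_suid_sgid at / to audit a real host.

```shell
#!/bin/sh
# Added example (not from the gist): SUID/SGID audit with a saved baseline.

# List regular files with the set-user-ID (4000) or set-group-ID (2000) bit as
# "mode owner:group path".  -xdev stays on one filesystem so /proc, NFS and
# bind mounts are not walked; permission errors are discarded.
audit_suid_sgid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u:%g %p\n' 2>/dev/null | LC_ALL=C sort
}

# Record the current state; keep this file where the audited host cannot rewrite it.
save_baseline() { audit_suid_sgid "$1" > "$2"; }

# Compare the live list with the baseline.  Prints added and removed entries
# (a mode change shows up as one of each) and returns 1 on any difference.
diff_against_baseline() {
    live=$(mktemp)
    audit_suid_sgid "$1" > "$live"
    added=$(LC_ALL=C comm -13 "$2" "$live")
    removed=$(LC_ALL=C comm -23 "$2" "$live")
    rm -f "$live"
    [ -z "$added" ] && [ -z "$removed" ] && return 0
    [ -n "$added" ]   && printf 'NEW SUID/SGID:\n%s\n' "$added"
    [ -n "$removed" ] && printf 'REMOVED:\n%s\n' "$removed"
    return 1
}

count_suid_sgid() { audit_suid_sgid "$1" | wc -l | tr -d ' '; }

# Demo on a constructed tree so it runs without root.
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin"
printf '#!/bin/sh\n' > "$demo/usr/bin/passwd"; chmod 4755 "$demo/usr/bin/passwd"   # expected SUID
printf '#!/bin/sh\n' > "$demo/usr/bin/ls";     chmod 0755 "$demo/usr/bin/ls"
save_baseline "$demo" "$demo/suid.baseline"
# Later, something drops a new SGID binary in place: the diff catches it.
cp "$demo/usr/bin/ls" "$demo/usr/bin/helper";  chmod 2755 "$demo/usr/bin/helper"
diff_against_baseline "$demo" "$demo/suid.baseline" || echo "drift: review the entries above"
rm -rf "$demo"
```

A one-shot find is only half the job: the value is in the diff over time, so run it from cron and keep the baseline off-host. For the password-aging part of this objective, chage -l USER shows the current policy and chage -M 90 -W 7 USER sets a maximum age with a warning period.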

Host Hardening

Description: Candidates should be able to secure computers running Linux against common threats. This includes kernel and software configuration.

Key Knowledge Areas:

Configure BIOS and boot loader (GRUB 2) security
Disable useless software and services
Use sysctl for security related kernel configuration, particularly ASLR, Exec-Shield and IP / ICMP configuration
Limit resource usage
Work with chroot environments
Drop unnecessary capabilities
Be aware of the security advantages of virtualization

Terms and Utilities:

grub.cfg
chkconfig, systemctl
ulimit
/etc/security/limits.conf
pam_limits.so
chroot
sysctl
/etc/sysctl.conf
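
Added example for the sysctl part of this objective (not from the gist): compare the security-relevant kernel knobs with a hardened baseline by reading /proc/sys directly, which needs no root and no sysctl binary. The root path is a parameter so the same check can run against a copied tree; the baseline values are the ones hardening guides usually require and are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the gist): sysctl hardening check against /proc/sys.

# Baseline, one key=value per line:
#   randomize_va_space=2   full ASLR (stack, mmap, brk)
#   kptr_restrict=1        hide kernel pointers from unprivileged readers of /proc
#   ip_forward=0           a host is not a router unless it is meant to be
#   accept/send_redirects  ICMP redirects let a neighbour rewrite your routes
#   accept_source_route    source-routed packets bypass routing policy
#   rp_filter=1            drop packets whose source is not reachable via the ingress interface
#   icmp_echo_ignore_broadcasts=1 and tcp_syncookies=1  smurf and SYN-flood mitigation
hardening_baseline() {
cat <<'EOF'
kernel.randomize_va_space=2
kernel.kptr_restrict=1
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_redirects=0
EOF
}

read_sysctl() {   # read_sysctl KEY [ROOT]: kernel.foo -> ROOT/kernel/foo; prints "missing" if absent
    f="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo missing; fi
}

sysctl_report() {   # sysctl_report [ROOT]: one ok/FAIL line per baseline entry
    hardening_baseline | while IFS='=' read -r key want; do
        have=$(read_sysctl "$key" "$1")
        if [ "$have" = "$want" ]; then echo "ok   $key = $have"
        else echo "FAIL $key = $have (want $want)"; fi
    done
}

sysctl_failures() { sysctl_report "$1" | grep -c '^FAIL' || true; }

# Live check of this kernel; fix with sysctl -w KEY=VALUE now and a file in
# /etc/sysctl.d/ (applied by sysctl --system) to survive reboot.
sysctl_report
echo "failures: $(sysctl_failures)"
```

Exec-Shield, which the objective also names, was a Red Hat kernel patch with its own kernel.exec-shield sysctl; current kernels enforce non-executable data through the NX bit without a knob, so on a modern host the only ASLR-related setting to check is kernel.randomize_va_space.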

Host Intrusion Detection

Description: Candidates should be familiar with the use and configuration of common host intrusion detection software. This includes updates and maintenance as well as automated host scans.

Key Knowledge Areas:

Use and configure the Linux Audit system
Use chkrootkit
Use and configure rkhunter, including updates
Use Linux Malware Detect
Automate host scans using cron
Configure and use AIDE, including rule management
Be aware of OpenSCAP

Terms and Utilities:

auditd
auditctl
ausearch, aureport
auditd.conf
auditd.rules
pam_tty_audit.so
chkrootkit
rkhunter
/etc/rkhunter.conf
maldet
conf.maldet
aide
/etc/aide/aide.conf
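
Added example (not from the gist): the file-integrity check that AIDE automates, done with coreutils so the mechanism is visible. A baseline of SHA-256 hashes is taken once; later checks classify every path as CHANGED, MISSING or NEW. Paths are constructed for the demo, and the code assumes paths without whitespace because sha256sum's "hash  path" lines are split on spaces.

```shell
#!/bin/sh
# Added example (not from the gist): hash baseline and integrity check, AIDE-style.
# Keep DBFILE outside the audited tree, on read-only media or off-host: an attacker
# who can rewrite the baseline can hide every change.

integrity_init() {   # integrity_init ROOT DBFILE
    find "$1" -type f ! -path "$2" -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

integrity_check() {  # integrity_check ROOT DBFILE -> report lines; returns 1 if anything differs
    now=$(mktemp)
    find "$1" -type f ! -path "$2" -exec sha256sum {} + | LC_ALL=C sort -k2 > "$now"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }       # baseline: path -> hash
        {
            if (!($2 in base))        print "NEW      " $2
            else if (base[$2] != $1)  print "CHANGED  " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING  " p }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed tree
root=$(mktemp -d); db=$(mktemp)
mkdir -p "$root/etc"
printf 'PermitRootLogin no\n' > "$root/etc/sshd_config"
printf 'welcome\n' > "$root/etc/motd"
integrity_init "$root" "$db"
printf 'PermitRootLogin yes\n' > "$root/etc/sshd_config"   # tampered
rm "$root/etc/motd"                                          # removed
printf '#!/bin/sh\n' > "$root/etc/rc.local"                  # planted
integrity_check "$root" "$db" || echo "integrity violation: investigate before trusting this host"
rm -rf "$root" "$db"
# Schedule the check from cron, e.g. root's crontab:  0 3 * * * /usr/local/sbin/integrity_check.sh
```

With AIDE the same cycle is aide --init, moving the new database into place, and aide --check from cron; the rule lines in aide.conf decide which attributes (hash, permissions, inode, mtime) each path is tracked by, and aide --update rebaselines after an approved change.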

User Management and Authentication

Description: Candidates should be familiar with management and authentication of user accounts. This includes configuration and use of NSS, PAM, SSSD and Kerberos for both local and remote directories and authentication mechanisms as well as enforcing a password policy.

Key Knowledge Areas:

Understand and configure NSS
Understand and configure PAM
Enforce password complexity policies and periodic password changes
Lock accounts automatically after failed login attempts
Configure and use SSSD
Configure NSS and PAM for use with SSSD
Configure SSSD authentication against Active Directory, IPA, LDAP, Kerberos and local domains
Obtain and manage Kerberos tickets

Terms and Utilities:

nsswitch.conf
/etc/login.defs
pam_cracklib.so
chage
pam_tally.so, pam_tally2.so
faillog
pam_sss.so
sssd
sssd.conf
sss_* commands
krb5.conf
kinit, klist, kdestroy

Setup host security

Description: Candidates should know how to set up a basic level of host security.

Key Knowledge Areas:

Awareness of shadow passwords and how they work.
Turn off network services not in use.
Understand the role of TCP wrappers.

The following is a partial list of the used files, terms and utilities:

/etc/nologin
/etc/passwd
/etc/shadow
/etc/xinetd.d/
/etc/xinetd.conf
systemd.socket
/etc/inittab
/etc/init.d/
/etc/hosts.allow
/etc/hosts.deny
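
Added example (not from the gist) covering the password-policy points of the two sections above and the shadow-password awareness of this one: audit a shadow(5)-format file for empty password fields, legacy or MD5 hashes, a missing maximum age, and passwords older than the policy allows. It runs on a copy or on the constructed sample below, so no root is needed; "today" is given in days since the epoch, the unit shadow itself uses in field 3. The sample accounts and the 90-day policy are constructed.

```shell
#!/bin/sh
# Added example (not from the gist): shadow file audit.

sample_shadow() {   # constructed, NOT real hashes.  name:hash:lastchg:min:max:warn:inactive:expire:flag
cat <<'EOF'
root:$6$salt$hash:18900:0:99999:7:::
alice:$6$salt$hash:18950:0:60:7:::
bob::18000:0:99999:7:::
svc:!:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
carol:$1$salt$hash:18800:0:90:7:::
EOF
}

shadow_audit() {    # shadow_audit FILE [TODAY_DAYS] [MAX_AGE_DAYS]
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" -v maxage="${3:-90}" '
        NF < 8 { next }                                                   # malformed line
        {
            name = $1; hash = $2; last = $3; max = $5
            if (hash == "")     { print "EMPTY_PASSWORD   " name; next }  # login needs no password at all
            if (hash ~ /^[!*]/) next                                      # locked (!) or no-login (*): fine
            if (hash !~ /^\$/)         print "LEGACY_CRYPT     " name     # 13-character DES crypt
            else if (hash ~ /^\$1\$/)  print "MD5_HASH         " name     # $1$: move to $6$ or $y$
            if (max == "" || max + 0 > maxage)
                print "MAX_AGE_TOO_LONG " name " (max=" (max == "" ? "none" : max) ")"
            if (last != "" && today - last > maxage)
                print "STALE_PASSWORD   " name " (" (today - last) " days)"
        }' "$1"
}

# Demo with today fixed at day 19000 so the output is reproducible
f=$(mktemp); sample_shadow > "$f"
shadow_audit "$f" 19000 90
rm -f "$f"
# Remediation on a live host (root): chage -M 90 -W 7 root; passwd -l bob; chage -d 0 carol
```

The locked (!) and no-login (*) entries are skipped on purpose: a service account with "*" is the correct state, and flagging it would bury the real findings. Policy for new passwords lives in /etc/login.defs (PASS_MAX_DAYS, PASS_WARN_AGE) and in the pam_cracklib or pam_pwquality line of the PAM password stack; this audit only catches accounts created before that policy existed.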

Securing data with encryption

Description: The candidate should be able to use public key techniques to secure data and communication.

Key Knowledge Areas:

Perform basic OpenSSH 2 client configuration and usage.
Understand the role of OpenSSH 2 server host keys.
Perform basic GnuPG configuration, usage and revocation.
Use GPG to encrypt, decrypt, sign and verify files.
Understand SSH port tunnels (including X11 tunnels).

The following is a partial list of the used files, terms and utilities:

ssh
ssh-keygen
ssh-agent
ssh-add
~/.ssh/id_rsa and id_rsa.pub
~/.ssh/id_dsa and id_dsa.pub
~/.ssh/id_ecdsa and id_ecdsa.pub
~/.ssh/id_ed25519 and id_ed25519.pub
/etc/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key and ssh_host_dsa_key.pub
/etc/ssh/ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key and ssh_host_ed25519_key.pub
~/.ssh/authorized_keys
ssh_known_hosts
gpg
gpg-agent
~/.gnupg/

System Security

Configuring a router

Description: Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.

Key Knowledge Areas:

iptables and ip6tables configuration files, tools and utilities
Tools, commands and utilities to manage routing tables.
Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)
Port redirection and IP forwarding
List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address
Save and reload filtering configurations

Terms and Utilities:

/proc/sys/net/ipv4/
/proc/sys/net/ipv6/
/etc/services
iptables
ip6tables
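
Added example (not from the gist): the router ruleset this objective describes, as shell functions that emit the iptables commands for a LAN behind one uplink: IP forwarding, a default-DROP FORWARD chain, source-prefix filtering, masquerading of the private range, and one port redirection. With RUN=echo the commands are printed instead of executed, so it runs without root; interface names and prefixes are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): NAT router rules with a dry-run switch.

router_rules() {      # router_rules WAN_IF LAN_IF LAN_PREFIX
    wan=$1; lan=$2; net=$3
    $RUN sysctl -w net.ipv4.ip_forward=1                       # persist it in /etc/sysctl.d/ as well
    $RUN iptables -t nat -F
    $RUN iptables -F FORWARD
    $RUN iptables -P FORWARD DROP                              # nothing crosses unless a rule says so
    # replies to connections the LAN opened
    $RUN iptables -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # only the LAN prefix may leave: a spoofed source on the LAN side is dropped
    $RUN iptables -A FORWARD -i "$lan" -o "$wan" -s "$net" -j ACCEPT
    # RFC 1918 space is not routable upstream, so rewrite the source to the uplink address
    $RUN iptables -t nat -A POSTROUTING -o "$wan" -s "$net" -j MASQUERADE
}

port_forward() {      # port_forward WAN_IF TCP_PORT INTERNAL_IP: publish an internal server
    wan=$1; port=$2; dst=$3
    $RUN iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport "$port" -j DNAT --to-destination "$dst:$port"
    # FORWARD sees the packet after DNAT, so match the internal destination
    $RUN iptables -A FORWARD -i "$wan" -p tcp -d "$dst" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Dry run: print the commands.  On the router, as root, set RUN= (empty) to apply them,
# then save with: iptables-save > /etc/iptables/rules.v4   (reload: iptables-restore < that file)
RUN=echo
router_rules eth0 eth1 192.168.10.0/24
port_forward eth0 443 192.168.10.5
```

The same FORWARD policy is needed on the IPv6 side with ip6tables; there is usually no NAT there, but a router that leaves ip6tables at ACCEPT exposes every LAN host with a global address, and unique local addresses (fc00::/7) should be filtered at the uplink the same way the private IPv4 prefix is.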

Securing FTP servers

Description: Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.

Key Knowledge Areas:

Configuration files, tools and utilities for Pure-FTPd and vsftpd
Awareness of ProFTPd
Understanding of passive vs. active FTP connections

Terms and Utilities:

vsftpd.conf
important Pure-FTPd command line options

Secure shell (SSH)

Description: Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.

Key Knowledge Areas:

OpenSSH configuration files, tools and utilities
Login restrictions for the superuser and the normal users
Managing and using server and client keys to login with and without password
Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes

Terms and Utilities:

ssh
sshd
/etc/ssh/sshd_config
/etc/ssh/
Private and public key files
PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol
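
Added example (not from the gist) for the sshd_config keywords listed here and for the client/server key handling in the OpenSSH section above: read the value sshd will really use for a keyword and grade the login restrictions. sshd_config(5) states that the first obtained value for each keyword wins, and that lines after a Match keyword belong to that block, so a "PermitRootLogin no" appended to the end of the file is ignored when an earlier line already set it, and is scoped to the last Match block if one exists. Include directives are not followed here (an assumption of the example); the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the gist): effective sshd_config values and a hardening grade.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

sshd_effective() {   # sshd_effective FILE KEYWORD -> first global value, or nothing
    awk -v key="$(lc "$2")" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^(#|$)/ { next }                                   # comment or blank
        { n = split($0, f, "[ \t=]+"); k = tolower(f[1]) }  # "Key value" or "Key=value"
        k == "match" { inmatch = 1; next }                  # everything after Match is conditional
        inmatch { next }
        k == key { v = f[2]; for (i = 3; i <= n; i++) v = v " " f[i]; print v; exit }
    ' "$1"
}

sshd_audit() {       # prints one line per check; return value = number of weak settings
    weak=0
    v=$(sshd_effective "$1" PermitRootLogin);        v=${v:-prohibit-password}   # compiled-in default
    case "$(lc "$v")" in no|prohibit-password|without-password) echo "ok   PermitRootLogin $v" ;;
        *) echo "WEAK PermitRootLogin $v (want no: log in as a named user, then sudo)"; weak=$((weak+1)) ;; esac
    v=$(sshd_effective "$1" PasswordAuthentication); v=${v:-yes}
    case "$(lc "$v")" in no) echo "ok   PasswordAuthentication $v" ;;
        *) echo "WEAK PasswordAuthentication $v (want no: keys only)"; weak=$((weak+1)) ;; esac
    v=$(sshd_effective "$1" PubkeyAuthentication);   v=${v:-yes}
    case "$(lc "$v")" in yes) echo "ok   PubkeyAuthentication $v" ;;
        *) echo "WEAK PubkeyAuthentication $v (want yes)"; weak=$((weak+1)) ;; esac
    v=$(sshd_effective "$1" Protocol);               v=${v:-2}
    case "$v" in 2) echo "ok   Protocol $v" ;;
        *) echo "WEAK Protocol $v (SSH-1 is broken; current sshd only speaks 2)"; weak=$((weak+1)) ;; esac
    v=$(sshd_effective "$1" AllowUsers)
    if [ -n "$v" ]; then echo "ok   AllowUsers $v"
    else echo "WEAK AllowUsers unset (every account with a shell may log in)"; weak=$((weak+1)); fi
    return $weak
}

sample_sshd_config() {   # constructed weak config; the Match block is a trap for naive greps
cat <<'EOF'
# /etc/ssh/sshd_config (example)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
    PermitRootLogin no
EOF
}

harden_sshd_config() {   # harden_sshd_config IN OUT: put the overrides first, where they win
    {
        printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nAllowUsers deploy admin\n'
        cat "$1"
    } > "$2"
}

f=$(mktemp); sample_sshd_config > "$f"
sshd_audit "$f" || echo "weak settings: $?"
printf 'PermitRootLogin no\n' >> "$f"          # the usual "fix", appended at the end
echo "PermitRootLogin after appending: $(sshd_effective "$f" PermitRootLogin)"   # still yes
h=$(mktemp); harden_sshd_config "$f" "$h"
sshd_audit "$h" >/dev/null && echo "hardened config passes"
rm -f "$f" "$h"
```

On a real host sshd -T prints the effective configuration after Includes, which is the authoritative check, and sshd -t validates syntax before a reload. Keep a second session open while reloading; that is what the objective's "multiple connections from multiple hosts" is about, since a broken sshd_config otherwise locks you out. On OpenSSH 8.2 and later, distributions ship "Include /etc/ssh/sshd_config.d/*.conf" at the top of the file, so a drop-in there wins for the same first-value reason the prepend above does. Before turning off PasswordAuthentication, generate a key with ssh-keygen -t ed25519 and confirm the public key is in ~/.ssh/authorized_keys on the server.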

Security tasks

Description: Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.

Key Knowledge Areas:

Tools and utilities to scan and test ports on a server
Locations and organizations that report security alerts, such as Bugtraq, CERT or other sources
Tools and utilities to implement an intrusion detection system (IDS)
Awareness of OpenVAS and Snort

Terms and Utilities:

telnet
nmap
fail2ban
nc
iptables
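
Added example (not from the gist): the detection that fail2ban's sshd jail performs, written out over constructed log lines so the logic is visible. A source is reported when it produces MAXRETRY failed logins within FINDTIME seconds (a sliding window, not a per-hour bucket), and the ban action is the iptables REJECT rule fail2ban inserts in simplified form. Timestamps are read as day and time within one month, an assumption that holds for the sample; the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the gist): fail2ban-style brute-force detection over sshd logs.

sample_auth_log() {   # constructed lines in syslog format
cat <<'EOF'
Mar 18 06:20:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar 18 06:20:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51524 ssh2
Mar 18 06:20:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51526 ssh2
Mar 18 06:20:06 host sshd[1207]: Invalid user oracle from 203.0.113.7 port 51528
Mar 18 06:20:08 host sshd[1209]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar 18 06:21:00 host sshd[1211]: Failed password for alice from 198.51.100.2 port 40000 ssh2
Mar 18 06:21:30 host sshd[1213]: Accepted publickey for alice from 198.51.100.2 port 40001 ssh2: ED25519 SHA256:AAAA
Mar 18 06:22:00 host sshd[1215]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Mar 18 06:40:00 host sshd[1217]: Failed password for bob from 192.0.2.9 port 33001 ssh2
EOF
}

find_bruteforcers() {   # stdin: log; args: MAXRETRY FINDTIME_SECONDS; prints "ip failures" once per offender
    awk -v maxretry="${1:-5}" -v findtime="${2:-600}" '
        /sshd\[/ && (/Failed password/ || /Invalid user/) {
            split($3, h, ":")
            ts = $2 * 86400 + h[1] * 3600 + h[2] * 60 + h[3]        # seconds within the month
            ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            n[ip]++; t[ip, n[ip]] = ts
            # ban when the last maxretry failures all fall inside findtime
            if (!(ip in banned) && n[ip] >= maxretry && ts - t[ip, n[ip] - maxretry + 1] <= findtime) {
                banned[ip] = 1; print ip, n[ip]
            }
        }'
}

ban_rule() {   # what fail2ban's iptables action inserts, simplified (RUN=echo prints instead of applying)
    $RUN iptables -I INPUT -s "$1" -j REJECT --reject-with icmp-port-unreachable
}

RUN=echo
sample_auth_log | find_bruteforcers 5 600 | while read -r ip count; do
    echo "ban $ip after $count failures:"; ban_rule "$ip"
done
```

alice's single failure followed by a successful publickey login never reaches the threshold, and bob's two failures eighteen minutes apart only count together if findtime is widened, which is the trade-off the two parameters express. The equivalent fail2ban configuration is an [sshd] section in jail.local with enabled = true, maxretry = 5, findtime = 10m and bantime = 1h; fail2ban also unbans after bantime, which this one-shot script does not do.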

OpenVPN

Description: Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.

Key Knowledge Areas:

OpenVPN

Terms and Utilities:

/etc/openvpn/
openvpn

System Maintenance

Backup operations

Description: Candidates should be able to use system tools to back up important system data.

Key Knowledge Areas:

Knowledge about directories that have to be included in backups
Awareness of network backup solutions such as Amanda, Bacula, Bareos and BackupPC
Knowledge of the benefits and drawbacks of tapes, CDR, disk or other backup media
Perform partial and manual backups.
Verify the integrity of backup files.
Partially or fully restore backups.

Terms and Utilities:

/bin/sh
dd
tar
/dev/st* and /dev/nst*
mt
rsync
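
Added example (not from the gist): a full backup of a tree with GNU tar, a checksum record, verification of the archive, and a partial restore of one path. Relative member names (-C dir .) let the archive be restored anywhere, and -p on extraction restores the recorded modes instead of applying the umask, which matters for files such as /etc/shadow. The paths are constructed; a real job would write to /dev/nst0 (positioned with mt) or push the archive off-host with rsync.

```shell
#!/bin/sh
# Added example (not from the gist): tar backup, verification and partial restore.

backup_tree() {    # backup_tree SRC_DIR ARCHIVE
    tar -C "$1" -cf "$2" .
    ( cd "$(dirname "$2")" && sha256sum "$(basename "$2")" > "$(basename "$2").sha256" )
}

verify_backup() {  # 0 when the checksum matches and every member can be read end-to-end
    ( cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256" ) >/dev/null 2>&1 || return 1
    tar -tf "$1" >/dev/null 2>&1
}

compare_backup() { # compare_backup ARCHIVE DIR: nonzero if the tree drifted since the backup
    tar -C "$2" --diff -f "$1" >/dev/null 2>&1
}

restore_path() {   # restore_path ARCHIVE MEMBER DEST_DIR  (MEMBER as shown by tar -tf, e.g. ./etc/ssh/sshd_config)
    tar -C "$3" -xpf "$1" "$2"
}

restore_all() { tar -C "$2" -xpf "$1"; }

# Demo on a constructed tree
src=$(mktemp -d); store=$(mktemp -d)
mkdir -p "$src/etc/ssh" "$src/home/alice"
printf 'PermitRootLogin no\n' > "$src/etc/ssh/sshd_config"; chmod 600 "$src/etc/ssh/sshd_config"
printf 'notes\n' > "$src/home/alice/todo"
backup_tree "$src" "$store/full.tar"
verify_backup "$store/full.tar" && echo "archive verified"
compare_backup "$store/full.tar" "$src" && echo "tree unchanged since backup"
rm "$src/etc/ssh/sshd_config"                                  # simulate the loss
restore_path "$store/full.tar" ./etc/ssh/sshd_config "$src"    # partial restore, not the whole tree
cat "$src/etc/ssh/sshd_config"
rm -rf "$src" "$store"
```

Verification is two separate questions: the checksum says the archive is the bytes that were written, and the listing says tar can parse all of it; neither proves the data is what you need, which only a test restore shows. For the tape case, mt -f /dev/nst0 fsf N positions to the Nth file before tar -tf /dev/nst0, and the non-rewinding device (nst) is what keeps several backups on one tape.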

Notify users on system-related issues

Description: Candidates should be able to notify the users about current issues related to the system.

Key Knowledge Areas:

Automate communication with users through logon messages
Inform active users of system maintenance

Terms and Utilities:

/etc/issue
/etc/issue.net
/etc/motd
wall
/sbin/shutdown
systemctl

Access Control

Discretionary Access Control (also cover SELinux)

Description: Candidates are required to understand Discretionary Access Control and know how to implement it using Access Control Lists. Additionally, candidates are required to understand and know how to use Extended Attributes.

Key Knowledge Areas:

Understand and manage file ownership and permissions, including SUID and SGID
Understand and manage access control lists
Understand and manage extended attributes and attribute classes

Terms and Utilities:

getfacl
setfacl
getfattr
setfattr

Mandatory Access Control

Description: Candidates should be familiar with Mandatory Access Control systems for Linux. Specifically, candidates should have a thorough knowledge of SELinux. Also, candidates should be aware of other Mandatory Access Control systems for Linux. This includes major features of these systems but not configuration and use.

Key Knowledge Areas:

Understand the concepts of TE, RBAC, MAC and DAC
Configure, manage and use SELinux
Be aware of AppArmor and Smack

Terms and Utilities:

getenforce, setenforce, selinuxenabled
getsebool, setsebool, togglesebool
fixfiles, restorecon, setfiles
newrole, runcon
semanage
sestatus, seinfo
apol
seaudit, seaudit-report, audit2why, audit2allow
/etc/selinux/*

Linux File System and Share/Service Permissions

Description: Candidates should understand file permissions on a Linux file system in a mixed environment.

Key Knowledge Areas:

Knowledge of file / directory permission control
Understand how Samba interacts with Linux file system permissions and ACLs
Use Samba VFS to store Windows ACLs

Terms and Utilities:

smb.conf
chmod, chown
create mask, directory mask, force create mode, force directory mode
smbcacls
getfacl, setfacl
vfs_acl_xattr, vfs_acl_tdb and vfs objects

Cryptography

X.509 Certificates and Public Key Infrastructures

Description: Candidates should understand X.509 certificates and public key infrastructures. They should know how to configure and use OpenSSL to implement certification authorities and issue SSL certificates for various purposes.

Key Knowledge Areas:

Understand X.509 certificates, X.509 certificate lifecycle, X.509 certificate fields and X.509v3 certificate extensions
Understand trust chains and public key infrastructures
Generate and manage public and private keys
Create, operate and secure a certification authority
Request, sign and manage server and client certificates
Revoke certificates and certification authorities

The following is a partial list of the used files, terms and utilities:

openssl, including relevant subcommands
OpenSSL configuration
PEM, DER, PKCS
CSR
CRL
OCSP

X.509 Certificates for Encryption, Signing and Authentication

Description: Candidates should know how to use X.509 certificates for both server and client authentication. Candidates should be able to implement user and server authentication for Apache HTTPD. The version of Apache HTTPD covered is 2.4 or higher.

Key Knowledge Areas:

Understand SSL, TLS and protocol versions
Understand common transport layer security threats, for example Man-in-the-Middle
Configure Apache HTTPD with mod_ssl to provide HTTPS service, including SNI and HSTS
Configure Apache HTTPD with mod_ssl to authenticate users using certificates
Configure Apache HTTPD with mod_ssl to provide OCSP stapling
Use OpenSSL for SSL/TLS client and server tests

Terms and Utilities:

Intermediate certification authorities
Cipher configuration (no cipher-specific knowledge)
httpd.conf
mod_ssl
openssl
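
Added example (not from the gist): a mod_ssl configuration for Apache HTTPD 2.4 covering the points listed above: a name-based TLS virtual host (SNI), HSTS, OCSP stapling, and a second host that requires client certificates. Host names, paths and the CA, key and chain files are assumptions; mod_ssl, mod_headers and mod_socache_shmcb must be loaded. Apache does not accept comments at the end of a directive line, so every comment here is on its own line.

```apache
# Added example, not from the gist.  Server-wide settings (outside <VirtualHost>):
# the stapling cache is mandatory for SSLUseStapling, and protocol/cipher policy is global.
SSLStaplingCache      "shmcb:logs/ssl_stapling(32768)"
SSLProtocol           -all +TLSv1.2 +TLSv1.3
SSLCipherSuite        ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
# Only AEAD suites remain, so the client may choose; TLS 1.3 ignores this directive anyway.
SSLHonorCipherOrder   off
# A client that sends no SNI must not land on a name-based vhost by accident.
SSLStrictSNIVHostCheck on

# Plain HTTP only redirects.  HSTS must never be sent here: browsers ignore it over HTTP
# and an attacker-controlled HTTP response must not be able to set it.
<VirtualHost *:80>
    ServerName www.example.test
    Redirect permanent / https://www.example.test/
</VirtualHost>

# Public site: SNI-selected certificate, stapled OCSP response, HSTS
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    # leaf certificate followed by the intermediate; httpd 2.4.8+ reads the chain from this file
    SSLCertificateFile    /etc/ssl/example/web.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/web.key
    SSLUseStapling on
    # a failed OCSP fetch at the server must not turn into a failed handshake for clients
    SSLStaplingReturnResponderErrors off
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

# Admin site: the same, plus certificate-based client authentication
<VirtualHost *:443>
    ServerName admin.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/admin.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/admin.key
    SSLUseStapling on
    # the handshake fails unless the client presents a certificate chaining to the CAs below
    SSLVerifyClient require
    # client certificate -> intermediate -> root
    SSLVerifyDepth 2
    # every CA allowed to issue client certificates (root and intermediate concatenated)
    SSLCACertificateFile /etc/ssl/example/client-ca-chain.pem
    # revoked client certificates, checked along the whole chain
    SSLCARevocationFile  /etc/ssl/example/client-ca.crl
    SSLCARevocationCheck chain
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
```

Check it with apachectl configtest, then with the OpenSSL client: openssl s_client -connect www.example.test:443 -servername www.example.test -status </dev/null, where -servername is what sends SNI and the output should contain "OCSP Response Status: successful"; for the admin host add -cert client.crt -key client.key and confirm the handshake fails without them. openssl s_server -accept 8443 -cert server.crt -key server.key -www is the matching tool for testing a client.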

DNS and Cryptography

Description: Candidates should have experience and knowledge of cryptography in the context of DNS and its implementation using BIND. The version of BIND covered is 9.7 or higher.

Key Knowledge Areas:

Understanding of DNSSEC and DANE
Configure and troubleshoot BIND as an authoritative name server serving DNSSEC secured zones
Configure BIND as a recursive name server that performs DNSSEC validation on behalf of its clients
Key Signing Key, Zone Signing Key, Key Tag
Key generation, key storage, key management and key rollover
Maintenance and re-signing of zones
Use DANE to publish X.509 certificate information in DNS
Use TSIG for secure communication with BIND

Terms and Utilities:

DNS, EDNS, Zones, Resource Records
DNS resource records: DS, DNSKEY, RRSIG, NSEC, NSEC3, NSEC3PARAM, TLSA
DO-Bit, AD-Bit
TSIG
named.conf
dnssec-keygen
dnssec-signzone
dnssec-settime
dnssec-dsfromkey
rndc
dig
delv
openssl
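
Added example (not from the gist) for the DANE objective above: build the TLSA record that DANE (RFC 6698) publishes for a certificate, for each selector and matching type the record format defines, and check a presented certificate against a published record. Selector 0 covers the whole DER certificate and 1 the SubjectPublicKeyInfo; matching type 0 is the raw hex, 1 SHA-256, 2 SHA-512. "3 1 1" (DANE-EE, SPKI, SHA-256) is the usual choice because the record survives certificate renewal as long as the key is kept. The zone, port and the self-signed demo certificate are constructed; needs openssl(1) and coreutils.

```shell
#!/bin/sh
# Added example (not from the gist): TLSA record generation and matching.

cert_bytes() {      # cert_bytes CERT SELECTOR -> DER bytes on stdout
    case "$2" in
        0) openssl x509 -in "$1" -outform DER ;;
        1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        *) echo "selector must be 0 or 1" >&2; return 1 ;;
    esac
}

digest_bytes() {    # digest_bytes MATCHING_TYPE: stdin -> lowercase hex
    case "$1" in
        0) od -An -v -tx1 | tr -d ' \n' ;;
        1) sha256sum | cut -d' ' -f1 ;;
        2) sha512sum | cut -d' ' -f1 ;;
        *) echo "matching type must be 0, 1 or 2" >&2; return 1 ;;
    esac
}

tlsa_record() {     # tlsa_record ZONE PORT CERT USAGE SELECTOR MTYPE -> zone-file line
    printf '_%s._tcp.%s. IN TLSA %s %s %s %s\n' "$2" "$1" "$4" "$5" "$6" \
        "$(cert_bytes "$3" "$5" | digest_bytes "$6")"
}

tlsa_matches() {    # tlsa_matches CERT SELECTOR MTYPE HEX -> 0 if CERT matches the published data
    [ "$(cert_bytes "$1" "$2" | digest_bytes "$3")" = "$(printf '%s' "$4" | tr 'A-F' 'a-f')" ]
}

demo_cert() {       # self-signed certificate for the demo (constructed; a real record covers the served cert)
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\n' > "$1.cnf"
    openssl req -x509 -config "$1.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

d=$(mktemp -d)
demo_cert "$d/mail" mail.example.test
# The line to put in the signed zone; verify publication with: dig +dnssec TLSA _25._tcp.example.test
tlsa_record example.test 25 "$d/mail.crt" 3 1 1
rm -rf "$d"
```

A TLSA record is only as trustworthy as the DNS answer that carries it, so the zone must be DNSSEC-signed and the client must validate (the AD bit from a validating resolver, or delv, which validates locally); an unsigned TLSA record adds nothing over the plain PKI. After a key rollover on the service, publish the new "3 1 1" record alongside the old one for at least the record TTL before switching certificates, or clients that cached the old record will refuse the new key.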