Description: Candidates should be able to configure BIND to function as a caching-only DNS server. This objective includes the ability to manage a running server and configure logging.
Key Knowledge Areas:
BIND 9.x configuration files, terms and utilities
Defining the location of the BIND zone files in BIND configuration files
Reloading modified configuration and zone files
Awareness of dnsmasq, djbdns and PowerDNS as alternate name servers
The following is a partial list of the used files, terms and utilities:
/etc/named.conf
/var/named/
/usr/sbin/rndc
kill
host
dig
Description: Candidates should be able to create a zone file for a forward or reverse zone and hints for root level servers. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
Key Knowledge Areas:
BIND 9 configuration files, terms and utilities
Utilities to request information from the DNS server
Layout, content and file location of the BIND zone files
Various methods to add a new host in the zone files, including reverse zones
Terms and Utilities:
/var/named/
zone file syntax
resource record formats
named-checkzone
named-compilezone
masterfile-format
dig
nslookup
host
Description: Candidates should be able to configure a DNS server to run as a non-root user and run in a chroot jail. This objective includes secure exchange of data between DNS servers.
Key Knowledge Areas:
BIND 9 configuration files
Configuring BIND to run in a chroot jail
Split configuration of BIND using the forwarders statement
Configuring and using transaction signatures (TSIG)
Awareness of DNSSEC and basic tools
Awareness of DANE and related records
Terms and Utilities:
/etc/named.conf
/etc/passwd
DNSSEC
dnssec-keygen
dnssec-signzone
Description: Candidates should be able to install and configure a web server. This objective includes monitoring the server’s load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
Key Knowledge Areas:
Apache 2.4 configuration files, terms and utilities
Apache log files configuration and content
Access restriction methods and files
mod_perl and PHP configuration
Client user authentication files and utilities
Configuration of maximum requests, minimum and maximum servers and clients
Apache 2.4 virtual host implementation (with and without dedicated IP addresses)
Using redirect statements in Apache’s configuration files to customize file access
Terms and Utilities:
access logs and error logs
.htaccess
httpd.conf
mod_auth_basic, mod_authz_host and mod_access_compat
htpasswd
AuthUserFile, AuthGroupFile
apachectl, apache2ctl
httpd, apache2
Description: Candidates should be able to configure a web server to provide HTTPS.
Key Knowledge Areas:
SSL configuration files, tools and utilities
Generate a server private key and CSR for a commercial CA
Generate a self-signed Certificate
Install the key and certificate, including intermediate CAs
Configure Virtual Hosting using SNI
Awareness of the issues with Virtual Hosting and use of SSL
Security issues in SSL use, disable insecure protocols and ciphers
Terms and Utilities:
Apache2 configuration files
/etc/ssl/, /etc/pki/
openssl, CA.pl
SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
SSLCACertificateFile, SSLCACertificatePath
SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable
Description: Candidates should be able to install and configure a reverse proxy server, Nginx. Basic configuration of Nginx as an HTTP server is included.
Key Knowledge Areas:
Nginx
Reverse Proxy
Basic Web Server
Terms and Utilities:
/etc/nginx/
nginx
Description: Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.
Key Knowledge Areas:
Squid 3.x configuration files, terms and utilities
Access restriction methods
Client user authentication methods
Layout and content of ACL in the Squid configuration files
Terms and Utilities:
squid.conf
acl
http_access
Description: Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS and printer shares is covered. Also covered is configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
Key Knowledge Areas:
Samba 4 documentation
Samba 4 configuration files
Samba 4 tools and utilities and daemons
Mounting CIFS shares on Linux
Mapping Windows user names to Linux user names
User-Level, Share-Level and AD security
Terms and Utilities:
smbd, nmbd, winbindd
smbcontrol, smbstatus, testparm, smbpasswd, nmblookup
samba-tool
net
smbclient
mount.cifs
/etc/samba/
/var/log/samba/
Description: Candidates should understand the essential concepts of Samba. As well, the major differences between Samba3 and Samba4 should be known.
Key Knowledge Areas:
Understand the roles of the Samba daemons and components
Understand key issues regarding heterogeneous networks
Identify key TCP/UDP ports used with SMB/CIFS
Knowledge of Samba3 and Samba4 differences
The following is a partial list of the used files, terms and utilities:
/etc/services
Samba daemons: smbd, nmbd, samba, winbindd
Description: Candidates should be able to configure the Samba daemons for a wide variety of purposes.
Key Knowledge Areas:
Knowledge of Samba server configuration file structure
Knowledge of Samba variables and configuration parameters
Troubleshoot and debug configuration problems with Samba
Terms and Utilities:
smb.conf
smb.conf parameters
smb.conf variables
testparm
secrets.tdb
Description: Candidates should know about the various tools and utilities that are part of a Samba installation.
Key Knowledge Areas:
Monitor and interact with running Samba daemons
Perform regular backups of Samba configuration and state data
Terms and Utilities:
smbcontrol
smbstatus
tdbbackup
Description: Candidates should understand the structure of trivial database files and know how to troubleshoot problems.
Key Knowledge Areas:
Configure Samba logging
Backup TDB files
Restore TDB files
Identify TDB file corruption
Edit / list TDB file content
Terms and Utilities:
/var/log/samba/
log level
debuglevel
smbpasswd
pdbedit
secrets.tdb
tdbbackup
tdbdump
tdbrestore
tdbtool
Description: Candidates should be able to work with internationalization character codes and code pages.
Key Knowledge Areas:
Understand internationalization character codes and code pages
Understand the difference in the name space between Windows and Linux/Unix with respect to share, file and directory names in a non-English environment
Understand the difference in the name space between Windows and Linux/Unix with respect to user and group naming in a non-English environment
Understand the difference in the name space between Windows and Linux/Unix with respect to computer naming in a non-English environment
Terms and Utilities:
internationalization
character codes
code pages
smb.conf
dos charset, display charset and unix charset
Description: Candidates should be able to create and configure file shares in a mixed environment.
Key Knowledge Areas:
Create and configure file sharing
Plan file service migration
Limit access to IPC$
Create scripts for user and group handling of file shares
Samba share access configuration parameters
Terms and Utilities:
smb.conf
[homes]
smbcquotas
smbsh
browseable, writeable, valid users, write list, read list, read only and guest ok
IPC$
mount, smbmount
Description: Candidates should be able to manage user and group accounts in a mixed environment.
Key Knowledge Areas:
Manage user and group accounts
Understand user and group mapping
Knowledge of user account management tools
Use of the smbpasswd program
Force ownership of file and directory objects
Terms and Utilities:
pdbedit
smb.conf
samba-tool user (with subcommands)
samba-tool group (with subcommands)
smbpasswd
/etc/passwd
/etc/group
force user, force group
idmap
Description: Candidates should understand the various authentication mechanisms and configure access control. Candidates should be able to install and configure the Winbind service.
Key Knowledge Areas:
Set up a local password database
Perform password synchronization
Knowledge of different passdb backends
Convert between Samba passdb backends
Integrate Samba with LDAP
Configure Winbind service
Configure PAM and NSS
Terms and Utilities:
smb.conf
smbpasswd, tdbsam, ldapsam
passdb backend
libnss_winbind
libpam_winbind
libpam_smbpass
wbinfo
getent
SID and foreign SID
/etc/passwd
/etc/group
Description: Candidates should be able to set up and maintain primary and backup domain controllers. Candidates should be able to manage Windows/Linux client access to the NT-Style domains.
Key Knowledge Areas:
Understand and configure domain membership and trust relationships
Create and maintain a primary domain controller with Samba3 and Samba4
Create and maintain a backup domain controller with Samba3 and Samba4
Add computers to an existing domain
Configure logon scripts
Configure roaming profiles
Configure system policies
Terms and Utilities:
smb.conf
security mode
server role
domain logons
domain master
logon script
logon path
NTConfig.pol
net
profiles
add machine script
profile acls
Description: Candidates should be familiar with FreeIPA v4.x. This includes installation and maintenance of a server instance with a FreeIPA domain as well as integration of FreeIPA with Active Directory.
Key Knowledge Areas:
Understand FreeIPA, including its architecture and components
Understand system and configuration prerequisites for installing FreeIPA
Install and manage a FreeIPA server and domain
Understand and configure Active Directory replication and Kerberos cross-realm trusts
Be aware of sudo, autofs, SSH and SELinux integration in FreeIPA
Terms and Utilities:
389 Directory Server, MIT Kerberos, Dogtag Certificate System, NTP, DNS, SSSD, certmonger
ipa, including relevant subcommands
ipa-server-install, ipa-client-install, ipa-replica-install
ipa-replica-prepare, ipa-replica-manage
Description: Candidates should be able to configure Samba 4 as an AD Domain Controller.
Key Knowledge Areas:
Configure and test Samba 4 as an AD DC
Using smbclient to confirm AD operation
Understand how Samba integrates with AD services: DNS, Kerberos, NTP, LDAP
Terms and Utilities:
smb.conf
server role
samba-tool domain (with subcommands)
samba
Description: Candidates should be able to integrate Linux servers into an environment where Active Directory is present.
Key Knowledge Areas:
Joining Samba to an existing NT4 domain
Joining Samba to an existing AD domain
Ability to obtain a TGT from a KDC
Terms and Utilities:
smb.conf
server role
server security
net command
kinit, TGT and REALM
NetBIOS and WINS
Description: Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing.
Key Knowledge Areas:
Understand WINS concepts
Understand NetBIOS concepts
Understand the role of a local master browser
Understand the role of a domain master browser
Understand the role of Samba as a WINS server
Understand name resolution
Configure Samba as a WINS server
Configure WINS replication
Understand NetBIOS browsing and browser elections
Understand NetBIOS name types
Terms and Utilities:
smb.conf
nmblookup
smbclient
name resolve order
lmhosts
wins support, wins server, wins proxy, dns proxy
domain master, os level, preferred master
Description: Candidates should be familiar with the internal DNS server with Samba4.
Key Knowledge Areas:
Understand and manage DNS for Samba4 as an AD Domain Controller
DNS forwarding with the internal DNS server of Samba4
Terms and Utilities:
samba-tool dns (with subcommands)
smb.conf
dns forwarder
/etc/resolv.conf
dig, host
Description: Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
Key Knowledge Areas:
NFS version 3 configuration files
NFS tools and utilities
Access restrictions to certain hosts and/or subnets
Mount options on server and client
TCP Wrappers
Awareness of NFSv4
Terms and Utilities:
/etc/exports
exportfs
showmount
nfsstat
/proc/mounts
/etc/fstab
rpcinfo
mountd
portmapper
Description: Candidates should have experience and knowledge of security issues in use and configuration of NFSv4 clients and servers as well as CIFS client services. Earlier versions of NFS are not required knowledge.
Key Knowledge Areas:
Understand NFSv4 security issues and improvements
Configure NFSv4 server and clients
Understand and configure NFSv4 authentication mechanisms (LIPKEY, SPKM, Kerberos)
Understand and use NFSv4 pseudo file system
Understand and use NFSv4 ACLs
Configure CIFS clients
Understand and use CIFS Unix Extensions
Understand and configure CIFS security modes (NTLM, Kerberos)
Understand and manage mapping and handling of CIFS ACLs and SIDs in a Linux system
Terms and Utilities:
/etc/exports
/etc/idmap.conf
nfs4acl
mount.cifs parameters related to ownership, permissions and security modes
winbind
getcifsacl, setcifsacl
Description: Candidates should be comfortable working with CIFS in a mixed environment.
Key Knowledge Areas:
Understand SMB/CIFS concepts
Access and mount remote CIFS shares from a Linux client
Securely storing CIFS credentials
Understand features and benefits of CIFS
Understand permissions and file ownership of remote CIFS shares
Terms and Utilities:
SMB/CIFS
mount, mount.cifs
smbclient
smbget
smbtar
smbtree
findsmb
smb.conf
smbcquotas
/etc/fstab
Description: Candidates should be able to interact with remote Windows clients, and configure Windows workstations to access file and print services from Linux servers.
Key Knowledge Areas:
Knowledge of Windows clients
Explore browse lists and SMB clients from Windows
Share file / print resources from Windows
Use of the smbclient program
Use of the Windows net utility
Terms and Utilities:
Windows net command
smbclient
control panel
rdesktop
workgroup
Description: Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
Key Knowledge Areas:
DHCP configuration files, terms and utilities
Subnet and dynamically-allocated range setup
Awareness of DHCPv6 and IPv6 Router Advertisements
Terms and Utilities:
dhcpd.conf
dhcpd.leases
DHCP Log messages in syslog or systemd journal
arp
dhcpd
radvd
radvd.conf
Description: The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
Key Knowledge Areas:
PAM configuration files, terms and utilities
passwd and shadow passwords
Use sssd for LDAP authentication
Terms and Utilities:
/etc/pam.d/
pam.conf
nsswitch.conf
pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss
sssd.conf
Description: Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls.
Key Knowledge Areas:
OpenLDAP
Directory based configuration
Access Control
Distinguished Names
Changetype Operations
Schemas and Whitepages
Directories
Object IDs, Attributes and Classes
Terms and Utilities:
slapd
slapd-config
LDIF
slapadd
slapcat
slapindex
/var/lib/ldap/
loglevel
Description: Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
Key Knowledge Areas:
LDAP utilities for data management and queries
Change user passwords
Querying the LDAP directory
Terms and Utilities:
ldapsearch
ldappasswd
ldapadd
ldapdelete
Description: Candidates should be familiar with the server replication available with OpenLDAP.
Key Knowledge Areas:
Replication concepts
Configure OpenLDAP replication
Analyze replication log files
Understand replica hubs
LDAP referrals
LDAP sync replication
The following is a partial list of the used files, terms and utilities:
master / slave server
multi-master replication
consumer
replica hub
one-shot mode
referral
syncrepl
pull-based / push-based synchronization
refreshOnly and refreshAndPersist
replog
Description: Candidates should be able to configure encrypted access to the LDAP directory, and restrict access at the firewall level.
Key Knowledge Areas:
Securing the directory with SSL and TLS
Firewall considerations
Unauthenticated access methods
User / password authentication methods
Maintenance of SASL user DB
Client / server certificates
Terms and Utilities:
SSL / TLS
Security Strength Factors (SSF)
SASL
proxy authorization
StartTLS
iptables
Description: Candidates should be capable of measuring the performance of an LDAP server, and tuning configuration directives.
Key Knowledge Areas:
Measure OpenLDAP performance
Tune software configuration to increase performance
Understand indexes
Terms and Utilities:
index
DB_CONFIG
Description: Candidates should be able to configure PAM and NSS to retrieve information from an LDAP directory.
Key Knowledge Areas:
Configure PAM to use LDAP for authentication
Configure NSS to retrieve information from LDAP
Configure PAM modules in various Unix environments
Terms and Utilities:
PAM
NSS
/etc/pam.d/
/etc/nsswitch.conf
Description: Candidates should be able to integrate LDAP with Active Directory Services.
Key Knowledge Areas:
Kerberos integration with LDAP
Cross platform authentication
Single sign-on concepts
Integration and compatibility limitations between OpenLDAP and Active Directory
Terms and Utilities:
Kerberos
Active Directory
single sign-on
DNS
Description: Candidates should be able to manage an e-mail server, including the configuration of e-mail aliases, e-mail quotas and virtual e-mail domains. This objective includes configuring internal e-mail relays and monitoring e-mail servers.
Key Knowledge Areas:
Configuration files for postfix
Basic TLS configuration for postfix
Basic knowledge of the SMTP protocol
Awareness of sendmail and exim
Terms and Utilities:
Configuration files and commands for postfix
/etc/postfix/
/var/spool/postfix/
sendmail emulation layer commands
/etc/aliases
mail-related logs in /var/log/
Description: Candidates should be able to implement client e-mail management software to filter, sort and monitor incoming user e-mail.
Key Knowledge Areas:
Understanding of Sieve functionality, syntax and operators
Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size
Awareness of procmail
Terms and Utilities:
Conditions and comparison operators
keep, fileinto, redirect, reject, discard, stop
Dovecot vacation extension
Description: Candidates should be able to install and configure POP and IMAP daemons.
Key Knowledge Areas:
Dovecot IMAP and POP3 configuration and administration
Basic TLS configuration for Dovecot
Awareness of Courier
Terms and Utilities:
/etc/dovecot/
dovecot.conf
doveconf
doveadm
Description: Candidates should be aware of the commonly available MTA programs and be able to perform basic forward and alias configuration on a client host. Other configuration files are not covered.
Key Knowledge Areas:
Create e-mail aliases.
Configure e-mail forwarding.
Knowledge of commonly available MTA programs (postfix, sendmail, exim) (no configuration).
Terms and Utilities:
~/.forward
sendmail emulation layer commands
newaliases
mail
mailq
postfix
sendmail
exim