دوره LPIC 3-303 Linux Security

• Understand X.509 certificates, X.509 certificate lifecycle, X.509 certificate fields and X.509v3 certificate extensions
• Understand trust chains and public key infrastructures, including certificate transparency
• Generate and manage public and private keys
• Create, operate and secure a certification authority
• Request, sign and manage server and client certificates
• Revoke certificates and certification authorities
• Basic feature knowledge of Let’s Encrypt, ACME and certbot
• Basic feature knowledge of CFSSL

• Understand SSL, TLS, including protocol versions and ciphers
• Configure Apache HTTPD with mod_ssl to provide HTTPS service, including SNI and HSTS
• Configure Apache HTTPD with mod_ssl to serve certificate chains and adjust the cipher configuration (no cipher-specific knowledge)
• Configure Apache HTTPD with mod_ssl to authenticate users using certificates
• Configure Apache HTTPD with mod_ssl to provide OCSP stapling
• Use OpenSSL for SSL/TLS client and server tests repositories

• Understand block device and file system encryption
• Use dm-crypt with LUKS1 to encrypt block devices
• Use eCryptfs to encrypt file systems, including home directories and PAM integration
• Awareness of plain dm-crypt
• Awareness of LUKS2 features
• Conceptual understanding of Clevis for LUKS devices and Clevis PINs for TMP2 and Network Bound Disk Encryption (NBDE)/Tang

• Understand the concepts of DNS, zones and resource records
• Understand DNSSEC, including key signing keys, zone signing keys and relevant DNS records such as DS, DNSKEY, RRSIG, NSEC, NSEC3 and NSEC3PARAM
• Configure and troubleshoot BIND as an authoritative name server serving DNSSEC secured zones
• Manage DNSSEC signed zones, including key generation, key rollover and re-signing of zones
• Configure BIND as an recursive name server that performs DNSSEC validation on behalf of its clients
• Understand CAA and DANE, including relevant DNS records such as CAA and TLSA
• Use CAA and DANE to publish X.509 certificate and certificate authority information in DNS
• Use TSIG for secure communication with BIND
• Awareness of DNS over TLS and DNS over HTTPS
• Awareness of Multicast DNS

• Configure BIOS and boot loader (GRUB 2) security
• Disable unused software and services
• Understand and drop unnecessary capabilities for specific systemd units and the entire system
• Understand and configure Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and Exec-Shield
• Black and white list USB devices attached to a computer using USBGuard
• Create an SSH CA, create SSH certificates for host and user keys using the CA and configure OpenSSH to use SSH certificates
• Work with chroot environments
• Use systemd units to limit the system calls and capabilities available to a process
• Use systemd units to start processes with limited or no access to specific files and devices
• Use systemd units to start processes with dedicated temporary and /dev directories and without network access
• Understand the implications of Linux Meltdown and Spectre mitigations and enable/disable the mitigations
• Awareness of polkit
• Awareness of the security advantages of virtualization and containerization

• Use and configure the Linux Audit system
• Use chkrootkit
• Use and configure rkhunter, including updates
• Use Linux Malware Detect
• Automate host scans using cron
• Use RPM and DPKG package management tools to verify the integrity of installed files
• Configure and use AIDE, including rule management
• Awareness of OpenSCAP

• Understand and configure ulimits
• Understand cgroups, including classes, limits and accounting
• Manage cgroups and process cgroup association
• Understand systemd slices, scopes and services
• Use systemd units to limit the system resources processes can consume
• Awareness of cgmanager and libcgroup utilities

• Understand and manage file ownership and permissions, including SetUID and SetGID bits
• Understand and manage access control lists
• Understand and manage extended attributes and attribute classes

• Understand the concepts of type enforcement, role based access control, mandatory access control and discretionary access control
• Configure, manage and use SELinux
• Awareness of AppArmor and Smack

• Understand wireless networks security mechanisms
• Configure FreeRADIUS to authenticate network nodes
• Use Wireshark and tcpdump to analyze network traffic, including filters and statistics
• Use Kismet to analyze wireless networks and capture wireless network traffic
• Identify and deal with rogue router advertisements and DHCP messages
• Awareness of aircrack-ng and bettercap

• Implement bandwidth usage monitoring
• Configure and use Snort, including rule management
• Configure and use OpenVAS, including NASL

• Understand common firewall architectures, including DMZ
• Understand and use iptables and ip6tables, including standard modules, tests and targets
• Implement packet filtering for IPv4 and IPv6
• Implement connection tracking and network address translation
• Manage IP sets and use them in netfilter rules
• Awareness of nftables and nft
• Awareness of ebtables
• Awareness of conntrackd

• Understand the principles of bridged and routed VPNs
• Understand the principles and major differences of the OpenVPN, IPsec, IKEv2 and WireGuard protocols
• Configure and operate OpenVPN servers and clients
• Configure and operate IPsec servers and clients using strongSwan
• Configure and operate WireGuard servers and clients
• Awareness of L2TP

• Conceptual understanding of threats against individual nodes
• Conceptual understanding of threats against networks
• Conceptual understanding of threats against application
• Conceptual understanding of threats against credentials and confidentiality
• Conceptual understanding of honeypots

• Understand the concepts of penetration testing and ethical hacking
• Understand legal implications of penetration testing
• Understand the phases of penetration tests, such as active and passive information gathering, enumeration, gaining access, privilege escalation, access maintenance, covering tracks
• Understand the architecture and components of Metasploit, including Metasploit module types and how Metasploit integrates various security tools
• Use nmap to scan networks and hosts, including different scan methods, version scans and operating system recognition
• Understand the concepts of Nmap Scripting Engine and execute existing scripts
• Awareness of Kali Linux, Armitage and the Social Engineer Toolkit (SET)