
LinuxCBT Security Edition encompasses 9 pivotal security modules:

1. Security Basics (fundamentals)
2. Proxy Security featuring Squid
3. Firewall Security featuring IPTables
4. SELinux Security - MAC-based Security Controls
5. Network Intrusion Detection System (NIDS) Security featuring Snort® NIDS
6. Packet | Capture | Analysis Security featuring Ethereal®
7. Pluggable Authentication Modules (PAM) Security
8. Open Secure Shell version 2 (OpenSSHv2) Security
9. OpenPGP with Gnu Privacy Guard (GPG) Security

LinuxCBT Security Edition is unparalleled in content, depth and expertise. It entails 89 hours, or roughly 2 weeks, of classroom training. LinuxCBT Security Edition prepares you or your organization to successfully secure GNU/Linux & Open Source-based solutions. As a by-product, many of the covered concepts, utilities and tricks are applicable to heterogeneous computing environments, ensuring your coverage of the fundamentals of securing corporate infrastructures.
Recommended Prerequisites:
• Any LinuxCBT Operating System Course (Classic/EL-4/SUSE/Debian Editions)
• Open mind & determination to master Linux and related open-source applications
• Basic understanding of networking concepts
• Access to a PC to follow the exercises

Basic Security - Module 1
• Boot Security
○ Explore Dell PowerEdge BIOS Security-related features
○ Discuss concepts & improve Dell PowerEdge BIOS security
○ Explain run-time boot loader vulnerabilities
○ Explore single-user mode (rootshell) and its inherent problems
○ Modify default GRUB startup options & examine results
○ Secure boot loader using MD5 hash
○ Identify key startup-related configuration files & define boot security measures
○ Identify key boot-related utilities
○ Confirm expected hardware configuration
○ Discuss INIT process, runlevel configuration & concepts
○ Explore & tighten the security of the INIT configuration

• Shell Security
○ Confirm expected applications
○ Discuss Teletype Terminals (TTYs) and Pseudo Terminals (PTS)
○ Identify common TTYs and PTSs
○ Track current TTYs and PTSs - character devices
○ Discuss concepts related to privileged and non-privileged use
○ Restrict privileged login
○ Use SSH and discuss TTYs
○ Discuss the importance of consistent system-wide banners & messages
○ Define and configure system banners for pre and post-system-access
○ Identify user-logon history and correlate to TTYs
○ Identify current user-connections - console-based and network-based
○ Use lsof to identify open files and sockets

• Syslog Security
○ Discuss Syslog concepts and applications
○ Explain Syslog semantics - facilities & levels - message handling & routing
○ Focus on security-related Syslog facilities
○ Examine security logs managed by Syslog
○ Configure Network Time Protocol (NTP) on interesting hosts
○ Secure NTP configuration
○ Ensure time consistency to preserve log-integrity
○ Configure Syslog replication to preserve log-integrity
○ Identify log discrepancies between Syslog hosts

• Reconnaissance & Vulnerability Assessment Tools
○ Discuss Stage-1 host/network attack concepts
○ Upgrade NMAP reconnaissance tool to increase effectiveness
○ Identify NMAP files
○ Discuss TCP handshake procedure
○ Discuss half-open/SYN connections
○ Perform connect and SYN-based host/network reconnaissance
○ Identify potential vulnerabilities on interesting hosts derived from reconnaissance
○ Examine NMAP logging capabilities
○ Perform port sweeps to identify common vulnerabilities across exposed systems
○ Secure exposed daemons/services
○ Perform follow-up audit to ensure security policy compliance
○ Discuss vulnerability scanner capabilities and applications
○ Prepare system for Nessus vulnerability scanner installation - identify/install dependencies
○ Generate self-signed SSL/TLS certificates for secure client/server communications
○ Activate Nessus subscription, server and client components
○ Explore vulnerability scanner interface and features
○ Perform network-based reconnaissance attack to determine vulnerabilities
○ Examine results of the reconnaissance attack and archive results
○ Secure exposed vulnerabilities

• XINETD - TCPWrappers - Chattr - Lsattr - TCPDump - Clear Text Daemons
○ Install Telnet Daemon
○ Install Very Secure FTP Daemon (VSFTPD)
○ Explore XINETD configuration and explain directives
○ Configure XINETD to restrict communications at layer-3 and layer-4
○ Restrict access to XINETD-protected daemons/services based on time range
○ Examine XINETD logging via Syslog
○ Discuss TCPWrappers security concepts & applications
○ Enhance Telnetd security with TCPWrappers
○ Confirm XINETD & TCPWrappers security
○ Discuss chattr applications & usage
○ Identify & flag key files as immutable to deter modification
○ Confirm extended attributes (XATTRs)
○ Discuss TCPDump applications & usage
○ Configure TCPDump to intercept Telnet & FTP - clear-text traffic
○ Use Ethereal to examine & reconstruct captured clear-text traffic

• Secure Shell (SSH) & MD5SUM Applications
○ Use Ethereal to examine SSH streams
○ Generate RSA/DSA PKI usage keys
○ Configure Public Key Infrastructure (PKI) based authentication
○ Secure PKI authentication files
○ Use SCP to transfer files securely in non-interactive mode
○ Use SFTP to transfer files securely in interactive mode
○ Configure SSH to support a pseudo-VPN using SSH-Tunnelling
○ Discuss MD5SUM concepts and applications
○ Compare & contrast modified files using MD5SUM
○ Use MD5SUM to verify the integrity of downloaded files

• GNU Privacy Guard (GPG) - Pretty Good Privacy (PGP) Compatible - PKI
○ Discuss GPG concepts & applications - symmetric/asymmetric encryption
○ Generate asymmetric RSA/DSA GPG/PGP usage keys - for multiple users
○ Create a local web of trust
○ Perform encrypts/decrypts and test data-exchanges
○ Sign encrypted content and verify signatures @ recipient
○ Import & export public keys for usage
○ Use GPG/PGP with Mutt Mail User Agent (MUA)

• AIDE File Integrity Implementation
○ Discuss file-integrity checker concepts & applications
○ Identify online repository & download AIDE
○ Install AIDE on interesting hosts
○ Configure AIDE to protect key files & directories
○ Alter file system objects and confirm modifications using AIDE
○ Audit the file system using AIDE

• Rootkits
○ Discuss rootkits concepts & applications
○ Describe privilege elevation techniques
○ Obtain & install T0rnkit - rootkit
○ Identify system changes due to the rootkit
○ Implement T0rnkit with AIDE to identify compromised system objects
○ Implement T0rnkit with chkrootkit to identify rootkits
○ T0rnkit - rootkit - cleanup
○ Implement N-DU rootkit
○ Evaluate system changes

• Bastille Linux - OS-Hardening
○ Discuss Bastille Linux system hardening capabilities
○ Obtain Bastille Linux & perform a system assessment
○ Install Bastille Linux
○ Evaluate hardened system components

Proxy Security - Module 2
• Squid Proxy Initialization
○ Discuss Squid concepts & applications
○ Discuss DNS application
○ Configure DNS on primary SuSE Linux server for the Squid Proxy environment
○ Confirm DNS environment
○ Start Squid and evaluate default configuration
○ Install Squid Proxy server

• General Proxy Usage
○ Configure web browser to utilize proxy services
○ Grant permissions to permit local hosts to utilize proxy services
○ Discuss ideal file system layout - partitioning
○ Explore key configuration files
○ Use client to test the performance of proxy services
○ Discuss HIT/MISS logic for serving content
○ Configure proxy support for text-based (lftp/wget/lynx) HTTP clients

• Squid Proxy Logs
○ Discuss Squid Proxy logging mechanism
○ Identify key log files
○ Discuss & explore the Access log to identify HITS and/or MISSES
○ Discuss & explore the Store log to identify cached content
○ Convert Squid logs to the Common Log Format (CLF) for easy processing
○ Discuss key CLF fields
○ Configure Webalizer to process Squid-CLF logs
○ Revert to Squid Native logs
○ Discuss key Native log fields
○ Configure Webalizer to process Squid Native logs

• Squid Network Configuration & System Stats
○ Discuss cachemgr.cgi Common Gateway Interface (CGI) script
○ Explore the available metrics provided by cachemgr.cgi
○ Change default Squid Proxy port
○ Modify text/graphical clients and test communications
○ Discuss Safe Ports - usage & applications

• Squid Access Control Lists (ACLs)
○ Intro to Access Control Lists (ACLs) - syntax
○ Define & test multiple HTTP-based ACLs
○ Define & test ACL lists - to support multiple hosts/subnets
○ Define & test time-based ACLs
○ Nest ACLs to tighten security
○ Implement destination domain based ACLs
○ Exempt destination domains from being cached to ensure content freshness
○ Define & test ANDed ACLs
○ Discuss the benefits of Regular Expressions (Regexes)
○ Implement Regular Expressions ACLs to match URL patterns
○ Exempt hosts/subnets from being cached or using the Squid cache
○ Force cache usage
○ Configure enterprise-class Cisco PIX firewall to deny outbound traffic
○ Configure DNS round-robin with multiple Squid Proxy caches for load-balancing
○ Discuss delay pool concepts & applications - bandwidth management
○ Configure delay pools - to support rate-limiting
○ Examine results of various delay pool classes
○ Enforce maximum connections to deter Denial of Service (DoS) attacks
○ Verify maximum connections comply with security policy

• Squid Proxy Hierarchies
○ Discuss Squid cache hierarchy concepts & applications
○ Ensure communications through a primary cache server - double-auditing
○ Discuss and configure parent-child bypass based on ACLs
○ Configure Intranet ACLs for peer-cache bypass
○ Discuss & implement Squid cache hierarchy siblings
○ Configure transparent proxy services

Firewall Security - Module 3
• Intro IPTables
○ Discuss key IPTables concepts
○ OSI Model discussion
○ Determine if IPTables support is available in the current kernel
○ Identify key IPTables modules and supporting files
○ Explore and examine the default tables
○ Learn IPTables Access Control List (ACL) syntax
○ Discuss ACL management
○ Learn to Save & Restore IPTables ACLs

• IPTables - Chain Management
○ Explore the various chains in the default tables
○ Discuss the purpose of each chain
○ Examine packet counts & bytes traversing the various chains
○ Focus on appending and inserting new ACLs into pre-defined chains
○ Write rules to permit common traffic flows
○ Delete & Replace ACLs to alter security policy
○ Flush ACLs - reset the security policy to defaults
○ Zero packet counts & bytes - bandwidth usage monitoring
○ Create user-defined chains to perform additional packet handling
○ Rename chains to suit the security policy/nomenclature
○ Discuss & explore chain policy

• IPTables - Packet Matching & Handling
○ Explain the basics of packet matching
○ Identify key layer-3/4 match objects - (Source/Dest IPs, Source/Dest Ports, etc.)
○ Explore the multi-homed configuration
○ Block traffic based on untrusted (Internet-facing) interface
○ Perform packet matching/handling based on common TCP streams
○ Perform packet matching/handling based on common UDP datagrams
○ Perform packet matching/handling based on common ICMP traffic
○ Write fewer rules (ACLs) by specifying lists of interesting layer-4 ports
○ Discuss layer-3/4 IPTables default packet matching
○ Discuss default layer-2 behavior
○ Increase security by writing rules to match packets based on layer-2 addresses

• IPTables - State Maintenance - Stateful Firewall
○ Discuss the capabilities of traditional packet-filtering firewalls
○ Explain the advantages of stateful firewalls
○ Examine the supported connection states
○ Identify key kernel modules to support the stateful firewall
○ Implement stateful ACLs & examine traffic flows

• IPTables - Targets - Match Handling
○ Discuss the purpose of IPTables targets for packet handling
○ Write rules with the ACCEPT target
○ Write rules with the DROP target
○ Write rules with the REJECT target
○ Write rules with the REDIRECT target
○ Confirm expected behavior for all targets

• IPTables - Logging
○ Explore Syslog kernel logging configuration
○ Define Access Control Entries (ACEs) to perform logging
○ Explain the key fields captured by IPTables
○ Log using user-defined chain for enhanced packet handling
○ Log traffic based on security policy
○ Define a catch-all ACE
○ Use ACE negation to control logged packets
○ Label log entries for enhanced parsing

• IPTables - Packet Routing
○ Describe subnet layout
○ Enable IP routing in the kernel - commit changes to disk
○ Update routing tables on the other Linux Hosts on the network
○ Update the Cisco PIX Firewall's routing tables
○ Test routing through the Linux router, from a remote Windows 2003 Host
○ Focus on the forward chain
○ Write ACEs to permit routing
○ Test connectivity

• IPTables - Network Address Translation (NAT)
○ Discuss NAT features & concepts
○ Discuss & implement IP masquerading
○ Define Source NAT (SNAT) ACEs & test translations
○ Create SNAT multiples
○ Implement Destination NAT (DNAT) ACEs & test translations
○ Define DNAT multiples
○ Create NETMAP subnet mappings - one-to-one NATs

• IPTables - Demilitarized Zone (DMZ) Configuration
○ Describe DMZ configuration
○ Write Port Address Translation (PAT) rules to permit inbound traffic
○ Test connectivity from connected subnets
○ Configure DMZ forwarding (Routing)
○ Implement Dual-DMZs - ideal for n-tiered web applications

SELinux Security - Module 4
• Access Control Models
○ Describe Access Control Model (ACM) theories (DAC/MAC/nDAC)
○ Explain features & shortcomings of Discretionary Access Control (DAC) models
○ Identify key DAC-based utilities
○ Discuss the advantages & caveats of Mandatory Access Control (MAC) models
○ Explore DAC-based programs

• SELinux - Basics
○ Discuss subjects & objects
○ Explain how SELinux is implemented in 2.6.x-based kernels
○ Confirm SELinux support in the kernel
○ Identify key SELinux packages
○ Use sestatus to obtain the current SELinux mode
○ Discuss subject & object labeling
○ Describe the 3 SELinux operating modes
○ Identify key utilities & files, which dictate the current SELinux operating mode
○ Focus on the features of SELinux permissive mode
○ Explore the boot process as it relates to SELinux

• SELinux - Object Labeling
○ Discuss subject & object labeling
○ Discuss the role of extended attributes (XATTRs)
○ Expose the labels of specific objects
○ Alter the labels of specific objects
○ Configure SELinux to automatically label objects per security policy
○ Reset the system and confirm labels on altered objects
○ Explain security tuples
○ Use fixfiles to restore object labels on running system per security policy

• SELinux - Type Contexts - Security Labels Applied to Objects
○ Intro to object security tuples - security labels
○ Attempt to serve HTML content using Apache in SELinux enforcing mode
○ Identify problematic object security labels
○ Serve HTML content in SELinux permissive mode
○ Use chcon to alter object security labels
○ Switch to enforcing mode & confirm the ability to serve HTML content
○ Use restorecon to restore object security context (labels)

• SELinux - Basic Commands - Type & Domain Exposition
○ ps - reveal subjects' security context (security label) - Domains
○ ls - reveal objects' security label - Types
○ cp - preserve/inherit security labels
○ mv - preserve security labels
○ id - expose subject security label

• SELinux - Targeted Policy - Binary
○ Explain the Targeted Policy's features
○ Discuss policy transitions for domains
○ Compare & contrast confined & unconfined states
○ Exempt Apache daemon from the auspices of the targeted policy's confined state
○ Evaluate results after exemption
○ Explain the security contexts applied to subjects & objects
○ Peruse key targeted binary policy files
○ Identify the daemons protected by the targeted policy
○ Discuss the unconfined_t domain - subject label

• SELinux - Targeted Policy - Source
○ Install the targeted policy source files
○ Identify & discuss TE and FC files
○ Explore file_contexts - context definition for objects
○ Discuss the file context syntax
○ Explain the purpose of using run_init to initiate SELinux-protected daemons
○ Switch between permissive & enforcing modes and evaluate behavior
○ Peruse the key files in the targeted source policy

• SELinux - Miscellaneous Utilities - Logging
○ Use tar to archive SELinux-protected objects
○ Confirm security labels on tar-archived objects
○ Use the tar substitute 'star' to archive extended attributes (XATTRs)
○ Confirm security labels on star-archived objects
○ Discuss the role of the AVC
○ Examine SELinux logs - /var/log/messages
○ Alter Syslog configuration to route SELinux messages to an ideal location
○ Use SETools, shell-based programs to output real-time statistics
○ Install & use SEAudit graphical SELinux log-management tool

Network Intrusion Detection System (NIDS) Security - Module 5
• Snort NIDS - Installation
○ Peruse the LinuxCBT Security Edition classroom network topology
○ Download Snort
○ Import G/PGP public key and verify package integrity
○ Identify & download key Snort dependencies
○ Install current libpcap - Packet Capture Library
○ Establish security configuration baseline

• Snort NIDS - Sniffer Mode
○ Discuss sniffer mode concepts & applications
○ Sniff IP packet headers - layer-3/4
○ Sniff data-link headers - layer-2
○ Sniff application payload - layer-7
○ Sniff application/ip packet headers/data-link headers - all layers except physical
○ Examine packets & packet loss
○ Sniff traffic traversing interesting interfaces
○ Sniff clear-text traffic
○ Sniff encrypted streams

• Snort NIDS - Logging Mode
○ Discuss logging mode concepts & applications
○ Log traffic using default PCAP/TCPDump format
○ Log traffic using ASCII mode & examine output
○ Discuss directory structure created by ASCII logging mode
○ Control verbosity of ASCII logging mode & examine output
○ Enhance packet logging analysis by defaulting to binary logging
○ Discuss default nomenclature for binary/TCPDump files
○ Alter binary output options
○ Use Snort NIDS to read binary/TCPDump files

• Snort NIDS - Berkeley Packet Filters (BPFs)
○ Explain the advantages to utilizing BPFs
○ Discuss BPF directional, type, and protocol qualifiers
○ Identify clear-text based network applications and define appropriate BPFs
○ Execute Snort NIDS in sniffer mode with BPFs enabled to match interesting traffic
○ Log to the active pseudo-terminal console and examine the packet flows
○ Combine BPF qualifiers to increase packet-matching capabilities
○ Use logical operators to define more flexible BPFs
○ Read binary TCPDump files using Snort & BPFs
○ Execute Snort NIDS in logging/daemon mode

• Snort NIDS - Cisco Switch Configuration
○ Examine the current network configuration
○ Identify Snort NIDS sensors and centralized DBMS Server
○ Create multiple VLANs on the Cisco Switch
○ Secure the Cisco Switch configuration
○ Isolate internal and external hosts, sensors and DBMS systems
○ Configure SPAN - Port Mirroring for internal and external Snort NIDS Sensors
○ Examine internal and external packet flows

• Snort NIDS - Network Intrusion Detection System (NIDS) Mode
○ Discuss NIDS concepts & applications
○ Prepare /etc/snort - configuration directory for NIDS operation
○ Explore the snort.conf NIDS configuration file
○ Discuss all snort.conf sections
○ Download & install community rules
○ Execute Snort in NIDS mode with TCPDump compliant output plugin
○ Download & install Snort Vulnerability Research Team (VRT) rules
○ Compare & contrast community rules to VRT rules

• Snort NIDS - Output Plugin - Barnyard Configuration
○ Discuss features & benefits
○ Configure Syslog based logging and examine results
○ Configure Snort to log sequentially to multiple output locations
○ Implement unified binary output logging to enhance performance
○ Discuss concepts & features associated with post-processing Snort logs
○ Download and install current barnyard post-processor
○ Use barnyard to post-process logs to multiple output destinations

• Snort NIDS - BASE - MySQL® Implementation
○ Discuss benefits of centralized console reporting for 1 or more Snort sensors
○ Re-compile Snort on both sensors to support MySQL logging
○ Configure MySQL on Database Management System (DBMS) Host
○ Implement Snort database schema on DBMS Host
○ Configure Snort to log output to MySQL DBMS Host
○ Confirm output logging to the MySQL DBMS Host
○ Prepare DBMS Host for BASE console installation
○ Install BASE and complete schema extension
○ Peruse BASE interface

• Snort® NIDS - Rules Configuration & Updates
○ Discuss the concept of rules as related to Snort NIDS
○ Examine Snort rule syntax
○ Peruse pre-defined Snort rules
○ Download & configure oinkmaster to automatically update Snort rules
○ Confirm oinkmaster operation

Packet Capture Analysis Security feat. Ethereal® - Module 6
• Introduction - Topology - Features
○ Discuss course outline
○ Explore system configuration
○ Identify key network interfaces to be used for captures
○ Identify connected interfaces on Cisco Switch
○ Explore network topology - IPv4 & IPv6
○ Identify Ethereal installation
○ Enumerate and discuss key Ethereal features

• Ethereal® Graphical User Interface (GUI)
○ Identify installation footprint
○ Differentiate between promiscuous and non-promiscuous modes
○ Configure X.org to permit non-privileged user to write output to screen
○ Launch Ethereal GUI
○ Identify the primary GUI components /Packet List | Packet Details | Packet Bytes/
○ Discuss defaults
○ Explore key menu items

• TCPDump | WinDump - Packet Capturing for /Linux|Unix|Windows/
○ Discuss defaults, features and applications
○ Use TCPDump on Linux to capture packets
○ Log traffic using default PCAP/TCPDump format
○ Discuss Berkeley Packet Filters (BPFs)
○ Capture and log specific packets using BPFs for analysis with Ethereal
○ Connect to Windows 2003 Server using Remote Desktop (RDesktop) utility
○ Install WinDump and WinPCAP on Windows 2003 Server
○ Identify available network interfaces using WinDump
○ Capture and log packets using WinDump
○ Capture and log specific packets using BPFs with WinDump for analysis with Ethereal
○ Upload captures to Linux system for analysis in Ethereal

• Snort® NIDS Packet Capturing & Logging
○ Discuss Snort NIDS's features
○ Confirm prerequisites - /PCRE|LibPCAP|GCC|Make/
○ Download and Import Snort G/PGP key and MD5SUM for Snort NIDS
○ Download, verify, compile and install Snort NIDS
○ Discuss BPF directional, type, and protocol qualifiers
○ Identify clear-text based network applications and define appropriate BPFs
○ Execute Snort NIDS in sniffer mode with BPFs enabled to match interesting traffic
○ Log to the active pseudo-terminal console and examine the packet flows
○ Combine BPF qualifiers to increase packet-matching capabilities
○ Use logical operators to define more flexible BPFs
○ Create captures for further analysis with Ethereal

• Sun Snoop Packet Capturing & Logging
○ Connect to Solaris 10 system and prepare to use Snoop
○ Draw parallels to TCPDump
○ Enumerate key features
○ Sniff and log generic traffic
○ Sniff and log specific traffic using filters
○ Sniff HTTP and FTP traffic using Snoop
○ Save filters for analysis by Ethereal
○ Snoop various Solaris interfaces for interesting traffic

• Layer-2 & Internet Control Messaging Protocol (ICMP) Captures
○ Launch Ethereal
○ Identify sniffing interfaces
○ Capture Address Resolution Protocol (ARP) Packets using Capture Filters
○ Discuss and Identify Protocol Data Units (PDUs)
○ Identify default Ethereal capture file
○ Peruse packet capture statistics
○ Identify Cisco VOIP router generating ARP requests
○ Peruse time precision features - deciseconds to nanoseconds
○ Discuss time manipulations - relative to first packet - actual time
○ Reveal protocol information from layer-1 through 7
○ Identify network broadcasts in the packet stream
○ Generate Layer-2 ARP traffic using PING and capture and analyze results
○ Sniff traffic based on MAC addresses using Ethereal and Capture Filters

• User Datagram Protocol (UDP) Captures & Analyses
○ Discuss UDP Characteristics
○ Focus on Network Time Protocol (NTP)
○ Setup NTP strata for testing between multiple systems
○ Analyze NTP - UDP traffic using Ethereal
○ Focus on Domain Name Service (DNS)
○ Install a BIND DNS Caching-Only Server
○ Analyze DIG queries
○ Analyze 'nslookup' queries

• Transmission Control Protocol (TCP) Captures & Analyses
○ Discuss TCP Characteristics - Connection-Oriented Services
○ Explain TCP connection rules - Socket creation
○ Sniff TCP traffic using Capture Filters in Ethereal
○ Use Display Filters to parse TCP traffic
○ Sniff FTP traffic
○ Reconstruct FTP flows using TCP Stream Reassembly
○ Differentiate between client and server flows
○ Quantify client and server flows
○ Discuss embedded Protocol Data Units (PDUs)
○ Sniff Internet Protocol Version 6 (IPv6) traffic
○ Peruse and discuss the IPv6:TCP:FTP traffic dump
○ Analyze TCP Sockets

• Ethereal Display Filters - Post Processing Filters
○ Identify previously captured - TCPDump - Ethereal - Snort - Snoop - Dumps
○ Discuss features
○ Explain Display Filter syntax
○ Post-process previously captured traffic dumps
○ Identify the various methods to apply display filters
○ Filter data using the expression builder
○ Filter traffic based on interesting properties
○ Filter traffic using logical operators

• Ethereal Statistics
○ Discuss features
○ Explore the summary (metadata) of captured packets
○ Peruse the protocol hierarchy - Layers 1-7 of the OSI model
○ Examine network conversations of captured packets
○ Identify Destinations in packet dumps
○ Examine ICMP statistics

• Text-based Captures with Tethereal
○ Discuss features and applications
○ Identify 'tethereal' and invoke
○ Enumerate network interfaces
○ Sniff generic network traffic
○ Suppress capture output
○ Apply Capture Filters
○ Capture UDP Traffic
○ Capture TCP Traffic

• Intranet-based Captures & Analysis
○ Discuss Intranet monitoring objectives
○ Analyze the network topology drawing
○ Discuss Unicast, Broadcast and Multicast traffic
○ Discuss Switch Port Mirroring - SPAN
○ Configure Port Mirroring - SPAN on Cisco Switch for interesting ports
○ Dedicate a network interface for sniffing traffic
○ Configure Snort NIDS to sniff traffic on dedicated network interface
○ Analyze Snort NIDS captures in Ethereal
○ Sniff traffic between various Intranet hosts

• Internet-based Captures & Analysis
○ Discuss Internet monitoring objectives
○ Identify key external interfaces to monitor
○ Update the Port Mirroring configuration to capture Internet traffic
○ Capture external traffic
○ Analyze using Ethereal

• Wireless-based Captures & Analysis
○ Discuss Wireless monitoring objectives
○ Connect to remote system with wireless interface
○ Enable wireless interface
○ Sniff traffic on wireless network
○ Analyze using Ethereal

• Windows-based Captures & Analysis
○ Download and Install Ethereal for Windows
○ Explore interface
○ Load previously captured data
○ Analyze data
○ Compare and contrast with Ethereal for Linux|Unix systems

Pluggable Authentication Modules (PAM) Security - Module 7
• Introduction - Topology - Features
○ Discuss course outline
○ Explore system configuration
○ Explore network topology
○ Identify primary PAM systems
○ Enumerate and discuss key PAM features

• PAM Rules Files & Syntax
○ Identify key PAM configuration files
○ Explain the purpose of the /etc/pam.d/other PAM rules file
○ Discuss PAM's 4 management tasks
○ Identify the 4 tokens supported within PAM rules files
○ Explain possible values for the 4 supported rules file tokens
○ Discuss PAM's stacking of rules for the 4 management tasks
○ Examine the /etc/pam.d/sshd PAM rules file for the SSHD service/daemon
○ Explore the contents of included PAM rules files

• Common PAMs - Identify & Discuss Commonly Implemented PAMs
○ Explain the purpose and implementation of pam_echo
○ Test pam_echo using SSH
○ Explain the purpose and implementation of pam_warn
○ Explain the purpose and implementation of pam_deny
○ Identify instances of pam_warn and pam_deny modules
○ Explain the purpose and implementation of pam_unix2
○ Identify instances of pam_unix2 module
○ Explain the purpose and implementation of pam_env
○ Explain the purpose and implementation of pam_ftp
○ Peruse /etc/pam.d/vsftpd and discuss the implementation of pam_ftp
○ Explain the purpose and implementation of pam_lastlog
○ Explain the purpose and implementation of pam_limits
○ Explain the purpose and implementation of pam_listfile
○ Explain the purpose and implementation of pam_nologin

• Account Policies with PAM
○ Explain authentication flow when using PAM
○ Discuss account policies features
○ Identify and peruse the default account policies file: /etc/login.defs
○ Discuss PAM's usage of /etc/login.defs as it pertains to system security
○ Discuss pam_pwcheck's role in maintaining system policy
○ Configure pam_pwcheck to support minimum password length
○ Correlate pam_pwcheck system policy to user accounts database
○ Configure pam_pwcheck to support password history
○ Use chage to enumerate and change user accounts' attributes associated with system policy

• PAM Tally
○ Explain applications of pam_tally
○ Identify failed logins log file: /var/log/faillog
○ Identify PAM authentication messages in /var/log/messages
○ Compare and contrast pam_tally with faillog
○ Use pam_tally to display user's tally
○ Enable pam_tally system-wide with desired policy
○ Fail to log in multiple times, exceeding the system policy, and evaluate results
○ Reset user's login count using pam_tally and faillog
○ Redirect PAM log messages using Syslog-NG

• PAM Password Quality Check (pam_passwdqc)
○ Identify pam_passwdqc using RPM
○ Discuss features
○ Enumerate the supported password character classes - Complex passwords
○ Replace pam_pwcheck with pam_passwdqc using at least 2 character classes
○ Test password policy in non-enforcing mode
○ Evaluate the effects
○ Enable password policy in enforcing mode and evaluate
○ Alter character class and length (complexity) requirements and evaluate

• PAM Time - Time-based Access Control
○ Discuss features
○ Explain configuration file syntax
○ Impose restrictions on common services
○ Evaluate results

• PAM Nologin
○ Discuss features
○ Explain configuration file syntax
○ Implement nologin module via /etc/nologin
○ Evaluate results

• PAM Limits - System Resource Limits Controlled by PAM
○ Discuss features
○ Explain configuration file syntax
○ Impose restrictions on system resources
○ Evaluate results

• PAM Authentication with Apache
○ Discuss features and desired result
○ Install Apache and development modules providing apxs support
○ Download PAM Apache module
○ Compile and install PAM Apache module
○ Configure Apache web site to support PAM
○ Evaluate results

Open Secure Shell version 2 (OpenSSHv2) Security - Module 8
• Introduction - Topology - Features
○ Discuss course outline
○ Explore system configuration
○ Identify key systems to be used
○ Explore network topology
○ Enumerate and discuss key OpenSSHv2 features

• Identify Key OpenSSHv2 Components
○ Identify installed OpenSSHv2 related packages
○ Peruse related startup and run-control script files
○ Locate 'sshd' on the file system
○ Discuss related client | server configuration files

• OpenSSHv2 Client - /ssh/
○ Discuss features and benefits
○ Obtain shell access on a remote system
○ Configure /etc/hosts to provide local name resolution for OpenSSHv2
○ Identify and discuss pseudo-terminals - pty
○ Redirect X11/X.org traffic to localhost via SSH
○ Bind 'ssh' to specific source IP address and test connectivity
○ Execute commands on remote system without allocating a pseudo-terminal
○ Debug 'ssh' connectivity
○ Explore the system-wide client configuration file
○ Explore user configuration file

• Secure Copy Program (SCP) - /scp/
○ Discuss features and benefits
○ Locate 'scp' on the file system
○ Discuss usage
○ Copy, non-interactively, previously generated data to remote systems
○ Test 'scp' with global and user configuration directives
○ Debug 'scp' connectivity
○ Limit transfer rate to conserve bandwidth

• Secure File Transfer Program (SFTP) - /sftp/
○ Discuss features and benefits
○ Locate 'sftp' on the file system
○ Discuss usage
○ Connect to remote system using 'sftp' interactive shell
○ Issue puts and gets and evaluate results
○ Identify the sftp-server subsystem
○ Peruse process list while connected to OpenSSHv2 server
○ Illustrate batch file usage

• SSH Key Scan Utility - /ssh-keyscan/
○ Discuss features and benefits
○ Locate 'ssh-keyscan' on the file system
○ Discuss usage
○ Scan the network from STDIN for OpenSSHv2 public keys - RSA (SSHv1 & SSHv2) | DSA
○ Scan the network based on a file with a list of hosts for OpenSSHv2 public keys
○ Populate ~/.ssh/known_hosts file using 'ssh-keyscan' with BASH for loop
○ Compare and contrast STDOUT with the output file
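
Populating known_hosts from ssh-keyscan, as an added shell example (not LinuxCBT course material). ssh-keyscan writes the keys to STDOUT and the "# host:port SSH-2.0-..." banners to STDERR, which is why the file and the terminal differ. The caveat the loop above hides: scanning is trust-on-first-use, so nothing in the script proves a key is genuine; compare fingerprints out of band for anything that matters. What a script can do is refuse to quietly accept a different key for a host it already knows, since that is either a re-keyed host or a man-in-the-middle. Assumed: OpenSSH's plain-text known_hosts layout ("host[,host...] keytype key"); hashed entries (HashKnownHosts) are not matched by this merge and would be appended again.

```shell
#!/bin/sh
# Added example (not LinuxCBT course material): merge ssh-keyscan output into
# a known_hosts file, appending new host/keytype pairs, skipping identical
# lines, and reporting (never replacing) a host whose key of that type differs.

# Merge keyscan lines from stdin ("host keytype key...") into file $1.
# Returns 1 if any host already known with a different key was seen.
merge_known_hosts() {
    kh=$1
    [ -f "$kh" ] || : > "$kh"
    rc=0
    while read -r host type key; do
        case $host in ''|'#'*) continue ;; esac   # blank or banner line
        # Key already recorded for this host and key type, if any. $1 may be a
        # comma-separated host list; SSHv1 "host bits exp mod" lines keep the
        # key in fields 3..NF, so they are compared as one string too.
        existing=$(awk -v h="$host" -v t="$type" '
            substr($1, 1, 1) != "#" && $2 == t {
                n = split($1, hs, ",")
                for (i = 1; i <= n; i++) if (hs[i] == h) {
                    k = $3; for (j = 4; j <= NF; j++) k = k " " $j
                    print k; exit
                }
            }' "$kh")
        if [ -z "$existing" ]; then
            printf '%s %s %s\n' "$host" "$type" "$key" >> "$kh"
        elif [ "$existing" != "$key" ]; then
            echo "CONFLICT: $host ($type) is already known with a different key; not replaced" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (hosts.txt holds one host per line, as in the step above):
#   ssh-keyscan -t rsa,dsa -f hosts.txt 2>/dev/null | merge_known_hosts ~/.ssh/known_hosts
# A non-zero exit means at least one host key changed: stop and verify the
# fingerprint (ssh-keygen -l -f <pubkey file>) before trusting it.
```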

• SSH Key Generation Utility - /ssh-keygen/
○ Discuss features and benefits
○ Locate 'ssh-keygen' on the file system
○ Discuss usage
○ Generate RSA-2 usage keys
○ Identify RSA-2 public and private key pair
○ Generate DSA usage keys
○ Identify DSA public and private key pair
○ Expose usage keys' fingerprint using 'ssh-keygen'
○ Generate RSA-2 | DSA usage keys for all hosts

• Public Key Infrastructure (PKI) - Password-less Logins
○ Discuss features and benefits
○ Identify key files for client and server implementation of password-less (PKI-based) logins
○ Manually copy RSA-2 | DSA public keys to the remote system's ~/.ssh/authorized_keys file
○ Test password-less logins
○ Use 'ssh-copy-id' to seamlessly populate the remote system with RSA-2 | DSA usage keys
○ Test password-less connectivity after using 'ssh-copy-id'
○ Confirm password-less connectivity using SSH clients /ssh|scp|sftp/ in debug mode
○ Connect to privileged account from non-privileged account using PKI
○ Configure RSA-1 connectivity using PKI

• System-wide OpenSSHv2 Configuration Directives
○ Identify key directory and files associated with client | server configuration
○ Explore primary server configuration file
○ Discuss applicability of directives
○ Alter and test several SSHD directives
○ Explore OpenSSHv2 configuration on RedHat Linux
○ Explore OpenSSHv2 configuration on Solaris 10

• Port Forwarding - Pseudo-VPN Support - /Local|Remote|Gateway/
○ Discuss features and benefits
○ Implement local port forwarding using 'ssh'
○ Configure remote port forwarding using 'ssh'
○ Test circumvention of local firewall using remote port forwarding
○ Implement gateway ports to share forwarded /local|remote/ with connected users
○ Test connectivity

• Windows Integration - /PuTTY|WinSCP/
○ Discuss features and applications
○ Download and install PuTTY
○ Explore PuTTY's features
○ Configure PKI logins
○ Download and install WinSCP
○ Explore WinSCP's features
○ Move data between Windows, Linux and Solaris

• Syslog | Syslog-NG Configuration
○ Discuss features and benefits
○ Identify default configuration
○ Redirect OpenSSHv2 data using Syslog and Syslog-NG
○ Examine results
○ Enable debugging

• Host-based Authentication
○ Discuss applicability and caveats
○ Identify key configuration files and directives
○ Implement host-based authentication
○ Test results

• OpenSSHv2 Source Installation
○ Discuss features and benefits
○ Download current OpenSSHv2 source code
○ Compile and install
○ Restart services|daemons
○ Test new version of OpenSSHv2

• Secure OpenSSHv2 Implementation
○ Discuss features and benefits
○ Identify key configuration file
○ Enumerate and implement key directives
○ Test configuration
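
An sshd_config audit for the "Secure OpenSSHv2 Implementation" steps above and for the earlier "System-wide OpenSSHv2 Configuration Directives" section, as an added shell example (not LinuxCBT course material). Two sshd rules shape it: for every keyword the first value in the file wins and later duplicates are ignored, and anything after a Match line is conditional, so the audit reads only the global section. Keywords and compiled-in defaults are from sshd_config(5); the required values are this example's policy, not the course's. Protocol 2 also closes the RSA-1 (SSHv1) path exercised earlier in the module: SSHv1 is the legacy protocol and should not stay enabled on a hardened server.

```shell
#!/bin/sh
# Added example (not LinuxCBT course material): read the effective global
# value of sshd directives and audit them against a small hardening policy.

# Effective value of keyword $2 in sshd_config $1: case-insensitive, first
# occurrence wins, comments skipped, stops at the first Match block.
# Prints nothing if the keyword is unset (sshd then uses its default).
sshd_directive() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == want      { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Policy: keyword, required value, sshd default when the file is silent.
# "2,1" is the old Protocol default that still offered SSHv1.
SSHD_POLICY='
Protocol                2    2,1
PermitRootLogin         no   yes
PasswordAuthentication  no   yes
PermitEmptyPasswords    no   no
PubkeyAuthentication    yes  yes
HostbasedAuthentication no   no
IgnoreRhosts            yes  yes
X11Forwarding           no   no
UsePrivilegeSeparation  yes  yes
StrictModes             yes  yes
'

# Audit file $1 against SSHD_POLICY: one FAIL line per finding, return value
# is the number of failing directives (0 = clean). The while loop reads a
# here-document rather than a pipe so that $fails survives the loop.
audit_sshd_config() {
    fails=0
    while read -r key want dflt; do
        [ -n "$key" ] || continue
        have=$(sshd_directive "$1" "$key")
        eff=$(printf '%s' "${have:-$dflt}" | tr 'A-Z' 'a-z')
        if [ "$eff" != "$want" ]; then
            if [ -n "$have" ]; then src="set to '$have'"; else src="unset, default '$dflt'"; fi
            echo "FAIL $key: $src, want '$want'"
            fails=$((fails + 1))
        fi
    done <<EOF
$SSHD_POLICY
EOF
    return $fails
}

# The directive lines that satisfy the policy. Put them at the TOP of
# sshd_config: because the first value wins, prepending overrides any
# weaker duplicate further down without having to edit it.
hardened_sshd_directives() {
    printf '%s\n' "$SSHD_POLICY" | awk 'NF { print $1, $2 }'
}

# Usage:
#   audit_sshd_config /etc/ssh/sshd_config
#   { hardened_sshd_directives; cat /etc/ssh/sshd_config; } > /tmp/sshd_config.new
#   sshd -t -f /tmp/sshd_config.new && audit_sshd_config /tmp/sshd_config.new
```

Validate with `sshd -t -f <file>` before installing the new file, restart sshd with an existing session left open, and only then log in fresh to confirm that key-based access still works and password and root logins are refused.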

OpenPGP with Gnu Privacy Guard (GPG) Security - Module 9
• Introduction - Topology - Features
○ Discuss course outline
○ Explore system configuration
○ Identify key systems to be used
○ Explore network topology
○ Enumerate and discuss key OpenPGP features

• Explore GPG Configuration
○ Identify installed GPG packages in various Linux distros
○ Discuss the key contents of those packages
○ Explore configuration hierarchy
○ Discuss security as it pertains to private key management
○ Explain the purpose of public and private keys
○ Discuss symmetric and asymmetric encryption provided by OpenPGP-compliant Apps

• Generate | Import | Export OpenPGP Usage Keys
○ Discuss features and benefits
○ Obtain shell access on remote systems
○ Generate usage (private|public) keys
○ Identify the generated keys
○ Discuss how usage keys are used
○ Generate usage keys on remote systems
○ Export OpenPGP public key chain on various systems
○ Import OpenPGP public keys on various systems
○ Evaluate the results of exchanging public keys

• Digital Signatures
○ Discuss features and benefits as they pertain to data integrity
○ Identify default digital signatures on multiple hosts
○ Explain the differences between signing and encrypting correspondence
○ Sign and export data to remote systems - Inline
○ Create detached OpenPGP signatures for data
○ Confirm the signed data on the remote systems
○ Recap non-repudiation benefits provided by digitally signing correspondence

• Encryption | Decryption | Sign & Encrypt Content
○ Discuss features and benefits
○ Generate files for usage
○ Encrypt content using symmetric (shared-key) algorithm
○ Decrypt content using the shared-key, based on the symmetric algorithm
○ Evaluate results on multiple machines
○ Explain caveats associated with symmetric encryption
○ Encrypt content to a given recipient, using their public key - asymmetric encryption
○ Decrypt content on various hosts
○ Attempt to decrypt content without the corresponding private key
○ Evaluate results
○ Encrypt using ASCII-armoured and binary (OpenPGP-compliant) formats
○ Decrypt both ASCII-armoured and binary formats
○ Recap encryption decryption processes
○ Discuss the requirements of signing and encrypting content
○ Sign and encrypt content to various recipients
○ Confirm signed and encrypted content
○ Attempt to confirm and decrypt content as the unintended recipient
○ Evaluate results

• OpenPGP Key Management | Web of Trust | Internet Key Distribution
○ Discuss features and benefits
○ Explore GPG key management facility
○ Update properties of public/private key pairs
○ Add sub-keys to public/private key pairs
○ Sign remote users' public keys
○ Evaluate results
○ Discuss the web of trust functionality
○ Create a web of trust with various hosts
○ Evaluate trust confirmation
○ Discuss the features of OpenPGP Internet key distribution servers
○ Generate and upload public keys to an Internet key server
○ Download the uploaded public keys to the public keyrings of various hosts
○ Evaluate results

• Perl Scripting with GPG
○ Discuss features and benefits
○ Create a Perl script to backup key directories and files
○ Ensure that the script GPG-protects the content post-backup
○ Include error-handling to ensure that each step of the script is routed appropriately
○ Configure the script to transfer the encrypted content to a remote host using 'scp'
○ Evaluate results
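
The backup-encrypt-transfer script from the steps above, as an added example (not LinuxCBT course material; the course writes it in Perl, this version is POSIX shell). It also shows the sign-and-encrypt invocation from the "Encryption | Decryption | Sign & Encrypt Content" section. Each step is checked and the script stops at the first failure, so a missing directory or an untrusted recipient key never produces a half-made backup on the remote host. Assumed names: the recipient key id BACKUP_KEY and the scp target BACKUP_DEST are placeholders; gpg and scp options are the standard ones from gpg(1) and scp(1). Signing in --batch mode needs either a running gpg-agent or a signing key without a passphrase; gpg is only invoked once the archive exists, so the pre-checks run without it.

```shell
#!/bin/sh
# Added example (not LinuxCBT course material): tar key directories, sign and
# encrypt the archive to the backup recipient, ship it with scp, fail fast.

BACKUP_KEY=${BACKUP_KEY:-backup@example.org}                        # assumed recipient key id; its public key must be on the keyring and trusted
BACKUP_DEST=${BACKUP_DEST:-backup@vault.example.org:/srv/backup/}   # assumed scp target, reached with a password-less (public key) login

die() { echo "backup: $*" >&2; exit 1; }

# Archive the given directories into $1 (a .tar path).
# Refuses to run, and creates nothing, if any directory is missing.
make_archive() {
    out=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || { echo "not a directory: $d" >&2; return 1; }
    done
    tar -cf "$out" "$@"
}

# Sign with the default secret key and encrypt to recipient $2, producing
# $1.gpg and removing the plaintext archive afterwards.
#   --batch  never prompt;  --yes  overwrite an existing .gpg
# No --trust-model override on purpose: if gpg does not trust the recipient
# key it refuses to encrypt, and that is the correct failure to stop on.
encrypt_and_sign() {
    in=$1; rcpt=$2
    [ -s "$in" ] || { echo "nothing to encrypt: $in" >&2; return 1; }
    gpg --batch --yes --sign --encrypt --recipient "$rcpt" --output "$in.gpg" "$in" || return 1
    rm -f "$in"   # plain rm; the plaintext may still be recoverable from disk
}

# Copy $1 to BACKUP_DEST. -B (batch) makes scp fail instead of prompting for
# a password, which is what you want from cron; -q silences the progress bar.
ship() { scp -q -B "$1" "$BACKUP_DEST"; }

# run_backup DIR... : the whole procedure; prints the name of the shipped file.
run_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    arch=${TMPDIR:-/tmp}/keys-$stamp.tar
    make_archive "$arch" "$@"              || die "archive step failed"
    encrypt_and_sign "$arch" "$BACKUP_KEY" || die "gpg step failed"
    ship "$arch.gpg"                       || die "transfer step failed"
    echo "$arch.gpg"
}

# Usage:
#   run_backup /etc/ssh /root/.gnupg /etc/pam.d
# On the remote host, confirm the signature and decrypt with:
#   gpg --decrypt --output keys.tar keys-<stamp>.tar.gpg
```

Because the archive is signed as well as encrypted, the remote side's `gpg --decrypt` also reports who made it; a backup that decrypts but carries no good signature should be treated as tampered.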

• OpenPGP (GPG | PGP Desktop) on Win32
○ Discuss features and benefits
○ Download and install GPG for Win32
○ Generate usage keys
○ Exchange public keys with a user on a Linux system
○ Sign and encrypt content to and from the Win32 user
○ Confirm results
○ Download and install GPG4WIN (GUI-based GPG for Win32)
○ Explore features
○ Sign and encrypt content to and from the Win32 user
○ Confirm results
○ Integrate GPG4WIN with MS Outlook
○ Sign and encrypt e-mail messages
○ Confirm and decrypt e-mail messages
○ Install PGP Desktop for Win32
○ Explore features and interface
○ Generate usage keys
○ Exchange public keys with Linux user
○ Sign and encrypt content to and from the Win32 user using PGP Desktop
○ Evaluate results
○ Draw parallels between Win32 based OpenPGP tools and GPG for Linux | Unix
○ Recap OpenPGP functionality included in /GPG|GPG4WIN|PGP Desktop/
