LPIC-3: Enterprise Professional Certification LPIC-3 303: Security

LPIC-3 is a professional certification program program that covers enterprise Linux specialties. LPIC-3 303 covers administering Linux enterprise-wide with an emphasis on Security.

To become LPIC-3 certified, a candidate with an active LPIC-1 and LPIC-2 certification must pass at least one of the following specialty exams. Upon successful completion of the requirements, they will be entitled to the specialty designation: LPIC-3 Specialty Name. For example, LPIC-3 & High Availability. Specialties: • 300: Mixed Environment • 303: Security • 304: Virtualization and High Availability

TOPIC 325: CRYPTOGRAPHY • Configure Apache HTTPD with mod_ssl to that performs DNSSEC validation on behalf of 325.1 X.509 Certificates and Public Key provide HTTPS service, including SNI and its clients Infrastructures (5) HSTS • Key Signing Key, Zone Signing Key, Key Tag Candidates should understand X.509 certificates • Configure Apache HTTPD with mod_ssl to • Key generation, key storage, key management and public key infrastructures. They should know authenticate users using certificates and key rollover how to configure and use OpenSSL to implement • Configure Apache HTTPD with mod_ssl to • Maintenance and re-signing of zones certification authorities and issue SSL certificates provide OCSP stapling • Use DANE to publish X.509 certificate for various purposes. • Use OpenSSL for SSL/TLS client and server information in DNS Key knowledge areas: tests • Use TSIG for secure communication with BIND • Understand X.509 certificates, X.509 certificate 325.3 Encrypted File Systems (3) TOPIC 326: HOST SECURITY lifecycle, X.509 certificate fields and X.509v3 Candidates should be able to setup and 326.1 Host (3) certificate extensions configure encrypted file systems. Candidates should be able to secure computers • Understand trust chains and public key Key knowledge areas: running Linux against common threats. This infrastructures • Understand block device and file system includes kernel and software configuration. • Generate and manage public and private keys encryption Key knowledge areas: • Create, operate and secure a certification • Use dm-crypt with LUKS to encrypt block • Configure BIOS and boot loader (GRUB 2) authority devices security • Request, sign and manage server and client • Use eCryptfs to encrypt file systems, including • Disable useless software and services certificates home directories and • Use sysctl for security related kernel • Revoke certificates and certification authorities • PAM integration configuration, particularly ASLR, • Be aware of plain dm-crypt and EncFS 325.2 X.509 Certificates for Encryption, • Exec-Shield and IP / ICMP configuration Signing and Authentication (4) 325.4 DNS and Cryptography (5) • Limit resource usage Candidates should know how to use X.509 Candidates should have experience and • Work with chroot environments certificates for both server and client knowledge of cryptography in the context of DNS • Drop unnecessary capabilities authentication. Candidates should be able to and its implementation using BIND. The version • Be aware of the security advantages of implement user and server authentication for of BIND covered is 9.7 or higher. virtualization Apache HTTPD. The version of Apache HTTPD Key knowledge areas: 326.2 Host Intrusion Detection (4) covered is 2.4 or higher. • Understanding of DNSSEC and DANE Candidates should be familiar with the use and Key knowledge areas: • Configure and troubleshoot BIND as an configuration of common host intrusion detection • Understand SSL, TLS and protocol versions authoritative name server serving DNSSEC software. This includes updates and maintenance • Understand common transport layer security secured zones as well as automated host scans. threats, for example Man-in-the-Middle • Configure BIND as an recursive name server

ert cert rt ert - C re ce C LP re u e re I u t r u U t u u t f t K u u

u

@ & F f F

I

r

Future Cert: representing in the UK and Ireland e

l a n

  d Exam Objectives Version: Version 2.0 (last major update: September 2015) Exam Covered: LPIC-3 (303-200); Exam 1 of 1 to obtain LPIC-3 Linux Enterprise Professional: Security certification Objectives Reflected in Published Exam:January 2016 Required Prerequisite: Successfully pass LPIC-1 101 and 102 and LPIC-2 201 and 202 exams About objective weights: Each objective is assigned a weighting value (x). The weights range roughly from 1 to 10 and indicate the relative importance of each objective. Objectives with higher weights will be covered in the exam with more questions.

Key knowledge areas: 327.2 Mandatory Access Control (4) 328.3 Packet Filtering (5) • Use and configure the Linux Audit system Candidates should be familiar with Mandatory Candidates should be familiar with the use and • Use Access Control systems for Linux. Specifically, configuration of packet filters. This includes • Use and configure , including updates candidates should have a thorough knowledge , iptables and ip6tables as well as basic • Use Detect of SELinux. Also, candidates should be aware knowledge of , nft and ebtables. • Automate host scans using cron of other Mandatory Access Control systems Key knowledge areas: • Configure and use AIDE, including rule for Linux. This includes major features of these • Understand common firewall architectures, management systems but not configuration and use. including DMZ • Be aware of OpenSCAP Key knowledge areas: • Understand and use netfilter, iptables and 326.3 User Management and Authentication (5) • Understand the concepts of TE, RBAC, MAC ip6tables, including standard modules, tests Candidates should be familiar with management and DAC and targets and authentication of user accounts. This • Configure, manage and use SELinux • Implement packet filtering for both IPv4 and includes configuration and use of NSS, PAM, • Be aware of AppArmor and IPv6 SSSD and Kerberos for both local and remote 327.3 Network File Systems (3) • Implement connection tracking and network directories and authentication mechanisms as Candidates should have experience and address translation well as enforcing a password policy. knowledge of security issues in use and • Define IP sets and use them in netfilter rules Key knowledge areas: configuration of NFSv4 clients and servers as well • Have basic knowledge of nftables and nft • Understand and configure NSS as CIFS client services. Earlier versions of NFS • Have basic knowledge of ebtables • Understand and configure PAM are not required knowledge. • Be aware of conntrackd • Enforce password complexity policies and Key knowledge areas: 328.4 Virtual Private Networks (4) periodic password changes • Understand NFSv4 security issues and im- Candidates should be familiar with the use of • Lock accounts automatically after failed login provements OpenVPN and IPsec. attempts • Configure NFSv4 server and clients Key knowledge areas: • Configure and use SSSD • Understand and configure NFSv4 authentication • Configure and operate OpenVPN server • Configure NSS and PAM for use with SSSD mechanisms (LIPKEY, SPKM, Kerberos) and clients for both bridged and routed VPN • Configure SSSD authentication against Active • Understand and use NFSv4 pseudo file system networks Directory, IPA, LDAP, • Understand and use NFSv4 ACLs • Configure and operate IPsec server and clients • Kerberos and local domains • Configure CIFS clients for routed VPN networks using IPsec-Tools/ • Obtain and manage Kerberos tickets • Understand and use CIFS Unix Extensions racoon 326.4 FreeIPA Installation and Samba • Understand and configure CIFS security • Awareness of L2TP Integration (4) modes (NTLM, Kerberos) Candidates should be familiar with FreeIPA v4.x. • Understand and manage mapping and handling This includes installation and maintenance of a of CIFS ACLs and SIDs in a Linux system server instance with a FreeIPA domain as well as TOPIC 328: NETWORK SECURITY integration of FreeIPA with Active Directory. 328.1 Network Hardening (4) Key knowledge areas: Candidates should be able to secure networks • Understand FreeIPA, including its architecture against common threats. This includes verification and components of the effectiveness of security measures. • Understand system and configuration Key knowledge areas: prerequisites for installing FreeIPA • Configure FreeRADIUS to authenticate network • Install and manage a FreeIPA server and nodes domain • Use nmap to scan networks and hosts, • Understand and configure Active Directory including different scan methods replication and Kerberos cross-realm trusts • Use Wireshark to analyze network traffic, • Be aware of sudo, autofs, SSH and SELinux including filters and statistics integration in FreeIPA • Identify and deal with rogue router TOPIC 327: ACCESS CONTROL advertisements and DHCP messages 327.1 Discretionary Access Control (3) 328.2 Network Intrusion Detection (4) Candidates are required to understand Candidates should be familiar with the use and Discretionary Access Control and know how to configuration of network security scanning, implement it using Access Control Lists. network monitoring and network intrusion Additionally, candidates are required to understand detection software. This includes updating and and know how to use Extended Attributes. maintaining the security scanners. Key knowledge areas: Key knowledge areas: • Understand and manage file ownership and • Implement bandwidth usage monitoring permissions, including SUID and SGID • Configure and use Snort, including rule • Understand and manage access control lists management • Understand and manage extended attributes • Configure and use OpenVAS, including NASL and attribute classes

Future Cert Ltd. Registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ T: 0117 313 7007 E: [email protected] www.futurecert.com