EVALUATION COPY Unauthorized Reproduction or Distribution Enterprise LinuxProhibited Security Administration Student Workbook EVALUATION COPY Unauthorized Reproduction GL550 ENTERPRISE LINUX SECURITY ADMINISTRATION RHEL7 SLES12 or Distribution The contents of this course and all its modules and related materials, including handouts to audience members, are copyright ©2017 Guru Labs L.C. No part of this publication may be stored in a retrieval system, transmitted or reproduced in any way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record, without the prior written permission of Guru Labs. This curriculum contains proprietary information which is for the exclusive use of customers of Guru Labs L.C., and is not to be shared with personnel other than those in attendance at this course. This instructional program, including all material provided herein, is supplied without any guarantees from Guru Labs L.C. Guru Labs L.C. assumes no liability for damages or legal action arising from Prohibited the use or misuse of contents or details contained herein. Photocopying any part of this manual without prior written consent of Guru Labs L.C. is a violation of federal law. This manual should not appear to be a photocopy. If you believe that Guru Labs training materials are being photocopied without permission, please email [email protected] or call 1-801-298-5227. Guru Labs L.C. accepts no liability for any claims, demands, losses, damages, costs or expenses suffered or incurred howsoever arising from or in connection with the use of this courseware. All trademarks are the property of their respective owners. Version: GL550S-R7S12-F05 EVALUATION COPY Unauthorized Reproduction or Distribution Prohibited Table of Contents Chapter 1 EVALUATIONChapter 3 COPY SECURITY CONCEPTS 1 PASSWORD SECURITY AND PAM 1 Basic Security Principles 2 Unix Passwords 2 RHEL7 Default Install 3 Password Aging 3 RHEL7 Firewall Unauthorized 5 Auditing Passwords 5 SLES12 Default Install 6 PAM Overview 6 SUSE Basic Firewall Configuration 7 PAM Module Types 7 SLES12: File Security 8 PAM Order of Processing 8 Minimization – Discovery 9 PAM Control Statements 10 Service Discovery 10 PAM Modules 11 Hardening 12 pam_unix 13 Security Concepts 13 pam_cracklib.so 14 Lab Tasks 15 pam_pwcheck.so 15 1. Removing Packages Using RPM Reproduction 16 pam_env.so 16 2. Firewall Configuration 19 pam_xauth.so 17 3. Process Discovery 23 pam_tally2.so 18 4. Operation of the setuid() and capset() System Calls 25 pam_wheel.so 19 5. Operation of the chroot() System Call 30 pam_limits.so 20 pam_nologin.so 21 Chapter 2 pam_deny.so 22 SCANNING, PROBING, AND MAPPING VULNERABILITIES 1 pam_warn.so 23 The Security Environment 2 pam_securetty.so 24 Stealth Reconnaissance or3 pam_time.so 25 The WHOIS database 4 Distributionpam_access.so 26 Interrogating DNS 5 pam_listfile.so 27 Discovering Hosts 6 pam_lastlog.so 28 Discovering Reachable Services 7 pam_console.so 29 Reconnaissance with SNMP 8 Lab Tasks 31 Discovery of RPC Services 10 1. John the Ripper 32 Enumerating NFS Shares 11 2. Cracklib 36 Nessus/OpenVAS Insecurity Scanner 12 3. Using pam_listfile to Implement Arbitrary ACLs 41 Configuring OpenVAS 13 4. Using pam_limitsProhibited to Restrict Simultaneous Logins 44 Intrusion Detection Systems 14 5. Using pam_nologin to Restrict Logins 47 Snort Rules 15 6. Using pam_access to Restrict Logins 51 Writing Snort Rules 16 7. su & pam 55 Lab Tasks 17 1. NMAP 18 Chapter 4 2. OpenVAS 22 SECURE NETWORK TIME PROTOCOL (NTP) 1 3. Advanced nmap Options 27 The Importance of Time 2 Hardware and System Clock 3 Time Measurements 5 ii NTP Terms and Definitions 6 Create Master KDC 6 Synchronization Methods 7 Configuring the Master KDC 7 NTP Evolution EVALUATION8 KDC Logging COPY 9 Time Server Hierarchy 9 Kerberos Realm Defaults 11 Operational Modes 10 Specifying [realms] 12 NTP Clients Unauthorized 11 Specifying [domain_realm] 13 Configuring NTP Clients 13 Allow Administrative Access 14 Configuring NTP Servers 15 Create KDC Databases 15 Securing NTP 16 Create Administrators 16 NTP Packet Integrity 18 Install Keys for Services 17 Useful NTP Commands 19 Start Services 18 Lab Tasks 20 Add Host Principals 19 1. Configuring and Securing NTP 21 Add Common Service Principals 20 2. Peering NTP with Multiple Systems 25 Configure Slave KDCs 21 Reproduction Create Principals for Slaves 22 Chapter 5 Define Slaves as KDCs 23 KERBEROS CONCEPTS AND COMPONENTS 1 Copy Configuration to Slaves 24 Common Security Problems 2 Install Principals on Slaves 25 Account Proliferation 3 Synchronization of Database 26 The Kerberos Solution 4 Propagate Data to Slaves 27 Kerberos History 5 Create Stash on Slaves 28 Kerberos Implementations 6 Start Slave Daemons 29 Kerberos Concepts 7 Client Configuration 30 Kerberos Principals or 8 Install krb5.conf on Clients 31 Kerberos Safeguards 9 Client PAM Configuration 32 Kerberos Components 10DistributionInstall Client Host Keys 34 Authentication Process 11 Lab Tasks 35 Identification Types 12 1. Implementing Kerberos 36 Logging In 13 Gaining Privileges 15 Chapter 7 Using Privileges 17 ADMINISTERING AND USING KERBEROS 1 Kerberos Components and the KDC 19 Administrative Tasks 2 Kerberized Services Review 20 Key Tables 3 KDC Server Daemons 21 ManagingProhibited Keytabs 4 Configuration Files 22 Managing Principals 6 Utilities Overview 23 Viewing Principals 7 Adding, Deleting, and Modifying Principals 8 Chapter 6 Principal Policy 9 IMPLEMENTING KERBEROS 1 Overall Goals for Users 10 Plan Topology and Implementation 2 Signing In to Kerberos 11 Kerberos 5 Client Software 3 Ticket types 12 Kerberos 5 Server Software 4 Viewing Tickets 13 Synchronize Clocks 5 Removing Tickets 14 iii Passwords 15 2. File Integrity Checking with AIDE 13 Changing Passwords 16 Giving Others AccessEVALUATION17 Chapter 10 COPY Using Kerberized Services 19 ACCOUNTABILITY WITH KERNEL AUDITD 1 Kerberized FTP 20 Accountability and Auditing 2 Enabling KerberizedUnauthorized Services 21 Simple Session Auditing 3 OpenSSH and Kerberos 23 Simple Process Accounting & Command History 5 Lab Tasks 24 Kernel-Level Auditing 6 1. Using Kerberized Clients 25 Configuring the Audit Daemon 9 2. Forwarding Kerberos Tickets 33 Controlling Kernel Audit System 10 3. OpenSSH with Kerberos 37 Creating Audit Rules 11 4. Wireshark and Kerberos 43 Searching Audit Logs 13 Generating Audit Log Reports 14 Chapter 8 Audit Log Analysis 15 SECURING THE FILESYSTEM Reproduction 1 Lab Tasks 16 Filesystem Mount Options 2 1. Auditing Login/Logout 17 NFS Properties 3 2. Auditing File Access 22 NFS Export Option 4 3. Auditing Command Execution 26 NFSv4 and GSSAPI Auth 5 Implementing NFSv4 6 Chapter 11 Implementing Kerberos with NFS 8 SELINUX 1 GPG – GNU Privacy Guard 10 DAC vs. MAC 2 File Encryption with OpenSSL 12 Shortcomings of Traditional Unix Security 4 File Encryption With encfs 13or AppArmor 5 Linux Unified Key Setup (LUKS) 14 SELinux Goals 6 Lab Tasks 16 DistributionSELinux Evolution 7 1. Securing Filesystems 17 SELinux Modes 8 2. Securing NFS 20 Gathering SELinux Information 10 3. Implementing NFSv4 24 SELinux Virtual Filesystem 11 4. File Encryption with GPG 31 SELinux Contexts 12 5. File Encryption With OpenSSL 34 Managing Contexts 14 6. LUKS-on-disk format Encrypted Filesystem 37 The SELinux Policy 16 Choosing an SELinux Policy 17 Chapter 9 Policy LayoutProhibited 19 AIDE 1 Tuning and Adapting Policy 21 Host Intrusion Detection Systems 2 Booleans 22 Using RPM as a HIDS 4 Permissive Domains 24 Introduction to AIDE 5 Managing File Context Database 25 AIDE Installation 6 Managing Port Contexts 26 AIDE Policies 7 SELinux Policy Tools 27 AIDE Usage 8 Examining Policy 29 Lab Tasks 9 SELinux Troubleshooting 32 1. File Integrity Checking with RPM 10 SELinux Troubleshooting Continued 34 iv Lab Tasks 36 Advanced Authentication 7 1. Exploring SELinux Modes 37 Ident-based Authentication 8 2. Exploring AppArmorEVALUATION Modes [S12] 43 Lab Tasks COPY 9 3. SELinux Contexts in Action [R7] 47 1. Configure PostgreSQL 10 4. Exploring AppArmor [S12] 52 2. PostgreSQL with TLS 14 5. Managing SELinuxUnauthorized Booleans [R7] 57 3. PostgreSQL with Kerberos Authentication 17 6. Creating Policy with Audit2allow [R7] 62 4. Securing PostgreSQL with Web Based Applications 20 7. Creating & Compiling Policy from Source [R7] 69 Appendix A Chapter 12 SECURING EMAIL SYSTEMS 1 SECURING APACHE 1 SMTP Implementations 2 Apache Overview 2 Security Considerations 3 httpd.conf – Server Settings 3 chrooting Postfix 4 Configuring CGI 5 Email with GSSAPI/Kerberos Auth 5 Turning Off Unneeded Modules Reproduction 6 Lab Tasks 6 Delegating Administration 7 1. Postfix In a Change Root Environment 7 Apache Access Controls (mod_access) 8 HTTP User Authentication 10 Standard Auth Modules 11 HTTP Digest Authentication 12 TLS Using mod_ssl.so 13 Authentication via SQL 15 Authentication via LDAP 17 Authentication via Kerberos or18 Scrubbing HTTP Headers 19 Metering HTTP Bandwidth 20Distribution Lab Tasks 21 1. Hardening Apache by Minimizing Loaded Modules 23 2. Scrubbing Apache & PHP Version Headers 27 3. Protecting Web Content [R7] 31 4. Protecting Web Content [S12] 35 5. Using the suexec Mechanism 39 6. Create a TLS CA key pair 45 7. Using SSL CA Certificates with Apache 47 Prohibited 8. Enable Apache SSL Client Certificate Authentication 54 9. Enabling SSO in Apache with mod_auth_kerb 59 Chapter 13 SECURING POSTGRESQL 1 PostgreSQL Overview 2 PostgreSQL Default Config 3 Configuring TLS 4 Client Authentication Basics 5 v Typographic ConventionsEVALUATION COPY The fonts, layout, and typographic conventions of this book have been carefully chosen to increase readability. Please take a moment to familiarize yourself withUnauthorized them. A Warning and Solution A common problem with computer training and reference materials is the confusion of the numbers "zero" and "one" with the letters "oh" and 0The number OThe letter "ell". To avoid this confusion, this book uses a fixed-width font that makes "zero". "oh". each letter and number distinct. Typefaces Used and Their Meanings Reproduction The following typeface conventions have been followed in this book: fixed-width normal ) Used to denote file names and directories.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages74 Page
-
File Size-