Securing Linux and Unix Systems

1|Page

Course Objective

Duration 90 Hours

Course content has been designed for Security Professionals already proficient in Unix/Linux environment. Content delivery method would make extensive use Redhat and Kali Linux. For practicing Lab sessions participants would be provided with the software to practice in their in their laptop or desktop as each session would entail elaborate lab configuration.

Boot Security
Securing BIOS & Grub Explore & tighten the security of the INIT configuration Shell Security Securing Teletype Terminals (TTYs) and Pseudo Terminals (PTS) Restrict privileged login Use lsof to identify open files and sockets Syslog Security Analyzing syslog and Configure Syslog replication to preserve log-integrity Identify log discrepancies between Syslog hosts

Securing system with IPTables

IPTables modules and Access Control List (ACL) syntax Basics of packet matching Packet matching/handling based on common TCP streams UDP datagrams ICMP traffic Defining ACLs by specifying lists of interesting layer-4 ports Layer-3/4 IPTables default packet matching and default layer-2 behavior Writing rules to match packets based on layer-2 addresses Write rules with ACCEPT, DROP , REJECT and REDIRECT target Describe subnet layout Enable IP routing Update routing tables on the other Linux Hosts on the network Test routing through the Linux router Write ACEs to permit routing Implement stateful ACLs & examine traffic flows

Key Configuration files INIT Environment Examine INIT.D and RC hierarchies Propose methods of ensuring integrity of environment Kernel Modules Environment Explore various modules related configuration files PROC File System PROC hierarchy and PID tree and related descriptors SBIN Executables Expose SETGID and SETUID SBIN entries System Control Configuration Identify user space process Identify common variables influencing system and potential areas of concern with configuration User Accounts Environment Tighten security policy related to user accounts NSSWITCH Configuraton Identify various implementations Make changes to name resolver configuration DNS Client Resolution Configuration Identify key files governing client resolution Perform queries with incorrect resolution Correct resolution accordingly User Profiles Environment Identify system-wide and user-wide configurations and relevant profile files for $SHELL and GUI Posit suggestions to tighten baseline System Scheduler Environment Methods of tightening configuration

IPTables - Packet Matching & Handling

Implement IP masquerading Define Source NAT (SNAT) ACEs & test translations Implement Destination NAT (DNAT) ACEs Define DNAT multiples Create NETMAP subnet mappings - one-to-one NATs DMZ configuration Write Port Address Translation (PAT) rules to permit inbound traffic Configure DMZ forwarding (Routing) and Dual-DMZs for n-tiered web applications

Securing DNS server

DNS Server Configuration Key files across distributions and areas to enhance security posture Intersperse corrupt DNS values and evaluate influence

Course Content

Securing Linux and Unix Systems

2|Page

SELinux Security
Access Control Model (ACM) theories (DAC/MAC/nDAC) Advantages & caveats of Mandatory Access Control (MAC)models Explore DAC-based programs Subject & object labeling Identify key utilities & files, which dictate SELinux operating mode Explore the boot process as it relates to SELinux Discuss subject & object labeling Discuss the role of extended attributes (XATTRs) Alter the lables of specific objects Configure SELinux to automatically label objects per security policy Explain security tuples Use fixfiles to restore object labels on running system per security policy Use chcon to alter object security labels Use restorecon to restore object security context (labels) Explain the Targeted Policy's features Discuss policy transitions for domains Compare & contrast confined & unconfined states Explain the security contexts applied to subjects & objects Peruse key targeted binary policy files Identify the daemons The unconfined_t domain - subject label Install the targeted policy source files Identify & discuss TE and FC files Explore file_contexts context definition for objects Using run_init to initiate SELinux-protected daemons Use 'star' to archive XATTRs Using the AVC and SELinux logs - /var/log/messages Use SETools, for real-time statistics Using SEAudit graphical SELinux log-management tool Configure new application bindings

Network Intrusion Detection System (NIDS)

Snort NIDS Installation Snort NIDS - Sniffer Mode Sniff IP packet headers - layer-3/4, data-link headers layer-2 Sniff application payload - layer-7 Sniff application/ip packet headers/data-link headers Sniff traffic traversing interesting interfaces Sniff encrypted streams Log traffic using default PCAP/TCPDump format Log traffic using ASCII mode & examine output Snort NIDS - Logging Mode Discuss logging mode concepts & applications Discuss directory structure created by ASCII logging mode Control verbosity of ASCII logging mode & examine output Enhance packet logging analysis by defaulting to binary logging Discuss default nomenclature for binary/TCPDump files Alter binary output options Use Snort NIDS to read binary/TCPDump files Prepare /etc/snort - configuration directory for NIDS operation Explore the snort.conf NIDS configuration file Discuss all snort.conf sections Download & install community rules Execute Snort in NIDS mode with TCPDump compliant output plugin Download & install Snort Vulnerability Research Team (VRT) rules Compare & contrast community rules to VRT rules Snort NIDS - Rules Configuration & Updates Understanding Snort rule syntax and pre-defined Snort rules Configure oinkmaster to automatic update Snort rules Configure Snort to log output to MySQL

Securing Squid Rootkits

Discuss rootkits concepts & applications Describe privilege elevation techniques Obtain & install T0rnkit - rootkit Identify system changes due to the rootkit Implement T0rnkit with AIDE Implement T0rnkit with chkrootkit to identify rootkits T0rnkit - rootkit - cleanup Implement N-DU rootkit Evaluate system changes Squid Access Control Lists (ACLs) o Define & test multiple HTTP-based time-based destination domain based ACLs o Exempt destination domains from being cached to ensure content freshness o Force cache usage o Configure delay pools - to support rate-limiting o Configure transparent proxy services o Reverse Proxy Configure forward proxy access for local subnet

Course Content

Securing Linux and Unix Systems

3|Page

Packet Capture Analysis

This section will use Kali Linux. Contents could change to keep the course content updated with latest available tools of the trade EtherealEthereal Graphical User Interface (GUI) Differentiate between promiscuous and non-promiscuous modes Capture Address Resolution Protocol (ARP) Packets using Capture Filters Discuss and Identify Protocol Data Units (PDUs) Identify default Ethereal capture file Peruse packet capture statistics Discuss time manipulations - relative to first packet actual time Reveal protocol information from layer-1 through 7 Identify network broadcasts in the packet stream Generate Layer-2 ARP traffic using PING and capture and analyze results Sniff traffic based on MAC addresses using Ethereal and Capture FIlters Sniff TCP traffic using Capture Filters in Ethereal Use Display Filters to parse TCP traffic Sniff FTP traffic Text-based Captures with Tethereal Discuss features and applications Identify 'tethereal' and invoke Enumerate network interfaces Sniff generic network traffic Suppress capture output Apply Capture Filters Capture UDP Traffic Capture TCP Traffic Wireless-based Captures & Analysis Discuss Wireless monitoring objectives Connect to remote system with wireless interface Enable wireless interface Sniff traffic on wireless network Port Forwarding - Pseudo-VPN Support /Local|Remote|Gateway/ Configure remote port forwarding using 'ssh' Test circumvention of local firewall using remote port forwarding Implement gateway ports to share forwarded /local|remote/ with connected users

Securing Web Server

Staging Scan with Nikto o Identify Staging targets and Perform comprehensive scans of targets o Watch web logs while scans are ongoing o Alter display of Web Scan Requests and Responses o Rule-out false-positives o Adjust security posture where applicable Production Scan o Identify PROD web instance o Discern useful metadata with reconnaissance o Drill deeper to determine more relevant attributes o Attempt to identify vulnerabilities on target o Peruse findings accordingly o Suggest methods of filtering false-positives SSL Scans o Enable SSL scanning on targets o Compare Staging and Production output o Examine supported ciphers on targets o Search for cipher weaknesses Nikto - Web Server Vulnerability Scanner Proxy Server Relay Scans o Update Nikto configuration to support Proxy Usage o Perform Proxy Scans from multiple Web Scanners

Reconnaissance & Vulnerability Assessment Using Kali Linux

NMAP reconnaissance tool to increase effectiveness Perform connect and SYN-based host/network reconnaissance Identify potential vulnerabilities on interesting hosts derived from reconnaissance Perform port sweeps Secure exposed daemons/services Prepare system for Nessus Using Openvas Perform network-based reconnaissance attack to determine vulnerabilities Using Metasploit, Armitage and Webgoat Using TCPWrappers security Using chattr applications & usage GNU Privacy Guard (GPG) Generate asymmetric RSA/DSA GPG/PGP usage keysCreate a local web of trust. Perform encrypts/decrypts and test data-exchanges. Use GPG/PGP with Mutt Mail User Agent (MUA)

Participants would receive a certificate from MostlyLinux Certificate would outline entire course content
Course Content