Hello, as this thread turns out to be pretty quiet (luckily some of you shared offline, special thanks to Markus and Marc), I've put up an objectives draft for the new 303 exam:
https://wiki.lpi.org/wiki/LPIC-303_Objectives_V3.0 You can also see the changes since version 2.0: https://wiki.lpi.org/pubwiki/index.php?title=LPIC-303_Objectives_V3.0&type=revision&diff=&oldid=5056 Topics which were moved to exam 300 were dropped; instead, we now have a topic on vulnerabilities and penetration testing. Some questions I'd like to bring up with you are: * Shall we provide a list of relevant sub commands for tools like openssl (req, ca, ...)? * Shall we provide a list of relevant options for configuration files such as HTTPD? * If you said yes to the those two questions, for which commands / configuration files would so be that specific? * What do you think about cryptmount's relevance? * Shall we keep 'Implement bandwidth usage monitoring' in 334.2? I was tempted to drop it since it is complicated, at the edge of the topic and we don't cover traffic shaping anyway. * I've bounced nft back to awareness level. Do you agree? * How specific should we be about metasploit modules? Two topics we've discussed offline did not make it to the draft: * TPM2 * Microcode Updates / Secureboot If you'd like to see them in there, please propose a position and wording. Otherwise... I'm really looking to some corrections, additions, discussions... Don't be shy to speak up, it's just LPIC-3 :) Fabian On Thu, Feb 7, 2019 at 10:44 PM Fabian Thorns <[email protected]> wrote: > HI there, > > I think it's time to reanimate this thread. I've already had some great > offline discussions regarding LPIC-3, but I'd like to share some thoughts > with all of you and ask you to comment on them. > > For LPIC-303, some specific questions that came up so far were: > > * Shall we include a higher level cert/ca management tool in 325.1? If we > do, which one? cfssl? > > * Shall we break out resource limits from 326.1 into an own topic, along > with cgroups and systemd cgroup management? > > * Shall we include USB guard in 326.2? > > * How much SSSD shall we keep in 303, now that is intensely covered in > LPIC-300 and that basic SSSD knowledge is tested in LPIC-2? One might argue > that identity management could be addresses completely in LPIC-300 now. > > * Is wireguard stable enough to include questions about it already? > > With FreeIPA (and potentially user management + authentication) being > moved to LPIC-300 now, we need to reassign their weights. We could either > add topics to the objectives, increase the weight of the remaining > objectives, or do both. What do you think about a topic on penetration > testing, potentially focused on Metasploit and surrounding tools? Do you > think it's a good idea to cover tools which could be used in offensive > attacks, and to which extend would you test them (e.g., include > meterpreter?) Which other topics might be relevant for LPIC-303? > > Let's try to think about potential new topic in LPIC-303 a bit more, it's > a great opportunity for us to shape for focus of the exam. > > Regards, > > Fabian > > On Tue, Nov 27, 2018 at 12:55 AM Fabian Thorns <[email protected]> wrote: > >> Hi, >> >> by moving the objectives >> >> 326.3 User Management and Authentication (weight: 5) >> >> and >> >> 326.4 FreeIPA Installation and Samba Integration (weight: 4) >> >> from the 303 to the 300 exam we'll vacate nine weight points in exam 303. >> >> Some of these points should certainly be dedicated to penetration >> testing. Metasploit would be one of the potentials tools, but there are >> more for sure, and we should consider if there are other topics that should >> get some of those spare weights, too. >> >> What do you think? >> >> And, this might be quite important, are you aware of any 'dual use' >> considerations in your local legislation which might make it hard for >> candidates and trainers to (responsibly) use pentesting tools for exam >> preparation legally? >> >> Fabian >> >> >> >> On Tue, Oct 23, 2018 at 7:36 PM Markus Schade < >> [email protected]> wrote: >> >>> Also in regards to host hardening, the whole secure/trusted boot topic >>> is AFAIK currently nowhere addressed. >>> Microcode updates and where to check in cpuinfo and sysfs for cpu bugs >>> would also be nice. >>> >>> 325.3 >>> >>> We should mention LUKS2 >>> >>> Also there is clevis/tang for network bound disk encryption or TPM >>> unlocking. >>> >>> 328.4 >>> >>> Get rid of racoon. It's dead since 2014 >>> Replace with strongswan >>> >>> I'd really love to see wireguard here. I know it's not yet finalized, >>> but the configuration seems to be already stable. >>> >>> 320.6 >>> >>> should also include configuration of ciphers, macs and hostkey >>> algorithms all of which had to be set in the last years to disable >>> insecure suites. So candidates should not only see this in the field and >>> but should also be capable of setting these. >>> >>> Maybe have awareness of SSH CA. >>> >>> Best regards, >>> Markus >>> >>> >>> Am 18.10.2018 um 19:22 schrieb Marc Baudoin: >>> > Fabian Thorns <[email protected]> écrit : >>> >> >>> >> this thread is supposed to discuss exam 303. >>> >> >>> >> The current objectives are available here: >>> >> >>> >> https://wiki.lpi.org/wiki/LPIC-303_Objectives_V2 >>> >> >>> >> The current objectives for this exam seem quite fine to me, although >>> a few >>> >> tools might need to be updated (IPsec) / reconsidered. But I'm sure >>> you >>> >> will spot more discussion points in the objectives once you review >>> them >>> >> again. >>> > >>> > My 2 cents... >>> > >>> > 325.4 DNS and Cryptography >>> > >>> > This talks about DANE to illustrate a real-world use of DNSSEC. >>> > Adding the SSHFP RR should be considered as another example. >>> > >>> > 326.1 Host Hardening >>> > >>> > Considering what's known about Spectre, I think "Be aware of the >>> > security advantages of virtualization" should be dropped or >>> > rephrased. >>> > >>> > 326.3 User Management and Authentication >>> > >>> > Should pam_tally.so (not pam_tally2.so) be dropped? >>> > >>> > 326.4 FreeIPA Installation and Samba Integration >>> > >>> > The ipa-replica-prepare doesn't seem to exist anymore in current >>> > versions of FreeIPA. >>> > >>> > 327.2 Mandatory Access Control >>> > >>> > I couldn't find togglesebool in CentOS 7. I didn't checked in >>> > CentOS 6. Is it still available somewhere? >>> > >>> > Maybe the chcon command should be added. >>> > _______________________________________________ >>> > lpi-examdev mailing list >>> > [email protected] >>> > http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev >>> > >>> _______________________________________________ >>> lpi-examdev mailing list >>> [email protected] >>> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev >> >> >> >> -- >> Fabian Thorns <[email protected]> GPG: F1426B12 >> Director of Certification Development, Linux Professional Institute >> > > > -- > Fabian Thorns <[email protected]> GPG: F1426B12 > Director of Certification Development, Linux Professional Institute > -- Fabian Thorns <[email protected]> GPG: F1426B12 Director of Certification Development, Linux Professional Institute
_______________________________________________ lpi-examdev mailing list [email protected] https://list.lpi.org/mailman/listinfo/lpi-examdev
