Dave Phillips <[EMAIL PROTECTED]> writes:
> (ISC)² CISSP CBK Domains:
> ... cut ...

I previously argued we should look at the SSCP domains,
instead of CISSP.  The SSCP domains are system security,
and all seven (7) domains map very well into actual
"objectives/tasks" that you can do on a system.  ;)

1.  Access Controls
2.  Administration
3.  Audit and Monitoring
4.  Risk, Response and Recovery
5.  Cryptography
6.  Data Communications
7.  Malicious Code/Malware

From: G. Matthew Rice <[EMAIL PROTECTED]>
> * Access Control
>   SELinux
>   Other MAC systems
>   host-based access control

Do we cover all discretionary access controls (DAC)
in LPIC-1, 2 or other 3 (LDAP, Samba) exams?
If so, then nevermind.  If not, you want to add them.

- DAC:  Legacy POSIX ACLs (in LPIC-1/2)
- DAC:  Extended POSIX ACLs (again, are they elsewhere?)

Definitely Mandatory and Role-Based (MAC/RBAC) go here though.

- MAC:  SELinux, LSM-based options
- RBAC:  SELinux, other LSM-based options?

It's easy to "lose track" of what to cover.  But if you
start recognizing different implementations of DAC, MAC
and RBAC, it's much easier to realize what you can cover,
and what's left for LPIC-1/2 or other level 3 exams.  I'd
argue DAC is probably game outside of the Security, which
should focus on MAC/RBAC (and maybe only tasks where DAC
is related).

> * Application Security
>   Service hardening

The CISSP can actually go all over on that one.  In reality,
for a "systems security practitioner," it breaks down into
a couple of different categories.

> * Cryptography
>   OpenSSL
>   GPG
>   Encrypted filesystems

There are several concepts to break into tasks:
- Confidentiality (e.g., encryption)
- Non-repudiation (e.g., signature)

And there are two implementations:
- Real-time/protocol (e.g., transport level)
- Non-real-time/file (e.g., GPG)

In the SSCP, this is not just Crypto, but Data Comm
and even Malware considerations.  Real-world tasks
really define a broad range to cover over those three
domains alone for just these concepts.

> * Operations Security
>   host configuration management
> * Network Security
>   Intrusion Detection
>   Network Security Scanning
>   Netfilter/iptables
>   OpenVPN
>   Network Monitoring

The CISSP domains really go into networking beyond what
a "systems security practitioner" should be tested on,
at least from the standpoint of Linux.  That's why I
really prefer the SSCP domains.  It's not that some of
the CISSP concepts aren't valid.  But if you're covering
Linux, it's really difficult to map a lot of concepts
in the CISSP CBK into a set of Linux tasks that can be
tested on, especially when there is enough system-level
to deal with that does tie into networking.
> Anyone care to refine this?   
> Should we actually use these names for topics or keep some
> our own (eg. Application Security vs Service Hardening)?

Again, I think the seven (7) domains of the SSCP do very
well as "top-level" objectives.  Don't know if they should
be the same seven (7) used, but if we're going outside of
them (like the CISSP really does), then we're going to have
increasing difficulty writing tasked-based questions that
will stress Linux, and not more generic concepts.


_______________________________________________
lpi-examdev mailing list
[email protected]
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev