With the upcoming objectives, I'd like to give my input. Last year I
created a tool named Lynis [1], and covered the same question "what
should be in it?".
Although I also think that some parts belong to LPIC-1 or LPIC-2, there
are still some things which could be in this exam. Maybe as a few
extra objectives (common knowledge you should still know, even if it was
already in a previous exam). Besides that, the speciality exams should be
a challenge imho, and requiring people to study tools they never used can
increase this challenge (caution: make use of tools which are common and
have existed for some years). Also, asking why some specific thing/option is
secure or not can help in increasing the difficulty.
Some objectives I can see as being useful (some already mentioned):
- Bootloader: hardening file permissions, password, check "backdoors"
and determine which weaknesses are present (physical access, other boot
media)
- Kernel: Being able to deal with kernel modules and protecting against
unwanted loading of them. Also hardening and tuning of for example
network related sysctl options.
- Being able to harden the PAM system (pam_tally for example, but also
how rules work, can be layered, or how logging/auditing can be
achieved/improved)
- Configure sudoers and be able to find basic flaws in a config
- Maybe hardening of default tools for non privileged users
- Basic hardening of e-mail services (Sendmail, Postfix, maybe Exim/Qmail?)
- Basic hardening of applications: Apache, MySQL, PHP, OpenSSH and Squid
(disabling unwanted modules, don't show product identification in
banners, headers, filter access)
- Service and packages: hardening and disabling of unneeded
packages/services
- Networking: configuring iptables, sniffing with tcpdump
- Log files: Handling of log files, how to rotate, configure and setup a
safe place to store them (like sending them via a tunnel to a remote host?)
- Encryption: usage of OpenSSL, some common practices like encrypting
locally stored data (and filesystems)
- Security frameworks: decent knowledge of SELinux and maybe some of
grsecurity and AppArmor, or at least know what it can do.
- Process accounting
- Shell: shell restrictions (limiting permissions, but also processes,
file access, network access), chrooting of accounts, etc
- File integrity: Tripwire usage and maybe some basic stuff of the
others (AIDE, Samhain, Osiris)
- Malware: Identify basic malware (like nasty scripts often found in
(web) temp dirs)
- Malware scanning: ClamAV, chkrootkit, rkhunter
- Other defensive or offensive tools like Snort, Nmap, Nessus, John the
Ripper, etc etc (I think the BackTrack livecd [2] should give some
decent amount of examples for this)
Lots of these objectives can simply be tested by showing a configuration
snippet and asking "what is wrong here?". That way you don't have to know
every single tool, but can still apply some basic brain power to catch
the flaws. Others can be tested by "You want to achieve X, which tool
would you use?".
Using the CBK domains sounds like a good idea to me.
Last, but not least, I do hope that this examination tests security
insight of people and does not focus at remembering program
parameters/switches ;)
Best regards,
Michael Boelen
[1] http://www.rootkit.nl/projects/lynis.html
[2] http://www.remote-exploit.org/backtrack.html
G. Matthew Rice wrote:
Hi everyone,
I've (finally) put up the draft objectives for the LPIC-3 303 Security exam.
It is at:
https://group.lpi.org/publicwiki/bin/view/Examdev/LPIC-303
It isn't big on details yet (I'll be adding some of those tomorrow) and there
are certain things that I didn't add because I would like some feedback from
everyone here first.
So, any comments on the utility of adding some of these to the exam?
1. host-based access control
This means things like more tcp wrappers, pam and things like password
cracking. Do we need more than what is in lpic-2/3 exams already?
2. bootloader security
There must be more to it than 'put a password on it' :)
3. encrypted filesystems
I'm thinking that the time isn't right for this. Someone at the office won't
stop pestering me about them, though, so...
4. secure remote access
Meaning, adding vnc, rdesktop, ??? to the exam.
And is there anything else that you think is really missing?
Regards,
_______________________________________________
lpi-examdev mailing list
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev