Hi there, here comes the summary of the changes made to the 202 objectives draft.
A diff of the changes made in the meantime is available in the wiki: https://wiki.lpi.org/pubwiki/index.php?title=LPIC-2_Objectives_V5.0&type=revision&diff=5839&oldid=5781 Please note that there are some open questions at the end of this mail. ## Big changes * Objective 210.1 (DHCP Configuration) got an additional weight due to the amount of IPv6 knowledge in the new version. This consumed one weight in exam 202. * Objective 210.2 (PAM Authentication) got an additional weight due to the 2FA aspects added. This consumed one weight in exam 202. * Objective 211.1 was renamed to 'Managing Email Transfer' * Objective 212.3 (Advanced Secure Shell (SSH)) was moved to exam 201. This freed up three weights in exam 202. * Objective 212.1 (Routing and Packet Filtering) was renamed to "Routing and Packet Filtering" * Objective 212.4 (Security Tasks) systemd specific aspects were moved to their own objective in exam 201. This freed up two weights in exam 202. * Objective 212.4 was renamed to 'Security Assessment and Intrusion Prevention' and received an additional weight due to some additional content added (see below). This consumed one weight in exam 202. * Objective 212.5 (Virtual Private Networks) was extended and now has a weight of five. This consumed two weights in exam 202. * Topic 212 was renamed to 'Network Security' ## Smaller changes 207.1 (Basic DNS Server Configuration): * host is kept because dig is not always available * kill was removed * Added 'Understanding the principles of the Domain Name System' * Awareness of alternate DNS servers was kept since they may be seen in the field. Awareness means knowing what they are, not setting them up or implementing any configuration 207.2 (Create and Maintain DNS Zones): * dig and host were removed here (but not in 207.2) 207.3 (Securing a DNS Server): * Key & Signing Policy (KASP), dnssec-policy and tsig-keygen were added * dnssec-keygen and dnssec-signzone were removed 208.1 (HTTP Protocol): * HTTP versions were extended to cover 1.1, 2 and 3 (although we do not explicitly mention QUIC) * Added 'Understanding the principles of proxy servers and application layer gateways' 208.4 (NGINX Configuration): * The configuration of setup similar to the ones tested in 208.3 is kept since candidates are expected to set up NGINX as a standard web server, not just as a reverse proxy. 209.1 (Samba File Server Configuration): * nmbd was kept in the objective since candidates will most likely stumble upon it during their studies. Knowing that is recently not needed is part of the studies and is stated explicitly in the Samba wiki documentation on setting up a domain member * Added a note that setting up an AD domain is not part of the objective, we are focussing on integrating in an existing domain. Setting up the domain is an LPIC-300 topic. That said, in a training scenario I would still set up an AD domain using Samba (it is really really easy and I would tell candidates that it is not relevant for the exam) and then use the Samba DC not just for joining a Samba file server, but also for the LDAP and Kerberos client topics. 210.1 (DHCP Configuration): * Awareness of KEA is included 210.2 (210.2 PAM Authentication): * sssd was kept since it may be used with an AD domain * pam_oath and pam_otp were moved here from 210.4 * /etc/users.oath and oathtool were added to complement pam_oath * Preparing SSHD for 2FA was added 210.3 (210.3 LDAP Client Usage): * States that the setup of an LDAP server is not part of the objectives. A Samba AD DC would be sufficient and likely be available for teaching the file server domain join in 209.1 anyway 210.4 (210.4 Authentication Mechanisms and Standards): * Stated that setting up the various services is not part of this objective * Removed kinit, klist and kdestroy 211.1 (Using Email Servers ): * Nullmailer is kept to allow providing basic mail services without a full MTA when using an external mail relay 212.1 (Routing and Packet Filtering): * Renamed to Routing and Packet Filtering * The right way to ask about nft is hard. To me it seems that nft itself is not commonly used, but instead the iptables compatibility commands or higher level frameworks like firewall are used. I've adjust this objective to include nftables, use nft to query rules and iptables/ip6tables as well as firewalld to set rules * Added "Understand the concepts of routing, network address translation and packet filtering" * Understand the concepts and differences of iptables and nftables * Query packet filter rule set using nft * Configure packet filter rules using iptables and ip6tables compatibility commands 212.4 (Security Assessment and Intrusion Prevention): * Added conceptual knowledge of network intrusion and detection systems, network security scanners and packet sniffers, along with awareness (NOT implementation!) of snort, suricata, openvas, metasploit and wireshark. * renamed to "Security Assessment and Intrusion Prevention" 212.5 (Virtual Private Networks): * OpenVPN was added back to this objective, the hint to compatibility for regulated use cases seems to be important. The weight of this objective was bumped from 3 to 5. ## Open Questions * Shall we stick with Postfix, switch to exim or reduce the mail topic to no longer including configuring an MTA? * How should we tackle nftables? The way it is right now or is there a better approach? * Shall we reduce Wireguard to awareness level and re-focus on OpenVPN? Looking forward to your comments, Fabian On Mon, Oct 23, 2023 at 7:43 PM Fabian Thorns <[email protected]> wrote: > Dear all, > > This thread is supposed to capture the discussion of the objectives draft > for exam 201-500. The current draft for the new version is available in the > LPI wiki: > > https://wiki.lpi.org/wiki/LPIC-2_Objectives_V5.0#Objectives:_Exam_202 > > Please note that this document will be edited as the discussion goes. > Please use the history and diff features of the wiki to keep track of > changes. > > The major change proposals can be summarized like this: > > - Topic 208, HTTP Services, was restructured to have generic objectives on > HTTP and TLS, as well as individual topics on Apache HTTPD and NGINX. By > summarizing aspects of HTTP and encryption, we can now cover both servers > in greater detail without any repetition of common aspects. > > - Objective 208.3 (old), Squid, is gone > > - Objective 210.4 is no longer on configuration OpenLDAP, but is instead > an overview of authentication mechanisms which includes more recent > technologies. > > - Objective 221.1, Postfix, now includes SASL authentication > > - Objective 212.1, Configuring a router, now includes some basic aspects > of firewalld > > - Objective 212.2 (old), FTP servers is gone > > - Objective 212.3, SSH, was changed to avoid overlaps with LPIC-1 and now > includes SSH-CA > > - Objective 212.4, Security tasks, now includes systemd based security > mechanisms > > - Objective 212.5 now covers VPN in a more generic fashion and Wireguard > instead of OpenVPN > > There are, of course, numerous smaller changes, fixes and improvements. > > Looking forward to your feedback, > > Fabian > > -- > Fabian Thorns <[email protected]> GPG: F1426B12 > Director of Product Development, Linux Professional Institute > -- Fabian Thorns <[email protected]> GPG: F1426B12 Director of Product Development, Linux Professional Institute
_______________________________________________ lpi-examdev mailing list [email protected] https://list.lpi.org/mailman/listinfo/lpi-examdev
