Les Bell has taken more time to develop the preliminary Security
objectives. He has reviewed the task list for completion, filling in gaps
in the current task list and implementing them into the objectives. His
files are attached.
Please review and comment as previously requested :)
Thank-you Les!
-Kara
---------- Forwarded message ----------
Date: Mon, 4 Jun 2001 12:45:34 -0500 (CDT)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Preliminary Kernel Objectives
In order to assist in speedy objective development, I've tried to start
developing some preliminary objectives for our tasks, based on the most
recent organizational structure. (I've only received one response to the
last thread on organizing!)
The objectives are definitely not complete in current form, nor are they
the concrete foundation we're forced to work with. The tasks are our
foundation (also attached). The goal is to create objectives which cover
these tasks and fill in the technical gaps and details.
Our Level 1 objectives
(http://www.lpi.org/p-obj-101.html and p-obj-102.html)
should provide a good outline for what form and style objectives should be
written in. I've modified slightly (including bullets for specified files
and tools covered) but the rest should be developed in the same fashion as
the current Level 1 objectives. There's no need to obsess over this step
at this stage, as I plan to have this completed in a stage of formal
review.
I would like comments, changes, and additions, as well as assistance
completing (technically) the objectives I've posted; your comments and
submissions for replacement or additional objectives; and your comments
for supplementary objectives (if any).
Please begin by reviewing the current objectives for Level 1 at the URLs
listed above. Next, review the task file for this group. Finally, review
the preliminary objectives file and comment. Please note that the
preliminary objectives file associates the current task numbers with the
affiliated objective. Please continue to refer to these task IDs when
commenting, reorganizing, etc. objectives.
I will continue submitting preliminary objective files for various
categories today and tomorrow. I would like good discussion and progress
toward finalizing objectives in progress by Wednesday. By Friday, those of
you interested in the contract positions to finalize objectives should be
able to begin review. By next week, I would like to publish our objectives
for public review and begin collecting preliminary items.
The next 10 days are going to be crazy, and I greatly appreciate your time
and dedication to development. We are moving extremely quickly, and
everyone is very excited about our current developments!
Please contact me if you are available 6/8 - 6/12 for contract objective
review and development. I apologize that this will encompass a weekend,
but it is necessary for succeeding with our current development schedule.
Slots are filling for the Item Writing session planned for the week of
June 18. If you had hoped to participate in this event, please contact me
to discuss availability, expenses, etc. It is likely that a two team
approach (6/18 - 6/20, 6/20 - 6/22) will be used, allowing for flexible
travel arrangements.
--
Kara Pritchard Phone: 618-398-7360
Author, RHCE Exam Cram
Director of Exam Development http://www.lpi.org/
Site Manager http://www.LinuxUsersGroups.org/
--
Security Objectives
[3.4.3, 3.4.6, 3.2.1, 3.2.2, 3.4.1, 3.4.2, 3.4.4, 3.4.5, 6.4.1, 6.4.3,
6.4.4, 6.4.5]
Objective: Configure a filtering router using ipchains and related tools
The candidate should be able to: Configure ipchains to perform IP
masquerading. State the significance of Network Address Translation and
Private Network Addresses in protecting a network. Configure ipchains port
redirection. List filtering rules using ipchains. Write ipchains rules
that accept or block datagrams based upon source or destination protocol,
port and address. Save and reload an ipchains configuration. Use settings
in /proc/sys/net/ipv4 to respond to DoS attacks. Use
/proc/sys/net/ipv4/ip_forward to turn IP forwarding on and off. Use tools
such as PortSentry to block port scans and vulnerability probes.
Includes tools and files such as:
* ipchains
* /proc/sys/net/ipv4
* /etc/services
[3.7.1, 3.7.2, 3.7.3, 3.7.4]
Objective: Secure FTP
The candidate should be able to: Configure an anonymous download FTP
server. Configure an FTP server to allow anonymous uploads. List
additional precautions to be taken if anonymous uploads are permitted.
Configure guest users and groups with chroot jail. Configure ftpaccess to
deny access to named users or groups.
Includes tools and files such as:
* ftpaccess, ftpusers, ftpgroups
* /etc/passwd
[5.2.2, 5.2.5, 5.2.7, 5.2.8, 5.2.9, 5.2.13, 5.2.16, 5.2.17, 5.2.18,
5.2.23, 6.3.1]
Objective: Configure the Secure Shell (SSH)
The candidate should be able to: Configure sshd to allow or deny root
logins, enable or disable X forwarding. Generate server keys. Generate a
user's public/private key pair. Add a public key to a user's
authorized_keys file. Configure ssh-agent for all users. Configure port
forwarding to tunnel an application protocol over ssh. Configure ssh to
support the ssh protocol versions 1 and 2. Disable non-root logins during
system maintenance. Configure trusted clients for ssh logins without a
password. Make multiple connections from multiple hosts to guard against
loss of connection to remote host following configuration changes.
Includes tools and files such as:
* ssh, sshd
* /etc/ssh/sshd_config
* ~/.ssh/identity.pub and identity, ~/.ssh/authorized_keys
[5.2.11]
Objective: Configure access control for services using tcpwrappers
The candidate should be able to: Configure tcpwrappers to allow
connections to specified servers from only certain hosts or subnets.
Includes tools and files such as:
* inetd.conf, tcpd
* hosts.allow, hosts.deny
[5.2.22, 6.2.2, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.3.5]
Objective: Miscellaneous security tasks
The candidate should be able to: Install and configure kerberos. Perform
basic security auditing of source code. Arrange to receive security alerts
from Bugtraq, CERT, CIAC or other sources. Be able to test for open mail
relays and anonymous FTP servers. Install and configure an intrusion
detection system such as snort or Tripwire. Update the IDS configuration
as new vulnerabilities are discovered. Apply security patches and bugfixes.
Includes tools and files such as:
* telnet
* Snort, Tripwire
1.1.5 Pre-configure ssh-agent system-wide
3.2.1 Turn on and off IP forwarding by changing the value of
/proc/sys/net/ipv4/ip_forward.
3.2.2 Use tcp_max_syn_backlog, tcp_syn_retries and tcp_syncookies to manage
SYN connections and SYN flood attacks.
Subarea 4: CIDR
3.4.1 Configure ipchains to set up ip masquerading.
3.4.2 Use ipchains redirect to send input packets to IP servers
3.4.4 List firewall rules on a chain using ipchains.
3.7.1 Set up secure anonymous ftp server for web host clients
3.7.2 L1 Change the /etc/ftpaccess file to include the DENY keyword.
5.2.2 hi, L1 Set up secure shell
5.2.5 L1 Generate a SSH public/private key pair (in ~/.ssh/identity and
~/.ssh/identity.pub).
5.2.7 Configure a remote system to allow SSH logins with a public key by
adding the key to ~/.ssh/authorized_keys.
5.2.8 L1 Properly configure and use ssh-agent, including killing it off at
logout properly.
5.2.9 Manage multiple connections from multiple locations to prevent network
connection loss during sensitive remote system changes.
5.2.10 Set up special secure ports to allow remote administration as
superuser.
5.2.11 hi Use tcpwrappers or ipchains to manage remote access.
5.2.13 Use ssh's port forward ability to encrypt insecure connections to a
remote server and vice versa
5.2.16 Set up ssh to properly handle incoming and outgoing SSH ver. 1 and ver.
2 connections
5.2.17 Disable ssh connections for everyone except root during system
maintenance
5.2.18 Setup trusted hosts for ssh connections that allow logins without
password
5.2.22 lo Setup kerberos to provide better security while allowing centralized
user account management
6.2.2 lo Perform basic security auditing of sensitive source code, such as
scanning for insecure usage of functions like 'strcpy' and 'sprintf'
6.2.7 Read Bugtraq to learn about new security problems and fix them.
6.2.8 Check for open mail relays and anonymous ftp servers
6.2.9 lo Install and configure the snort intrusion detection tool
6.2.10 lo Update the snort configuration files to reflect newly-discovered
vulnerabilities
6.3.1 Disable logging on as root by editing /etc/ssh/sshd_config (PermitRootLogin
no; the group-based directive is DenyGroups, plural, not DenyGroup)
6.3.5 hi Apply security bugfixes to important daemons
6.4.1 Change the firewall setup to block hosts that do portscans or test for
vulnerabilities
6.4.3 Set up ipchains to accept packets into your network by specific
network blocks.
6.4.4 Set up ipchains to deny ICMP packets into your network by specific
network blocks.
6.4.5 Set up ipchains to reject ICMP packets into your network.
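The tcpwrappers objective (task 5.2.11) turns on one detail candidates get wrong: tcpd consults hosts.allow first, then hosts.deny, and grants access when neither file matches. The model below is an added example written for this thread; it is not LPI material or tcp_wrappers source code. It assumes the classic ACL syntax only (daemon_list : client_list), client patterns written as an address, a net/mask pair, a trailing-dot network prefix, a leading-dot domain suffix or ALL, with EXCEPT allowed; it does no DNS lookups (the caller passes an already-resolved hostname, if any) and ignores backslash continuation. The hosts.allow and hosts.deny contents are constructed samples.

```python
"""Model of the tcpd access decision driven by hosts.allow / hosts.deny.

Added example, not LPI material or tcp_wrappers code. Assumptions: classic
ACL syntax (daemon_list : client_list), no backslash continuation, no DNS
lookups; hostname, if known, is supplied by the caller.
"""
import ipaddress
import re

# Constructed sample files, not copied from any real host.
HOSTS_ALLOW = """\
# /etc/hosts.allow (constructed sample)
sshd, in.ftpd : 192.168.1.0/255.255.255.0
sshd : 10.0.
ALL : .example.com EXCEPT evil.example.com
"""

HOSTS_DENY = """\
# /etc/hosts.deny (constructed sample)
ALL : ALL
"""


def parse_acl(text):
    """Return [(daemon_list, client_list)] in file order; comment and blank lines dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))  # fields[2:] would be options/shell_command
    return rules


def _tokens(list_str):
    # list members are separated by commas and/or whitespace
    return list_str.replace(",", " ").split()


def _list_matches(list_str, item_matches):
    """hosts_access(5) list semantics: 'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c)."""
    head, *rest = re.split(r"\s+EXCEPT\s+", list_str, maxsplit=1)
    if not any(item_matches(tok) for tok in _tokens(head)):
        return False
    return not rest or not _list_matches(rest[0], item_matches)


def _client_matches(pattern, addr, host):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                      # domain suffix, e.g. .example.com
        return host is not None and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                        # network prefix, e.g. 10.0.
        return addr.startswith(pattern)
    if "/" in pattern:                               # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    return pattern == addr or (host is not None and pattern.lower() == host.lower())


def tcpd_decision(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' as tcpd would: hosts.allow is searched first, then
    hosts.deny; a client matched by neither file is granted access."""
    for text, verdict in ((allow, "allow"), (deny, "deny")):
        for daemon_list, client_list in parse_acl(text):
            if (_list_matches(daemon_list, lambda d: d in ("ALL", daemon))
                    and _list_matches(client_list, lambda c: _client_matches(c, addr, host))):
                return verdict
    return "allow"   # default-allow: an empty hosts.deny protects nothing


if __name__ == "__main__":
    for args in (("sshd", "192.168.1.5"), ("in.ftpd", "10.0.3.4"),
                 ("in.telnetd", "172.16.0.9", "box.example.com"),
                 ("in.telnetd", "172.16.0.9", "evil.example.com")):
        print(args, "->", tcpd_decision(*args))
    print("same request with an empty hosts.deny:", tcpd_decision("in.ftpd", "10.0.3.4", deny=""))
```

The last line of the demo is the check worth remembering: remove the "ALL : ALL" line from hosts.deny and every daemon not named in hosts.allow becomes reachable from everywhere, because the default when nothing matches is to allow.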
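For the SSH objective (tasks 5.2.2, 5.2.16 and 6.3.1) the settings that matter are a handful of sshd_config keywords, and sshd applies the first occurrence of a keyword, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing. The audit script below is an added example written for this thread, not LPI material or OpenSSH code. It assumes OpenSSH configuration syntax (Keyword value, keyword case-insensitive, lines beginning with # are comments, no Match blocks); the DEFAULTS table is the author's assumption for keywords the file leaves unset on an OpenSSH 2.9/3.x server and should be checked against the local sshd_config(5). Both configurations are constructed samples.

```python
"""Audit an sshd_config for the settings named in the SSH objective.

Added example, not LPI material or OpenSSH code. Assumptions: OpenSSH
syntax, first occurrence of a keyword wins, no Match blocks; DEFAULTS are
assumed values for unset keywords and must be verified locally.
"""
import re

DEFAULTS = {                      # assumed defaults for keywords left unset
    "permitrootlogin": "yes",
    "protocol": "2,1",
    "x11forwarding": "no",
    "permitemptypasswords": "no",
}

# Constructed sample configurations, not taken from any real host.
WEAK_CONFIG = """\
# sshd_config (constructed sample, permissive)
Port 22
Protocol 2,1
PermitRootLogin yes
X11Forwarding yes
# the repeat below is ignored by sshd: the first occurrence wins
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# sshd_config (constructed sample, hardened)
Port 22
Protocol 2
PermitRootLogin no
X11Forwarding no
DenyGroups root
"""


def parse_sshd_config(text):
    """Map lowercase keyword -> value; the first occurrence of a keyword wins, as in sshd."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)   # "Key value" or "Key=value"
        if m:
            cfg.setdefault(m.group(1).lower(), m.group(2).strip())
    return cfg


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every checked setting is safe."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is '%s': set it to 'no'. PermitRootLogin is the direct "
                        "control; DenyGroups root matches on group membership and also blocks "
                        "any other account in the root group." % cfg["permitrootlogin"])
    versions = [v.strip() for v in cfg["protocol"].split(",")]
    if "1" in versions:
        findings.append("Protocol '%s' still offers SSH protocol 1; use 'Protocol 2' unless a "
                        "legacy client forces otherwise." % cfg["protocol"])
    if cfg["x11forwarding"].lower() == "yes":
        findings.append("X11Forwarding yes: disable unless forwarded X clients are required.")
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in.")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("empty", "")):
        print(name, "->", audit_sshd_config(text) or "no findings")
```

Running the audit against an empty file reports the assumed defaults, which is the point of the DEFAULTS table: an sshd_config that never mentions PermitRootLogin has not turned root logins off.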