"Bryan J. Smith" <[EMAIL PROTECTED]> wrote:

>> Okay, I've looked at this the last few days and I've come to the "opinion" that we should try to map the "top-level" of all LPIC-3 Security exam questions to the 7 Common Body of Knowledge (CBK) domains of the ISC2's System Security Certified Practitioner (SSCP) exam. I believe we should use an existing framework to "nail down" how we are going to start defining the tasks. <<
Good thinking, Bryan - I was thinking along similar lines, though with reference to the CISSP. I'm of the opinion that a senior administrator - such as an LPIC-3 would probably be - should be able to bridge the gap between management thinking and concerns about security rather than being a pure "hacker" type. As is often remarked, the skills required to secure corporate information resources are *not* the same as - or even the converse of - those required to hack into those systems, and I feel that we should be keeping that in mind.

I'd like to just throw one other idea into the pot, though, which occurred to me at the weekend, but I haven't had time to give it much further consideration, and that is this: instead of modelling the structure of another certification exam, should we perhaps structure our topics after the controls that are listed in Annex A (Control objectives and controls) of BS 7799.2? After all, that is a standard language which is more widely known than either the CISSP or SSCP CBK domains, and is also more formally defined (ISC2, for example, claims copyright on the CBK, which could also cause some problems).

For those who haven't seen BS 7799.2, and the related ISO/IEC 17799, the major headings or classifications in Annex A are:

* Security policy
* Organizational security
* Asset classification and control
* Personnel security
* Physical and environmental security
* Communications and operations management
* Access control
* System development and maintenance
* Business continuity management
* Compliance

Obviously, some of these do not directly relate to a Linux-specific certification. Also, there's a lot more detail under those headings; for example A.9, Access control:

A.9.1 Business requirement for access control
A.9.2 User access management
A.9.3 User responsibilities
A.9.4 Network access control
A.9.5 Operating system access control
A.9.6 Application access control
A.9.7 Monitoring system access and use
A.9.8 Mobile computing and teleworking

And so on and so forth. It's not too difficult to map many of the detailed controls to the tools and techniques that we're all familiar with, such as PAM, LDAP, Tripwire, IPSec implementations, Snort and so on.

As I said, I haven't given this a lot of thought so far, so I'm just throwing it out for discussion. However, I think the fact that the ISO 17799 and BS 7799.2 standards are becoming the standard framework for ISMSs internationally (the US is moving towards adoption of a future version of BS 7799.2, as I understand it, and many US companies use it already), coupled with the detailed structure, makes this interesting, at least.

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]

_______________________________________________
lpi-examdev mailing list
[EMAIL PROTECTED]
http://list.lpi.org/mailman/listinfo/lpi-examdev
