On 29/11/2017 00:15, Ingo Wichmann wrote:
> Hi there,
>
> I think 110.1 and 110.2 need a clean up.
>
> What's the difference between "Perform security administration tasks"
> and "Setup host security"?

I think the average sysadmin out there would have these concepts in mind:

perform security administration tasks: sweep user accounts for inactive ones and remove them. Stop and deinstall defunct and unneeded services. Examine fail2ban et al. logs to see if rules need more tweaking etc etc

setup host security: create firewall rules table; set allowed_hosts in various daemon configs, etc etc

The distinction is the second category can be done by automation because it's the usual; the first category needs eyeballs because you are looking for the unusual.

>
> Why is "Set or change user passwords and password aging information." in
> 110.1 and "Awareness of shadow passwords and how they work." in 110.2?

Why two categories? We no longer have passwords in /etc/passwd anywhere, we do not have "shadow passwords" either, we only have local Unix passwords and they always go in one place, protected by permissions.

>
> I'd prefer, if we would move all network related stuff to 110.2 and
> rename 110.2 to "basic network security". And 110.1 to "host security".
>
> netstat-> ss:
> We should replace netstat with ss, because netstat comes from the legacy
> net-tools.

Agreed. Old farts like me who prefer netstat are very welcome to learn it on their own time.

>
> ulimit:
> Does anybody still use ulimit and /etc/security/limits.conf? Wouldn't
> you use loginctl and/or systemd-run for that?

I'd actually forgotten there even is a thing called ulimits.

>
> Wifi:
> I think candidates should be able to check whether they use an encrypted
> connection using network-manager

I would extend this to some knowledge of what kind of connection, as in "WEP=bad" "WPA=ok-ish"

>
> iptables:
> if we get rid of TCP wrappers we could include simple iptables usage:
> close single ports using iptables. In my opinion, that's much more common
> today.

Agreed.
All I would expect an LPI-1 grad to know about iptables is how to set connection tracking and then allow/deny a port or range of ports to/from a host or range of hosts.

>
> Ingo
>
> _______________________________________________
> lpi-examdev mailing list
> [email protected]
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
>

--
Alan McKinnon
[email protected]
