Domain Name Server
Topic | Key Knowledge Areas | The following is a partial list of the used files, terms and utilities: |
---|---|---|
Basic DNS server configuration | • BIND 9.x configuration files, terms and utilities • Defining the location of the BIND zone files in BIND configuration files • Reloading modified configuration and zone files • Awareness of dnsmasq, djbdns and PowerDNS as alternate name servers | • /etc/named.conf • /var/named/ • /usr/sbin/rndc • kill • host • dig |
Create and maintain DNS zones | • BIND 9 configuration files, terms and utilities • Utilities to request information from the DNS server • Layout, content and file location of the BIND zone files • Various methods to add a new host in the zone files, including reverse zones | • /var/named/ • zone file syntax • resource record formats • named-checkzone • named-compilezone • masterfile-format • dig • nslookup • host |
Securing a DNS server | • BIND 9 configuration files • Configuring BIND to run in a chroot jail • Split configuration of BIND using the forwarders statement • Configuring and using transaction signatures (TSIG) • Awareness of DNSSEC and basic tools • Awareness of DANE and related records | • /etc/named.conf • /etc/passwd • DNSSEC • dnssec-keygen • dnssec-signzone |
Web Services
Topic | Key Knowledge Areas: | The following is a partial list of the used files, terms and utilities: |
---|---|---|
Implementing a web server | • Apache 2.4 configuration files, terms and utilities • Apache log files configuration and content • Access restriction methods and files • mod_perl and PHP configuration • Client user authentication files and utilities • Configuration of maximum requests, minimum and maximum servers and clients • Apache 2.4 virtual host implementation (with and without dedicated IP addresses) • Using redirect statements in Apache’s configuration files to customize file access | • access logs and error logs • .htaccess • httpd.conf • mod_auth_basic, mod_authz_host, mod_access_compat • htpasswd • AuthUserFile, AuthGroupFile • apachectl, apache2ctl • httpd, apache2 |
Apache configuration for HTTPS | • SSL configuration files, tools and utilities • Generate a server private key and CSR for a commercial CA • Generate a self-signed Certificate • Install the key and certificate, including intermediate CAs • Configure Virtual Hosting using SNI • Awareness of the issues with Virtual Hosting and use of SSL • Security issues in SSL use, disable insecure protocols and ciphers | • Apache2 configuration files • /etc/ssl/, /etc/pki/ • openssl, CA.pl • SSLEngine, SSLCertificateKeyFile, SSLCertificateFile • SSLCACertificateFile, SSLCACertificatePath • SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable |
Implementing a proxy server | • Squid 3.x configuration files, terms and utilities • Access restriction methods • Client user authentication methods • Layout and content of ACL in the Squid configuration files | • squid.conf • acl • http_access |
Implementing Nginx as a web server and a reverse proxy | • Nginx • Reverse Proxy • Basic Web Server | • /etc/nginx/ • nginx |
File Sharing
Topic | Key Knowledge Areas: | The following is a partial list of the used files, terms and utilities: |
---|---|---|
SAMBA Server Configuration | • Samba 4 documentation • Samba 4 configuration files • Samba 4 tools and utilities and daemons • Mounting CIFS shares on Linux • Mapping Windows user names to Linux user names • User-Level, Share-Level and AD security | • smbd, nmbd, winbindd • smbcontrol, smbstatus, testparm, smbpasswd, nmblookup • samba-tool • net • smbclient • mount.cifs • /etc/samba/ • /var/log/samba/ |
NFS Server Configuration | • NFS version 3 configuration files • I/O redirection • NFS tools and utilities • Access restrictions to certain hosts and/or subnets • Mount options on server and client • TCP Wrappers • Awareness of NFSv4 | • /etc/exports • exportfs • showmount • nfsstat • /proc/mounts • /etc/fstab • rpcinfo • mountd • portmapper |
Network Client Management
Topic | Key Knowledge Areas: | The following is a partial list of the used files, terms and utilities: |
---|---|---|
DHCP configuration | • DHCP configuration files, terms and utilities • Subnet and dynamically-allocated range setup • Awareness of DHCPv6 and IPv6 Router Advertisements | • dhcpd.conf • dhcpd.leases • DHCP Log messages in syslog or systemd journal • arp • dhcpd • radvd • radvd.conf |
PAM authentication | • PAM configuration files, terms and utilities • passwd and shadow passwords • Use sssd for LDAP authentication | • /etc/pam.d/ • pam.conf • nsswitch.conf • pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss • sssd.conf |
LDAP client usage | • LDAP utilities for data management and queries • Change user passwords • Querying the LDAP directory | • ldapsearch • ldappasswd • ldapadd • ldapdelete |
Configuring an OpenLDAP server | • OpenLDAP • Directory based configuration • Access Control • Distinguished Names • Changetype Operations • Schemas and Whitepages • Directories • Object IDs, Attributes and Classes | • slapd • slapd-config • LDIF • slapadd • slapcat • slapindex • /var/lib/ldap/ • loglevel |
E-Mail Services
Topic | Key Knowledge Areas: | The following is a partial list of the used files, terms and utilities: |
---|---|---|
Using e-mail servers | • Configuration files for postfix • Basic TLS configuration for postfix • Basic knowledge of the SMTP protocol • Awareness of sendmail and exim | • Configuration files and commands for postfix • /etc/postfix/ • /var/spool/postfix/ • sendmail emulation layer commands • /etc/aliases • mail-related logs in /var/log/ |
Managing E-Mail Delivery | • Understanding of Sieve functionality, syntax and operators • Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size • Awareness of procmail | • Conditions and comparison operators • keep, fileinto, redirect, reject, discard, stop • Dovecot vacation extension |
Managing Remote E-Mail Delivery | • Dovecot IMAP and POP3 configuration and administration • Basic TLS configuration for Dovecot • Awareness of Courier | • /etc/dovecot/ • dovecot.conf • doveconf • doveadm |
Configuring a router | • iptables and ip6tables configuration files, tools and utilities • Tools, commands and utilities to manage routing tables • Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6) • Port redirection and IP forwarding • List and write filtering rules that accept or block IP packets based on source or destination protocol, port and address • Save and reload filtering configurations | • /proc/sys/net/ipv4/ • /proc/sys/net/ipv6/ • /etc/services • iptables • ip6tables |
Securing FTP servers | • Configuration files, tools and utilities for Pure-FTPd and vsftpd • Awareness of ProFTPd • Understanding of passive vs. active FTP connections | • vsftpd.conf • important Pure-FTPd command line options |
Secure shell (SSH) | • OpenSSH configuration files, tools and utilities • Login restrictions for the superuser and the normal users • Managing and using server and client keys to login with and without password • Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes | • ssh • sshd • /etc/ssh/sshd_config • /etc/ssh/ • Private and public key files • PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol |
Security tasks | • Tools and utilities to scan and test ports on a server • Locations and organizations that report security alerts, such as Bugtraq, CERT or other sources • Tools and utilities to implement an intrusion detection system (IDS) • Awareness of OpenVAS and Snort | • telnet • nmap • fail2ban • nc • iptables |
OpenVPN | • OpenVPN | • /etc/openvpn/ • openvpn |
Capacity Planning
Topic | Key Knowledge Areas: | The following is a partial list of the used files, terms and utilities: |
---|---|---|
Measure and Troubleshoot Resource Usage | • Measure CPU usage • Measure memory usage • Measure disk I/O • Measure network I/O • Measure firewalling and routing throughput • Map client bandwidth usage • Match / correlate system symptoms with likely problems • Estimate throughput and identify bottlenecks in a system including networking | • iostat • netstat • w • top • sar • processes blocked on I/O • blocks out • vmstat • pstree, ps • lsof • uptime • swap • blocks in |
Predict Future Resource Needs | • Use monitoring and measurement tools to monitor IT infrastructure usage • Predict capacity break point of a configuration • Observe growth rate of capacity usage • Graph the trend of capacity usage • Awareness of monitoring solutions such as Icinga2, Nagios, collectd, MRTG and Cacti | • diagnose • predict growth • resource exhaustion |
Linux Kernel
Topic | Key Knowledge Areas: | The following is a partial list of the used files, terms and utilities: |
---|---|---|
Kernel Components | • Kernel 2.6.x, 3.x and 4.x documentation | • /usr/src/linux/ • /usr/src/linux/Documentation/ • zImage • bzImage • xz compression |
Compiling a kernel | • /usr/src/linux/ • Kernel Makefiles • Kernel 2.6.x/3.x make targets • Customize the current kernel configuration • Build a new kernel and appropriate kernel modules • Install a new kernel and any modules • Ensure that the boot manager can locate the new kernel and associated files • Module configuration files • Use DKMS to compile kernel modules • Awareness of dracut | • mkinitrd • mkinitramfs • make • make targets (all, config, xconfig, menuconfig, gconfig, oldconfig, mrproper, zImage, bzImage, modules, modules_install, rpm-pkg, binrpm-pkg, deb-pkg) • gzip • bzip2 • module tools • /usr/src/linux/.config • /lib/modules/kernel-version/ • depmod • dkms |
Kernel runtime management and troubleshooting | • Use command-line utilities to get information about the currently running kernel and kernel modules • Manually load and unload kernel modules • Determine when modules can be unloaded • Determine what parameters a module accepts • Configure the system to load modules by names other than their file name • /proc filesystem • Content of /, /boot/, and /lib/modules/ • Tools and utilities to analyze information about the available hardware • udev rules | • /lib/modules/kernel-version/modules.dep • module configuration files in /etc/ • /proc/sys/kernel/ • /sbin/depmod • /sbin/rmmod • /sbin/modinfo • /bin/dmesg • /sbin/lspci • /usr/bin/lsdev • /sbin/lsmod • /sbin/modprobe • /sbin/insmod • /bin/uname • /usr/bin/lsusb • /etc/sysctl.conf, /etc/sysctl.d/ • /sbin/sysctl • udevmonitor • udevadm monitor • /etc/udev/ |
Customizing SysV-init system startup | • Systemd • SysV init • Linux Standard Base Specification (LSB) | • /usr/lib/systemd/ • /etc/systemd/ • /run/systemd/ • systemctl • systemd-delta • /etc/inittab • /etc/init.d/ • /etc/rc.d/ • chkconfig • update-rc.d • init and telinit |
System Recovery | • BIOS and UEFI • NVMe booting • GRUB version 2 and Legacy • grub shell • boot loader start and hand off to kernel • kernel loading • hardware initialisation and setup • daemon/service initialisation and setup • Know the different boot loader install locations on a hard disk or removable device • Overwrite standard boot loader options and using boot loader shells • Use systemd rescue and emergency modes | • mount • fsck • inittab, telinit and init with SysV init • The contents of /boot/, /boot/grub/ and /boot/efi/ • EFI System Partition (ESP) • GRUB • grub-install • efibootmgr • UEFI shell • initrd, initramfs • Master boot record • systemctl |
Alternate Bootloaders | • SYSLINUX, ISOLINUX, PXELINUX • Understanding of PXE for both BIOS and UEFI • Awareness of systemd-boot and U-Boot | • syslinux • extlinux • isolinux.bin • isolinux.cfg • isohdpfx.bin • efiboot.img • pxelinux.0 • pxelinux.cfg/ • uefi/shim.efi • uefi/grubx64.efi |
Filesystem and Devices | • The concept of the fstab configuration • Tools and utilities for handling swap partitions and files • Use of UUIDs for identifying and mounting file systems • Understanding of systemd mount units | • /etc/fstab • /etc/mtab • /proc/mounts • mount and umount • blkid • sync • swapon • swapoff |
Maintaining a Linux filesystem | • Tools and utilities to manipulate ext2, ext3 and ext4 • Tools and utilities to perform basic Btrfs operations, including subvolumes and snapshots • Tools and utilities to manipulate XFS • Awareness of ZFS | • mkfs (mkfs.*) • mkswap • fsck (fsck.*) • tune2fs, dumpe2fs and debugfs • btrfs, btrfs-convert • xfs_info, xfs_check, xfs_repair, xfsdump and xfsrestore • smartd, smartctl |
Creating and configuring filesystem options | • autofs configuration files • Understanding of automount units • UDF and ISO9660 tools and utilities • Awareness of other CD-ROM filesystems (HFS) • Awareness of CD-ROM filesystem extensions (Joliet, Rock Ridge, El Torito) • Basic feature knowledge of data encryption (dm-crypt / LUKS) | • mkfs (mkfs.*) • mkswap • /etc/auto.master • /etc/auto.[dir] • mkisofs • cryptsetup |
Network Configuration
Topic | Key Knowledge Areas: | The following is a partial list of the used files, terms and utilities: |
---|---|---|
Basic networking configuration | • Utilities to configure and manipulate ethernet network interfaces • Configuring basic access to wireless networks | • ip • ifconfig • route • arp • iw • iwconfig • iwlist |
Advanced Network Configuration and Troubleshooting | • Utilities to manipulate routing tables • Utilities to configure and manipulate ethernet network interfaces • Utilities to analyze the status of the network devices • Utilities to monitor and analyze the TCP/IP traffic | • ip • ifconfig • route • arp • ss • netstat • lsof • ping, ping6 • nc • tcpdump • nmap |
Troubleshooting Network Issues | • Location and content of access restriction files • Utilities to configure and manipulate ethernet network interfaces • Utilities to manage routing tables • Utilities to list network states • Utilities to gain information about the network configuration • Methods of obtaining information about the recognized and used hardware devices • System initialization files and their contents (SysV init process) • Awareness of NetworkManager and its impact on network configuration | • ip • ifconfig • route • ss • netstat • /etc/network/, /etc/sysconfig/network-scripts/ • ping, ping6 • traceroute, traceroute6 • mtr • hostname • System log files such as /var/log/syslog, /var/log/messages and the systemd journal • dmesg • /etc/resolv.conf • /etc/hosts • /etc/hostname, /etc/HOSTNAME • /etc/hosts.allow, /etc/hosts.deny |
System Maintenance
Topic | Key Knowledge Areas: | The following is a partial list of the used files, terms and utilities: |
---|---|---|
Make and install programs from source | • Unpack source code using common compression and archive utilities • Understand basics of invoking make to compile programs • Apply parameters to a configure script • Know where sources are stored by default | • /usr/src/ • gunzip • gzip • bzip2 • xz • tar • configure • make • uname • install • patch |
Backup operations | • Knowledge about directories that have to be included in backups • Awareness of network backup solutions such as Amanda, Bacula, Bareos and BackupPC • Knowledge of the benefits and drawbacks of tapes, CDR, disk or other backup media • Perform partial and manual backups • Verify the integrity of backup files • Partially or fully restore backups | • /bin/sh • dd • tar • /dev/st* and /dev/nst* • mt • rsync |
Notify users on system-related issues | • Automate communication with users through logon messages • Inform active users of system maintenance | • /etc/issue • /etc/issue.net • /etc/motd • wall • /sbin/shutdown • systemctl |