Topic 331: Cryptography
| Objective | Key Knowledge Areas | The following is a partial list of the used files, terms and utilities |
|---|---|---|
| X.509 Certificates and Public Key Infrastructures | • Understand X.509 certificates, the X.509 certificate lifecycle, X.509 certificate fields and X.509v3 certificate extensions • Understand trust chains and public key infrastructures, including Certificate Transparency • Generate and manage public and private keys • Create, operate and secure a certification authority • Request, sign and manage server and client certificates • Revoke certificates and certification authorities • Basic feature knowledge of Let's Encrypt, ACME and certbot • Basic feature knowledge of CFSSL | • openssl (including relevant subcommands) • OpenSSL configuration • PEM, DER, PKCS • CSR • CRL • OCSP |
| X.509 Certificates for Encryption, Signing and Authentication | • Understand SSL and TLS, including protocol versions and ciphers • Configure Apache HTTPD with mod_ssl to provide HTTPS service, including SNI and HSTS • Configure Apache HTTPD with mod_ssl to serve certificate chains and adjust the cipher configuration (no cipher-specific knowledge) • Configure Apache HTTPD with mod_ssl to authenticate users using certificates • Configure Apache HTTPD with mod_ssl to provide OCSP stapling • Use OpenSSL for SSL/TLS client and server tests | • httpd.conf • mod_ssl • openssl (including relevant subcommands) |
| Encrypted File Systems | • Understand block device and file system encryption • Use dm-crypt with LUKS1 to encrypt block devices • Use eCryptfs to encrypt file systems, including home directories and PAM integration • Awareness of plain dm-crypt • Awareness of LUKS2 features • Conceptual understanding of Clevis for LUKS devices and Clevis PINs for TPM2 and Network Bound Disk Encryption (NBDE)/Tang | • cryptsetup (including relevant subcommands) • cryptmount • /etc/crypttab • ecryptfsd • ecryptfs-* commands • mount.ecryptfs, umount.ecryptfs • pam_ecryptfs |
| DNS and Cryptography | • Understand the concepts of DNS, zones and resource records • Understand DNSSEC, including key signing keys, zone signing keys and relevant DNS records such as DS, DNSKEY, RRSIG, NSEC, NSEC3 and NSEC3PARAM • Configure and troubleshoot BIND as an authoritative name server serving DNSSEC secured zones • Manage DNSSEC signed zones, including key generation, key rollover and re-signing of zones • Configure BIND as a recursive name server that performs DNSSEC validation on behalf of its clients • Understand CAA and DANE, including relevant DNS records such as CAA and TLSA • Use CAA and DANE to publish X.509 certificate and certificate authority information in DNS • Use TSIG for secure communication with BIND • Awareness of DNS over TLS and DNS over HTTPS • Awareness of Multicast DNS | • named.conf • dnssec-keygen • dnssec-signzone • dnssec-settime • dnssec-dsfromkey • rndc (including relevant subcommands) • dig • delv • openssl (including relevant subcommands) |
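Worked example for the X.509 Certificates and Public Key Infrastructures objectives (create and operate a CA, sign server and client certificates, revoke a certificate and publish a CRL). This is an added example, not text from the LPI objectives or code from the OpenSSL project: the CA name, the hosts under example.test and the user alice are made up, everything is written to a temporary directory, and it assumes OpenSSL 1.1.1 or later on a POSIX shell.

```sh
#!/bin/sh
# Added example, not part of the LPI objectives: a throwaway single-root CA driven
# by openssl ca(1). All names (Demo Root CA, example.test, alice) are made up.
set -eu

# mini_ca: build the CA, issue a server and a client certificate, revoke the client
# certificate and publish a CRL. Prints the directory holding all artifacts.
mini_ca() {
    ca=$(mktemp -d)
    mkdir -p "$ca/newcerts"
    : > "$ca/index.txt"          # certificate database, one line per issued certificate
    echo 1000 > "$ca/serial"     # next serial number (hex)
    echo 1000 > "$ca/crlnumber"  # next CRL number (hex)

    cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = policy_any

[ policy_any ]
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_client ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

    # 1. CA key (P-256) and self-signed CA certificate with CA:TRUE, keyCertSign, cRLSign
    openssl req -x509 -config "$ca/ca.cnf" -extensions v3_ca -days 365 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj '/O=Demo/CN=Demo Root CA' -keyout "$ca/ca.key" -out "$ca/ca.crt" >/dev/null 2>&1

    # 2. Server: CSR from the server's own key, then the CA adds the leaf extensions.
    #    The SAN comes from the CA's extfile, not from the CSR, so a requester cannot
    #    smuggle in extra names or CA:TRUE.
    openssl req -new -config "$ca/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj '/CN=www.example.test' -keyout "$ca/server.key" -out "$ca/server.csr" >/dev/null 2>&1
    cat > "$ca/server.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.test, DNS:example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl ca -batch -notext -config "$ca/ca.cnf" -extfile "$ca/server.ext" \
        -in "$ca/server.csr" -out "$ca/server.crt" >/dev/null 2>&1

    # 3. Client certificate for alice, extensions taken from the [ v3_client ] section
    openssl req -new -config "$ca/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj '/CN=alice' -keyout "$ca/alice.key" -out "$ca/alice.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$ca/ca.cnf" -extensions v3_client \
        -in "$ca/alice.csr" -out "$ca/alice.crt" >/dev/null 2>&1

    # 4. Revoke alice's certificate and issue a CRL (index.txt now carries an "R" entry)
    openssl ca -config "$ca/ca.cnf" -revoke "$ca/alice.crt" -crl_reason keyCompromise >/dev/null 2>&1
    openssl ca -config "$ca/ca.cnf" -gencrl -out "$ca/ca.crl" >/dev/null 2>&1

    echo "$ca"
}

# verify_leaf CA_DIR CERT PURPOSE: chain, purpose (KU/EKU) and CRL check, as a relying party does
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check -purpose "$3" "$2"
}

dir=$(mini_ca)
openssl x509 -in "$dir/server.crt" -noout -subject
openssl x509 -in "$dir/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
verify_leaf "$dir" "$dir/server.crt" sslserver          # www.example.test: OK
verify_leaf "$dir" "$dir/alice.crt"  sslclient || true  # alice: certificate revoked
```

After the run, `cat "$dir/index.txt"` shows one `V` (valid) line for the server and one `R` (revoked) line for alice; the CRL is what `verify_leaf` feeds to `-crl_check`. Two points carry over to a real CA: keep the CA key off the issuing host (or in an HSM) and never use `copy_extensions = copy` unless the CA also pins basicConstraints, keyUsage and extendedKeyUsage in its own section, because CSR extensions are requester-controlled.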
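Worked example for the objective "Use OpenSSL for SSL/TLS client and server tests", including SNI-based certificate selection and hostname verification on the client side. This is an added example, not from the LPI objectives or the OpenSSL project; the names www.example.test and other.example.test, the loopback port and the two self-signed certificates are all made up for the demonstration, and it assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the LPI objectives): exercise a TLS server with the openssl
# CLI. Host names are made up; both certificates are self-signed and trusted explicitly.
set -eu

# tls_check PORT NAME TRUSTFILE: handshake with 127.0.0.1:PORT sending NAME as SNI,
# verifying the chain against TRUSTFILE and NAME against the leaf certificate.
# Non-zero exit if the handshake or the verification fails (-verify_return_error).
tls_check() {
    printf 'Q\n' | openssl s_client -connect "127.0.0.1:$1" -servername "$2" \
        -verify_hostname "$2" -CAfile "$3" -verify_return_error 2>/dev/null
}

# tls_demo PORT: start s_server with two certificates, run three client tests, stop it.
tls_demo() {
    port=$1
    w=$(mktemp -d)
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$w/req.cnf"
    for n in www.example.test other.example.test; do
        openssl req -x509 -config "$w/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -days 30 -subj "/CN=$n" -addext "subjectAltName=DNS:$n" \
            -keyout "$w/$n.key" -out "$w/$n.crt" >/dev/null 2>&1
    done
    cat "$w/www.example.test.crt" "$w/other.example.test.crt" > "$w/trust.pem"

    # Default certificate is www; other.example.test is served only when the SNI matches.
    openssl s_server -accept "127.0.0.1:$port" -www -no_tls1 -no_tls1_1 \
        -cert "$w/www.example.test.crt" -key "$w/www.example.test.key" \
        -servername other.example.test \
        -cert2 "$w/other.example.test.crt" -key2 "$w/other.example.test.key" >/dev/null 2>&1 &
    pid=$!
    trap 'kill $pid 2>/dev/null || true' EXIT

    # wait until the listener accepts connections
    tries=0
    until printf 'Q\n' | openssl s_client -connect "127.0.0.1:$port" >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 20 ] || { echo "server did not start"; return 1; }
        sleep 1
    done

    ok=0
    # 1. SNI www -> default certificate, hostname matches
    if tls_check "$port" www.example.test "$w/trust.pem" | grep -q 'CN *= *www.example.test'; then
        echo "www.example.test: handshake and verification OK"; ok=$((ok + 1)); fi
    # 2. SNI other -> server switches to the second certificate
    if tls_check "$port" other.example.test "$w/trust.pem" | grep -q 'CN *= *other.example.test'; then
        echo "other.example.test: SNI selected the second certificate"; ok=$((ok + 1)); fi
    # 3. unknown SNI -> default certificate served, client must reject the name mismatch
    if ! tls_check "$port" nobody.example.test "$w/trust.pem" >/dev/null; then
        echo "nobody.example.test: rejected (hostname mismatch), as it should be"; ok=$((ok + 1)); fi

    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    [ "$ok" -eq 3 ]
}

tls_demo 44330
```

Against a real Apache mod_ssl host the same `tls_check` call works unchanged: replace the trust file with the system CA bundle, and add `-tls1_2` or `-cipher`/`-ciphersuites` to probe the protocol and cipher configuration, or `-status` to see whether the server staples an OCSP response.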
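Worked example for the DNSSEC part of the DNS and Cryptography objectives: the NSEC3 hashed owner name that `dnssec-signzone -3 <salt> -H <iterations>` writes into a signed zone, computed by hand from the parameters in the zone's NSEC3PARAM record (RFC 5155 section 5). This is an added example, not from the LPI objectives or from BIND; it uses the zone `example.` and the parameters from RFC 5155 Appendix A, and assumes `openssl` for SHA-1 on a POSIX shell.

```sh
#!/bin/sh
# Added example (not from the LPI objectives): compute an NSEC3 hashed owner name by hand.
# Inputs follow the NSEC3PARAM record: hash algorithm 1 (SHA-1), salt, iterations.
set -eu

# nsec3_hash NAME SALT_HEX ITERATIONS -> prints the Base32hex hashed owner name
# SALT_HEX is the salt from NSEC3PARAM in hex, or "-" for no salt.
nsec3_hash() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # canonical form is lowercase
    name=${name%.}                              # tolerate a trailing dot
    salt_hex=$2
    iters=$3
    tmp=$(mktemp -d)

    # 1. Owner name in DNS wire format: every label prefixed by its length, then the root label 0x00.
    printf '%s\n' "$name" | tr '.' '\n' | while IFS= read -r label; do
        printf "\\$(printf '%03o' "${#label}")%s" "$label"
    done > "$tmp/input"
    printf '\000' >> "$tmp/input"

    # 2. Salt as raw bytes.
    : > "$tmp/salt"
    if [ "$salt_hex" != "-" ]; then
        for pair in $(printf '%s\n' "$salt_hex" | sed 's/../& /g'); do
            printf "\\$(printf '%03o' "$((0x$pair))")" >> "$tmp/salt"
        done
    fi

    # 3. H0 = SHA1(name || salt); Hk = SHA1(Hk-1 || salt), repeated ITERATIONS more times.
    cat "$tmp/input" "$tmp/salt" | openssl dgst -sha1 -binary > "$tmp/h"
    i=0
    while [ "$i" -lt "$iters" ]; do
        cat "$tmp/h" "$tmp/salt" | openssl dgst -sha1 -binary > "$tmp/h.next"
        mv "$tmp/h.next" "$tmp/h"
        i=$((i + 1))
    done

    # 4. Base32 with the "extended hex" alphabet (RFC 4648 section 7), no padding: 160 bits -> 32 chars.
    od -An -v -tx1 "$tmp/h" | tr -d ' \n' | awk '
        BEGIN { alpha = "0123456789ABCDEFGHIJKLMNOPQRSTUV" }
        {
            bits = ""
            for (i = 1; i <= length($0); i++) {
                d = index("0123456789abcdef", substr($0, i, 1)) - 1
                for (b = 3; b >= 0; b--) bits = bits (int(d / 2 ^ b) % 2)
            }
            out = ""
            for (i = 1; i + 4 <= length(bits); i += 5) {
                v = 0
                for (j = 0; j < 5; j++) v = v * 2 + substr(bits, i + j, 1)
                out = out substr(alpha, v + 1, 1)
            }
            print out
        }'
    rm -rf "$tmp"
}

# Zone apex of the RFC 5155 Appendix A example zone (NSEC3PARAM 1 0 12 aabbccdd):
nsec3_hash example. aabbccdd 12   # prints 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM
```

The printed value is the owner name of the apex NSEC3 record in that zone (`0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.`), which is what `dig +dnssec` returns in the authority section of a negative answer; being able to recompute it is how you tell a correct NSEC3 chain from a stale one after a re-sign or a salt change. For new zones RFC 9276 recommends zero additional iterations and an empty salt, so production NSEC3PARAM records look like `1 0 0 -`; the 12/aabbccdd parameters above are only the RFC's worked example.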
Topic 332: Host Security
| Objective | Key Knowledge Areas | The following is a partial list of the used files, terms and utilities |
|---|---|---|
| Host Hardening | • Configure BIOS and boot loader (GRUB 2) security • Disable unused software and services • Understand and drop unnecessary capabilities for specific systemd units and the entire system • Understand and configure Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and Exec-Shield • Whitelist and blacklist USB devices attached to a computer using USBGuard • Create an SSH CA, create SSH certificates for host and user keys using the CA and configure OpenSSH to use SSH certificates • Work with chroot environments • Use systemd units to limit the system calls and capabilities available to a process • Use systemd units to start processes with limited or no access to specific files and devices • Use systemd units to start processes with dedicated temporary and /dev directories and without network access • Understand the implications of Linux Meltdown and Spectre mitigations and enable/disable the mitigations • Awareness of polkit • Awareness of the security advantages of virtualization and containerization | • grub.cfg • systemctl • getcap • setcap • capsh • sysctl • /etc/sysctl.conf • /etc/usbguard/usbguard-daemon.conf • /etc/usbguard/rules.conf • usbguard • ssh-keygen • /etc/ssh/ • ~/.ssh/ • /etc/ssh/sshd_config • chroot |
| Host Intrusion Detection | • Use and configure the Linux Audit system • Use chkrootkit • Use and configure rkhunter, including updates • Use Linux Malware Detect • Automate host scans using cron • Use RPM and DPKG package management tools to verify the integrity of installed files • Configure and use AIDE, including rule management • Awareness of OpenSCAP | • auditd • auditctl • ausearch, aureport • auditd.conf • audit.rules • pam_tty_audit.so • chkrootkit • rkhunter • /etc/rkhunter.conf • maldet • conf.maldet • rpm • dpkg • aide • /etc/aide/aide.conf |
| Resource Control | • Understand and configure ulimits • Understand cgroups, including classes, limits and accounting • Manage cgroups and process cgroup association • Understand systemd slices, scopes and services • Use systemd units to limit the system resources processes can consume • Awareness of cgmanager and libcgroup utilities | • ulimit • /etc/security/limits.conf • pam_limits.so • /sys/fs/cgroup/ • /proc/cgroups • systemd-cgls • systemd-cgtop |
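Worked example for the Host Hardening objective "Create an SSH CA, create SSH certificates for host and user keys using the CA and configure OpenSSH to use SSH certificates". This is an added example, not from the LPI objectives or the OpenSSH project; the host web1.example.test, the user alice and the principal deploy are made up, and the files are written to a temporary directory instead of /etc/ssh so that it runs without privileges.

```sh
#!/bin/sh
# Added example (not from the LPI objectives): a minimal OpenSSH certificate authority.
# Host and user names are made up; a temp directory stands in for /etc/ssh and ~/.ssh.
set -eu

# ssh_ca_demo: CA key, a host certificate, a user certificate, and the two trust settings.
# Prints the directory holding the files.
ssh_ca_demo() {
    d=$(mktemp -d)

    # 1. CA key pair. Only ca.pub is distributed; the private half stays on the signing host.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$d/ca"

    # 2. Host certificate: -h marks a host cert, -n lists the names clients may connect to,
    #    -V the validity window (certificates expire; plain keys never do).
    ssh-keygen -q -t ed25519 -N '' -f "$d/ssh_host_ed25519_key"
    ssh-keygen -q -s "$d/ca" -I 'web1.example.test host key' -h \
        -n web1.example.test,web1 -V +52w "$d/ssh_host_ed25519_key.pub" >/dev/null 2>&1

    # 3. User certificate: -n lists the principals (login names) it is valid for; short
    #    lifetime; -O drops capabilities the user does not need.
    ssh-keygen -q -t ed25519 -N '' -f "$d/alice"
    ssh-keygen -q -s "$d/ca" -I 'alice@laptop' -n alice,deploy -V +1d \
        -O no-port-forwarding -O no-agent-forwarding "$d/alice.pub" >/dev/null 2>&1

    # 4a. Server side (sshd_config): present the host cert, trust user certs signed by the CA.
    cat > "$d/sshd_config.fragment" <<EOF
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/user_ca.pub
EOF
    # 4b. Client side (known_hosts): one line trusts every host cert the CA issues for these names.
    printf '@cert-authority *.example.test,web1 %s\n' "$(cut -d' ' -f1,2 "$d/ca.pub")" \
        > "$d/known_hosts"

    echo "$d"
}

# ssh_cert_has CERT PATTERN: true if the decoded certificate (ssh-keygen -L) contains PATTERN
ssh_cert_has() {
    ssh-keygen -L -f "$1" | grep -q -- "$2"
}

dir=$(ssh_ca_demo)
ssh-keygen -L -f "$dir/alice-cert.pub"
```

`ssh-keygen -L` is the check to run before deploying a certificate: the Principals list is what `sshd` matches against the requested login name, and the Extensions list shows which permit-* capabilities survived the `-O` options. To revoke a certificate before it expires, add its key ID or serial to a KRL (`ssh-keygen -k`) and point `RevokedKeys` in sshd_config at it.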
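Worked example for the Host Intrusion Detection objectives on file integrity (`rpm -V`, `dpkg -V`, AIDE): the mechanism those tools share is a baseline of per-file metadata and digests that is later compared against the live system. This is an added example, not from the LPI objectives or the AIDE project, written with coreutils only so it runs anywhere; the directory tree and the "compromise" it applies to it are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the LPI objectives): a hand-rolled file integrity baseline
# and check, showing what AIDE / rpm -V / dpkg -V do underneath.
set -eu

# integrity_snapshot DIR: one tab-separated line per regular file, sorted by path:
#   path <TAB> "mode owner size" <TAB> sha256
integrity_snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(stat -c '%a %U %s' "$f")" "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# integrity_check BASELINE DIR: report files that were added, changed or removed since the baseline
integrity_check() {
    current=$(mktemp)
    integrity_snapshot "$2" > "$current"
    awk -F '\t' '
        NR == FNR { base[$1] = $0; next }          # first file: baseline, keyed by path
        !($1 in base) { print "added " $1; next }   # present now, not in baseline
        $0 != base[$1] { print "changed " $1 }      # mode/owner/size/hash differs
        { delete base[$1] }
        END { for (p in base) print "removed " p }  # left over: in baseline only
    ' "$1" "$current"
    rm -f "$current"
}

# integrity_demo: constructed tree, baseline, simulated tampering, report (paths relative to the tree)
integrity_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    printf '#!/bin/sh\necho hello\n' > "$root/bin/hello"
    chmod 755 "$root/bin/hello"
    printf 'PermitRootLogin no\n' > "$root/etc/sshd_config"
    printf 'welcome\n' > "$root/etc/motd"
    integrity_snapshot "$root" > "$root.db"

    # simulated compromise: modified binary, weakened config, deleted file, dropped file
    printf '#!/bin/sh\necho hello  # modified\n' > "$root/bin/hello"
    printf 'PermitRootLogin yes\n' > "$root/etc/sshd_config"
    rm "$root/etc/motd"
    printf 'payload\n' > "$root/bin/.hidden"

    report=$(integrity_check "$root.db" "$root" | sed "s|$root||")
    rm -rf "$root" "$root.db"
    printf '%s\n' "$report"
}

integrity_demo
```

The check is only as trustworthy as the baseline: keep the database (AIDE's `aide.db`) on read-only or off-host storage, run the comparison from media the attacker cannot alter, and refresh the baseline after every legitimate package update, otherwise `rpm -Va` / `dpkg -V` style reports drown in expected changes. Rootkits that hide files from `find` defeat this kind of check from inside the running system, which is why chkrootkit and rkhunter complement it.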
Topic 333: Access Control
| Objective | Key Knowledge Areas | The following is a partial list of the used files, terms and utilities |
|---|---|---|
| Discretionary Access Control | • Understand and manage file ownership and permissions, including SetUID and SetGID bits • Understand and manage access control lists • Understand and manage extended attributes and attribute classes | • getfacl • setfacl • getfattr • setfattr |
| Mandatory Access Control | • Understand the concepts of type enforcement, role based access control, mandatory access control and discretionary access control • Configure, manage and use SELinux • Awareness of AppArmor and Smack | • getenforce • setenforce • selinuxenabled • getsebool • setsebool • togglesebool • fixfiles • restorecon • setfiles • newrole • setcon • runcon • chcon • semanage • sestatus • seinfo • apol • seaudit • audit2why • audit2allow • /etc/selinux/* |
Topic 334: Network Security
| Objective | Key Knowledge Areas | The following is a partial list of the used files, terms and utilities |
|---|---|---|
| Network Security | • Understand wireless networks security mechanisms • Configure FreeRADIUS to authenticate network nodes • Use Wireshark and tcpdump to analyze network traffic, including filters and statistics • Use Kismet to analyze wireless networks and capture wireless network traffic • Identify and deal with rogue router advertisements and DHCP messages • Awareness of aircrack-ng and bettercap | • radiusd • radmin • radtest • radclient • radlast • radwho • radiusd.conf • /etc/raddb/* • wireshark • tshark • tcpdump • kismet • ndpmon |
| Network Intrusion Detection | • Implement bandwidth usage monitoring • Configure and use Snort, including rule management • Configure and use OpenVAS, including NASL | • ntop • snort • snort-stat • pulledpork.pl • /etc/snort/* • openvas-adduser • openvas-rmuser • openvas-nvt-sync • openvassd • openvas-mkcert • openvas-feed-update • /etc/openvas/* |
| Packet Filtering | • Understand common firewall architectures, including DMZ • Understand and use iptables and ip6tables, including standard modules, tests and targets • Implement packet filtering for IPv4 and IPv6 • Implement connection tracking and network address translation • Manage IP sets and use them in netfilter rules • Awareness of nftables and nft • Awareness of ebtables • Awareness of conntrackd | • iptables • ip6tables • iptables-save • iptables-restore • ip6tables-save • ip6tables-restore • ipset |
| Virtual Private Networks | • Understand the principles of bridged and routed VPNs • Understand the principles and major differences of the OpenVPN, IPsec, IKEv2 and WireGuard protocols • Configure and operate OpenVPN servers and clients • Configure and operate IPsec servers and clients using strongSwan • Configure and operate WireGuard servers and clients • Awareness of L2TP | • /etc/openvpn/ • openvpn • /etc/strongswan.conf • /etc/strongswan.d/ • /etc/swanctl/swanctl.conf • /etc/swanctl/ • swanctl • /etc/wireguard/ • wg • wg-quick • ip |
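Worked example for the Virtual Private Networks objective "Configure and operate WireGuard servers and clients": key generation plus a routed server/client pair, with the cryptokey routing that `AllowedIPs` expresses spelled out. This is an added example, not from the LPI objectives or the WireGuard project; it generates the X25519 keys with `openssl` so it runs on a machine without `wg` (the output is byte-for-byte what `wg genkey`/`wg pubkey` produce), and vpn.example.test, 10.8.0.0/24, eth0 and wg0 are assumed names.

```sh
#!/bin/sh
# Added example (not from the LPI objectives or WireGuard): WireGuard keys via openssl and
# matching wg-quick configurations for one server and one client. Names are assumptions.
set -eu

# wg_keypair NAME DIR: DIR/NAME.key and DIR/NAME.pub hold the 44-character Base64 private
# and public key. WireGuard keys are raw X25519 keys; the 32 raw bytes are the last 32
# bytes of the PKCS#8 / SubjectPublicKeyInfo DER that openssl writes.
wg_keypair() {
    openssl genpkey -algorithm X25519 -out "$2/$1.pem" 2>/dev/null
    openssl pkey -in "$2/$1.pem" -outform DER 2>/dev/null | tail -c 32 | base64 | tr -d '\n' > "$2/$1.key"
    openssl pkey -in "$2/$1.pem" -pubout -outform DER 2>/dev/null | tail -c 32 | base64 | tr -d '\n' > "$2/$1.pub"
    rm -f "$2/$1.pem"
}

# wg_configs: keys for server and laptop, a preshared key for that pair, and both config files.
# Prints the output directory.
wg_configs() {
    d=$(mktemp -d)
    wg_keypair server "$d"
    wg_keypair laptop "$d"
    # optional symmetric key mixed into the handshake (WireGuard's post-quantum hedge)
    openssl rand -base64 32 | tr -d '\n' > "$d/laptop.psk"

    cat > "$d/wg0-server.conf" <<EOF
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = $(cat "$d/server.key")
# forward tunnel traffic and masquerade it on the uplink (needs net.ipv4.ip_forward=1)
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# laptop. AllowedIPs is the cryptokey routing table: packets decrypted from this peer are
# accepted only with a 10.8.0.2 source, and only packets for 10.8.0.2 are sent to it.
[Peer]
PublicKey    = $(cat "$d/laptop.pub")
PresharedKey = $(cat "$d/laptop.psk")
AllowedIPs   = 10.8.0.2/32
EOF

    cat > "$d/wg0-laptop.conf" <<EOF
[Interface]
Address    = 10.8.0.2/24
PrivateKey = $(cat "$d/laptop.key")
DNS        = 10.8.0.1

[Peer]
PublicKey    = $(cat "$d/server.pub")
PresharedKey = $(cat "$d/laptop.psk")
Endpoint     = vpn.example.test:51820
# split tunnel: only the VPN subnet goes through wg0; use "0.0.0.0/0, ::/0" for a full tunnel
AllowedIPs   = 10.8.0.0/24
# keep the NAT mapping alive so the server can reach the client behind NAT
PersistentKeepalive = 25
EOF
    chmod 600 "$d"/*.conf "$d"/*.key "$d"/*.psk
    echo "$d"
}

out=$(wg_configs)
cat "$out/wg0-laptop.conf"
```

Deploy each file as /etc/wireguard/wg0.conf on its host, bring the interface up with `wg-quick up wg0`, and check the handshake with `wg show wg0`: a peer without a recent "latest handshake" line usually means the public keys were swapped or `Endpoint`/`ListenPort` is blocked by the firewall. The private keys and PSK are secrets; the `chmod 600` is the minimum, and the files must not be shipped through channels the client config itself is meant to protect.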
Topic 335: Threats and Vulnerability Assessment
| Objective | Key Knowledge Areas | The following is a partial list of the used files, terms and utilities |
|---|---|---|
| Common Security Vulnerabilities and Threats | • Conceptual understanding of threats against individual nodes • Conceptual understanding of threats against networks • Conceptual understanding of threats against applications • Conceptual understanding of threats against credentials and confidentiality • Conceptual understanding of honeypots | • Trojans • Viruses • Rootkits • Keylogger • DoS and DDoS • Man in the Middle • ARP and NDP forgery • Rogue Access Points, Routers and DHCP servers • Link layer address and IP address spoofing • Buffer Overflows • SQL and Code Injections • Cross Site Scripting • Cross Site Request Forgery • Privilege escalation • Brute Force Attacks • Rainbow tables • Phishing • Social Engineering |
| Penetration Testing | • Understand the concepts of penetration testing and ethical hacking • Understand legal implications of penetration testing • Understand the phases of penetration tests, such as active and passive information gathering, enumeration, gaining access, privilege escalation, access maintenance, covering tracks • Understand the architecture and components of Metasploit, including Metasploit module types and how Metasploit integrates various security tools • Use nmap to scan networks and hosts, including different scan methods, version scans and operating system recognition • Understand the concepts of Nmap Scripting Engine and execute existing scripts • Awareness of Kali Linux, Armitage and the Social Engineer Toolkit (SET) | • nmap |