M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2)
See Part 1, S1, for the description of the first day of this tutorial.
Rik Farrow, Security Consultant
10:30 a.m.–6:00 p.m.
Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.
The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending only the second day of the course, you might want to download a KNOPPIX image from http://www.knoppix.org, burn it to a CD, and try it with the notebook you plan on using for the class.
- Using and modifying KNOPPIX Linux boot CD
- Elevation of privilege and suid shells
- Rootkits, and finding rootkits (chkrootkit)
- Sleuth Kit (looking at intrusion timelines)
- iptables and netfilter
- cfengine configuration
- Vulnerability scanning with nessus
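The "suid shells" and "finding rootkits" topics above both come down to one habit: know what setuid programs a box is supposed to have, and diff against that list. The script below is an added illustration written for this page, not material from the class. It assumes GNU find, stat and comm, builds a throwaway directory tree purely for the demonstration, and plants a setuid copy of the shell in a dot-directory the way an intruder might.

```shell
#!/bin/sh
# Added example (not from the tutorial): baseline-and-diff hunt for
# setuid/setgid files, the classic place an attacker leaves a "suid shell".
# Assumes GNU find/stat/comm; the directory tree in demo() is constructed
# for this demonstration only.
set -u
export LC_ALL=C    # fixed collation so sort and comm agree on ordering

# list_suid DIR: every setuid or setgid regular file below DIR, staying on
# one filesystem (-xdev keeps us out of /proc, NFS mounts and the like),
# printed as "octal-mode owner path" and sorted so the output is diffable.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %n' {} + 2>/dev/null | sort
}

# new_suid BASELINE DIR: entries present under DIR now that are absent
# from BASELINE (a saved list_suid run, hence already sorted).
new_suid() {
    list_suid "$2" | comm -13 "$1" -
}

# demo: build a scratch tree, record a baseline, plant a setuid shell in a
# hidden directory, and print what the diff catches.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp/.x"

    # stand-in for a legitimate setuid program (constructed)
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/passwd"
    chmod 4755 "$root/usr/bin/passwd"
    list_suid "$root" > "$root/baseline.txt"

    # the backdoor: a setuid copy of the system shell
    cp /bin/sh "$root/tmp/.x/sh"
    chmod 4755 "$root/tmp/.x/sh"

    new_suid "$root/baseline.txt" "$root"
    rm -rf "$root"
}

demo
```

Two practical caveats, both of which are why the class works from a boot CD. First, run `list_suid` with the suspect disk mounted read-only from KNOPPIX, so that the `find` and `stat` you execute are the CD's and not binaries a rootkit may have replaced; a kernel-level rootkit can hide files from any userland tool on the running system. Second, keep the baseline off the box (or on the CD), because anyone who can plant a setuid shell can also edit a baseline stored next to it.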
Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.
M2 Solaris Internals & Architecture: Performance and Resource Management
Who should attend: System administrators, performance analysts, application architects, database administrators, software developers, and capacity planners. Anyone interested in the overall organization and structure of the Solaris kernel and in discovering how to apply that knowledge to performance tools and resource controls. The course is based on the Solaris 8 and 9 releases, but has applicability to earlier releases. Networking (TCP/IP, STREAMS) facilities and performance are not covered.
James Mauro and Richard McDougall, Sun Microsystems, Inc.
10:30 a.m.–6:00 p.m.
As an operating system, Solaris has evolved considerably, with some significant changes made to the UNIX SVR4 source base on which the early system was built. An understanding of how the system is organized is required in order to design and develop applications that take maximum advantage of the various features of the operating system, understand the data made available via bundled system utilities, and optimally configure and tune a Solaris system for a particular application or load.
- Virtual memory system
- Virtual file system
- The multi-threaded process model
- The kernel dispatcher
- Scheduling classes
- Filesystem implementation
- Resource control facilities
- Resource management facilities
For each topic, we cover the performance and observability aspects, including relevant bundled commands and utilities and the interpretation of the data they present.
James Mauro (M2) is a Senior Staff Engineer in the Performance and Availability Engineering group at Sun Microsystems. Jim is currently focused on quantifying and improving enterprise platform availability, including minimizing recovery times for data services and Solaris. Jim co-developed a framework for system availability measurement and benchmarking and is working on implementing this framework within Sun.
Richard McDougall (M2) is an established engineer in the Performance Application Engineering group at Sun Microsystems, where he focuses on large systems performance and architecture. He has over twelve years of performance tuning, application/kernel development, and capacity planning experience on many different flavors of UNIX. Richard has written a wide range of papers and tools to measure, monitor, trace, and size UNIX systems, including the memory sizing methodology for Sun, the set of tools known as MemTool to allow fine-grained instrumentation of memory for Solaris, the recent Priority Paging memory algorithms in Solaris, and many of the unbundled tools for Solaris.
M3 Linux Systems Administration
Who should attend: System administrators who plan to implement a Linux solution in a production environment. Attendees should be familiar with the basics of system administration in a UNIX/Linux environment: user-level commands, administration commands, and TCP/IP networking. Both novices and gurus should leave the tutorial having learned something.
Joshua Jensen, IBM
10:30 a.m.–6:00 p.m.
From a single server to a network of workstations, administering a Linux environment can be a daunting task for administrators experienced on other platforms. Starting with a single server and finishing with a multi-server, 1,000+ user environment, case studies will provide practical information for using Linux in the real world.
Topics include (with an emphasis on security):
- Installation features
- Disk partitioning and RAID
- User accounts
- NFS and NIS
- Security through packet filtering and SSH
- New developments (journaling file systems, VPNs, and more)
At the completion of the tutorial, attendees should feel confident in their ability to set up and maintain a secure and useful Linux network. The instructor invites questions during the presentation.
Joshua Jensen (S3, M3) has worked for IBM and Cisco Systems and was Red Hat's first instructor, examiner, and RHCE. He worked with Red Hat for 4 1/2 years, during which time he wrote and maintained large parts of the Red Hat curriculum: Networking Services and Security, System Administration, Apache and Secure Web Server Administration, and the Red Hat Certified Engineer course and exam. Having worked with Linux since 1996, Joshua has now come full circle: he is employed by IBM while working with Red Hat Linux on site at Cisco Systems. In his spare time he dabbles in cats, fish, boats, and frequent flyer miles.
M4 Network Security Profiles: Protocol Threats, Intrusion Classes, and How Hackers Find Exploits
Who should attend: Administrators, managers, auditors, those being audited, those responsible for responding to intrusions or responsible for network resources that might be targets for crackers, hackers, or determined
Brad C. Johnson, SystemExperts Corporation
10:30 a.m.–6:00 p.m.
Participants should understand the basics of TCP/IP networking. Examples will include code and will show both command-line arguments and GUI-based applications.
This tutorial is focused on helping you understand how people profile your network to identify resources that might be vulnerable to attack. Simply put, the more information somebody can generate about your site (by profiling it), the more likely it is that they will be able to exploit something on it. This course will also help you recognize common protocol threats and intrusion
- Profiling your network and system
- Methods and tools
- An example of a profile
- Awareness and statistics
- Examples of intrusions
- Common intrusion areas
  - Web servers
  - Web applications
  - Wireless infrastructure
- Discovery/profiling tools
  - Tools: sscan, typhoon, nessus, dsniff, whisker, Sam Spade, Satan/Saint/Sara, nmap, Paros, cain, Websleuth
- Understanding protocol tunneling
- Protocol profiling threats
- Issues with handhelds
- Web infrastructure
Brad C. Johnson (M4) is vice president of SystemExperts Corporation. He has participated in seminal industry initiatives such as the Open Software Foundation, X/Open, and the IETF, and has been published in such journals as Digital Technical Journal, IEEE Computer Society Press, Information Security Magazine, Boston Business Journal, Mass High Tech Journal, ISSA Password Magazine, and Wall Street & Technology. Brad is a regular tutorial instructor and conference speaker on topics related to practical network security, penetration analysis, middleware, and distributed systems. He holds a B.A. in computer science from Rutgers University and an M.S. in applied management from Lesley University.
M5 Advanced Perl Programming
Who should attend: Anyone with a journeyman-level knowledge of Perl programming who wants to hone Perl skills. This class will cover a wide variety of advanced topics in Perl, including many insights and tricks for using these features effectively. After completing this class, attendees will have a much richer understanding of Perl and will be better able to make it part of their daily routine.
Tom Christiansen, Consultant
10:30 a.m.–6:00 p.m.
- Symbol tables and typeglobs
  - Symbolic references
  - Useful typeglob tricks (aliasing)
  - Overriding built-ins
  - Mechanics of exporting
  - Function prototypes
- Implications of reference counting
  - Using weak references for self-referential data structures
  - Data structure management, including serialization and persistence
- Fancy object-oriented programming
  - Using closures and other peculiar referents as objects
  - Overloading of operators, literals, and more
  - Tied objects
- Managing exceptions and warnings
  - When die and eval are too primitive for your taste
  - The use warnings pragma
  - Creating your own warnings classes for modules and objects
- Regular expressions
  - Debugging regexes
  - qr// operator
  - Backtracking avoidance
  - Interpolation subtleties
  - Embedding code in regexes
- Programming with multiple processes or threads
  - The thread model
  - The fork model
  - Shared memory controls
- Unicode and I/O layers
  - Named Unicode characters
  - Accessing Unicode properties
  - Unicode combined characters
  - I/O layers for encoding translation
  - Upgrading legacy text files to Unicode
  - Unicode display tips
- What's new in Perl lately
  - Switch statement
  - Defined-or operators
  - Pre-compiled modules
  - Dynamic handles
  - Virtual I/O through strings
Tom Christiansen (M5) has been involved with Perl since day zero of its initial public release in 1987. Author of several books on Perl, including The Perl Cookbook and Programming Perl from O'Reilly, Tom is also a major contributor to Perl's online documentation. He holds undergraduate degrees in computer science and Spanish and a Master's in computer science. He now lives in Boulder, Colorado.