M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2)
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.
See Part 1, S1, for the description of the first day of this tutorial.
Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.
The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending the course only the second day, you might want to contact the instructor before the class and get a test CD to ensure that your laptop will work in the classroom environment.
- Elevation of privilege and suid shells
- Rootkits, and finding rootkits (chkrootkit)
- Sleuth Kit (looking at intrusion timelines)
- iptables and netfilter
- Tracking down DoS floods
- Cfengine configuration
- Vulnerability scanning with nessus
Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.
M2 Network Security Protocols: Theory and Current Standards
Radia Perlman, Sun Microsystems,
and Charlie Kaufman, Microsoft
9:00 a.m.–5:00 p.m.
Who should attend: Anyone who wants to understand the theory behind network security protocol design, with an overview of the alphabet soup of standards and cryptography. This tutorial is especially useful for anyone who needs to design or implement a network security solution, but it is also useful to anyone who needs to understand existing offerings in order to deploy and manage them. Although the tutorial is technically deep, no background other than intellectual curiosity and a good night's sleep in the recent past is required.
First, without worrying about the details of particular standards, we discuss the pieces out of which all these protocols are built.
We then cover subtle design issues, such as how secure email interacts with distribution lists, how designs maximize security in the face of export laws, and the kinds of mistakes people generally make when designing protocols.
Armed with this conceptual knowledge of the toolkit of tricks, we describe and
critique current standards.
- What problems are we trying to solve?
- Key distribution
- Trust hierarchies
- Public key (PKI) vs. secret key solutions
- Handshake issues
- Man-in-the-middle defense
- Perfect forward secrecy
- Reflection attacks
- PKI standards
- Real-time protocols
- IPsec (including AH, ESP, and IKE)
- Secure email
- Web security
Radia Perlman (M2) is a Distinguished Engineer at Sun Microsystems. She is known
for her contributions to bridging (spanning tree algorithm) and routing (link
state routing), as well as security (sabotage-proof networks). She is the
author of Interconnections: Bridges, Routers, Switches, and Internetworking
Protocols and co-author of Network Security: Private Communication in a
Public World, two of the top ten networking reference books, according to
Network Magazine. She is one of the twenty-five people whose work has most influenced the networking industry, according to Data Communications Magazine. She has about fifty issued patents, an S.B. and S.M. in mathematics and a Ph.D. in computer science from MIT, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.
Charlie Kaufman (M2) is Security Architect for the Common Language Runtime group at
Microsoft. He is editor of the new Internet Key Exchange
(IKEv2) protocol for the IPsec working group of IETF. He has contributed
to a number of IETF standards efforts, including chairing the Web
Transaction Security WG and serving as a member of the Internet
Architecture Board (IAB). He served on the National Academy of Sciences
expert panel that wrote the book Trust in Cyberspace. He was previously a
Distinguished Engineer at IBM, where he was Chief Security Architect for
Lotus Notes and Domino, and before that Network Security Architect for
Digital. He holds over 25 patents in the fields of computer security and
computer networking. He is coauthor of Network Security: Private
Communication in a Public World (Prentice Hall, 2002).
M3 Advanced Solaris System Administration Topics
Peter Baer Galvin, Corporate Technologies, Inc.
9:00 a.m.–5:00 p.m.
Who should attend: UNIX administrators who need more knowledge of Solaris administration, especially the next-generation features of Solaris 10.
We will discuss the major new features of recent Solaris releases, including which to use (and how) and which to avoid. This in-depth course will provide the information you need to run a Solaris installation effectively. This tutorial has been updated to include Solaris 10 and several other new
- Installing and upgrading
- Planning your installation, filesystem layout, post-installation steps
- Installing (and removing) patches and packages
- Advanced features of Solaris
- Filesystems and their uses
- The /proc filesystem and commands
- The Kernel
- Kernel and performance tuning: new features, adding devices, tuning, debugging commands
- Enhancing Solaris
- Virtual IP: configuration and uses
- Performance: how to track down and resolve bottlenecks
- Tools: useful free tools, tool use strategies
- Security: locking down Solaris, system modifications, tools, zones, privileges
- Resource management: fair share scheduler
- Resources and references
Peter Baer Galvin (S8, M3, T3) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles
for Byte and other magazines. He wrote the "Pete's Wicked World" and
"Pete's Super Systems" columns at SunWorld. He is currently
contributing editor for Sys Admin, where he manages the Solaris
Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web
services, performance tuning, and high availability.
M4 Perl for System Administration: The Power and the Praxis
David N. Blank-Edelman, Northeastern University
9:00 a.m.–5:00 p.m.
Who should attend: System and
network administrators with at least advanced-beginner to intermediate Perl skills, who would like to make their jobs easier and less stressful in times of sysadmin crisis.
Perl was originally created to help with system administration, so
it is a wonder there isn't more instructional material
available to help people in our field use Perl to their
advantage. This tutorial hopes to begin to remedy this situation by presenting
six solid hours of instruction on using Perl for system
The morning section, based on the instructor's O'Reilly book, will concentrate on the
power of Perl for sysadmin tasks. This jam-packed survey will take a
multi-platform look at using Perl in cutting-edge and old-standby
system administration domains.
In the afternoon, we'll look at ways to use short Perl programs to solve time-critical sysadmin
problems. Focusing on a set of battle stories, we'll discuss various approaches to dealing with crises with the help of Perl.
- Secure Perl scripting
- Dealing with files and filesystems
- Source control
- Log files
- Dealing with SQL databases via DBI and ODBC
- Email as a sysadmin tool (including spam analysis)
- Network directory services: NIS, DNS, LDAP, ADSI
- Network management: SNMP and WBEM
You'll walk away from this class with Perl
approaches and techniques that can help you solve your daily system
administration problems. You'll have new ideas for writing
small Perl programs to get you out of big sysadmin pinches. On top
of all this, you are likely to have deepened your knowledge of Perl.
David N. Blank-Edelman (S11, M4) is the Director of Technology
at the Northeastern University College of Computer and Information Science
and the author of the O'Reilly book Perl for System Administration. He has
spent the last 19 years as a system/network administrator in large multi-platform environments, including Brandeis University, Cambridge Technology
Group, and the MIT Media Laboratory. He has given several successful invited talks off the beaten path at LISA and is the LISA '05 Program Chair.
M5 Inside the Linux Kernel (Updated for Version 2.6)
Theodore Ts'o, IBM
9:00 a.m.–5:00 p.m.
Who should attend: Application programmers and kernel developers. You should be reasonably familiar with C
programming in the UNIX environment, but no prior experience with the UNIX or Linux kernel code is assumed.
This tutorial will give you an introduction to the structure of the Linux kernel, the basic features it provides, and the most important algorithms it employs.
The Linux kernel aims to achieve conformance with existing standards and compatibility with existing operating systems; however, it is not a reworking of existing UNIX kernel code. The Linux kernel was written from scratch to provide both standard and novel features, and it takes advantage of the best practice of existing UNIX kernel designs.
Although the material will focus on the latest release version of the Linux kernel (v. 2.6), it will also address aspects of the development kernel codebase (v. 2.7) where its substance differs from 2.6. It will not contain any detailed examination of the source code but will, rather, offer an overview and roadmap of the kernel's design and functionality.
- How the kernel is organized (scheduler, virtual memory system, filesystem layers, device driver layers, networking stacks)
- The interface between each module and the rest of the kernel
- Kernel support functions and algorithms used by each module
- How modules provide for multiple implementations of similar functionality
- Ground rules of kernel programming (races, deadlock conditions)
- Implementation and properties of the most important algorithms
- Comparison between Linux and UNIX kernels, with emphasis on differences in algorithms
- Details of the Linux scheduler
- Its VM system
- The ext2fs filesystem
- The requirements for portability between architectures
Theodore Ts'o (M5) has been a Linux kernel developer since almost the very
beginnings of Linux: he implemented POSIX job control in the
0.10 Linux kernel. He is the maintainer and author of the Linux COM
serial port driver and the Comtrol Rocketport driver, and he architected
and implemented Linux's tty layer. Outside of the kernel, he is
the maintainer of the e2fsck filesystem consistency checker. Ted
is currently employed by the IBM Linux Technology Center.
M6 VoIP Principles and Practice
Heison Chak, SOMA Networks
9:00 a.m.–5:00 p.m.
Who should attend: Managers and system administrators involved in the evaluation, design,
implementation, and deployment of VoIP infrastructures. Participants do
not need prior exposure to VoIP but should be familiar with network
principles. Attendees will come away from this tutorial with a foundation
in VoIP that enables strategic and cost-effective VoIP deployments in a
variety of environments.
This tutorial will cover VoIP principles and their interaction and
interface with the PSTN and IP networks. While CODECs, protocols, quality,
and some IETF standards are discussed, this tutorial is also filled
with practical examples. Asterisk, which is open-source PBX software, will be used to demonstrate some of the unique features of VoIP.
Heison Chak (M6) is a system and network administrator who works for
SOMA Networks, focusing on network management and performance analysis
of data and voice networks. Heison has been an active member of the
Asterisk community. He started delivering tutorials at USENIX conferences and contributing
articles to ;login: in 2004.
- Toll bypass
- Interactive Voice Response System
- Text-to-speech applications
- Analog telephone adapter provisioning
- Call detail recording and blacklisting
- Echo training
M7 Seven Habits of the Highly Effective System Administrator
Mike Ciavarella, University
of Melbourne, and Lee Damon, University of Washington
9:00 a.m.–5:00 p.m.
Who should attend: Junior system
administrators with anywhere from little to 3+ years of experience
in computer system administration. We will focus on enabling the
junior system administrator to "do it right the first time." Some topics will use UNIX-specific tools as examples, but the class is applicable to any sysadmin and
any OS. Most of the material covered is "the other 90%" of system administration: things
every sysadmin needs to do and to know, but which aren't details of specific
We aim to accelerate the experience curve for junior system
administrators by teaching them the time-honored tricks (and
effective coping strategies) that experienced administrators take
for granted and which are necessary for successful growth of both
the administrator and the site.
The class covers many of the best practices that senior administrators
have long incorporated into their work. We will touch on tools you
should use, as well as tools you should try to avoid. We will touch
on things that come up frequently, as well as those which happen
only once or twice a year. We will look at a basic security approach.
- Why your computers should all agree on what time it is
- Why root passwords should not be the same on every computer
- Why backing up every filesystem on every computer is not always a good idea
- Policies: where you want them and where you might want to avoid them
- Ethical issues
- Growth and success as a solo sysadmin and as part of small, medium, and large teams
- Training, mentoring, and personal growth planning
- Site planning, budgeting, and logistics
- Books that can help you and your users
Mike Ciavarella (S7, S12, M7) has been producing and editing technical documentation since
he naively agreed to write application manuals for his first
employer in the early 1980s. He has been a technical editor for
MacMillan Press and has been teaching system administrators about
documentation for the past eight years. Mike has an Honours Degree in
Science from the University of Melbourne. After a number
of years working as Senior Partner and head of the Security Practice
for Cybersource Pty Ltd, Mike returned to his alma mater, the University
of Melbourne. He now divides his time between teaching software
engineering, providing expert testimony in computer security matters,
and trying to complete a Doctorate. In his ever-diminishing spare time,
Mike is a caffeine addict and photographer.
Lee Damon (M7, T8) has a B.S. in Speech Communication from Oregon State University. He
has been a UNIX system administrator since 1985 and has been active in SAGE
since its inception. He assisted in developing a mixed AIX/SunOS environment
at IBM Watson Research and has developed mixed environments for Gulfstream
Aerospace and QUALCOMM. He is currently leading the development effort
for the Nikola project at the University of Washington Electrical Engineering
Department. He is past chair of the SAGE Ethics and Policies Working Groups.
M8 System Log Aggregation, Statistics, and Analysis
Marcus Ranum, Tenable Security, Inc.
9:00 a.m.–5:00 p.m.
Who should attend: System and network administrators who are interested in
learning what's going on in their firewalls, servers, network,
and systems; anyone responsible for security and audit or
This tutorial covers techniques and software tools for
building your own log analysis system, from aggregating
all your data in a single place, through normalizing it,
searching, and summarizing, to generating statistics and
alerts and warehousing it. We will focus primarily on
open source tools for the UNIX environment, but will
also describe tools for dealing with Windows systems
and various devices such as routers and firewalls.
Marcus Ranum (M8) is Chief Security Officer at Tenable Security, Inc., and a world-renowned expert
on security system design and implementation.
He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.
- Estimating log quantities and log system requirements
- Syslog: mediocre but pervasive logging protocol
- Back-hauling your logs
- Building a central loghost
- Dealing with Windows logs
- Logging on Windows loghosts
- Parsing and normalizing
- Finding needles in haystacks: searching logs
- I'm dumb, but it works: artificial ignorance
- Bayesian spam filters for logging
- Storage and rotation
- Databases and logs
- Leveraging the human eyeball: graphing log data
- Legalities of logs as evidence