SEC506: Securing Linux/Unix

Associated Certification: GIAC Certified UNIX Security Administrator (GCUX)

Course Syllabus  ·  36 CPEs  ·   Laptop Requirements

SEC506: Securing Linux/Unix provides in-depth coverage of Linux and Unix security issues that include specific configuration guidance and practical, real-world examples, tips, and tricks. We examine how to mitigate or eliminate general problems that apply to all Unix-like operating systems, including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix.

The course will teach you the skills to use freely available tools to handle security issues, including SSH, AIDE, sudo, lsof, and many others. SANS' practical approach uses hands-on exercises every day to ensure that you will be able to use these tools as soon as you return to work. We will also put these tools to work in a special section that covers simple forensic techniques for investigating compromised systems.


  • Memory Attacks, Buffer Overflows
  • File System Attacks, Race Conditions
  • Trojan Horse Programs and Rootkits
  • Monitoring and Alerting Tools
  • Unix Logging and Kernel-Level Auditing
  • Building a Centralized Logging Infrastructure
  • Network Security Tools
  • SSH for Secure Administration
  • Server Lockdown for Linux and Unix
  • Controlling Root Access with sudo
  • SELinux and chroot() for Application Security
  • DNSSEC Deployment and Automation
  • mod_security and Web Application Firewalls
  • Secure Configuration of BIND and Apache
  • Forensics Investigation of Linux Systems


Course Syllabus


This course tackles some of the most important techniques for protecting your Linux/Unix systems from external attacks. But it also covers what constitutes those attacks, so that you know what you are defending against. This is a full-disclosure course with in-class demos of actual exploits and hands-on exercises to experiment with various examples of malicious software, as well as different techniques for protecting Linux/Unix systems.

CPE/CMU Credits: 6


Memory Attacks and Overflows

  • Stack and Heap Overflows
  • Format String Attacks
  • Stack Protection

Vulnerability Minimization

  • Minimization vs. Patching
  • OS Minimization
  • Patching Strategies

Boot-Time Configuration

  • Reducing Services
  • systemd vs init
  • Email Configuration
  • Legacy Services

Encrypted Access

  • Session Hijacking Exploits
  • The Argument For Encryption
  • SSH Configuration

Host-Based Firewalls

  • IP Tables and Other Alternatives
  • Simple Single-Host Firewalls
  • Managing and Automating Rule Updates

Continuing our exploration of Linux/Unix security issues, this course day focuses on local exploits and access control issues. What do attackers do once they gain access to your systems? How can you detect their presence? How do you protect against attackers with physical access to your systems? What can you do to protect against mistakes (or malicious activity) by your own users?

CPE/CMU Credits: 6


Rootkits and Malicious Software

  • Backdoors and Rootkits
  • Kernel Rootkits
  • chkrootkit and rkhunter

File Integrity Assessment

  • Overview of AIDE
  • Basic Configuration
  • Typical Usage

Physical Attacks and Defenses

  • Known Attacks
  • Single User Mode Security
  • Boot Loader Passwords

User Access Controls

  • Password Threats and Defenses
  • User Access Controls
  • Environment Settings

Root Access Control With Sudo

  • Features and Common Uses
  • Configuration
  • Known Issues and Work-Arounds

Warning Banners

  • Why?
  • Suggested Content
  • Implementation Issues

Kernel Tuning For Security

  • Network Tuning
  • System Resource Limits
  • Restricting Core Files

Monitoring your systems is critical for maintaining a secure environment. This course day digs into the different logging and monitoring tools available in Linux/Unix, and looks at additional tools for creating a centralized monitoring infrastructure such as Syslog-NG. Along the way, the course introduces a number of useful SSH tips and tricks for automating tasks and tunneling different network protocols in a secure fashion.

CPE/CMU Credits: 6


Automating Tasks With SSH

  • Why and How
  • Public Key Authentication
  • ssh-agent and Agent Forwarding


  • Conceptual Overview
  • SSH Configuration
  • Tools and Scripts

Linux/Unix Logging Overview

  • Syslog Configuration
  • System Accounting
  • Process Accounting
  • Kernel-Level Auditing

SSH Tunneling

  • X11 Forwarding
  • TCP Forwarding
  • Reverse Tunneling Issues

Centralized Logging With Syslog-NG

  • Why You Care
  • Basic Configuration
  • Hints and Hacks for Tunneling Log Data
  • Log Analysis Tools and Strategies
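As an added illustration of the "Log Analysis Tools and Strategies" item above (this is example code written for this page, not course material and not syslog-ng's own tooling), the following Python script scans syslog-style lines of the kind a syslog-ng collector writes to disk and flags two events a Linux administrator cares about: SSH password-guessing bursts per source address and sudo policy denials. The log lines are constructed samples; the hostnames, usernames, IPs (documentation ranges), the burst threshold and the year assumed for the year-less BSD syslog timestamps are all placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in classic BSD syslog format, as a syslog-ng
# collector would write them to a per-host or aggregate file.  Hostnames,
# users and IPs (documentation ranges) are placeholders, not real data.
SAMPLE_LOG = """\
Mar 10 14:02:11 web01 sshd[2123]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 14:02:12 web01 sshd[2125]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 14:02:14 web01 sshd[2127]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 14:02:15 web01 sshd[2129]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Mar 10 14:02:17 web01 sshd[2131]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 10 14:03:40 web01 sshd[2140]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 10 14:05:01 web01 sudo:      bob : command not allowed ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 10 14:06:30 db01 sshd[880]: Failed password for root from 198.51.100.9 port 33000 ssh2
Mar 10 14:09:12 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service httpd reload
"""

# BSD syslog timestamps carry no year; this example assumes one (a real
# collector would take it from the rotation date or use RFC 5424 timestamps).
ASSUMED_YEAR = 2024

SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
FAILED_RE = re.compile(r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)')
SUDO_DENIED_RE = re.compile(r'^\s*(?P<user>\S+) : command not allowed ;.*COMMAND=(?P<cmd>.*)$')


def parse(line):
    """Split one syslog line into (timestamp, host, program, message), or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m['host'], m['prog'], m['msg']


def analyze(text, threshold=4, window_s=60):
    """Return alert tuples for sudo denials and SSH password-guessing bursts.

    An SSH burst is `threshold` or more failed passwords from one source IP
    within `window_s` seconds (sliding window over the sorted failure times).
    """
    failures = defaultdict(list)   # source IP -> timestamps of failed logins
    alerts = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                # not syslog-shaped; a real tool would count these
        ts, host, prog, msg = rec
        if prog == 'sshd':
            f = FAILED_RE.search(msg)
            if f:
                failures[f['ip']].append(ts)
        elif prog == 'sudo':
            d = SUDO_DENIED_RE.match(msg)
            if d:
                alerts.append(('sudo-denied', host, d['user'], d['cmd']))
    for ip, times in sorted(failures.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append(('ssh-bruteforce', ip, len(times)))
                break               # one alert per source is enough
    return alerts


if __name__ == '__main__':
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Point the script at the files your syslog-ng destinations write and tune the threshold and window to your environment; the single source with one failure (198.51.100.9) stays below the threshold, while the five failures in six seconds from 203.0.113.5 and bob's denied shell both produce alerts.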

This course examines common application security tools and techniques. The SCP-Only Shell will be presented as an example of using an application under chroot() restriction, and as a more secure alternative to file sharing protocols like anonymous FTP. The SELinux application whitelisting mechanism will be examined in depth. Tips for troubleshooting common SELinux problems will be covered and students will learn how to craft new SELinux policies from scratch for new and locally developed applications. Significant hands-on time will be provided for students to practice these concepts.

CPE/CMU Credits: 6


chroot() for Application Security

  • What is chroot()?
  • How Do You chroot()?
  • Known Security Issues

The SCP-Only Shell

  • What It Is and How It Works
  • Configuring chroot() directory
  • Automounter Hacks for Large-Scale Deployments

SELinux Basics

  • Overview of Functionality
  • Navigation and Command Interface
  • Troubleshooting Common Issues

SELinux and the Reference Policy

  • Tools and Prerequisites
  • Creating and Loading an Initial Policy
  • Testing and Refining Your Policy
  • Deploying Policy Files

This course is a full day of in-depth analysis on how to manage some of the most popular application-level services securely on a Linux/Unix platform. We will tackle the practical issues involved with securing two of the most commonly used Internet servers on Linux and Unix: BIND and Apache. Beyond basic security configuration information, we will take an in-depth look at topics like DNSSEC and Web Application Firewalls with mod_security and the Core Rules.

CPE/CMU Credits: 6


BIND

  • Common Security Issues
  • Split-horizon DNS
  • Configuration for Security
  • Running BIND chroot()ed

DNSSEC

  • Implementation Issues
  • Generating Keys and Signing Zones
  • Key "Rollover"
  • Automation Tools

Apache

  • Secure Directory Configuration
  • Configuration/Installation Choices
  • User Authentication
  • SSL Setup

Web Application Firewalls with mod_security

  • Introduction to Common Configurations
  • Dependencies and Prerequisites
  • Core Rules
  • Installation and Debugging

This hands-on course is designed to be an information-rich introduction to basic forensic principles and techniques for investigating compromised Linux and Unix systems. At a high level, it introduces the critical forensic concepts and tools that every administrator should know and provides a real-world compromise for students to investigate using the tools and strategies discussed in class.

CPE/CMU Credits: 6


Tools Throughout

  • The Sleuth Kit
  • Foremost
  • chkrootkit
  • lsof and Other Critical OS Commands

Forensic Preparation and Best Practices

  • Basic Forensic Principles
  • Importance of Policy
  • Forensic Infrastructure
  • Building a Desktop Analysis Laboratory

Incident Response and Evidence Acquisition

  • Incident Response Process
  • Vital Investigation Tools
  • Taking a Live System Snapshot
  • Creating Bit Images

Media Analysis

  • File System Basics
  • MAC Times and Timeline Analysis
  • Recovering Deleted Files
  • Searching Unallocated Space
  • String Searches
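To make the "File System Basics" and "MAC Times and Timeline Analysis" items concrete, here is an added Python example (written for this page; it is neither Sleuth Kit code nor course material) that reads a constructed body file in the format produced by The Sleuth Kit's `fls -m` / `ils -m`, builds a mactime-style timeline, and flags entries whose modification time predates the inode's creation (birth) time, a classic indicator of a backdated ("timestomped") file such as a trojaned binary. File names, inodes and timestamps are invented sample data.

```python
from datetime import datetime, timezone

# Constructed sample in The Sleuth Kit "body" format, as written by
# `fls -m / image.dd` (one line per file; times are Unix epoch seconds):
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Names, inodes and timestamps are invented for this example.
SAMPLE_BODY = """\
0|/etc/passwd|131073|r/rrw-r--r--|0|0|1893|1710075600|1709900000|1709900000|1700000000
0|/usr/bin/ssh|262145|r/rrwxr-xr-x|0|0|787616|1710076000|1600000000|1710076000|1710075900
0|/tmp/.x/sh|393217|r/rrwxr-xr-x|0|0|1234|1710076100|1710076100|1710076100|1710076100
0|/var/log/auth.log|131100|r/rrw-r-----|0|4|0|1710076200|1710076200|1710076200|1700000000
"""

FIELDS = ('md5', 'name', 'inode', 'mode', 'uid', 'gid', 'size',
          'atime', 'mtime', 'ctime', 'crtime')
INT_FIELDS = ('inode', 'uid', 'gid', 'size', 'atime', 'mtime', 'ctime', 'crtime')


def parse_body(text):
    """Parse body-file lines into dicts; skip blank and comment lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        parts = line.split('|')
        if len(parts) != len(FIELDS):
            raise ValueError(f'line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}')
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def timeline(records):
    """mactime-style rows (epoch, 'macb' flags, name), sorted by time.

    m/a/c/b mark which of mtime/atime/ctime/crtime fall on that second;
    a zero timestamp means TSK could not recover it and is skipped.
    """
    rows = {}
    for r in records:
        for flag, key in (('m', 'mtime'), ('a', 'atime'), ('c', 'ctime'), ('b', 'crtime')):
            if r[key] > 0:
                rows.setdefault((r[key], r['name']), set()).add(flag)
    return [(t, ''.join(f if f in flags else '.' for f in 'macb'), name)
            for (t, name), flags in sorted(rows.items())]


def timestomp_suspects(records):
    """Files whose mtime is earlier than their creation (birth) time.

    A file cannot have been modified before it existed, so this usually
    means mtime was set back (e.g. `touch -r` or `touch -t` after dropping
    a trojaned binary).  Only meaningful where crtime was recovered.
    """
    return [r['name'] for r in records if r['crtime'] > 0 and r['mtime'] < r['crtime']]


def fmt(epoch):
    """Render an epoch as UTC; never use local time in a forensic timeline."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime('%Y-%m-%d %H:%M:%S')


if __name__ == '__main__':
    recs = parse_body(SAMPLE_BODY)
    for epoch, macb, name in timeline(recs):
        print(fmt(epoch), macb, name)
    print('timestomp suspects:', timestomp_suspects(recs))
```

In the sample, `/tmp/.x/sh` shows all four times on one second (a fresh drop), while `/usr/bin/ssh` carries a 2020 mtime on an inode created in 2024 and is reported as a suspect; the real `mactime` tool produces the same kind of rows, and this check is one you would run over its input before trusting any mtime in the timeline.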

Incident Reporting

  • Critical Elements of a Report
  • Lessons Learned
  • Calculating Costs

Additional Information

Students need to bring a properly configured laptop to class EVERY DAY. Throughout the course we will be using a number of different VMware images that will be provided to students on a USB drive (which is yours to keep after the class is over). So it is important that the laptop you bring to class will let you read USB devices, and have enough disk space, CPU power, and memory to unpack the VMware images and run them.

You can use any 64-bit version of Windows, macOS, or Linux as your core operating system that also can install and run VMware virtualization products. It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.

We recommend the following minimum hardware:

  • 2 GHz 64-bit i5 CPU or better
  • At least 8 GB of RAM
  • At least 50 GB of free disk space (free disk space is CRITICAL)
  • Working, unlocked USB ports

Operating System

Since we will be using VMware, you do not have to have Unix/Linux installed natively on your laptop (though you are welcome to do so if you like). Whatever operating system you choose, it is your responsibility to ensure that VMware is installed and working BEFORE arriving in class.

VMware Product Choice

The VMware images provided in class should work with the VMware Workstation Player (free from the VMware site) or Server products, as well as VMware Workstation. Students have also used VMware Fusion on macOS successfully.

Anything Can Happen: Be Prepared

It is your responsibility to fully back up your system prior to class.


If you have additional questions about the laptop specifications, please contact

  • Security professionals looking to learn the basics of securing Unix operating systems.
  • Experienced administrators looking for in-depth descriptions of attacks on Unix systems and how they can be prevented.
  • Administrators needing information on how to secure common Internet applications on the Unix platform.
  • Auditors, incident responders, and information security analysts who need greater visibility into Linux and Unix security tools, procedures, and best practices.

Students must possess at least a working knowledge of Unix. Most students who attend this course have a minimum of 3-5 years of Unix system administration experience.

In this course, you will receive the following:

  • MP3 audio files of the complete course lecture

After completing this course, you will be able to:

  • Significantly reduce the number of vulnerabilities in the average Linux/Unix system by disabling unnecessary services.
  • Protect your systems from buffer overflows, denial-of-service, and physical access attacks by leveraging OS configuration settings.
  • Configure host-based firewalls to block attacks from outside.
  • Deploy SSH to protect administrative sessions, and leverage SSH functionality to securely automate routine administrative tasks.
  • Use sudo to control and monitor administrative access.
  • Create a centralized logging infrastructure with Syslog-NG, and deploy log monitoring tools to scan for significant events.
  • Use SELinux to effectively isolate compromised applications from harming other system services.
  • Securely configure common Internet-facing applications such as Apache and BIND.
  • Investigate compromised Linux/Unix systems with Sleuthkit, lsof, and other open-source tools.
  • Understand attacker rootkits and how to detect them with AIDE and rkhunter/chkrootkit.

"This course goes beyond securing Linux/Unix. It explains the reasons why, as well as how the attacker is able to penetrate the system. I recommend this for anyone who is involved in administering these systems." - Jeremy Kilgore, Bancfirst

"I have been a Unix systems administrator for a couple of decades, but in SEC506 I learned something new every day." - Sheryl Coppenger, NCI Inc.

"It sparked my interest to get a deeper understanding of how to secure my systems at work and at home. The instructor's experience as a forensics examiner is of great interest and a definite plus. Great experience!" - Tim Horne, Honeywell Aerospace

Author Statement

A wise man once said, "How are you going to learn anything if you know everything already?" And yet there seems to be a quiet arrogance in the Unix community that we have figured out all of our security problems, as if to say, "Been there, done that." All I can say is that what keeps me going in the Unix field, and the security industry in particular, is that there is always something new to learn, discover, or invent. In 20 plus years on the job, what I have learned is how much more there is that I can learn. I think this is also true for the students in my courses. I regularly get comments back from students who say things like, "I have been using Unix for 20 years, and I still learned a lot in this class." That is really rewarding.

- Hal Pomeranz
