What You Will Learn
Most new Information Security Professionals are more familiar with Windows than Linux, yet many of the critical tools used in today's offensive, defensive, ICS, and forensics positions require a strong understanding of Linux. This presents a serious challenge for those without the requisite experience because these systems are frequently utilized in highly exposed environments such as DMZs and the cloud. The irony is that now our information security platforms are creating new security risks. This Linux security course solves the problem by offering numerous hands-on exercises allowing students to quickly develop the Linux skills necessary to become a valuable asset to any Information Security team.
This Linux security training focuses on the fundamental aspects of Linux Administration, covering topics such as configuring a secure Linux system, working with the command line, and managing users and permissions. It also emphasizes the security aspects of these skills, teaching students how to secure their Linux systems and defend against potential attacks. You will learn how a misconfiguration introduces a vulnerability, how to attack that vulnerability and how to mitigate those risks. Upon completing the course, students will have the knowledge and skills required to secure Linux systems, identify potential security threats, and implement appropriate measures to prevent them. With our course, you can gain the experience necessary to become a skilled and confident Linux user, ensuring that you are an asset rather than a liability to your employer.
Who Should Attend
This Linux security class is suitable for a wide range of professionals who work with Linux systems and want to learn about securing them. Whether you are a system administrator, DevOps professional, security professional, network defender, blue-team, red-team, ICS, incident-responder, or cloud architect, this class will provide you with the knowledge and skills you need to secure your Linux-based infrastructure. By attending this class, you will learn about Linux security concepts, best practices, and tools, and how to implement them in your organization.
You Will Be Able To
In this course, you will gain essential skills that will transform the way you work with a Linux-based Operating System. Starting in section one, you will navigate around your computer with ease using the terminal and master advanced file management techniques to boost productivity. By section two, you will understand how to customize your environment and locate programs. We will also cover everything you need to know about user accounts and groups. In section three, we will discuss file and system access controls and techniques to maintain robust system security. With section four, you'll discover how to manage your computer's resources and monitor its performance, whether you're working with a server or cloud-based systems. Finally, in section five, you'll unlock the power of package management, remote server management via SSH, networking, and other impressive tips and tricks. With our course, you will gain the confidence and proficiency to achieve more with your computer than you ever thought possible!
Syllabus (30 CPEs)
-
Overview
In this gentle orientation to Linux you will be introduced to the operating system, kernel, and the terminal. Here we begin by discussing essential skills such as using a terminal to navigate and identify programs. You will learn how to find and execute Linux programs and how to refine the results returned using appropriate options and parameters found in the manual pages. We will cover how to find help when you don’t know how to use a command. We will teach you how history and command completion can level up your terminal skills and speed up your commands. Managing files within Linux is unique and we will cover various tips and tricks to make you an expert at this complicated subject. You will learn to know how and where files exist in the filesystem. This section concludes with a discussion on the Visual Editor which is a crucial skill for security and administration of any Linux system. By the end of this section, you will know how to use the terminal effectively, including understanding basic commands, file system navigation, and program execution. These skills will enable you to locate and launch programs, refine search results, and leverage manual pages.
Exercises
- lab1.1_intro_to_shell
- lab1.2_linux_commands
- lab1.3_tab_complete
- lab1.4_history
- lab1.5_navigating
- lab1.6_file_management
- lab1.7_file_management2
- lab1.8_vi
Topics
- Kernel, Operating System, and Distributions
- Terminals
- Manual pages
- Command History
- Navigation
- File Management
- Visual Editor
-
Overview
Digging into the terminal commands straight away is the best way to build muscle memory. This section builds off the terminal skills of section one. You will learn how to search for files within the filesystem and the various ways that grep can be used to search for information within files. Operating system functions and user experience are highly configurable, and we will learn how to modify our environment using variables and aliases and how that can be abused by a malicious actor. Every system contains some type of authentication mechanism for accounts and groups. We will explore how to manage accounts, discover and change the groups those accounts belong to, and how to switch between accounts. We will also cover how to manage file ownership. You will gain advanced file management techniques, including creating, copying, moving, and deleting files and directories, as well as using filters and pipes.
Exercises
- lab2.1_finding_files
- lab2.2_grep
- lab2.3_environment_variables
- lab2.4_aliases
- lab2.5_redirection_piping
- lab2.6_user_mgmt
- lab2.7_group_mgmt
- lab2.8 file_ownership
Topics
- Searching the Filesystem
- Various Forms of Grep
- Environment Variables and Aliases
- Account Management
- Switching users
- Group management
- File Ownership
-
Overview
Section three covers essential user access control concepts, including restricting administrative privileges, permissions, and security. Users interact with the filesystem in various ways with different levels of access. If you come to this class with a networking background, you know this as Authentication, Authorization, and Accounting. If you come into the class with a Windows background, you probably think of this as managing users and groups. We will translate those skills into the Linux world.
We will learn how to ensure accounts have least-privilege access. Least privilege can be implemented in multiple ways, and we will cover how to do that with file level permissions and ownership. You will learn how to secure and appropriately leverage administrative credentials and closely guard them with Least Required Privilege. You will learn some of the tools available that can verify system settings are applied by auditing your system.
Exercises
- lab3.1_file_permissions
- lab3.2_file_permissions2
- lab3.3_special_permissions
- lab3.4_special_permissions2
- lab3.5_special_permissions3
- lab3.6_permission_practical
- lab3.7_sudoers_config
- lab3.8_sudoers_config2
- lab3.9_system_hardening
Topics
- File permissions
- Special permissions
- Sudoers
- SELinux and AppArmor
-
Overview
Resource management and system monitoring skills, such as understanding processes, system load, and memory usage, are fundamental to working with servers and cloud-based systems. As you move resources to the cloud and establish micro-services in containers, knowing how to limit the resources consumed is a good security practice and can prevent you from incurring unanticipated costs. Managing system resources is how we can maintain the availability of our servers and prevent you from losing time and money. Since everything in Linux is essentially a file, we can look at running process file information and how to manage the processes running on our distributions. In addition, we will look at what a core dump is and how it can be abused.
You will also learn several essential skills that enable your incident response process and continuous monitoring. Those essential skills will include things like scheduling tasks on Linux, keeping historical record of user activity, centralized logging, log rotation, and how to effectively manage and review those logs.
Exercises
- lab4.1_managing_processes
- lab4.2_jobs_control
- lab4.3_jobs_control2
- lab4.4_managing_crontab
- lab4.5_managing_services
- lab4.6_managing_logrotate
- lab4.7_managing_syslog
Topics
- Resource limits
- Process management and Scheduling
- Services, Systemd, and init
- Logging and Log Rotation
- Auditd
-
Overview
Section five provides you with the opportunity to delve into package management, remote server management via SSH, networking, and other advanced tips and tricks. Like any operating system, we must keep our distributions up to date or we may need a new tool installed to accomplish a task. Often this is done through a package manager. You will learn how to leverage python virtual environments, configure, and manage the built-in package manager, and compile packages after a code review. You will learn encryption of data (at rest and in transit), and how that provides the necessary confidentiality from prying eyes. We will cover how to properly leverage SSH, SCP, and OpenSSL to secure communications. Linux is the basis for most of the networking gear out there. You can even use it as a router and firewall if you wish. We will cover how to manage networking settings and the host-based firewall.
Exercises
- lab5.1_managing_python
- lab5.2_installing_with_apt
- lab5.3_installing_from_source
- lab5.4_ssh-keys
- lab5.5_ssh-config
- lab5.6_ssh-agent
- lab5.7_ssh-forwarding
- lab5.8_firewalls
Topics
- Python package management
- Installing and Running Open Source Software
- Linux package management
- SSH, Tunneling, and Post-Quantum Cryptography
- Networking and Firewalls
Laptop Requirements
Important! Bring your own system configured according to these instructions.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.
Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.
MANDATORY SEC406 SYSTEM HARDWARE REQUIREMENTS
- CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
- CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
- 8GB of RAM or more is required.
- 15GB of free storage space or more is required.
- At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
- Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
MANDATORY SEC406 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
- Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
- Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
- Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
- Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
- Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
- Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
- On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
- Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.
Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.
Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.
Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org
Author Statement
"Linux is an essential component of today's technology ecosystem, powering critical infrastructure across the spectrum. If you want to enhance your security knowledge and skills, there is no better place to start than SEC406. Our class offers a hands-on approach that will enable you to acquire the essential knowledge and skills required to effectively manage and secure a Linux system. When I look back on my own journey into the security field, I realize that taking a course on Linux Security would have been an invaluable first step. Join us and gain the expertise you need to succeed in the security industry and advance your career. Are you ready to take that first step?" – Charlie Goldner
"I’ve been thinking about how my career could have been different if this course had been available when I first started using computers. In those days, my lack of knowledge in Linux prevented me from utilizing the full potential of open-source tools. Fast forward to today, where technology is predominantly cloud based and reliant on Linux systems, these essential skills have never been more important. That is why I am so excited about bringing this course to a wider audience and assisting them in unleashing the power of Linux Administration and Security." – Mark Baggett
No scheduled events for this course.
Who Should Attend SEC406?
- Anyone who manages Linux servers and is responsible for ensuring the security of those systems.
- Everyone who deploys and manages applications on Linux-based cloud solutions.
- Security professionals who want to learn about Linux security best practices and how to implement them in their organization.
- Technology professionals who want to gain a deeper understanding of Linux security concepts and improve their skills in securing Linux systems.
- Anyone interested in learning about Linux security and how to protect their organization's systems and data from cyber threats.
