35+ Cyber Security Courses at SANS Cyber Defense Initiative® in Washington, DC! Save up to $300 thru 10/16.

Network Security 2014

Las Vegas, NV | Sun, Oct 19 - Mon, Oct 27, 2014
This event is over,
but there are more training opportunities.

SEC506: Securing Linux/Unix

Mon, October 20 - Sat, October 25, 2014

I have been a Unix systems administrator for a couple of decades, but in SEC506 I learned something new every day.

Sheryl Coppenger, NCI Inc.

It sparked my interest to get a deeper understanding of how to secure my systems at work and at home. The instructor's experience as a forensics examiner is of great interest and a definite plus. Great experience!

Tim Horne, Honeywell Aerospace

Experience in-depth coverage of Linux and Unix security issues. Examine how to mitigate or eliminate general problems that apply to all Unix-like operating systems, including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix. This course provides specific configuration guidance and practical, real-world examples, tips, and tricks.

Throughout this course you will become skilled at utilizing freely available tools to handle security issues, including SSH, AIDE, sudo, lsof, and many others. SANS' practical approach with hands-on exercises every day ensures that you can start using these tools as soon as you return to work. We will also put these tools to work in a special section that covers simple forensic techniques for investigating compromised systems.


  • Memory Attacks, Buffer Overflows
  • File System Attacks, Race Conditions
  • Trojan Horse Programs and Rootkits
  • Monitoring and Alerting Tools
  • Unix Logging and Kernel-Level Auditing
  • Building a centralized logging infrastructure
  • Network Security Tools
  • SSH for Secure Administration
  • Server "lockdown" for Linux and Unix
  • Controlling root access with sudo
  • SELinux and chroot() for application security
  • DNSSEC deployment and automation
  • mod_security and Web Application Firewalls
  • Secure Configuration of BIND, Sendmail, Apache
  • Forensic Investigation


Course Syllabus

Hal Pomeranz
Mon Oct 20th, 2014
9:00 AM - 5:00 PM


This course tackles some of the most important techniques for protecting your Linux/Unix systems from external attacks. But it also covers what those attacks are so that you know what you're defending against. This is a full-disclosure course with in-class demos of actual exploits and hands-on exercises to experiment with various examples of malicious software, as well as different techniques for protecting Linux/Unix systems.

CPE/CMU Credits: 6


Memory Attacks and Overflows

  • Stack and Heap Overflows
  • Format String Attacks
  • Stack Protection

Vulnerability Minimization

  • Minimization vs. Patching
  • OS Minimization
  • Patching Strategies

Boot-Time Configuration

  • Reducing Services
  • Disabling inetd/xinetd
  • Dealing with Sendmail
  • Basic SSH configuration

Encrypted Access

  • Session Hijacking Exploits
  • The Argument For Encryption
  • SSH Configuration

Host-Based Firewalls

  • IP Tables and Other Alternatives
  • Simple Single-Host Firewalls
  • Managing and Automating Rule Updates

Hal Pomeranz
Tue Oct 21st, 2014
9:00 AM - 5:00 PM


Continuing our exploration of Linux/Unix security issues, this course focuses in on local exploits and access control issues. What do attackers do once they gain access to your systems? How can you detect their presence? How do you protect against attackers with physical access to your systems? What can you do to protect against mistakes (or malicious activity) by your own users?

CPE/CMU Credits: 6


Rootkits and Malicious Software

  • Backdoors and Rootkits
  • Kernel Rootkits
  • chkrootkit and rkhunter

File Integrity Assessment

  • Overview of AIDE
  • Basic Configuration
  • Typical Usage

Physical Attacks and Defenses

  • Known Attacks
  • Single User Mode Security
  • Boot Loader Passwords

User Access Controls

  • Password Threats and Defenses
  • User Access Controls
  • Environment Settings

Root Access Control With Sudo

  • Features and Common Uses
  • Configuration
  • Known Issues and Work-Arounds

Warning Banners

  • Why?
  • Suggested Content
  • Implementation Issues

Kernel Tuning For Security

  • Network Tuning
  • System Resource Limits
  • Restricting Core Files

Hal Pomeranz
Wed Oct 22nd, 2014
9:00 AM - 5:00 PM


Monitoring your systems is critical for maintaining a secure environment. This course digs into the different logging and monitoring tools available in Linux/Unix, and looks at additional tools for creating a centralized monitoring infrastructure such as Syslog-NG. Along the way, the course introduces a number of useful SSH tips and tricks for automating tasks and tunneling different network protocols in a secure fashion.

CPE/CMU Credits: 6


Automating Tasks With SSH

  • Why and How
  • Public Key Authentication
  • ssh-agent and Agent Forwarding


  • Conceptual Overview
  • SSH Configuration
  • Tools and Scripts

Linux/Unix Logging Overview

  • Syslog Configuration
  • System Accounting
  • Process Accounting
  • Kernel-Level Auditing

SSH Tunneling

  • X11 Forwarding
  • TCP Forwarding
  • Reverse Tunneling Issues

Centralized Logging With Syslog-NG

  • Why You Care
  • Basic Configuration
  • Hints and Hacks for Tunneling Log Data
  • Log Analysis Tools and Strategies

Hal Pomeranz
Thu Oct 23rd, 2014
9:00 AM - 5:00 PM


This course examines common application security tools and techniques. The SCP-Only Shell will be presented as an example of using an application under chroot() restriction, and as a more secure alternative to file sharing protocols like anonymous FTP. The SELinux application whitelisting mechanism will be examined in depth. Tips for troubleshooting common SELinux problems will be covered and students will learn how to craft new SELinux policies from scratch for new and locally developed applications. Significant hands-on time will be provided for students to practice these concepts.

CPE/CMU Credits: 6


chroot() for Application Security

  • What is chroot()?
  • How Do You chroot()?
  • Known Security Issues

The SCP-Only Shell

  • What It Is and How It Works
  • Configuring chroot() directory
  • Automounter Hacks for Large-Scale Deployments

SELinux Basics

  • Overview of Functionality
  • Navigation and Command Interface
  • Troubleshooting Common Issues

SELinux and the Reference Policy

  • Tools and Prerequisites
  • Creating and Loading an Initial Policy
  • Testing and Refining Your Policy
  • Deploying Policy Files

Application Security Challenge Exercise

Hal Pomeranz
Fri Oct 24th, 2014
9:00 AM - 5:00 PM


This course is a full day of in-depth analysis on how to manage some of the most popular application level services securely on a Linux/Unix platform. We will tackle the practical issues involved with securing the three of the most commonly used Internet servers on Linux and Unix: BIND, Sendmail, and Apache. Beyond basic security configuration information, we will take an in-depth look at topics like DNSSec and Web Application Firewalls with mod_security and the Core Rules.

CPE/CMU Credits: 6



  • Common Security Issues
  • Split-horizon DNS
  • Configuration for Security
  • Running BIND chroot()ed


  • Implementation Issues
  • Generating Keys and Signing Zones
  • Key "Rollover"
  • Automation Tools


  • Common Security Issues
  • Secure Configurations
  • Running Sendmail as an Unprivileged User


  • Secure Directory Configuration
  • Configuration/Installation Choices
  • User Authentication
  • SSL Setup

Web Application Firewalls with mod_security

  • Introduction to Common Configurations
  • Dependencies and Prerequisites
  • Core Rules
  • Installation and Debugging

Hal Pomeranz
Sat Oct 25th, 2014
9:00 AM - 5:00 PM


This hands-on course is designed to be an information-rich introduction devoted to basic forensic principals and techniques for investigating compromised Linux and Unix systems. At a high level, it introduces the critical forensic concepts and tools that every administrator should know and provides a real-world compromise for students to investigate using the tools and strategies discussed in class.

CPE/CMU Credits: 6


Tools Throughout

  • The Sleuth Kit
  • Foremost
  • chkrootkit
  • lsof and Other Critical OS Commands

Forensic Preparation and Best Practices

  • Basic Forensic Principles
  • Importance of Policy
  • Forensic Infrastructure
  • Building a Desktop Analysis Laboratory

Incident Response and Evidence Acquisition

  • Incident Response Process
  • Vital Investigation Tools
  • Taking a Live System Snapshot
  • Creating Bit Images

Media Analysis

  • File System Basics
  • MAC Times and Timeline Analysis
  • Recovering Deleted Files
  • Searching Unallocated Space
  • String Searches

Incident Reporting

  • Critical Elements of a Report
  • Lessons Learned
  • Calculating Costs

Additional Information

Each student should bring a properly configured laptop to class EVERY DAY. We will be using a number of different VMware images during the class, which will be provided to students on a DVD (yours to keep after the class is over). So it's important that the laptop you bring to class has a working DVD reader, enough disk space to unpack the VMware images, and enough CPU power and memory to run multiple VMware images simultaneously.

We recommend the following minimum hardware:

  • 2.2GHz Dual Core CPU or better
  • At least 4GB of RAM
  • At least 20GB of free disk space (free disk space is CRITICAL)
  • DVD drive (or DVD/CD combo drive)

Operating System:

Since we will be using VMware, you do not have to have Unix/Linux installed natively on your laptop (though you are welcome to do so if you like). Whatever operating system you choose, it is your responsibility to ensure that VMware is installed and working BEFORE arriving in class.

VMware Product Choice:

The VMware images provided in class should work with either the free VMware Player or Server products as well as VMware Workstation. Students have also used VMware Fusion on MacOS successfully.

Expect the Worst:

It is your responsibility to fully back up your system prior to class.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Security professionals looking to learn the basics of securing Unix operating systems
  • Experienced administrators looking for in-depth descriptions of attacks on Unix systems and how they can be prevented
  • Administrators needing information on how to secure common Internet applications on the Unix platform
  • Auditors, incident responders, and InfoSec analysts who need greater visibility into Linux and Unix security tools, procedures, and best practices

Students must possess at least a working knowledge of Unix. Most students who attend this course have a minimum of 3-5 years of Unix system administration experience.

  • Significantly reduce the number of vulnerabilities in the average Linux/Unix system by disabling unnecessary services
  • Protect your systems from buffer overflows, denial-of-service, and physical access attacks by leveraging OS configuration settings
  • Configure IP tables and ipilter host-based firewalls in to block attacks from outside
  • Deploy SSH to protect administrative sessions, and leverage SSH functionality to securely automate routine administrative tasks
  • Use sudo to control and monitor administrative access
  • Create a centralized logging infrastructure with Syslog-NG, and deploy log monitoring tools to scan for significant events
  • Use SELinux to effectively isolate compromised applications from harming other system services
  • Securely configure common Internet-facing applications such as Apache, BIND, and Sendmail
  • Investigate compromised Unix/Linux systems with the Sleuthkit, lsof, and other Open Source tools
  • Understand attacker rootkits and how to detect them with AIDE and rkhunter/chkrootkit

Author Statement

A wise man once said, "How are you going to learn anything if you know everything already?" And yet there seems to be a quiet arrogance in the Unix community that we've figured out all of our security problems, as if to say, "Been there, done that." All I can say is that what keeps me going in the Unix field, and the security industry in particular, is that there is always something new to learn, discover, or invent. In fifteen plus years on the job, what I've learned is how much more there is that I can learn. I think this is also true for the students in my courses. I regularly get comments back from students that say things like, "I've been using Unix for 20 years, and I still learned a lot in this class." That's really rewarding.

- Hal Pomeranz