Bob’s interweb party house

Beyond RHCE, Red Hat offers “certificates of expertise” which, when stacked together, become advanced certifications.

The RHCSS, Red Hat Certified Security Specialist, requires three exams:

The RHCDS, Red Hat Certified Datacenter Specialist, requires three exams:

The RHCA, the ultimate commercial-facing certification in the Red Hat family (there are further certs available for trainers and those conducting examinations, but to me those fall into the “academic” classification). RHCA requires five exams: the three from the RHCDS cert, one from the RHCSS cert, and one additional:

For now, let’s focus on the RHCSS, and more granularly on the first exam of the trifecta required for the RHCSS, the Network Services exam. Since there is an overwhelming lack of curriculum, study guides, etc., online or in print, I present here the objectives from Red Hat’s own course description, as well as links to books that will most certainly aid in your studying, as well as being permanent references on the relevant topics.

RHS333: Red Hat Enterprise Security: Network Services

What you will learn:

RHS333 goes beyond the essential security coverage offered in the RHCE curriculum and delves deeper into the security features, capabilities, and risks associated with the most commonly deployed services. Among the topics covered in this four-day, hands-on course are the following:

1. The Threat Model and Protection Methods
* Internet threat model and the attacker’s plan
* System security and service availability
* An overview of protection mechanisms
2. Basic Service Security
* SELinux
* Host-based access control
* Firewalls using Netfilter and iptables
* TCP wrappers
* xinetd and service limits
3. Cryptography
* Overview of cryptographic techniques
* Management of SSL certificates
* Using GnuPG
4. Logging and NTP
* Time synchronization with NTP
* Logging: syslog and its weaknesses
* Protecting log servers
5. BIND and DNS Security
* BIND vulnerabilities
* DNS Security: attacks on DNS
* Access control lists
* Transaction signatures
* Restricting zone transfers and recursive queries
* DNS Topologies
* Bogus servers and blackholes
* Views
* Monitoring and logging
* Dynamic DNS security
6. Network Authentication: RPC, NIS, and Kerberos
* Vulnerabilities
* Network-managed users and account management
* RPC and NIS security issues
* Improving NIS security
* Using Kerberos authentication
* Debugging Kerberized Services
* Kerberos Cross-Realm Trust
* Kerberos Encryption
7. Network File System
* Overview of NFS versions 2, 3, and 4
* Security in NFS versions 2 and 3
* Improvements in security in NFS4
* Troubleshooting NFS4
* Client-side mount options
8. OpenSSH
* Vulnerabilities
* Server configuration and the SSH protocols
* Authentication and access control
* Client-side security
* Protecting private keys
* Port-forwarding and X11-forwarding issues
9. Electronic Mail with Sendmail
* Vulnerabilities
* Server topologies
* Email encryption
* Access control and STARTTLS
* Anti-spam mechanisms
10. Postfix
* Vulnerabilities
* Security and Postfix design
* Configuring SASL/TLS
11. FTP
* Vulnerabilities
* The FTP protocol and FTP servers
* Logging
* Anonymous FTP
* Access control
12. Apache security
* Vulnerabilities
* Access control
* Authentication: files, passwords, Kerberos
* Security implications of common configuration options
* CGI security
* Server side includes
* suEXEC
13. Intrusion Detection and Recovery
* Intrusion risks
* Security policy
* Detecting possible intrusions
* Monitoring network traffic and open ports
* Detecting modified files
* Investigating and verifying detected intrusions
* Recovering from, reporting, and documenting intrusions