Rh413 Redhat Server Hardening

Daniel333Daniel333 Posts: 2,073Member ■■■■■■□□□□
All,

Thinking of taking Redhat's server hardening exam for fun next. Any recommendations on self study mateirals and labs?

https://www.redhat.com/en/services/training/rh413-red-hat-server-hardening
-Daniel

Comments

  • wolfinsheepsclothingwolfinsheepsclothing Posts: 155Member
    I liked this exam. Do you have a background in security hardening/STIG'd images? The exam is on RHEL 6 fwiw. Be sure you're comfortable with PAM params, auditd rules, setting up an IPA server/users, etc. It's a 4 hour exam, but if you're comfortable with the content, you will have a lot of time left over.
  • brombulecbrombulec Posts: 186Member ■■■□□□□□□□
    And pay attention to IPA config and PAM config. It's a little bit tricky - just do the IPA tasks before PAM.
    This exam is very interesting but if you can do and understand all the tasks in comprehensive review from official course book you're good to go.
  • wolfinsheepsclothingwolfinsheepsclothing Posts: 155Member
    brombulec wrote: »
    And pay attention to IPA config and PAM config. It's a little bit tricky - just do the IPA tasks before PAM.
    This exam is very interesting but if you can do and understand all the tasks in comprehensive review from official course book you're good to go.
    Yes! Good point brombulec. The PAM config files that are pertinent to this course are overwritten anytime authconfig is run.
  • asummersasummers Posts: 157Member
    When I was looking at Red Hat exams this was the one that I was most wearly of. It covers alot of material - but doesn't go too deep into each.

    Also found finding the materials tough - as the exam objectives were a little vague.

    Really you want to try and find out what the RH413 course contains - that would be a good base
  • VeritiesVerities Posts: 1,162Member
    Sander Van Vugt is going to be releasing a 20 hour video course for EX413. Super stoked since its going to probably end up on Safari Books like the rest of his videos.
  • VeritiesVerities Posts: 1,162Member
    Also, here's a link to the DISA STIGs for the uninitiated:

    http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx

    Based on what Wolf said, focus on the RHEL 6 STIG. It's painful to go through each check since there's usually a couple hundred, but you will learn a lot.
  • JockVSJockJockVSJock Posts: 1,118Member
    Agreed on knowing PAM modules and configuration like the back of your hand.

    If you want to get experience in hardening, look at the DISA Stigs, which are designed for RHEL, however could be applied to Fedora and Cent OS.

    Also check out Bastille Linux.

    BASTILLE-LINUX
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "Its easier to deceive the masses then to convince the masses that they have been deceived."
    -unknown
  • VeritiesVerities Posts: 1,162Member
    JockVSJock wrote: »

    Also check out Bastille Linux.

    BASTILLE-LINUX

    Interesting...first I've heard of this Bastille-Linux. Have you used it before Jock? If so, what do you like/dislike about it?
  • JockVSJockJockVSJock Posts: 1,118Member
    Verities wrote: »
    Interesting...first I've heard of this Bastille-Linux. Have you used it before Jock? If so, what do you like/dislike about it?

    Sadly, you can lock yourself out of a perfectly good running version of Linux, so you have to be very careful when you implement it. However that happened to me back in 2002/2003...so the software may have changed to prevent that.

    However on a positive note, it does a very good job of hardening whatever version of Linux you throw at it. You kind of have to know a little about Linux to install it.

    Looks like the News and Updates isn't very active, however looks like the project is still active.
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "Its easier to deceive the masses then to convince the masses that they have been deceived."
    -unknown
  • brombulecbrombulec Posts: 186Member ■■■□□□□□□□
    I think that looking at Oracle Enterprise Linux is a good choice.
    Also AppArmor from SuSE is a good source of information :)
    You can also use SCCS from Symantec : https://www.symantec.com/products/threat-protection/data-center-security/control-compliance-suite
    This is a security scanner with very good explanations for all of STIG related issues.

    On RHEL7/Fedora you can use OpenSCAP - this is great tool for system scanning.
  • VeritiesVerities Posts: 1,162Member
    @Jock - Sounds nice, pretty much like automated STIGs. You can do the same thing with them if you're not careful.

    @Brombulec - I concur, OpenScap is an excellent utility that I use when manually hardening systems. Currently working on getting it working in Satellite 6.
  • JockVSJockJockVSJock Posts: 1,118Member
    I remember this as I was driving in to work this morning.

    SANS has a number of Linux/UNIX hardening classes which would be another way to gain more knowledge on this subject:

    https://www.sans.org/course/securing-linux-unix
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "Its easier to deceive the masses then to convince the masses that they have been deceived."
    -unknown
  • VeritiesVerities Posts: 1,162Member
    JockVSJock wrote: »
    I remember this as I was driving in to work this morning.

    SANS has a number of Linux/UNIX hardening classes which would be another way to gain more knowledge on this subject:

    https://www.sans.org/course/securing-linux-unix

    Wow..that costs over $2k more than the official RHEL course.
  • varelgvarelg Posts: 790Banned
    brombulec, isn't Oracle Linux simply rebranded RHEL?
    I am posioning the forums.
  • wolfinsheepsclothingwolfinsheepsclothing Posts: 155Member
    varelg wrote: »
    brombulec, isn't Oracle Linux simply rebranded RHEL?
    *cough* stolen *cough* :)
  • BodanelBodanel Posts: 214Member ■■■□□□□□□□
    No *cough*, just stolen. I hate oracle (lower o) for their vision of acquire, embrace, extinguish. All the opensource products that oracle acquired are practically dead so I give a particular finger to oracle.

    Actually when Red Hat shipped an already patched kernel (not kernel and patches separated) they were trying to hit oracle not CentOS or Scientific LInux.
  • XavorXavor Posts: 161Member
    When I first got into IT we did STIGS on the Windows boxes, and I went through each item by hand. I learned a lot about the underpinnings of Windows and what gets reported back to Microsoft (boatloads).

    I have earmarked a goal to do puppet scripts to apply the RHEL STIGS, but I don't really have the time atm.

    Looking at the requirements, it doesn't look like SElinux is heavily involved? What about aide? I've used some locked down systems which had a lot of these controls configured. I assume the filesystem topic gets into facl and fine grained access controls? Where have you seen systems that heavily configured?
  • wolfinsheepsclothingwolfinsheepsclothing Posts: 155Member
    Xavor wrote: »
    When I first got into IT we did STIGS on the Windows boxes, and I went through each item by hand. I learned a lot about the underpinnings of Windows and what gets reported back to Microsoft (boatloads).

    I have earmarked a goal to do puppet scripts to apply the RHEL STIGS, but I don't really have the time atm.

    Looking at the requirements, it doesn't look like SElinux is heavily involved? What about aide? I've used some locked down systems which had a lot of these controls configured. I assume the filesystem topic gets into facl and fine grained access controls? Where have you seen systems that heavily configured?
    The usual SELinux stuff applies (correct context type for files/ports/etc). AIDE will definitely be used. With regard to such granular access, really depends on the Agency/type of information. You're right though; facls are not typically configured as part of a STIG baseline.
  • brombulecbrombulec Posts: 186Member ■■■□□□□□□□
    AIDE is one of the STIG's requirements. It is useful only if you have a habit of checking all logs everyday.
    But the facls should be one of things of each admin's checklist. For me it's mandatory part of server hardening.
  • XavorXavor Posts: 161Member
    @wolf/brom: Cool, thanks.

    @Daniel333, I would just keep labbing the materials. There are a lot of topics on bastion hosts (resurgence with AWS), STIGS, etc, and give the RHEL Security Guide a read through.
  • alias454alias454 Posts: 648Member
    @jock I don't think Bastille is being maintained as much for working with later versions of RHEL. You can look at lynis, which doesn't have a hardening mode but can do audits. SANS also talked about using BASTILLE when I took the GSEC course and found a lack of information on actual current working implementations on RHEL. From what I understand, the creator went to work at HP and continued to do development for HP-UX but I have not seen that codebase get pushed back out into the wild. Maybe someone else knows different and can share updated binaries?

    This probably isn't related to the course but I assume the real reason to take a hardening course is to learn about hardening systems so in that regard, this is related. Another tool in the same vein for hardening, audit, and compliance is a new project opensourced by Adobe name hubbleStack. HStack has some pretty awesome features for doing audit, compliance reporting, and mitigation. It is on my short list of side projects to check out.
    “I do not seek answers, but rather to understand the question.”
  • asummersasummers Posts: 157Member
    I think the main purpose would be to know what to harden, and how to do it. Automated tools would add a layer of abstraction where you don't know how to harden - you know how to run a program.

    The RH413 course and exam would be geared towards hardening the main areas - it won't cover everything - and of course STIGs are very useful to learning how things hang together.
  • VeritiesVerities Posts: 1,162Member
    asummers wrote: »
    I think the main purpose would be to know what to harden, and how to do it. Automated tools would add a layer of abstraction where you don't know how to harden - you know how to run a program.

    The RH413 course and exam would be geared towards hardening the main areas - it won't cover everything - and of course STIGs are very useful to learning how things hang together.

    Amen. I highly recommend people Work through some DISA STIGs (DoD systems) and/or OpenScap Security Guides (non DoD systems) manually. These guides will show you a well rounded approach at hardening your server.

    I've went through the RHEL 6 STIG manually and I learned a lot. However, I'm not prepared for the RHEL 7 STIG one yet though since its pretty brutal and still a draft that subject to major revision changes.
  • VeritiesVerities Posts: 1,162Member
  • brombulecbrombulec Posts: 186Member ■■■□□□□□□□
    I just got the book for HP security training on Linux RHEL 7. Quite interesting but some chapters are too general.
    Course description: http://h20195.www2.hp.com/v2/GetPDF.aspx/c04586449.pdf
  • VeritiesVerities Posts: 1,162Member
    The book any good Brombulec? I'm almost through Sander's videos that I mentioned above; he only has about half of the material available though. I was surprised at how much of the material is basically the DISA STIG for RHEL 6 v11.
  • brombulecbrombulec Posts: 186Member ■■■□□□□□□□
    I had no time last week to read more but it looks promising. Especially Kerberos, PAM and SELinux parts.
    Stay tuned :)
  • VeritiesVerities Posts: 1,162Member
    By the way the new full STIG and benchmark got released a few days ago; RHEL 6 v1 R12.
  • brombulecbrombulec Posts: 186Member ■■■□□□□□□□
    The STIG is invaluable source of information. Especially if you're preparing to EX413. I spent almost one month for preparations (3-4h per day) but it was fun especially with PAM (and my errors in configuration :D ) and IPA Server.
    I'm looking forward for the RHEL7 version of this exam :) but only to see the content - no more money for RH Exams :)
Sign In or Register to comment.