Difference between revisions of "LPIC-2 Objectives V5.0"
From LPI Wiki
FabianThorns (Talk | contribs) (→208.1 HTTP Protocol (weight: 2)) |
FabianThorns (Talk | contribs) (→204.4 (212.3) Advanced Secure Shell (SSH) (weight: 3)) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 177: | Line 177: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy">201. | + | ====<span style="color:navy">201.3 systemd Security (weight: 2)</span>==== |
{| | {| | ||
| Line 224: | Line 224: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy">201. | + | ====<span style="color:navy">201.4 Bootloaders and System Recovery (weight: 4)</span>==== |
{| | {| | ||
| Line 313: | Line 313: | ||
<br/> | <br/> | ||
| − | ===''Topic | + | ===''Topic 202: Advanced Storage Device Administration''=== |
| − | ====<span style="color:navy">202. | + | ====<span style="color:navy">202.1 Storage Device Integrity and Encryption (weight: 3)</span>==== |
{| | {| | ||
| Line 355: | Line 355: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">202.2 Configuring RAID (weight: 4)</span>==== |
{| | {| | ||
| Line 391: | Line 391: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">202.3 Logical Volume Manager (weight: 4)</span>==== |
{| | {| | ||
| Line 431: | Line 431: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">202.4 Basic ZFS Operations (weight: 2)</span>==== |
{| | {| | ||
| Line 461: | Line 461: | ||
<br /> | <br /> | ||
| − | ===''Topic | + | ===''Topic 203: Advanced Networking Configuration''=== |
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">203.1 Runtime Networking Configuration (weight: 3)</span>==== |
{| | {| | ||
| Line 501: | Line 501: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">203.2 Persistent Network Configuration (weight: 4)</span>==== |
{| | {| | ||
| Line 545: | Line 545: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">203.3 Network Troubleshooting (weight: 4)</span>==== |
{| | {| | ||
| Line 596: | Line 596: | ||
<br /> | <br /> | ||
| − | ===''Topic | + | ===''Topic 204: System Maintenance''=== |
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">204.1 Make and Install Programs from Source (weight: 2)</span>==== |
{| | {| | ||
| Line 652: | Line 652: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">204.2 Backup Operations (weight: 3)</span>==== |
{| | {| | ||
| Line 704: | Line 704: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">204.3 Resource Management (weight: 4)</span>==== |
{| | {| | ||
| Line 777: | Line 777: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">204.4 Advanced Secure Shell (SSH) (weight: 3)</span>==== |
{| | {| | ||
| Line 826: | Line 826: | ||
<br /> | <br /> | ||
| − | ===''Topic | + | ===''Topic 205: Configuration Management''=== |
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">205.1 Ansible Basics (weight: 4)</span>==== |
{| | {| | ||
| Line 868: | Line 868: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">205.2 Ansible Modules (weight: 3)</span>==== |
{| | {| | ||
| Line 932: | Line 932: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">205.3 Ansible Templates and Variables (weight: 4)</span>==== |
{| | {| | ||
| Line 965: | Line 965: | ||
==Objectives: Exam 202== | ==Objectives: Exam 202== | ||
| − | ===''Topic | + | ===''Topic 206: Domain Name Server''=== |
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">206.1 Basic DNS Server Configuration (weight: 3)</span>==== |
{| | {| | ||
| Line 1,007: | Line 1,007: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">206.2 Create and Maintain DNS Zones (weight: 3)</span>==== |
{| | {| | ||
| Line 1,047: | Line 1,047: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">206.3 Securing a DNS Server (weight: 2)</span>==== |
{| | {| | ||
| Line 1,088: | Line 1,088: | ||
<br /> | <br /> | ||
| − | ===''Topic | + | ===''Topic 207: HTTP Services''=== |
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">207.1 HTTP Protocol (weight: 2)</span>==== |
{| | {| | ||
| Line 1,126: | Line 1,126: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">207.2 HTTPS, PKI and TLS (weight: 4)</span>==== |
{| | {| | ||
| Line 1,180: | Line 1,180: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">207.3 Apache HTTPD Configuration (weight: 4)</span>==== |
{| | {| | ||
| Line 1,244: | Line 1,244: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">207.4 NGINX Configuration (weight: 4)</span>==== |
{| | {| | ||
| Line 1,285: | Line 1,285: | ||
<br /> | <br /> | ||
| − | ===''Topic | + | ===''Topic 208: File Sharing''=== |
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">208.1 Samba File Server Configuration (weight: 4)</span>==== |
{| | {| | ||
| Line 1,333: | Line 1,333: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">208.2 NFS Server Configuration (weight: 3)</span>==== |
{| | {| | ||
| Line 1,380: | Line 1,380: | ||
<br /> | <br /> | ||
| − | ===''Topic | + | ===''Topic 209: Network Client Management''=== |
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">209.1 DHCP Configuration (weight: 3)</span>==== |
{| | {| | ||
| Line 1,432: | Line 1,432: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">209.2 PAM Authentication (weight: 4)</span>==== |
{| | {| | ||
| Line 1,476: | Line 1,476: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">209.3 LDAP Client Usage (weight: 2)</span>==== |
{| | {| | ||
| Line 1,512: | Line 1,512: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">209.4 Authentication Mechanisms and Standards (weight: 2)</span>==== |
{| | {| | ||
| Line 1,555: | Line 1,555: | ||
<br /> | <br /> | ||
| − | ===''Topic | + | ===''Topic 210: Email Services''=== |
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">210.1 Managing Email Transfer (weight: 4)</span>==== |
{| | {| | ||
| Line 1,609: | Line 1,609: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">210.2 Managing Email Delivery (weight: 2)</span>==== |
{| | {| | ||
| Line 1,639: | Line 1,639: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">210.3 Managing Mailbox Access (weight: 2)</span>==== |
{| | {| | ||
| Line 1,672: | Line 1,672: | ||
<br /> | <br /> | ||
| − | ===''Topic | + | ===''Topic 211: Network Security''=== |
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">211.1 Routing and Packet Filtering (weight: 4)</span>==== |
{| | {| | ||
| Line 1,732: | Line 1,732: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">211.2 Security Assessment and Intrusion Prevention (weight: 3)</span>==== |
{| | {| | ||
| Line 1,775: | Line 1,775: | ||
<br /> | <br /> | ||
| − | ====<span style="color:navy"> | + | ====<span style="color:navy">211.3 Virtual Private Networks (weight: 5)</span>==== |
{| | {| | ||
Latest revision as of 16:08, 9 May 2024
Contents
- 1 Overview of Tasks
- 2 Exams
- 3 Version Information
- 4 Addenda
- 5 Translations of Objectives
- 6 Objectives: Exam 201
- 7 Objectives: Exam 202
- 8 Future Change Considerations
Overview of Tasks
These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, LPIC-1 must be obtained in order to receive the certification. Exams may be taken in any order but all of the requirements must be met.
To pass LPIC-2, the candidate should be able to:
- Administer a small to medium-sized site.
- Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
- LAN server (Samba, NFS, DNS, DHCP, client management).
- Internet Gateway (firewall, VPN, SSH, mail).
- Internet Server (web server and reverse proxy).
- Supervise assistants.
- Advise management on automation and purchases.
Exams
In order to be certified LPIC-2, the candidate must pass both the 201 and 202 exams and be a holder of an active LPIC-1 certification.
Version Information
These objectives are A DRAFT version 5.0.0.
The version 4.5 of the LPIC-2 Objectives are still online.
Addenda
Translations of Objectives
The following translations of the objectives are available on this wiki:
- English
If you would like to help translating the objectives, please contact Fabian
Objectives: Exam 201
Topic 201: System Startup
201.1 Linux Kernel (weight: 3)
|
Weight |
3 |
| Description | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules. |
Key Knowledge Areas:
- Understanding the Linux startup process
- Understanding the Linux kernel architecture, including kernel modules
- Linux kernel release and versioning scheme
- Linux kernel modules
- DKMS
- udev
Partial list of the used files, terms and utilities:
- Bootloader
- Kernel
- Initramfs
- Init
- Udev
- mkinitramfs
- uname
- Module configuration files in /etc/
- modules.dep
- depmod
- modinfo
- modprobe
- insmod
- lsmod
- rmmod
- kmod
- dmesg
- lshw
- lspci
- lsusb
- udevadm monitor
- /etc/udev
- /proc
- /proc/sys
- /etc/sysctl.conf, /etc/sysctl.conf.d/
- sysctl
201.2 Sytemd Startup Configuration (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup. |
Key Knowledge Areas:
- Systemd concepts
- Systemd unit types (Service, Socket, Target, Slice)
- Systemd System and User Slices
- Systemd Override and Drop-In Units
- Awareness of SystemV init and OpenRC
Partial list of the used files, terms and utilities:
- /usr/lib/systemd/
- /etc/systemd/
- /run/systemd/
- systemctl
- systemd-delta
201.3 systemd Security (weight: 2)
|
Weight |
2 |
| Description | Candidates should be able to use systemd to protect and restrict processes started by systemd units. |
Key Knowledge Areas:
- Configure systemd units to run with specific privileges
- Configure systemd units with a private /tmp directory
- Use systemd to restrict device access of services
- Use systemd to manage network accessiability of services
- Awareness of capabilities and Cgroups
The following is a partial list of the used files, terms and utilities:
- User
- Group
- SupplementaryGroups
- PrivateTmp
- DeviceAllow
- IPAddressAllow
- IPAddressDeny
- RestrictNetworkInterfaces
201.4 Bootloaders and System Recovery (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and system-boot are the bootloader of interest. Both BIOS and UEFI systems are covered. Furthermore, configuring PXE and iPXE boot is covered. |
Key Knowledge Areas:
- BIOS and UEFI
- GRUB version 2
- GRUB shell
- GRUB configuration
- GRUB password security
- systemd-boot installation
- systemd-boot configuration
- boot loader start and hand off to kernel
- kernel loading
- hardware initialization and setup
- daemon/service initialization and setup
- Know the different boot loader install locations on a hard disk or removable device.
- Overwrite standard boot loader options and using boot loader shells.
- Use systemd rescue and emergency modes.
- Understanding of PXE and iPXE for both BIOS and UEFI
Partial list of the used files, terms and utilities:
- mount
- fsck
- The contents of /boot/, /boot/grub/ and /boot/efi/
- EFI System Partition (ESP)
- GRUB
- grub-install
- bootctl
- loader.conf
- efibootmgr
- efivar
- UEFI shell
- initrd, initramfs
- Master boot record
- GUID Partition Table
- systemctl
- pxelinux.0
- pxelinux.cfg/
- uefi/shim.efi
- uefi/grubx64.efi
Topic 202: Advanced Storage Device Administration
202.1 Storage Device Integrity and Encryption (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device. |
Key Knowledge Areas:
- Query, understand and monitor SMART values
- Understand the concepts of disk and file system encryption
- Understand the concepts of dm-crypt and LUKS
- Use LUKS to encrypt storage devices
- Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)
- Awareness of WWID, WWN, LUN numbers
Partial list of the used files, terms and utilities:
- smartd
- smartctl
- cryptsetup
- /etc/crypttab
202.2 Configuring RAID (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5. |
Key Knowledge Areas:
- Software RAID configuration files and utilities
- Understanding the RAID levels 0, 1, 5 and 10
- Awareness of the RAID levels 6, 7 and 50
- Recovery of a failed RAID device
- Replacement of a failed disk within a RAID device
Partial list of the used files, terms and utilities:
- mdadm.conf
- mdadm
- /proc/mdstat
202.3 Logical Volume Manager (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes. |
Key Knowledge Areas:
- Tools in the LVM suite
- Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes
- Creating and maintaining snapshots
- Activating volume groups
Partial list of the used files, terms and utilities:
- /sbin/pv*
- /sbin/lv*
- /sbin/vg*
- mount
- /dev/mapper/
- lvm.conf
202.4 Basic ZFS Operations (weight: 2)
|
Weight |
2 |
| Description | Candidates should be able to create and manage a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features. |
Key Knowledge Areas:
- Understand the concepts of ZFS
- Create and use a ZFS file system
- Create and manage ZFS subvolumes, including quota
- Awareness of ZFS RAID features
Partial list of the used files, terms and utilities:
- VDEV
- Zpool
- zfs
Topic 203: Advanced Networking Configuration
203.1 Runtime Networking Configuration (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6. |
Key Knowledge Areas:
- Understand IPv4 and IPv6 addressing and routing
- Manage wireless network interfaces
- Manage links, addresses and routes using iproute2
- Awareness of VLANs, bridges and bonds
Partial list of the used files, terms and utilities:
- ip
- iw
- wpa_supplicant
- iwd
- iwctl
203.2 Persistent Network Configuration (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6. |
Key Knowledge Areas:
- Understand the architecture and configuration of NetworkMananger
- Understand the architecture and configuration of systemd-networkd and systemd-resolved
- Configure manual IPv4 and IPv6 addresses and routes
- Configure automatic IPv4 and IPv6 configuration
- Awareness of Netplan
Partial list of the used files, terms and utilities:
- nmcli
- nmtui
- systemctl
- networkctl
- resolvectl
- hostnamectl
- Systemd network units
203.3 Network Troubleshooting (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to identify and correct common network setup issues. |
Key Knowledge Areas:
- Determine what network configuration framework a system uses
- Utilities to gain information about the network configuration
- Identify common issues in network configuration and relate symptoms to configuration issues
- Awareness of ifupdown, Wicked and netplan
Partial list of the used files, terms and utilities:
- ip
- ping
- ss
- lsof
- nc
- /etc/network/interfaces, /etc/sysconfig/network-scripts
- mtr
- hostname
- /etc/resolv.conf
- /etc/hosts
- /etc/hostname
Topic 204: System Maintenance
204.1 Make and Install Programs from Source (weight: 2)
|
Weight |
2 |
| Description | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources. |
Key Knowledge Areas:
- Unpack source code using common compression and archive utilities.
- Understand basics of invoking make to compile programs.
- Apply parameters to a configure script.
- Know where sources are stored by default.
Partial list of the used files, terms and utilities:
- /usr/src/
- /usr/local/src/
- gunzip
- gzip
- bzip2
- xz
- zstd
- tar
- configure
- make
- uname
- install
- patch
204.2 Backup Operations (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to use system tools to back up important system data. |
Key Knowledge Areas:
- Understand the concepts of backups, including common backup strategies
- Knowledge about directories that have to be included in backups
- Understand application aspects of backup consistency
- Understand how to leverage file system or block device snapshots for backups
- Knowledge of the benefits and drawbacks of tapes, disks or other backup media, including cloud storage
- Perform partial and manual backups using Linux standard tools
- Verify the integrity of backup files
- Partially or fully restore backups
- Awareness of rclone, BorgBackup and restic
- Awareness of Bacula, Bareos and BackupPC
Partial list of the used files, terms and utilities:
- Full, differential and incremental backups
- dd
- tar
- /dev/st* and /dev/nst*
- mt
- rsync
204.3 Resource Management (weight: 4)
|
Weight |
4 |
|
Description |
Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features. |
Key Knowledge Areas:
- Measure CPU, memory, disk and I/O usage.
- Match / correlate system symptoms with likely problems.
- Estimate throughput and identify bottlenecks in a system including networking.
- Manage resource consumption of systemd slices, scopes and services
- Awareness of Cgroups
Partial list of the used files, terms and utilities:
- iostat
- iotop
- vmstat
- ss
- iptraf-ng
- iftop
- ifstat
- pstree, ps
- w
- lsof
- top
- uptime
- sar
- swap
- systemctl
- systemd-cgls
- CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs
- MemoryMin, MemoryLow, MemoryHigh, MemoryMax
- IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec
204.4 Advanced Secure Shell (SSH) (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login. |
Key Knowledge Areas:
- OpenSSH configuration files, tools and utilities
- Login restrictions for the superuser and the normal users
- Using SSH to forward local and remote ports
- Understand the concept of an SSH CA
- Use an SSH CA to manage SSH keys
- Awareness of SSH Banners
The following is a partial list of the used files, terms and utilities:
- ssh
- sshd
- /etc/ssh/sshd_config
- /etc/ssh/
- PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication
- ssh-keygen
- AuthorizedPrincipalsFile
- TrustedUserCAKeys
Topic 205: Configuration Management
205.1 Ansible Basics (weight: 4)
|
Weight |
3 |
| Description | Candidates should be able to use Ansible to perform basic system configuration management and administration. |
Key Knowledge Areas:
- Understand the principles of automated system configuration and software installation
- Understand how Ansible interacts with remote systems
- Understand the requirements of Ansible on a target node
- Create and maintain inventory files
- Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers
- Awareness of dynamic inventory
- Awareness of cloud-init
Partial list of the used files, terms and utilities:
- ansible.cfg
- ansible-playbook
- ansible-doc
205.2 Ansible Modules (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks. |
Key Knowledge Areas:
- Understand and use Ansible roles and install Ansible roles from Ansible Galaxy
- Understand and use important Ansible tasks
Partial list of the used files, terms and utilities:
- file
- copy
- template
- ini_file
- lineinfile
- patch
- replace
- user
- group
- command
- shell
- service
- systemd
- cron
- apt
- debconf
- yum
- git
- debug
- ansible-galaxy
205.3 Ansible Templates and Variables (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to understand variables and facts and write simple Jinja2 templates. |
Key Knowledge Areas:
- Set and use variables and facts
- Maintain secrets using Ansible vaults
- Write Jinja2 templates, including using common filters, loops and conditionals
Partial list of the used files, terms and utilities:
- Jinja2 syntax
- ansible-vault
Objectives: Exam 202
Topic 206: Domain Name Server
206.1 Basic DNS Server Configuration (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging. |
Key Knowledge Areas:
- Understanding the principles of the Domain Name System
- BIND 9.x configuration files, terms and utilities
- Defining the location of the BIND zone files in BIND configuration files
- Reloading modified configuration and zone files
- Awareness of dnsmasq and PowerDNS as alternate name servers
The following is a partial list of the used files, terms and utilities:
- named.conf
- rndc
- named-checkconf
- host
- dig
206.2 Create and Maintain DNS Zones (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server. |
Key Knowledge Areas:
- BIND 9 configuration files, terms and utilities
- Utilities to request information from the DNS server
- Layout, content and file location of the BIND zone files
- Various methods to add a new host in the zone files, including reverse zones
The following is a partial list of the used files, terms and utilities:
- /var/named/
- zone file syntax
- resource record formats
- named-checkzone
- named-compilezone
- masterfile-format
206.3 Securing a DNS Server (weight: 2)
|
Weight |
2 |
| Description | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE. This objectives covers BIND version 9.16 or a later version. |
Key Knowledge Areas:
- BIND 9 configuration files
- Split configuration of BIND using the forwarders statement
- Configuring and using transaction signatures (TSIG)
- Key & Signing Policy (KASP)
- Awareness of DNSSEC and basic tools
- Awareness of DANE and related records
The following is a partial list of the used files, terms and utilities:
- /etc/named.conf
- DNSSEC
- dnssec-policy
- tsig-keygen
Topic 207: HTTP Services
207.1 HTTP Protocol (weight: 2)
|
Weight |
2 |
| Description | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards. |
Key Knowledge Areas:
- Understanding the principles of HTTP versions 1.1, 2 and 3
- Understanding the principle of virtual hosts
- Understanding the principles of proxy servers and application layer gateways
- Application Server Integration
The following is a partial list of the used files, terms and utilities:
- HTTP methods and status codes
- HTTP headers
- HTTP cookies
- CGI, FastCGI, WSGI, AJP
207.2 HTTPS, PKI and TLS (weight: 4)
|
Weight |
4 |
| Description | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption. |
Key Knowledge Areas:
- Cryptographic concepts
- TLS and SNI
- X.509 certificates, including important fields for HTTPS
- PKI
- Generate a self-signed Certificate
- Generate a server private key and CSR for a commercial CA
- Install the key and certificate, including intermediate CAs
- Let's Encrypt for certificate procurement
- Security issues in SSL use, awareness of insecure protocols and ciphers
The following is a partial list of the used files, terms and utilities:
- Symmetric and asymmetric cryptography
- Hash functions
- Key exchange algorithms
- Perfect forward secrecy
- Certification Authorities
- ACME, including challenges
- openssl
- certbot
207.3 Apache HTTPD Configuration (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access. |
Key Knowledge Areas:
- Apache HTTPD 2.4 architecture, configuration files, terms and utilities
- Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)
- HTTPS configuration for IP and name-based virtual hosts
- Apache log files configuration and content
- Access restriction methods and files
- Client user authentication files and utilities
- Using redirect statements in Apache's configuration files to customize file access
- Configure reverse proxies for HTTP, FastCGI, WSGI and AJP
- mod_php and PHP FPM
- mod_python and Python WSGI
- Configuration of maximum requests, minimum and maximum servers and clients
- Awareness of mod_security and mod_evasive
The following is a partial list of the used files, terms and utilities:
- access logs and error logs
- .htaccess
- httpd.conf
- mod_auth_basic, mod_authz_host and mod_access_compat
- htpasswd
- AuthUserFile, AuthGroupFile
- SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
- SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable
- apachectl, apache2ctl
- httpd, apache2
207.4 NGINX Configuration (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access. |
Key Knowledge Areas:
- NGINX architecture, configuration files, terms and utilities
- NGINX virtual host implementation (with and without dedicated IP addresses)
- HTTPS configuration for IP and name-based virtual hosts
- NGINX log files configuration and content
- Access restriction methods and files
- Client user authentication files and utilities
- Configure redirects
- Configure reverse proxies for HTTP, FastCGI, WSGI and AJP
- Configuration of maximum requests, minimum and maximum servers and clients
The following is a partial list of the used files, terms and utilities:
- nginx
Topic 208: File Sharing
208.1 Samba File Server Configuration (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is configuring a Linux client to use a Samba server. Troubleshooting installations is also tested. Setting up and managing an Active Directory domain is not part of the objectives. |
Key Knowledge Areas:
- Samba 4 configuration files
- Samba 4 tools and utilities and daemons
- Mounting CIFS shares on Linux
- Mapping Windows user names to Linux user names
- User-level security
- Active Directory membership
The following is a partial list of the used files, terms and utilities:
- samba, smbd, nmbd, winbindd
- smbcontrol, smbstatus, testparm, smbpasswd
- samba-tool
- net
- smbclient
- mount.cifs
- /etc/samba/
208.2 NFS Server Configuration (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS. |
Key Knowledge Areas:
- NFS version 3 and 4 configuration files
- NFS tools and utilities
- Access restrictions to specific hosts and/or subnets
- Mount options on server and client
The following is a partial list of the used files, terms and utilities:
- /etc/exports
- exportfs
- showmount
- nfsstat
- /proc/mounts
- /etc/fstab
- rpcinfo
- mountd
- portmapper
Topic 209: Network Client Management
209.1 DHCP Configuration (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server. |
Key Knowledge Areas:
- ISC DHCP configuration files, terms and utilities for DHCPv4
- ISC DHCP configuration files, terms and utilities for DHCPv6
- radvd configuration files, terms and utilities for IPv6 SLAAC
- Subnet and dynamically-allocated DHCP range setup
- Subnet and host-specific DHCP range setup
- DHCPv4 and DHCPv6 options for PXE boot
- Awareness of Kea
The following is a partial list of the used files, terms and utilities:
- dhcpd.conf
- dhcpd6.conf
- dhcpd.leases
- dhcpd6.leases
- radvd.conf
- dhcpd
- radvd
- DHCP Log messages in syslog or systemd journal
209.2 PAM Authentication (weight: 4)
|
Weight |
4 |
| Description | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality as well as configuring 2 factor authentication. |
Key Knowledge Areas:
- PAM configuration files, terms and utilities
- passwd and shadow passwords
- Use sssd for LDAP authentication
- Use 2 factor authentication for SSH access
The following is a partial list of the used files, terms and utilities:
- /etc/pam.d/
- pam.conf
- nsswitch.conf
- pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss, pam_oath and pam_otp
- sssd.conf
- /etc/users.oath
- oathtool
- /etc/ssh/sshd_config (ChallengeResponseAuthentication, UsePAM)
209.3 LDAP Client Usage (weight: 2)
|
Weight |
2 |
| Description | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users. Setting up and managing an LDAP server is not part of this objective. |
Key Knowledge Areas:
- Understand key concepts of LDAP
- LDAP utilities for data management and queries
- Change user passwords
- Querying the LDAP directory
The following is a partial list of the used files, terms and utilities:
- ldapsearch
- ldappasswd
- ldapadd
- ldapdelete
209.4 Authentication Mechanisms and Standards (weight: 2)
|
Weight |
2 |
| Description | Candidates should be able to understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services. Setting up the various services is not part of the objectives. |
Key Knowledge Areas:
- Directory service and authentication standards
- Domains and authentication management systems
- Web-based authentication standards
- Multi-factor authentication and one-time passwords (OTP)
- Understanding the most important properties and use cases of relevant protocols and standards
The following is a partial list of the used files, terms and utilities:
- LDAP
- Kerberos 5
- Active Directory
- FreeIPA
- Oauth2
- OpenID Connect
Topic 210: Email Services
210.1 Managing Email Transfer (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers. |
Key Knowledge Areas:
- Configuration files for postfix
- Basic TLS configuration for postfix
- Basic knowledge of the SMTP protocol
- Configure Postfix for SASL authentication using cyrus-sasl
- Configure nullmailer for email relay
- Awareness of exim
The following is a partial list of the used files, terms and utilities:
- Configuration files and commands for postfix
- /etc/postfix/
- /var/spool/postfix/
- /etc/aliases
- mail-related logs in /var/log/
- /etc/sasl2/smtpd.conf
- testsaslauthd
- nullmailer/me
- nullmailer/remotes
- nullmailer/defaultdomain
210.2 Managing Email Delivery (weight: 2)
|
Weight |
2 |
| Description | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email. |
Key Knowledge Areas:
- Understanding of Sieve functionality, syntax and operators
- Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size
The following is a partial list of the used files, terms and utilities:
- Conditions and comparison operators
- keep, fileinto, redirect, reject, discard, stop
- Dovecot vacation extension
210.3 Managing Mailbox Access (weight: 2)
|
Weight |
2 |
| Description | Candidates should be able to install and configure IMAP daemons. |
Key Knowledge Areas:
- Dovecot IMAP configuration and administration
- Basic TLS configuration for Dovecot
The following is a partial list of the used files, terms and utilities:
- /etc/dovecot/
- dovecot.conf
- doveconf
- doveadm
Topic 211: Network Security
211.1 Routing and Packet Filtering (weight: 4)
|
Weight |
4 |
| Description | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks. |
Key Knowledge Areas:
- Understand the concepts of routing, network address translation and packet filtering
- Understand the concepts and differences of iptables and nftables
- Query packet filter ruleset using nft
- List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address using iptables and ip6tables compatibility commands
- Tools, commands and utilities to manage routing tables.
- Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)
- Port redirection and IP forwarding
- Understand the main concepts of firewalld
- Use firewalld to implement a simple edge node and router firewall
- Awareness of ufw
The following is a partial list of the used files, terms and utilities:
- /proc/sys/net/ipv4/
- /proc/sys/net/ipv6/
- /etc/sysctl.conf and /etc/sysctl.conf.d/
- /etc/services
- iptables
- ip6tables
- nft
- firewall-cmd
- /etc/firewalld/firewalld.conf
211.2 Security Assessment and Intrusion Prevention (weight: 3)
|
Weight |
3 |
| Description | Candidates should be able to confirm the effectiveness of security measures. This includes determining which services run on their servers. Furthermore, candidates should understand the concepts of tools commonly used to improve network security. |
Key Knowledge Areas:
- Scan and test open ports on a server
- Understand and configure fail2ban
- Understand the concepts of common features of network intrusion detection and prevention systems
- Understand the concepts of common features of network vulnerability scanners
- Understand the concepts of common features of packet sniffers
- Awareness of Snort and Suricata
- Awareness of OpenVAS and Metasploit
- Awareness of Wireshark
The following is a partial list of the used files, terms and utilities:
- fail2ban
- nmap
- nc
211.3 Virtual Private Networks (weight: 5)
|
Weight |
5 |
| Description | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections. |
Key Knowledge Areas:
- Understand the concepts of a virtual private network
- Understand the different requirements of site-to-site and dial-in VPN
- Basic configuration of OpenVPN as site-to-site and dial-in VPN
- Basic configuration of Wireguard as a site-to-site VPN
- Awareness of the main differences between OpenVPN and Wireguard
- Awareness of IPsec and IKE2
The following is a partial list of the used files, terms and utilities:
- /etc/openvpn/
- openvpn
- /etc/wireguard/
- wg
- wg-quick
Future Change Considerations
Future changes to the objective will/may include:
- Remove paths to commands and configuration files wherever possible
