LPI Wiki - User contributions [en]

LPIC-2 Objectives V5.0

2023-10-23T15:57:01Z

GMatthewRice: /* 201.1 Linux Kernel (weight: 2) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

The [[LPIC-2_Objectives_V4|version 4.5 of the LPIC-2 Objectives]] are still online.
 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 201: System Startup''===

====201.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux startup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====201.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====201.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialization and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====201.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 202: Filesystem and Devices''===

====202.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====202.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 203: Advanced Storage Device Administration''===

====203.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====203.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====203.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 204: Advanced Networking Configuration''===

====204.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====204.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====204.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 205: System Maintenance''===

====205.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====205.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====205.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 206: Configuration Management''===

====206.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====206.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====206.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP Client Usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a Router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure Shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security Tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:50:45Z

GMatthewRice: /* Version Information */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

The [[LPIC-2_Objectives_V4|version 4.5 of the LPIC-2 Objectives]] are still online.
 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialization and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP Client Usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a Router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure Shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security Tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:50:28Z

GMatthewRice: /* Version Information */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

The [[LPIC-2_Objectives_V4|version 4.5 of the LPIC-2 Objectives]] are still online.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialization and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP Client Usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a Router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure Shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security Tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:49:25Z

GMatthewRice: /* 200.3 Bootloaders and System Recovery (weight: 4) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialization and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP Client Usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a Router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure Shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security Tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:48:56Z

GMatthewRice: /* 212.4 Security tasks (weight: 4) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP Client Usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a Router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure Shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security Tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:48:42Z

GMatthewRice: /* 212.3 Advanced Secure shell (SSH) (weight: 3) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP Client Usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a Router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure Shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:48:28Z

GMatthewRice: /* 212.1 Configuring a router (weight: 4) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP Client Usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a Router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:48:08Z

GMatthewRice: /* 210.3 LDAP client usage (weight: 2) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP Client Usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:47:53Z

GMatthewRice: /* 210.2 PAM authentication (weight: 3) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:47:40Z

GMatthewRice: /* 210.1 DHCP configuration (weight: 2) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP Configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:47:18Z

GMatthewRice: /* 207.3 Securing a DNS server (weight: 2) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS Server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:47:04Z

GMatthewRice: /* 207.2 Create and maintain DNS zones (weight: 3) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and Maintain DNS Zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:46:37Z

GMatthewRice: /* 207.1 Basic DNS server configuration (weight: 3) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and maintain DNS zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:46:10Z

GMatthewRice: /* 204.2 Backup operations (weight: 3) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup Operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS server configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and maintain DNS zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:45:45Z

GMatthewRice: /* 204.1 Make and install programs from source (weight: 2) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and Install Programs from Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS server configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and maintain DNS zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:45:14Z

GMatthewRice: /* 205.1 Runtime networking configuration (weight: 3) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime Networking Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and install programs from source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS server configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and maintain DNS zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:44:39Z

GMatthewRice: /* 203.1 Operating the Linux filesystem (weight: 4) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux Filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime networking configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and install programs from source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS server configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and maintain DNS zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V5.0

2023-10-23T15:44:09Z

GMatthewRice: /* 200.3 Bootloaders and System recovery (weight: 4) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, mail).
** Internet Server (web server and reverse proxy).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are A DRAFT version 5.0.0.

 

==Addenda==

 
 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V5.0|English]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 
 

==Objectives: Exam 201==

===''Topic 200: System Startup''===

====200.1 Linux Kernel (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}

'''Key Knowledge Areas:'''

* Understanding the Linux starup process

* Understanding the Linux kernel architecture, including kernel modules

* Linux kernel release and versioning scheme

* Linux kernel modules

* DKMS

* udev

'''Partial list of the used files, terms and utilities:'''

* Bootloader

* Kernel

* Initramfs

* Init

* Udev

* mkinitramfs

* uname

* Module configuration files in /etc/

* modules.dep

* depmod

* modinfo

* modprobe

* insmod

* lsmod

* rmmod

* dmesg

* lshw

* lspci

* lsusb

* udevmonitor

* udevadm monitor

* /etc/udev

* /proc

* /proc/sys

* /etc/sysctl.conf, /etc/sysctl.conf.d/

* sysctl

 

====200.2 Sytemd Startup Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}

'''Key Knowledge Areas:'''

* Systemd concepts

* Systemd unit types (Service, Socket, Target, Slice)

* Systemd System and User Slices

* Systemd Override and Drop-In Units

* Awareness of SystemV init and OpenRC

'''Partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

 

====200.3 Bootloaders and System Recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* GRUB version 2

* GRUB shell

* GRUB configuration

* GRUB password security

* systemd-boot installation

* systemd-boot configuration

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialization and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''Partial list of the used files, terms and utilities:'''

* mount

* fsck

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* bootctl

* loader.conf

* efibootmgr

* efivar

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====200.4 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE and iPXE for both BIOS and UEFI

'''Partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 201: Filesystem and Devices''===

====203.1 Operating the Linux filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types as well as using systemd mount, swap and automount units.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* The concept of systemd mount and swap units

* Configuring systemd automount units

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

'''Partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

* systemctl

 

====203.2 Storage Device Integrity and Encryption (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}

'''Key Knowledge Areas:'''

* Query, understand and monitor SMART values

* Understand the concepts and disk and file system encryption

* Understand the concepts of dm-crypt and LUKS

* Use LUKS to encrypt storage devices

* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)

* Awareness of WWID, WWN, LUN numbers

'''Partial list of the used files, terms and utilities:'''

* smartd

* smartctl

* cryptsetup

* /etc/crypttab

 
 

===''Topic 202: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

* Understanding the RAID levels 0, 1, 5 and 10

* Awareness of the RAID levels 6, 7 and 50

* Recovery of a failed RAID device

* Replacement of a failed disk within a RAID device

'''Partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Logical Volume Manager (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''Partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 

====204.3 Basic ZFS Operations (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and managa a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features

'''Partial list of the used files, terms and utilities:'''

* VDEV
* Zpool
* zfs

 
 

===''Topic 203: Advanced Networking Configuration''===

====205.1 Runtime networking configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand IPv4 and IPv6 addressing and routing

* Manage wireless network interfaces

* Manage links, addresses and routes using iproute2

* Awareness of VLANs, bridges and bonds

'''Partial list of the used files, terms and utilities:'''

* ip

* iw

* iwconfig

* iwlist

* wpa_supplicant

* iwd

 

====205.2 Persistent Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.
|}

'''Key Knowledge Areas:'''

* Understand the architecture and configuration of NetworkMananger

* Understand the architecture and configuration of systemd-networkd and systemd-resolved

* Configure manual IPv4 and IPv6 addresses and routes

* Configure automatic IPv4 and IPv6 configuration

'''Partial list of the used files, terms and utilities:'''

* nmcli

* nmtui

* systemctl

* networkctl

* resolvectl

* hostnamectl

* Systemd network units

 

====205.3 Network Troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}

'''Key Knowledge Areas:'''

* Determine what network configuration framework a system use

* Utilities to gain information about the network configuration

* Identify common issues in network configuration and relate symptoms to configuration issues

* Awareness of ifupdown, Wicked and netplan

'''Partial list of the used files, terms and utilities:'''

* ip

* ping

* ss

* lsof

* nc

* /etc/network/interfaces, /etc/sysconfig/network-scripts

* mtr

* hostname

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

 
 

===''Topic 204: System Maintenance''===

====204.1 Make and install programs from source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''Partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====204.2 Backup operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Understand the conepts of backups, including common backup strategies

* Knowledge about directories that have to be included in backups

* Understand application aspects of backup consistency

* Understand how to leverage file system or block device snapshots for backups

* Awareness of borg, including features and use cases

* Awareness of network backup solutions such as Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, disks or other backup media

* Perform partial and manual backups using Linux standard tools

* Verify the integrity of backup files

* Partially or fully restore backups

'''Partial list of the used files, terms and utilities:'''

* Full, differential and incremental backups

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====204.3 Resource Management (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

|}

'''Key Knowledge Areas:'''

* Measure CPU, memory, disk and I/O usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

* Manage resource consumption of systemd slices, scopes and services

* Awareness of Cgroups

'''Partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* systemctl

* systemd-cgls

* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs

* MemoryMin, MemoryLow, MemoryHigh, MemoryMax

* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec

 
 

===''Topic 205: Configuration Management''===

====205.1 Ansible Basics (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use Asible to perform basic system configuration management and administration.
|}

'''Key Knowledge Areas:'''

* Understand the principles of automated system configuration and software installation

* Understand how Ansible interacts with remote systems

* Understand the requirements of Ansible on a target node

* Create and maintain inventory files

* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers

* Awareness of dynamic inventory

* Awareness of cloud-init

'''Partial list of the used files, terms and utilities:'''

* ansible.cfg

* ansible-playbook

* ansible-doc

 

====205.2 Ansible Modules (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}

'''Key Knowledge Areas:'''

* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy

* Understand and use important Ansible tasks

'''Partial list of the used files, terms and utilities:'''

* file

* copy

* template

* ini_file

* lineinfile

* patch

* replace

* user

* group

* command

* shell

* service

* systemd

* cron

* apt

* debconf

* yum

* git

* debug

* ansible-galaxy

 

====205.3 Ansible Templates and Variables (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to understand variables and facts and Ansible and write simple Jinja2 templates.
|}

'''Key Knowledge Areas:'''

* Set and use variables and facts

* Maintain secrets using Ansible vaults

* Write Jinja2 templates, including using common filters, loops and conditionals

'''Partial list of the used files, terms and utilities:'''

* Jinja2 syntax

* ansible-vault

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS server configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* named.conf

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and maintain DNS zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 HTTP Protocol (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.
|}

'''Key Knowledge Areas:'''

* Understanding the principles of HTTP version 1.1 and HTTP version 2.0

* Understanding the principle of virtual hosts

* Application Server Integration

'''The following is a partial list of the used files, terms and utilities:'''

* HTTP methods and status codes

* HTTP headers

* HTTP cookies

* CGI, FastCGI, WSGI, AJP

 

====208.2 HTTPS, PKI and TLS (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.
|}

'''Key Knowledge Areas:'''

* Cyptographic concenpts

* TLS and SNI

* X.509 certificates, including important fields for HTTPS

* PKI

* Generate a self-signed Certificate

* Generate a server private key and CSR for a commercial CA

* Install the key and certificate, including intermediate CAs

* Let's Encrypt for certificate procurement

* Security issues in SSL use, awareness of insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Symetric and asymetric cryptography

* Hash functions

* Key exchange algorithms

* Perfect forward secrecy

* Certification Authorities

* ACME, including challenges

* openssl

* certbot

 

====208.3 Apache HTTPD Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache HTTPD 2.4 architecture, configuration files, terms and utilities

* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* Apache log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Using redirect statements in Apache's configuration files to customize file access

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* mod_php and PHP FPM

* mod_python and Python WSGI

* Configuration of maximum requests, minimum and maximum servers and clients

* Awareness of mod_security and mod_evasive

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

* apachectl, apache2ctl

* httpd, apache2

 

====208.4 NGINX Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* NGINX architecture, configuration files, terms and utilities

* NGINX virtual host implementation (with and without dedicated IP addresses)

* HTTPS configuration for IP and name-based virtual hosts

* NGINX log files configuration and content

* Access restriction methods and files

* Client user authentication files and utilities

* Configure redirects

* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP

* Configuration of maximum requests, minimum and maximum servers and clients

'''The following is a partial list of the used files, terms and utilities:'''

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba File Server Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-level security

* Active Directory membership

'''The following is a partial list of the used files, terms and utilities:'''

* samba, smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 and 4 configuration files

* NFS tools and utilities

* Access restrictions to specific hosts and/or subnets

* Mount options on server and client

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* ISC DHCP configuration files, terms and utilities for DHCPv4

* ISC DHCP configuration files, terms and utilities for DHCPv6

* radvd configuration files, terms and utilities for IPv6 SLAAC

* Subnet and dynamically-allocated DHCP range setup

* Subnet and host-specific DHCP range setup

* DHCPv4 and DHCPv6 options for PXE boot

* Awareness of KEA

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd6.conf

* dhcpd.leases

* dhcpd6.leases

* radvd.conf

* dhcpd

* radvd

* DHCP Log messages in syslog or systemd journal

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* Understand key concepts of LDAP

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Authentication Mechanisms and Standards (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should bei understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services.
|}

'''Key Knowledge Areas:'''

* Directory service and authentication standards

* Domains and authentication management systems

* Web-based authentication standards

* Multi-factor authentication and one-time passwords (OTP)

* Understanding the most important properties and use cases of relevant procotols and standards

'''The following is a partial list of the used files, terms and utilities:'''

* LDAP

* Kerberos 5

* Active Directory

* FreeIPA

* Oauth2

* OpenID Connect

* kinit, klist, kdestroy

* pam_oath and pam_otp

 
 

===''Topic 211: Email Services''===

====211.1 Using Email Servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Configure Postfix for SASL authentication using cyrus-sasl

* Configure nullmailer for email relay

* Awareness of exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* /etc/aliases

* mail-related logs in /var/log/

* /etc/sasl2/smtpd.conf

* testsaslauthd

* nullmailer/me

* nullmailer/remotes

* nullmailer/defaultdomain

 

====211.2 Managing Email Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP configuration and administration

* Basic TLS configuration for Dovecot

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

* Understand the main concepts of firewalld

* Use firewalld to implement a simple edge node and router firewall

* Awareness of ufw and firewalld

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

* firewall-cmd

* /etc/firewalld/firewalld.conf

 

====212.3 Advanced Secure shell (SSH) (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Using SSH to forward local and remote ports

* Understand the concept of an SSH CA

* Use an SSH CA to manage SSH keys

* Awareness of SSH Banners

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication

* ssh-keygen

* AuthorizedPrincipalsFile

* TrustedUserCAKeys

* Banner

 

====212.4 Security tasks (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to secure the services running on a Linux server. This includes leveraging various systemd settings to manage the runtime configuration of services. Furthermore, the candidate is expected to scan systems for open ports and implement fail2ban.

|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Understand and configure fail2ban

* Configure systemd units to run with specific privileges

* Configure systemd units with a private /tmp directory

* Use systemd to restrict device access of services

* Use systemd to manage network accessiability of services

* Awareness of capabilitites and Cgroups

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* User

* Group

* SupplementaryGroups

* PrivateTmp

* DeviceAllow

* IPAddressAllow

* IPAddressDeny

* RestrictNetworkInterfaces

 

====212.5 Virtual Private Networks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* Understand the concepts of a virtual private network

* Understand the different requirements of a site-to-site and an end user VPN

* Wireguard

* Awareness of OpenVPN

* Awareness of the main differences between OpenVPN and Wireguard

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/wireguard/

* wg

* wg-quick

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Remove paths to commands and configuration files wherever possible

DevOps Tools Engineer Objectives V2.0

2023-06-22T12:23:27Z

GMatthewRice: /* 705.2 Prometheus Monitoring (weight: 6) */

__FORCETOC__
==Introduction==

This is a required exam for the Linux Professional Institute DevOps Tools Engineer certification. It covers basic skills in using tools commonly used to implement DevOps.

This page covers the currently released objective for the Linux Professional Institute DevOps Tools Engineer certification.

 

==Candidate Description==

The certification holder is either a professional software developer or a professional system administrator who is involved in the production of IT solutions which require a robust and efficient process to get from original source materials to a final deployed or distributable product or service with a particular focus on using Open Source technology. The certification holder has the ability to create, deliver and operate software using collaborative methods which address aspects of software development as well as system administration. In particular, the certification holder is adept at bridging the gap between the development and operations of a solution or product. The certification holder understands how these tools facilitate development and operational tasks in the delivery of stable, scalable and up to date services to users and customers.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 2.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[DevOps_Tools_Engineer_Objectives_V2.0|English]]

 

==Exams and Requirements==

The Linux Professional Institute DevOps Tools Engineer certification is awarded after passing this exam. There is no requirement to possess any other certifications. However, LPI recommends that all Linux Professional Institute DevOps Tools Engineers maintain at least one active certification in either system administration or software development. This certification should be at a level equivalent to LPIC-1.

 

==Objectives==

===''701 Software Engineering''===

====701.1 Modern Software Development (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to design software solutions suitable for modern runtime environments. Candidates should understand how services handle data persistence, sessions, status information, transactions, concurrency, security, performance, availability, scaling, load balancing, messaging, monitoring and APIs. Furthermore, candidates should understand the implications of agile and DevOps on software development.

|}

'''Key Knowledge Areas:'''

* Understand and design service based applications

* Understand common API concepts and standards

* Understand aspects of data storage, service status and session handling

* Design software to be run in containers

* Design software to be deployed to cloud services

* Awareness of risks in the migration and integration of monolithic legacy software

* Understand the concept of agile software development

* Understand the concept of DevOps and its implications to software developers and operators

'''The following is a partial list of the used files, terms and utilities:'''

* REST, JSON

* Service Oriented Architectures (SOA)

* Microservices

* Immutable servers

* Loose coupling

* Cross site scripting, SQL injections, verbose error reports, API authentication, consistent enforcement of transport encryption

* CORS headers and CSRF tokens

 

====701.2 Standard Components and Platforms for Software (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand services offered by common cloud platforms. They should be able to include these services in their application architectures and deployment toolchains and understand the required service configurations. Furthermore, the candidate should be aware of the commonly used open source implementations of the various services.

|}

'''Key Knowledge Areas:'''

* Features and concepts of object storage

* Features and concepts of relational and NoSQL databases

* Features and concepts of message brokers and message queues

* Features and concepts of big data services

* Features and concepts of application runtimes / PaaS

* Features and concepts of hosted applications / SaaS

* Features and concepts of function applications / FaaS

* Features and concepts of content delivery networks

* Awareness of identity and access management in cloud services

'''The following is a partial list of the used files, terms and utilities:'''

* Objects, Buckets, ACLs, S3

* MariaDB, MySQL, PostgreSQL,

* Redis, MongoDB, InfluxDB

* Elasticsearch and OpenSearch

* Kafka, MQTT

* IAM

 

====701.3 Source Code Management (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Git to manage and share source code. This includes creating and contributing to a repository as well as the usage of tags, branches and remote repositories. Furthermore, the candidate should be able to merge files and resolve merging conflicts.

|}

'''Key Knowledge Areas:'''

* Understand Git concepts and repository structure

* Manage files within a Git repository

* Manage branches and tags

* Work with remote repositories and branches as well as submodules

* Merge files and branches

* Awareness of SVN and CVS, including concepts of centralized and distributed SCM solutions

'''The following is a partial list of the used files, terms and utilities:'''

* git

* .gitignore

 

====701.4 Continuous Integration and Continuous Delivery (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles and components of a continuous integration and continuous delivery pipeline. Candidates should understand how CI/CD pipelines support the development and release of software and how they integrate with source code repositories and the target runtime environment. Furthermore, candidates should be aware of commonly used CI/CD platforms.

|}

'''Key Knowledge Areas:'''

* Understand the concepts of Continuous Integration and Continuous Delivery

* Understand the components of a CI/CD pipeline, including builds, unit, integration and acceptance tests, artifact management, delivery and deployment

* Understand the concepts of GitOps

* Understand the role of build artifacts and caches

* Understand deployment best practices

* Awareness of Jenkins and Gitlab CI

* Awareness of Artifactory and Nexus

'''The following is a partial list of the used files, terms and utilities:'''

* Declarative Pipeline

* Production, Staging and Development Environments

* Feature toggles

* Preview releases

* Reconciliation loops

* A/B testing

* Blue-green and canary deployment

 

====701.5 Software Composition, Licensing and Open Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles of software licenses. This includes how software from multiple authors and sources are combined to implement a specific service and how licensing affects such compositions. Furthermore, the candidate should understand the concepts of open source software, including the most important aspects of common open source licenses.

|}

'''Key Knowledge Areas:'''

* Understand how an application is build out of multiple software components

* Awareness of dependency managers like NPM, gradle or composer

* Understand the concepts proprietary and open source software

* Understand the concepts of open source software licenses

* Awareness of commonly used open source licenses (GPL, LGPL, AGPL, BSD, MIT and Apache License)

* Awareness of license compatibility and multi licensing

'''The following is a partial list of the used files, terms and utilities:'''

* Software libraries

* Software Bill Of Materials

* Proprietary software

* Open Source Software and Free Software

* Copyleft open source software licenses

* Permissive open source software licenses

===''702 Application Container''===

====702.1 Application Container Management (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to operate Docker and Podman containers. This includes creating and interacting with containers as well as connecting containers to networks and storage volumes.

|}

'''Key Knowledge Areas:'''

* Understand the Docker and Podman architecture

* Use existing images from an OCI registry

* Operate and access containers

* Understand Docker networking concepts, including overlay networks

* Understand the concepts of DNS service discovery

* Connect container to container networks and use DNS for service discovery

* Understand Docker storage concepts

* Use Docker volumes for shared and persistent container storage

* Awareness of rootless containers

'''The following is a partial list of the used files, terms and utilities:'''

* docker container *

* docker network *

* docker image *

* docker volume *

* podman container *

* podman network *

* podman image *

* podman volume *

 

====702.2 Container Orchestration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to run and manage multiple containers that work together to provide a service. This includes the orchestration of Docker containers using Docker Compose.

|}

'''Key Knowledge Areas:'''

* Understand the application model of Docker Compose and Podman Compose

* Create and run Docker Compose Files (version 3 or later)

* Define services, networks and volumes, along with their commonly used properties, in Docker Compose files

* Use Docker Compose to update running containers to newer images

'''The following is a partial list of the used files, terms and utilities:'''

* docker compose

* podman-compose

* docker-compose.yml

 

====702.3 Container Image Building (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to set up a runtime environment for containers. This includes running containers on a local workstation as well as setting up a dedicated container host. Furthermore, candidates should be aware of other container infrastructures, storage, networking and container specific security aspects. This objective covers the feature set of Docker version 17.06 or later and Docker Machine 0.12 or later.

Candidates should be able to build OCI container images. This includes creating Dockerfiles or Containerfiles, building containers and publishing container images on an existing OCI registry.

|}

'''Key Knowledge Areas:'''

* Create Dockerfiles and build images from Dockerfiles

* Understand OCI image names

* Upload images to a Docker registry

* Understand the principles of image scanners

* Understand security risks of container virtualization and container images and how to mitigate them

* Awareness Docker buildx, Docker Buildkit, Podman build and Buildah

'''The following is a partial list of the used files, terms and utilities:'''

* docker image *

* docker login

* Dockerfile

* Containerfile

* .dockerignore

* FROM

* COPY

* ADD

* RUN

* VOLUME

* EXPOSE

* USER

* WORKDIR

* ENV

* ARG

* CMD

* ENTRYPOINT

 

===''703 Kubernetes''===

====703.1 Kubernetes Architecture and Usage (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major components of Kubernetes. Furthermore, candidates should be able to interact with an existing Kubernetes platform to retrieve information about the current Kubernetes state, and create, modify and delete resources.

|}

'''Key Knowledge Areas:'''

* Understand the major components and services in a Kubernetes cluster

* Configure kubectl to use an existing Kubernetes cluster

* Use kubectl to get information about Kubernetes resources

* Use kubectl to create, modify and delete resources

* Awareness of Kubernetes Operators

'''Partial list of the used files, terms and utilities:'''

* API-Server, etcd, Controller Manager, Scheduler

* ~/.kube/config

* kubectl get

* kubectl describe

* kubectl apply

* kubectl create

* kubectl run

* kubectl expose

* kubectl scale

* kubectl set

* kubectl edit

* kubectl explain

* kubectl config

* kubectl logs

* kubectl exec

 

====703.2 Basic Kubernetes Operations (weight: 7)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 7
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to set up applications running on Kubernetes. This includes understanding the most important kinds of Kubernetes resources, including their most important properties.

|}

'''Key Knowledge Areas:'''

* Understanding the use of YAML files to declare Kubernetes resources

* Understanding the principle of a Pod

* Understanding how to use Deployments, including scaling and rolling updates

* Understanding how to make services accessible using Services and Ingress

* Understanding how to use storage using PersistentVolumeClaims

* Awareness of other Kubernetes orchestration resources, i.e. DaemonSets, StatefulSets, Jobs and CronJobs

'''Partial list of the used files, terms and utilities:'''

* Pods

* ReplicaSets

* Deployments

* Services

* Ingress

* PersistentVolumeClaims

* ConfigMaps

* Secrets

 

====703.3 Kubernetes Package Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Helm to install software on Kubernetes.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of Charts, Releases and Values

* Installation, upgrading and uninstalling software using Helm

* Specify custom values to configure software installed using Helm

* Awareness of Kustomize

* Awareness of Flux CD and Argo CD

'''The following is a partial list of the used files, terms and utilities:'''

* helm install

* helm upgrade

* helm list

* helm uninstall

* values.yaml

 

===''705 Security and Observability''===

====705.1 Cloud Native Security (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major kinds of IT threats against cloud native infrastructure, as well as common approaches to prevent such attacks and mitigate their risk. This includes handling security aspects of foreign software as well as common standards for authentication and authorization.

|}

'''Key Knowledge Areas:'''

* Understand core IT infrastructure components and their role in deployment

* Understand common IT infrastructure security risks and ways to mitigate them

* Understand supply chain security and dependencies on foreign code

* Understand common application security risks and ways to mitigate them

* Understand the concepts of asymmetric cryptography and digital certificates

* Understand the principles of common standard for authentication and authorization

* Understand how to manage user credentials and how to use advanced authentication technologies

'''The following is a partial list of the used files, terms and utilities:'''

* Service exploits, brute force attacks, and denial of service attacks

* Security updates, packet filtering and application gateways

* Buffer overflows, SQL injections

* API access, permissions, verbosity and rate limits

* Common Vulnerabilities and Exposures (CVE)

* CVE IDs and CVE scores

* Public key, private key, X.509 certificate, certificate authority

* Single sign-on (SSO)

* OAuth2, OpenID Connect and SAML

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

 

====705.2 Prometheus Monitoring (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of monitoring for application and IT infrastructures. They should be familiar with the architecture and components of Prometheus. The candidate should be able to set up Prometheus and use PromQL to query monitoring data.

|}

'''Key Knowledge Areas:'''

* Understand goals of IT operations and service provisioning, including nonfunctional properties such as availability, latency, responsiveness

* Understand and identify metrics and indicators to monitor and measure the technical functionality of a service

* Understand and identify metrics and indicators to monitor and measure the logical functionality of a service

* Understand the concepts of Prometheus, including Exporters, Pushgateway, Alertmanager and Grafana

* Understand the architecture of Prometheus

* Set up Prometheus and configure file based service discovery

* Monitor containers and microservices using Prometheus

* Use PromQL to retrieve log data

* Aggregate metrics for specific labels

* Aggregate metrics over time

* Awareness of common exporters

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* Prometheus, Exporters, AlertManager, Grafana

* Label selectors

* Instant vectors and aggregate functions

* Range vectors and aggregate functions

* Node Exporter and Blackbox Exporter

 

====705.3 Log Management and Analysis (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of log files in operations and troubleshooting. They should be understand the major properties and features of commonly used Open Source logging stacks.

|}

'''Key Knowledge Areas:'''

* Understand how application and system logging works

* Understand the architecture and features of commonly used open source logging stacks

'''The following is a partial list of the used files, terms and utilities:'''

* Elasticsearch and OpenSearch

* Logstash and filebeat

* Fluentd and FluentBit

* Kibana

* Loki and promtail

* Grafana

* Greylog2

 

====705.4 Tracing (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the concepts and importance of tracing and be familiar with the architecture of OpenTelemetry.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of tracing

* Understanding the concepts of OpenTelemetry

* Awareness of commonly used open source telemetry analysis tools

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* OpenTelemetry

* Spans and Distributed Traces

* Contexts, Span and Trace IDs

* Span attributes, events, links, status and kind

* Grafana Tempo

* Jaeger

DevOps Tools Engineer Objectives V2.0

2023-06-22T12:15:39Z

GMatthewRice:

__FORCETOC__
==Introduction==

This is a required exam for the Linux Professional Institute DevOps Tools Engineer certification. It covers basic skills in using tools commonly used to implement DevOps.

This page covers the currently released objective for the Linux Professional Institute DevOps Tools Engineer certification.

 

==Candidate Description==

The certification holder is either a professional software developer or a professional system administrator who is involved in the production of IT solutions which require a robust and efficient process to get from original source materials to a final deployed or distributable product or service with a particular focus on using Open Source technology. The certification holder has the ability to create, deliver and operate software using collaborative methods which address aspects of software development as well as system administration. In particular, the certification holder is adept at bridging the gap between the development and operations of a solution or product. The certification holder understands how these tools facilitate development and operational tasks in the delivery of stable, scalable and up to date services to users and customers.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 2.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[DevOps_Tools_Engineer_Objectives_V2.0|English]]

 

==Exams and Requirements==

The Linux Professional Institute DevOps Tools Engineer certification is awarded after passing this exam. There is no requirement to possess any other certifications. However, LPI recommends that all Linux Professional Institute DevOps Tools Engineers maintain at least one active certification in either system administration or software development. This certification should be at a level equivalent to LPIC-1.

 

==Objectives==

===''701 Software Engineering''===

====701.1 Modern Software Development (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to design software solutions suitable for modern runtime environments. Candidates should understand how services handle data persistence, sessions, status information, transactions, concurrency, security, performance, availability, scaling, load balancing, messaging, monitoring and APIs. Furthermore, candidates should understand the implications of agile and DevOps on software development.

|}

'''Key Knowledge Areas:'''

* Understand and design service based applications

* Understand common API concepts and standards

* Understand aspects of data storage, service status and session handling

* Design software to be run in containers

* Design software to be deployed to cloud services

* Awareness of risks in the migration and integration of monolithic legacy software

* Understand the concept of agile software development

* Understand the concept of DevOps and its implications to software developers and operators

'''The following is a partial list of the used files, terms and utilities:'''

* REST, JSON

* Service Oriented Architectures (SOA)

* Microservices

* Immutable servers

* Loose coupling

* Cross site scripting, SQL injections, verbose error reports, API authentication, consistent enforcement of transport encryption

* CORS headers and CSRF tokens

 

====701.2 Standard Components and Platforms for Software (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand services offered by common cloud platforms. They should be able to include these services in their application architectures and deployment toolchains and understand the required service configurations. Furthermore, the candidate should be aware of the commonly used open source implementations of the various services.

|}

'''Key Knowledge Areas:'''

* Features and concepts of object storage

* Features and concepts of relational and NoSQL databases

* Features and concepts of message brokers and message queues

* Features and concepts of big data services

* Features and concepts of application runtimes / PaaS

* Features and concepts of hosted applications / SaaS

* Features and concepts of function applications / FaaS

* Features and concepts of content delivery networks

* Awareness of identity and access management in cloud services

'''The following is a partial list of the used files, terms and utilities:'''

* Objects, Buckets, ACLs, S3

* MariaDB, MySQL, PostgreSQL,

* Redis, MongoDB, InfluxDB

* Elasticsearch and OpenSearch

* Kafka, MQTT

* IAM

 

====701.3 Source Code Management (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Git to manage and share source code. This includes creating and contributing to a repository as well as the usage of tags, branches and remote repositories. Furthermore, the candidate should be able to merge files and resolve merging conflicts.

|}

'''Key Knowledge Areas:'''

* Understand Git concepts and repository structure

* Manage files within a Git repository

* Manage branches and tags

* Work with remote repositories and branches as well as submodules

* Merge files and branches

* Awareness of SVN and CVS, including concepts of centralized and distributed SCM solutions

'''The following is a partial list of the used files, terms and utilities:'''

* git

* .gitignore

 

====701.4 Continuous Integration and Continuous Delivery (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles and components of a continuous integration and continuous delivery pipeline. Candidates should understand how CI/CD pipelines support the development and release of software and how they integrate with source code repositories and the target runtime environment. Furthermore, candidates should be aware of commonly used CI/CD platforms.

|}

'''Key Knowledge Areas:'''

* Understand the concepts of Continuous Integration and Continuous Delivery

* Understand the components of a CI/CD pipeline, including builds, unit, integration and acceptance tests, artifact management, delivery and deployment

* Understand the concepts of GitOps

* Understand the role of build artifacts and caches

* Understand deployment best practices

* Awareness of Jenkins and Gitlab CI

* Awareness of Artifactory and Nexus

'''The following is a partial list of the used files, terms and utilities:'''

* Declarative Pipeline

* Production, Staging and Development Environments

* Feature toggles

* Preview releases

* Reconciliation loops

* A/B testing

* Blue-green and canary deployment

 

====701.5 Software Composition, Licensing and Open Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles of software licenses. This includes how software from multiple authors and sources are combined to implement a specific service and how licensing affects such compositions. Furthermore, the candidate should understand the concepts of open source software, including the most important aspects of common open source licenses.

|}

'''Key Knowledge Areas:'''

* Understand how an application is build out of multiple software components

* Awareness of dependency managers like NPM, gradle or composer

* Understand the concepts proprietary and open source software

* Understand the concepts of open source software licenses

* Awareness of commonly used open source licenses (GPL, LGPL, AGPL, BSD, MIT and Apache License)

* Awareness of license compatibility and multi licensing

'''The following is a partial list of the used files, terms and utilities:'''

* Software libraries

* Software Bill Of Materials

* Proprietary software

* Open Source Software and Free Software

* Copyleft open source software licenses

* Permissive open source software licenses

===''702 Application Container''===

====702.1 Application Container Management (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to operate Docker and Podman containers. This includes creating and interacting with containers as well as connecting containers to networks and storage volumes.

|}

'''Key Knowledge Areas:'''

* Understand the Docker and Podman architecture

* Use existing images from an OCI registry

* Operate and access containers

* Understand Docker networking concepts, including overlay networks

* Understand the concepts of DNS service discovery

* Connect container to container networks and use DNS for service discovery

* Understand Docker storage concepts

* Use Docker volumes for shared and persistent container storage

* Awareness of rootless containers

'''The following is a partial list of the used files, terms and utilities:'''

* docker container *

* docker network *

* docker image *

* docker volume *

* podman container *

* podman network *

* podman image *

* podman volume *

 

====702.2 Container Orchestration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to run and manage multiple containers that work together to provide a service. This includes the orchestration of Docker containers using Docker Compose.

|}

'''Key Knowledge Areas:'''

* Understand the application model of Docker Compose and Podman Compose

* Create and run Docker Compose Files (version 3 or later)

* Define services, networks and volumes, along with their commonly used properties, in Docker Compose files

* Use Docker Compose to update running containers to newer images

'''The following is a partial list of the used files, terms and utilities:'''

* docker compose

* podman-compose

* docker-compose.yml

 

====702.3 Container Image Building (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to set up a runtime environment for containers. This includes running containers on a local workstation as well as setting up a dedicated container host. Furthermore, candidates should be aware of other container infrastructures, storage, networking and container specific security aspects. This objective covers the feature set of Docker version 17.06 or later and Docker Machine 0.12 or later.

Candidates should be able to build OCI container images. This includes creating Dockerfiles or Containerfiles, building containers and publishing container images on an existing OCI registry.

|}

'''Key Knowledge Areas:'''

* Create Dockerfiles and build images from Dockerfiles

* Understand OCI image names

* Upload images to a Docker registry

* Understand the principles of image scanners

* Understand security risks of container virtualization and container images and how to mitigate them

* Awareness Docker buildx, Docker Buildkit, Podman build and Buildah

'''The following is a partial list of the used files, terms and utilities:'''

* docker image *

* docker login

* Dockerfile

* Containerfile

* .dockerignore

* FROM

* COPY

* ADD

* RUN

* VOLUME

* EXPOSE

* USER

* WORKDIR

* ENV

* ARG

* CMD

* ENTRYPOINT

 

===''703 Kubernetes''===

====703.1 Kubernetes Architecture and Usage (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major components of Kubernetes. Furthermore, candidates should be able to interact with an existing Kubernetes platform to retrieve information about the current Kubernetes state, and create, modify and delete resources.

|}

'''Key Knowledge Areas:'''

* Understand the major components and services in a Kubernetes cluster

* Configure kubectl to use an existing Kubernetes cluster

* Use kubectl to get information about Kubernetes resources

* Use kubectl to create, modify and delete resources

* Awareness of Kubernetes Operators

'''Partial list of the used files, terms and utilities:'''

* API-Server, etcd, Controller Manager, Scheduler

* ~/.kube/config

* kubectl get

* kubectl describe

* kubectl apply

* kubectl create

* kubectl run

* kubectl expose

* kubectl scale

* kubectl set

* kubectl edit

* kubectl explain

* kubectl config

* kubectl logs

* kubectl exec

 

====703.2 Basic Kubernetes Operations (weight: 7)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 7
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to set up applications running on Kubernetes. This includes understanding the most important kinds of Kubernetes resources, including their most important properties.

|}

'''Key Knowledge Areas:'''

* Understanding the use of YAML files to declare Kubernetes resources

* Understanding the principle of a Pod

* Understanding how to use Deployments, including scaling and rolling updates

* Understanding how to make services accessible using Services and Ingress

* Understanding how to use storage using PersistentVolumeClaims

* Awareness of other Kubernetes orchestration resources, i.e. DaemonSets, StatefulSets, Jobs and CronJobs

'''Partial list of the used files, terms and utilities:'''

* Pods

* ReplicaSets

* Deployments

* Services

* Ingress

* PersistentVolumeClaims

* ConfigMaps

* Secrets

 

====703.3 Kubernetes Package Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Helm to install software on Kubernetes.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of Charts, Releases and Values

* Installation, upgrading and uninstalling software using Helm

* Specify custom values to configure software installed using Helm

* Awareness of Kustomize

* Awareness of Flux CD and Argo CD

'''The following is a partial list of the used files, terms and utilities:'''

* helm install

* helm upgrade

* helm list

* helm uninstall

* values.yaml

 

===''705 Security and Observability''===

====705.1 Cloud Native Security (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major kinds of IT threats against cloud native infrastructure, as well as common approaches to prevent such attacks and mitigate their risk. This includes handling security aspects of foreign software as well as common standards for authentication and authorization.

|}

'''Key Knowledge Areas:'''

* Understand core IT infrastructure components and their role in deployment

* Understand common IT infrastructure security risks and ways to mitigate them

* Understand supply chain security and dependencies on foreign code

* Understand common application security risks and ways to mitigate them

* Understand the concepts of asymmetric cryptography and digital certificates

* Understand the principles of common standard for authentication and authorization

* Understand how to manage user credentials and how to use advanced authentication technologies

'''The following is a partial list of the used files, terms and utilities:'''

* Service exploits, brute force attacks, and denial of service attacks

* Security updates, packet filtering and application gateways

* Buffer overflows, SQL injections

* API access, permissions, verbosity and rate limits

* Common Vulnerabilities and Exposures (CVE)

* CVE IDs and CVE scores

* Public key, private key, X.509 certificate, certificate authority

* Single sign-on (SSO)

* OAuth2, OpenID Connect and SAML

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

 

====705.2 Prometheus Monitoring (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of monitoring for application and IT infrastructure. They should be familiar with the architecture and components of Prometheus. The candidate should be able to set up Prometheus and use PromQL to query monitoring data.

|}

'''Key Knowledge Areas:'''

* Understand goals of IT operations and service provisioning, including nonfunctional properties such as availability, latency, responsiveness

* Understand and identify metrics and indicators to monitor and measure the technical functionality of a service

* Understand and identify metrics and indicators to monitor and measure the logical functionality of a service

* Understand the concepts of Prometheus, including Exporters, Pushgateway, Alertmanager and Grafana

* Understand the architecture of Prometheus

* Set up Prometheus and configure file based service discovery

* Monitor containers and microservices using Prometheus

* Use PromQL to retrieve log data

* Aggregate metrics for specific labels

* Aggregate metrics over time

* Awareness of common exporters

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* Prometheus, Exporters, AlertManager, Grafana

* Label selectors

* Instant vectors and aggregate functions

* Range vectors and aggregate functions

* Node Exporter and Blackbox Exporter

 

====705.3 Log Management and Analysis (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of log files in operations and troubleshooting. They should be understand the major properties and features of commonly used Open Source logging stacks.

|}

'''Key Knowledge Areas:'''

* Understand how application and system logging works

* Understand the architecture and features of commonly used open source logging stacks

'''The following is a partial list of the used files, terms and utilities:'''

* Elasticsearch and OpenSearch

* Logstash and filebeat

* Fluentd and FluentBit

* Kibana

* Loki and promtail

* Grafana

* Greylog2

 

====705.4 Tracing (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the concepts and importance of tracing and be familiar with the architecture of OpenTelemetry.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of tracing

* Understanding the concepts of OpenTelemetry

* Awareness of commonly used open source telemetry analysis tools

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* OpenTelemetry

* Spans and Distributed Traces

* Contexts, Span and Trace IDs

* Span attributes, events, links, status and kind

* Grafana Tempo

* Jaeger

DevOps Tools Engineer Objectives V2.0

2023-06-22T12:14:01Z

GMatthewRice:

__FORCETOC__
==Introduction==

This is a required exam for the Linux Professional Institute DevOps Tools Engineer certification. It covers basic skills in using tools commonly used to implement DevOps.

This page covers the currently released objective for the Linux Professional Institute DevOps Tools Engineer certification.

 

==Candidate Description==

The certification holder is either a professional software developer or a professional system administrator who is involved in the production of IT solutions which require a robust and efficient process to get from original source materials to a final deployed or distributable product or service with a particular focus on using Open Source technology. The certification holder has the ability to create, deliver and operate software using collaborative methods which address aspects of software development as well as system administration. In particular, the certification holder is adept at bridging the gap between the development and operations of a solution or product. The certification holder understands how these tools facilitate development and operational tasks in the delivery of stable, scalable and up to date services to users and customers.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 2.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[DevOps_Tools_Engineer_Objectives_V2.0|English]]

 

==Exams and Requirements==

The Linux Professional Institute DevOps Tools Engineer certification is awarded after passing this exam. There is no requirement to possess another certifications. LPI recommends all Linux Professional Institute DevOps Tools Engineers to maintain at least one active certification in either system administration or software development. This certification should be on a level equivalent to LPIC-1.

 

==Objectives==

===''701 Software Engineering''===

====701.1 Modern Software Development (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to design software solutions suitable for modern runtime environments. Candidates should understand how services handle data persistence, sessions, status information, transactions, concurrency, security, performance, availability, scaling, load balancing, messaging, monitoring and APIs. Furthermore, candidates should understand the implications of agile and DevOps on software development.

|}

'''Key Knowledge Areas:'''

* Understand and design service based applications

* Understand common API concepts and standards

* Understand aspects of data storage, service status and session handling

* Design software to be run in containers

* Design software to be deployed to cloud services

* Awareness of risks in the migration and integration of monolithic legacy software

* Understand the concept of agile software development

* Understand the concept of DevOps and its implications to software developers and operators

'''The following is a partial list of the used files, terms and utilities:'''

* REST, JSON

* Service Oriented Architectures (SOA)

* Microservices

* Immutable servers

* Loose coupling

* Cross site scripting, SQL injections, verbose error reports, API authentication, consistent enforcement of transport encryption

* CORS headers and CSRF tokens

 

====701.2 Standard Components and Platforms for Software (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand services offered by common cloud platforms. They should be able to include these services in their application architectures and deployment toolchains and understand the required service configurations. Furthermore, the candidate should be aware of the commonly used open source implementations of the various services.

|}

'''Key Knowledge Areas:'''

* Features and concepts of object storage

* Features and concepts of relational and NoSQL databases

* Features and concepts of message brokers and message queues

* Features and concepts of big data services

* Features and concepts of application runtimes / PaaS

* Features and concepts of hosted applications / SaaS

* Features and concepts of function applications / FaaS

* Features and concepts of content delivery networks

* Awareness of identity and access management in cloud services

'''The following is a partial list of the used files, terms and utilities:'''

* Objects, Buckets, ACLs, S3

* MariaDB, MySQL, PostgreSQL,

* Redis, MongoDB, InfluxDB

* Elasticsearch and OpenSearch

* Kafka, MQTT

* IAM

 

====701.3 Source Code Management (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Git to manage and share source code. This includes creating and contributing to a repository as well as the usage of tags, branches and remote repositories. Furthermore, the candidate should be able to merge files and resolve merging conflicts.

|}

'''Key Knowledge Areas:'''

* Understand Git concepts and repository structure

* Manage files within a Git repository

* Manage branches and tags

* Work with remote repositories and branches as well as submodules

* Merge files and branches

* Awareness of SVN and CVS, including concepts of centralized and distributed SCM solutions

'''The following is a partial list of the used files, terms and utilities:'''

* git

* .gitignore

 

====701.4 Continuous Integration and Continuous Delivery (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles and components of a continuous integration and continuous delivery pipeline. Candidates should understand how CI/CD pipelines support the development and release of software and how they integrate with source code repositories and the target runtime environment. Furthermore, candidates should be aware of commonly used CI/CD platforms.

|}

'''Key Knowledge Areas:'''

* Understand the concepts of Continuous Integration and Continuous Delivery

* Understand the components of a CI/CD pipeline, including builds, unit, integration and acceptance tests, artifact management, delivery and deployment

* Understand the concepts of GitOps

* Understand the role of build artifacts and caches

* Understand deployment best practices

* Awareness of Jenkins and Gitlab CI

* Awareness of Artifactory and Nexus

'''The following is a partial list of the used files, terms and utilities:'''

* Declarative Pipeline

* Production, Staging and Development Environments

* Feature toggles

* Preview releases

* Reconciliation loops

* A/B testing

* Blue-green and canary deployment

 

====701.5 Software Composition, Licensing and Open Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles of software licenses. This includes how software from multiple authors and sources are combined to implement a specific service and how licensing affects such compositions. Furthermore, the candidate should understand the concepts of open source software, including the most important aspects of common open source licenses.

|}

'''Key Knowledge Areas:'''

* Understand how an application is build out of multiple software components

* Awareness of dependency managers like NPM, gradle or composer

* Understand the concepts proprietary and open source software

* Understand the concepts of open source software licenses

* Awareness of commonly used open source licenses (GPL, LGPL, AGPL, BSD, MIT and Apache License)

* Awareness of license compatibility and multi licensing

'''The following is a partial list of the used files, terms and utilities:'''

* Software libraries

* Software Bill Of Materials

* Proprietary software

* Open Source Software and Free Software

* Copyleft open source software licenses

* Permissive open source software licenses

===''702 Application Container''===

====702.1 Application Container Management (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to operate Docker and Podman containers. This includes creating and interacting with containers as well as connecting containers to networks and storage volumes.

|}

'''Key Knowledge Areas:'''

* Understand the Docker and Podman architecture

* Use existing images from an OCI registry

* Operate and access containers

* Understand Docker networking concepts, including overlay networks

* Understand the concepts of DNS service discovery

* Connect container to container networks and use DNS for service discovery

* Understand Docker storage concepts

* Use Docker volumes for shared and persistent container storage

* Awareness of rootless containers

'''The following is a partial list of the used files, terms and utilities:'''

* docker container *

* docker network *

* docker image *

* docker volume *

* podman container *

* podman network *

* podman image *

* podman volume *

 

====702.2 Container Orchestration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to run and manage multiple containers that work together to provide a service. This includes the orchestration of Docker containers using Docker Compose.

|}

'''Key Knowledge Areas:'''

* Understand the application model of Docker Compose and Podman Compose

* Create and run Docker Compose Files (version 3 or later)

* Define services, networks and volumes, along with their commonly used properties, in Docker Compose files

* Use Docker Compose to update running containers to newer images

'''The following is a partial list of the used files, terms and utilities:'''

* docker compose

* podman-compose

* docker-compose.yml

 

====702.3 Container Image Building (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to set up a runtime environment for containers. This includes running containers on a local workstation as well as setting up a dedicated container host. Furthermore, candidates should be aware of other container infrastructures, storage, networking and container specific security aspects. This objective covers the feature set of Docker version 17.06 or later and Docker Machine 0.12 or later.

Candidates should be able to build OCI container images. This includes creating Dockerfiles or Containerfiles, building containers and publishing container images on an existing OCI registry.

|}

'''Key Knowledge Areas:'''

* Create Dockerfiles and build images from Dockerfiles

* Understand OCI image names

* Upload images to a Docker registry

* Understand the principles of image scanners

* Understand security risks of container virtualization and container images and how to mitigate them

* Awareness Docker buildx, Docker Buildkit, Podman build and Buildah

'''The following is a partial list of the used files, terms and utilities:'''

* docker image *

* docker login

* Dockerfile

* Containerfile

* .dockerignore

* FROM

* COPY

* ADD

* RUN

* VOLUME

* EXPOSE

* USER

* WORKDIR

* ENV

* ARG

* CMD

* ENTRYPOINT

 

===''703 Kubernetes''===

====703.1 Kubernetes Architecture and Usage (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major components of Kubernetes. Furthermore, candidates should be able to interact with an existing Kubernetes platform to retrieve information about the current Kubernetes state, and create, modify and delete resources.

|}

'''Key Knowledge Areas:'''

* Understand the major components and services in a Kubernetes cluster

* Configure kubectl to use an existing Kubernetes cluster

* Use kubectl to get information about Kubernetes resources

* Use kubectl to create, modify and delete resources

* Awareness of Kubernetes Operators

'''Partial list of the used files, terms and utilities:'''

* API-Server, etcd, Controller Manager, Scheduler

* ~/.kube/config

* kubectl get

* kubectl describe

* kubectl apply

* kubectl create

* kubectl run

* kubectl expose

* kubectl scale

* kubectl set

* kubectl edit

* kubectl explain

* kubectl config

* kubectl logs

* kubectl exec

 

====703.2 Basic Kubernetes Operations (weight: 7)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 7
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to set up applications running on Kubernetes. This includes understanding the most important kinds of Kubernetes resources, including their most important properties.

|}

'''Key Knowledge Areas:'''

* Understanding the use of YAML files to declare Kubernetes resources

* Understanding the principle of a Pod

* Understanding how to use Deployments, including scaling and rolling updates

* Understanding how to make services accessible using Services and Ingress

* Understanding how to use storage using PersistentVolumeClaims

* Awareness of other Kubernetes orchestration resources, i.e. DaemonSets, StatefulSets, Jobs and CronJobs

'''Partial list of the used files, terms and utilities:'''

* Pods

* ReplicaSets

* Deployments

* Services

* Ingress

* PersistentVolumeClaims

* ConfigMaps

* Secrets

 

====703.3 Kubernetes Package Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Helm to install software on Kubernetes.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of Charts, Releases and Values

* Installation, upgrading and uninstalling software using Helm

* Specify custom values to configure software installed using Helm

* Awareness of Kustomize

* Awareness of Flux CD and Argo CD

'''The following is a partial list of the used files, terms and utilities:'''

* helm install

* helm upgrade

* helm list

* helm uninstall

* values.yaml

 

===''705 Security and Observability''===

====705.1 Cloud Native Security (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major kinds of IT threats against cloud native infrastructure, as well as common approaches to prevent such attacks and mitigate their risk. This includes handling security aspects of foreign software as well as common standards for authentication and authorization.

|}

'''Key Knowledge Areas:'''

* Understand core IT infrastructure components and their role in deployment

* Understand common IT infrastructure security risks and ways to mitigate them

* Understand supply chain security and dependencies on foreign code

* Understand common application security risks and ways to mitigate them

* Understand the concepts of asymmetric cryptography and digital certificates

* Understand the principles of common standard for authentication and authorization

* Understand how to manage user credentials and how to use advanced authentication technologies

'''The following is a partial list of the used files, terms and utilities:'''

* Service exploits, brute force attacks, and denial of service attacks

* Security updates, packet filtering and application gateways

* Buffer overflows, SQL injections

* API access, permissions, verbosity and rate limits

* Common Vulnerabilities and Exposures (CVE)

* CVE IDs and CVE scores

* Public key, private key, X.509 certificate, certificate authority

* Single sign-on (SSO)

* OAuth2, OpenID Connect and SAML

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

 

====705.2 Prometheus Monitoring (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of monitoring for application and IT infrastructure. They should be familiar with the architecture and components of Prometheus. The candidate should be able to set up Prometheus and use PromQL to query monitoring data.

|}

'''Key Knowledge Areas:'''

* Understand goals of IT operations and service provisioning, including nonfunctional properties such as availability, latency, responsiveness

* Understand and identify metrics and indicators to monitor and measure the technical functionality of a service

* Understand and identify metrics and indicators to monitor and measure the logical functionality of a service

* Understand the concepts of Prometheus, including Exporters, Pushgateway, Alertmanager and Grafana

* Understand the architecture of Prometheus

* Set up Prometheus and configure file based service discovery

* Monitor containers and microservices using Prometheus

* Use PromQL to retrieve log data

* Aggregate metrics for specific labels

* Aggregate metrics over time

* Awareness of common exporters

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* Prometheus, Exporters, AlertManager, Grafana

* Label selectors

* Instant vectors and aggregate functions

* Range vectors and aggregate functions

* Node Exporter and Blackbox Exporter

 

====705.3 Log Management and Analysis (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of log files in operations and troubleshooting. They should be understand the major properties and features of commonly used Open Source logging stacks.

|}

'''Key Knowledge Areas:'''

* Understand how application and system logging works

* Understand the architecture and features of commonly used open source logging stacks

'''The following is a partial list of the used files, terms and utilities:'''

* Elasticsearch and OpenSearch

* Logstash and filebeat

* Fluentd and FluentBit

* Kibana

* Loki and promtail

* Grafana

* Greylog2

 

====705.4 Tracing (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the concepts and importance of tracing and be familiar with the architecture of OpenTelemetry.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of tracing

* Understanding the concepts of OpenTelemetry

* Awareness of commonly used open source telemetry analysis tools

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* OpenTelemetry

* Spans and Distributed Traces

* Contexts, Span and Trace IDs

* Span attributes, events, links, status and kind

* Grafana Tempo

* Jaeger

DevOps Tools Engineer Objectives V2.0

2023-06-22T11:57:21Z

GMatthewRice:

__FORCETOC__
==Introduction==

This is a required exam for the Linux Professional Institute DevOps Tools Engineer certification. It covers basic skills in using tools commonly used to implement DevOps.

This page covers the currently released objective for the Linux Professional Institute DevOps Tools Engineer certification.

 

==Candidate Description==

The certification holder is either a professional software developer or a professional system administrator who is involved in the production of IT solutions which require a robust and efficient process to get from original source materials to a final deployed or distributable product or service with a particular focus on using Open Source technology. The certification holder has the ability to create, deliver and operate software using collaborative methods which address aspects of software development as well as system administration. In particular, the certification holder is adept at bridging the gap between the development and operations of a solution or product. The certification holder understands how these tools facilitate development and operational tasks in the delivery of stable, scalable and up to date services to users and customers.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 2.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[DevOps_Tools_Engineer_Objectives_V2.0|English]]

 

==Exams and Requirements==

The Linux Professional Institute DevOps Tools Engineer certification is awarded after passing this exam. There is no requirement to possess another certifications. LPI recommends all Linux Professional Institute DevOps Tools Engineers to maintain at least one active certification in either system administration or software development. This certification should be on a level equivalent to LPIC-1.

 

==Objectives==

===''701 Software Engineering''===

====701.1 Modern Software Development (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to design software solutions suitable for modern runtime environments. Candidates should understand how services handle data persistence, sessions, status information, transactions, concurrency, security, performance, availability, scaling, load balancing, messaging, monitoring and APIs. Furthermore, candidates should understand the implications of agile and DevOps on software development.

|}

'''Key Knowledge Areas:'''

* Understand and design service based applications

* Understand common API concepts and standards

* Understand aspects of data storage, service status and session handling

* Design software to be run in containers

* Design software to be deployed to cloud services

* Awareness of risks in the migration and integration of monolithic legacy software

* Understand the concept of agile software development

* Understand the concept of DevOps and its implications to software developers and operators

'''The following is a partial list of the used files, terms and utilities:'''

* REST, JSON

* Service Orientated Architectures (SOA)

* Microservices

* Immutable servers

* Loose coupling

* Cross site scripting, SQL injections, verbose error reports, API authentication, consistent enforcement of transport encryption

* CORS headers and CSRF tokens

 

====701.2 Standard Components and Platforms for Software (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand services offered by common cloud platforms. They should be able to include these services in their application architectures and deployment toolchains and understand the required service configurations. Futhermore, the candidate should be aware of the commonly used open source implementations of the various services.

|}

'''Key Knowledge Areas:'''

* Features and concepts of object storage

* Features and concepts of relational and NoSQL databases

* Features and concepts of message brokers and message queues

* Features and concepts of big data services

* Features and concepts of application runtimes / PaaS

* Features and concepts of hosted applications / SaaS

* Features and concepts of function applications / FaaS

* Features and concepts of content delivery networks

* Awareness of identity and access management in cloud services

'''The following is a partial list of the used files, terms and utilities:'''

* Objects, Buckets, ACLs, S3

* MariaDB, MySQL, PostgreSQL,

* Redis, MongoDB, InfluxDB

* ElasticSearch and OpenSearch

* Kafka, MQTT

* IAM

 

====701.3 Source Code Management (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Git to manage and share source code. This includes creating and contributing to a repository as well as the usage of tags, branches and remote repositories. Furthermore, the candidate should be able to merge files and resolve merging conflicts.

|}

'''Key Knowledge Areas:'''

* Understand Git concepts and repository structure

* Manage files within a Git repository

* Manage branches and tags

* Work with remote repositories and branches as well as submodules

* Merge files and branches

* Awareness of SVN and CVS, including concepts of centralized and distributed SCM solutions

'''The following is a partial list of the used files, terms and utilities:'''

* git

* .gitignore

 

====701.4 Continuous Integration and Continuous Delivery (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles and components of a continuous integration and continuous delivery pipeline. Candidates should understand how CI/CD pipelines support the development and release of software and how they integrate with source code repositories and the target runtime environment. Furthermore, candidates should be aware of commonly used CI/CD platforms.

|}

'''Key Knowledge Areas:'''

* Understand the concepts of Continuous Integration and Continuous Delivery

* Understand the components of a CI/CD pipeline, including builds, unit, integration and acceptance tests, artifact management, delivery and deployment

* Understand the concepts of GitOps

* Understand the role of build artifacts and caches

* Understand deployment best practices

* Awareness of Jenkins and Gitlab CI

* Awareness of Artifactory and Nexus

'''The following is a partial list of the used files, terms and utilities:'''

* Declarative Pipeline

* Production, Staging and Development Environments

* Feature toggles

* Preview releases

* Reconciliation loops

* A/B testing

* Blue-green and canary deployment

 

====701.5 Software Composition, Licensing and Open Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles of software licenses. This includes how software from multiple authors and sources are combined to implement a specific service and how licensing affects such compositions. Futhermore, the candidate should understand the concepts of open source software, including the most important aspects of common open source licenses.

|}

'''Key Knowledge Areas:'''

* Understand how an application is build out of multiple software components

* Awareness of dependency managers like NPM, gradle or composer

* Understand the concepts proprietary and open source software

* Understand the concepts of open source software licenses

* Awareness of commonly used open source licenses (GPL, LGPL, AGPL, BSD, MIT and Apache License)

* Awareness of license compatibility and multi licensing

'''The following is a partial list of the used files, terms and utilities:'''

* Software libraries

* Software Bill Of Materials

* Proprietary software

* Open Source Software and Free Software

* Copyleft open source sofware licenses

* Permissive open source software licenses

===''702 Application Container''===

====702.1 Application Container Management (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to operate Docker and Podman containers. This includes creating and interacting with containers as well as connecting containers to networks and storage volumes.

|}

'''Key Knowledge Areas:'''

* Understand the Docker and Podman architecture

* Use existing images from an OCI registry

* Operate and access containers

* Understand Docker networking concepts, including overlay networks

* Understand the concepts of DNS service discovery

* Connect container to container networks and use DNS for service discovery

* Understand Docker storage concepts

* Use Docker volumes for shared and persistent container storage

* Awareness of rootless containers

'''The following is a partial list of the used files, terms and utilities:'''

* docker container *

* docker network *

* docker image *

* docker volume *

* podman container *

* podman network *

* podman image *

* podman volume *

 

====702.2 Container Orchestration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to run and manage multiple containers that work together to provide a service. This includes the orchestration of Docker containers using Docker Compose.

|}

'''Key Knowledge Areas:'''

* Understand the application model of Docker Compose and Podman Compose

* Create and run Docker Compose Files (version 3 or later)

* Define services, networks and volumes, along with their commonly used properties, in Docker Compose files

* Use Docker Compose to update running containers to newer images

'''The following is a partial list of the used files, terms and utilities:'''

* docker compose

* podman-compose

* docker-compose.yml

 

====702.3 Container Image Building (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to set up a runtime environment for containers. This includes running containers on a local workstation as well as setting up a dedicated container host. Furthermore, candidates should be aware of other container infrastructures, storage, networking and container specific security aspects. This objective covers the feature set of Docker version 17.06 or later and Docker Machine 0.12 or later.

Candidates should be able to build OCI container images. This includes creating Dockerfiles or Containerfiles, building containers and publishing containter images on an existing OCI registry.

|}

'''Key Knowledge Areas:'''

* Create Dockerfiles and build images from Dockerfiles

* Understand OCI image names

* Upload images to a Docker registry

* Understand the principles of image scanners

* Understand security risks of container virtualization and container images and how to mitigate them

* Awareness Docker buildx, Docker Buildkit, Podman build and Buildah

'''The following is a partial list of the used files, terms and utilities:'''

* docker image *

* docker login

* Dockerfile

* Containerfile

* .dockerignore

* FROM

* COPY

* ADD

* RUN

* VOLUME

* EXPOSE

* USER

* WORKDIR

* ENV

* ARG

* CMD

* ENTRYPOINT

 

===''703 Kubernetes''===

====703.1 Kubernetes Architecture and Usage (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major components of Kubernetes. Futhermore, candidates should be able to interact with an existing Kubernetes platform to retrieve information about the current Kubernets state, and create, modify and delete resources.

|}

'''Key Knowledge Areas:'''

* Understand the major components and services in a Kubernetes cluster

* Configure kubectl to use an existing Kubernetes cluster

* Use kubectl to get information about Kubernetes resources

* Use kubectl to create, modify and delete resources

* Awareness of Kubernetes Operators

'''Partial list of the used files, terms and utilities:'''

* API-Server, etcd, Controller Manager, Scheduler

* ~/.kube/config

* kubectl get

* kubectl describe

* kubectl apply

* kubectl create

* kubectl run

* kubectl expose

* kubectl scale

* kubectl set

* kubectl edit

* kubectl explain

* kubectl config

* kubectl logs

* kubectl exec

 

====703.2 Basic Kubernetes Operations (weight: 7)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 7
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Cadidates should be able to set up applications running on Kubernetes. This includes understanding the most important kinds of Kubernetes resources, including their most important properties.

|}

'''Key Knowledge Areas:'''

* Understanding the use of Yaml files to declare Kubernetes resources

* Understanding the principle of a Pod

* Understanding how to use Deployments, including scaling and rolling updates

* Understanding how to make services accessible using Services and Ingress

* Understanding how to use storage using PersistentVolumeClaims

* Awareness of other Kubernetes orchestation resources, i.e. DaemonSets, StatefulSets, Jobs and CronJobs

'''Partial list of the used files, terms and utilities:'''

* Pods

* ReplicaSets

* Deployments

* Services

* Ingress

* PersistentVolumeClaims

* ConfigMaps

* Secrets

 

====703.3 Kubernetes Package Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Helm to install software on Kubernetes.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of Charts, Releases and Values

* Installation, upgrading and uninstalling software using Helm

* Specify custom values to configure software installed using Helm

* Awareness of Kustomize

* Awareness of Flux CD and Argo CD

'''The following is a partial list of the used files, terms and utilities:'''

* helm install

* helm upgrade

* helm list

* helm uninstall

* values.yaml

 

===''705 Security and Observability''===

====705.1 Cloud Native Security (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major kinds of IT threats against cloud native infrastructure, as well as common approaches to prevent such attacks and mitigate their risk. This includes handling security aspects of foreign software as well as common standards for authentication and authorization.

|}

'''Key Knowledge Areas:'''

* Understand core IT infrastructure components and their role in deployment

* Understand common IT infrastructure security risks and ways to mitigate them

* Understand supply chain security and dependencies on foreign code

* Understand common application security risks and ways to mitigate them

* Understand the concepts of asymmetric cryptography and digital certificates

* Understand the principles of common standard for authentication and authorization

* Understand how to manage user credentials and how to use advanced authentication technologies

'''The following is a partial list of the used files, terms and utilities:'''

* Service exploits, brute force attacks, and denial of service attacks

* Security updates, packet filtering and application gateways

* Buffer overflows, SQL injections

* API access, permissions, verbosity and rate limits

* Common Vulnerabilities and Exposures (CVE)

* CVE IDs and CVE scores

* Public key, private key, X.509 certificate, certificate authority

* Single sign-on (SSO)

* OAuth2, OpenID Connect and SAML

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

 

====705.2 Prometheus Monitoring (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of monitoring for application and IT infrastructure. They should be familiar with the architecture and components of Prometheus. The candidate should be able to set up Prometheus and use PromQL to query monitoring data.

|}

'''Key Knowledge Areas:'''

* Understand goals of IT operations and service provisioning, including nonfunctional properties such as availability, latency, responsiveness

* Understand and identify metrics and indicators to monitor and measure the technical functionality of a service

* Understand and identify metrics and indicators to monitor and measure the logical functionality of a service

* Understand the concepts of Prometheus, including Exporters, Pushgateway, Alertmanager and Grafana

* Understand the architecture of Prometheus

* Set up prometheus and configure file based service discovery

* Monitor containers and microservices using Prometheus

* Use PromQL to retrieve log data

* Aggregate metrics for specific labels

* Aggregate metrics over time

* Awareness of common exporters

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* Prometheus, Exporters, AlertManager, Grafana

* Label selectors

* Instant vectors and aggregate functions

* Range vectors and aggregate functions

* Node Exporter and Blackbox Exporter

 

====705.3 Log Management and Analysis (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of log files in operations and troubleshooting. They should be understand the major properties and features of commonly used Open Source logging stacks.

|}

'''Key Knowledge Areas:'''

* Understand how application and system logging works

* Understand the architecture and features of commonly used open source logging stacks

'''The following is a partial list of the used files, terms and utilities:'''

* ElasticSearch and OpenSearch

* Logstash and filebeat

* Fluentd and FluentBit

* Kibana

* Loki and promtail

* Grafana

* Greylog2

 

====705.4 Tracing (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the concepts and importance of tracing and be familiar with the architecture of OpenTelemetry.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of tracing

* Understanding the concepts of OpenTelemetry

* Awareness of commonly used open source telemetry analysis tools

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* OpenTelemetry

* Spans and Distributed Traces

* Contexts, Span and Trace IDs

* Span attributes, events, links, status and kind

* Grafana Tempo

* Jaeger

DevOps Tools Engineer Objectives V2.0

2023-06-19T16:06:06Z

GMatthewRice:

__FORCETOC__
==Introduction==

This is a required exam for the Linux Professional Institute DevOps Tools Engineer certification. It covers basic skills in using tools commonly used to implement DevOps.

This page covers the currently released objective for the Linux Professional Institute DevOps Tools Engineer certification.

 

==Candidate Description==

The certification holder is either a professional software developer or a professional system administrator who is involved in the production of IT solutions which require a robust and efficient process to get from original source materials to a final deployed or distributable product or service with a particular focus on using Open Source technology. The certification holder has the ability to create, deliver and operate software using collaborative methods which address aspects of software development as well as system administration. In particular, the certification holder is adept at bridging the gap between the development and operations of a solution or product. The certification holder understands how these tools facilitate development and operational tasks in the delivery of stable, scalable and up to date services to users and customers.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 2.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[DevOps_Tools_Engineer_Objectives_V2.0|English]]

 

==Exams and Requirements==

The Linux Professional Institute DevOps Tools Engineer certification is awarded after passing this exam. There is no requirement to posses another certifications. LPI recommends all Linux Professional Institute DevOps Tools Engineers to maintain at least one active certification in either system administration or software development. This certification should be on a level equivalent to LPIC-1.

 

==Objectives==

===''701 Software Engineering''===

====701.1 Modern Software Development (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to design software solutions suitable for modern runtime environments. Candidates should understand how services handle data persistence, sessions, status information, transactions, concurrency, security, performance, availability, scaling, load balancing, messaging, monitoring and APIs. Furthermore, candidates should understand the implications of agile and DevOps on software development.

|}

'''Key Knowledge Areas:'''

* Understand and design service based applications

* Understand common API concepts and standards

* Understand aspects of data storage, service status and session handling

* Design software to be run in containers

* Design software to be deployed to cloud services

* Awareness of risks in the migration and integration of monolithic legacy software

* Understand the concept of agile software development

* Understand the concept of DevOps and its implications to software developers and operators

'''The following is a partial list of the used files, terms and utilities:'''

* REST, JSON

* Service Orientated Architectures (SOA)

* Microservices

* Immutable servers

* Loose coupling

* Cross site scripting, SQL injections, verbose error reports, API authentication, consistent enforcement of transport encryption

* CORS headers and CSRF tokens

 

====701.2 Standard Components and Platforms for Software (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand services offered by common cloud platforms. They should be able to include these services in their application architectures and deployment toolchains and understand the required service configurations. Futhermore, the candidate should be aware of the commonly used open source implementations of the various services.

|}

'''Key Knowledge Areas:'''

* Features and concepts of object storage

* Features and concepts of relational and NoSQL databases

* Features and concepts of message brokers and message queues

* Features and concepts of big data services

* Features and concepts of application runtimes / PaaS

* Features and concepts of hosted applications / SaaS

* Features and concepts of function applications / FaaS

* Features and concepts of content delivery networks

* Awareness of identity and access management in cloud services

'''The following is a partial list of the used files, terms and utilities:'''

* Objects, Buckets, ACLs, S3

* MariaDB, MySQL, PostgreSQL,

* Redis, MongoDB, InfluxDB

* ElasticSearch and OpenSearch

* Kafka, MQTT

* IAM

 

====701.3 Source Code Management (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Git to manage and share source code. This includes creating and contributing to a repository as well as the usage of tags, branches and remote repositories. Furthermore, the candidate should be able to merge files and resolve merging conflicts.

|}

'''Key Knowledge Areas:'''

* Understand Git concepts and repository structure

* Manage files within a Git repository

* Manage branches and tags

* Work with remote repositories and branches as well as submodules

* Merge files and branches

* Awareness of SVN and CVS, including concepts of centralized and distributed SCM solutions

'''The following is a partial list of the used files, terms and utilities:'''

* git

* .gitignore

 

====701.4 Continuous Integration and Continuous Delivery (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles and components of a continuous integration and continuous delivery pipeline. Candidates should understand how CI/CD pipelines support the development and release of software and how they integrate with source code repositories and the target runtime environment. Furthermore, candidates should be aware of commonly used CI/CD platforms.

|}

'''Key Knowledge Areas:'''

* Understand the concepts of Continuous Integration and Continuous Delivery

* Understand the components of a CI/CD pipeline, including builds, unit, integration and acceptance tests, artifact management, delivery and deployment

* Understand the concepts of GitOps

* Understand the role of build artifacts and caches

* Understand deployment best practices

* Awareness of Jenkins and Gitlab CI

* Awareness of Artifactory and Nexus

'''The following is a partial list of the used files, terms and utilities:'''

* Declarative Pipeline

* Production, Staging and Development Environments

* Feature toggles

* Preview releases

* Reconciliation loops

* A/B testing

* Blue-green and canary deployment

 

====701.5 Software Composition, Licensing and Open Source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the principles of software licenses. This includes how software from multiple authors and sources are combined to implement a specific service and how licensing affects such compositions. Futhermore, the candidate should understand the concepts of open source software, including the most important aspects of common open source licenses.

|}

'''Key Knowledge Areas:'''

* Understand how an application is build out of multiple software components

* Awareness of dependency managers like NPM, gradle or composer

* Understand the concepts proprietary and open source software

* Understand the concepts of open source software licenses

* Awareness of commonly used open source licenses (GPL, LGPL, AGPL, BSD, MIT and Apache License)

* Awareness of license compatibility and multi licensing

'''The following is a partial list of the used files, terms and utilities:'''

* Software libraries

* Software Bill Of Materials

* Proprietary software

* Open Source Software and Free Software

* Copyleft open source sofware licenses

* Permissive open source software licenses

===''702 Application Container''===

====702.1 Application Container Management (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to operate Docker and Podman containers. This includes creating and interacting with containers as well as connecting containers to networks and storage volumes.

|}

'''Key Knowledge Areas:'''

* Understand the Docker and Podman architecture

* Use existing images from an OCI registry

* Operate and access containers

* Understand Docker networking concepts, including overlay networks

* Understand the concepts of DNS service discovery

* Connect container to container networks and use DNS for service discovery

* Understand Docker storage concepts

* Use Docker volumes for shared and persistent container storage

* Awareness of rootless containers

'''The following is a partial list of the used files, terms and utilities:'''

* docker container *

* docker network *

* docker image *

* docker volume *

* podman container *

* podman network *

* podman image *

* podman volume *

 

====702.2 Container Orchestration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to run and manage multiple containers that work together to provide a service. This includes the orchestration of Docker containers using Docker Compose.

|}

'''Key Knowledge Areas:'''

* Understand the application model of Docker Compose and Podman Compose

* Create and run Docker Compose Files (version 3 or later)

* Define services, networks and volumes, along with their commonly used properties, in Docker Compose files

* Use Docker Compose to update running containers to newer images

'''The following is a partial list of the used files, terms and utilities:'''

* docker compose

* podman-compose

* docker-compose.yml

 

====702.3 Container Image Building (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to set up a runtime environment for containers. This includes running containers on a local workstation as well as setting up a dedicated container host. Furthermore, candidates should be aware of other container infrastructures, storage, networking and container specific security aspects. This objective covers the feature set of Docker version 17.06 or later and Docker Machine 0.12 or later.

Candidates should be able to build OCI container images. This includes creating Dockerfiles or Containerfiles, building containers and publishing containter images on an existing OCI registry.

|}

'''Key Knowledge Areas:'''

* Create Dockerfiles and build images from Dockerfiles

* Understand OCI image names

* Upload images to a Docker registry

* Understand the principles of image scanners

* Understand security risks of container virtualization and container images and how to mitigate them

* Awareness Docker buildx, Docker Buildkit, Podman build and Buildah

'''The following is a partial list of the used files, terms and utilities:'''

* docker image *

* docker login

* Dockerfile

* Containerfile

* .dockerignore

* FROM

* COPY

* ADD

* RUN

* VOLUME

* EXPOSE

* USER

* WORKDIR

* ENV

* ARG

* CMD

* ENTRYPOINT

 

===''703 Kubernetes''===

====703.1 Kubernetes Architecture and Usage (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major components of Kubernetes. Futhermore, candidates should be able to interact with an existing Kubernetes platform to retrieve information about the current Kubernets state, and create, modify and delete resources.

|}

'''Key Knowledge Areas:'''

* Understand the major components and services in a Kubernetes cluster

* Configure kubectl to use an existing Kubernetes cluster

* Use kubectl to get information about Kubernetes resources

* Use kubectl to create, modify and delete resources

* Awareness of Kubernetes Operators

'''Partial list of the used files, terms and utilities:'''

* API-Server, etcd, Controller Manager, Scheduler

* ~/.kube/config

* kubectl get

* kubectl describe

* kubectl apply

* kubectl create

* kubectl run

* kubectl expose

* kubectl scale

* kubectl set

* kubectl edit

* kubectl explain

* kubectl config

* kubectl logs

* kubectl exec

 

====703.2 Basic Kubernetes Operations (weight: 7)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 7
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Cadidates should be able to set up applications running on Kubernetes. This includes understanding the most important kinds of Kubernetes resources, including their most important properties.

|}

'''Key Knowledge Areas:'''

* Understanding the use of Yaml files to declare Kubernetes resources

* Understanding the principle of a Pod

* Understanding how to use Deployments, including scaling and rolling updates

* Understanding how to make services accessible using Services and Ingress

* Understanding how to use storage using PersistentVolumeClaims

* Awareness of other Kubernetes orchestation resources, i.e. DaemonSets, StatefulSets, Jobs and CronJobs

'''Partial list of the used files, terms and utilities:'''

* Pods

* ReplicaSets

* Deployments

* Services

* Ingress

* PersistentVolumeClaims

* ConfigMaps

* Secrets

 

====703.3 Kubernetes Package Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to use Helm to install software on Kubernetes.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of Charts, Releases and Values

* Installation, upgrading and uninstalling software using Helm

* Specify custom values to configure software installed using Helm

* Awareness of Kustomize

* Awareness of Flux CD and Argo CD

'''The following is a partial list of the used files, terms and utilities:'''

* helm install

* helm upgrade

* helm list

* helm uninstall

* values.yaml

 

===''705 Security and Observability''===

====705.1 Cloud Native Security (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the major kinds of IT threats against cloud native infrastructure, as well as common approaches to prevent such attacks and mitigate their risk. This includes handling security aspects of foreign software as well as common standards for authentication and authorization.

|}

'''Key Knowledge Areas:'''

* Understand core IT infrastructure components and their role in deployment

* Understand common IT infrastructure security risks and ways to mitigate them

* Understand supply chain security and dependencies on foreign code

* Understand common application security risks and ways to mitigate them

* Understand the concepts of asymmetric cryptography and digital certificates

* Understand the principles of common standard for authentication and authorization

* Understand how to manage user credentials and how to use advanced authentication technologies

'''The following is a partial list of the used files, terms and utilities:'''

* Service exploits, brute force attacks, and denial of service attacks

* Security updates, packet filtering and application gateways

* Buffer overflows, SQL injections

* API access, permissions, verbosity and rate limits

* Common Vulnerabilities and Exposures (CVE)

* CVE IDs and CVE scores

* Public key, private key, X.509 certificate, certificate authority

* Single sign-on (SSO)

* OAuth2, OpenID Connect and SAML

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

 

====705.2 Prometheus Monitoring (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of monitoring for application and IT infrastructure. They should be familiar with the architecture and components of Prometheus. The candidate should be able to set up Prometheus and use PromQL to query monitoring data.

|}

'''Key Knowledge Areas:'''

* Understand goals of IT operations and service provisioning, including nonfunctional properties such as availability, latency, responsiveness

* Understand and identify metrics and indicators to monitor and measure the technical functionality of a service

* Understand and identify metrics and indicators to monitor and measure the logical functionality of a service

* Understand the concepts of Prometheus, including Exporters, Pushgateway, Alertmanager and Grafana

* Understand the architecture of Prometheus

* Set up prometheus and configure file based service discovery

* Monitor containers and microservices using Prometheus

* Use PromQL to retrieve log data

* Aggregate metrics for specific labels

* Aggregate metrics over time

* Awareness of common exporters

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* Prometheus, Exporters, AlertManager, Grafana

* Label selectors

* Instant vectors and aggregate functions

* Range vectors and aggregate functions

* Node Exporter and Blackbox Exporter

 

====705.3 Log Management and Analysis (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the role of log files in operations and troubleshooting. They should be understand the major properties and features of commonly used Open Source logging stacks.

|}

'''Key Knowledge Areas:'''

* Understand how application and system logging works

* Understand the architecture and features of commonly used open source logging stacks

'''The following is a partial list of the used files, terms and utilities:'''

* ElasticSearch and OpenSearch

* Logstash and filebeat

* Fluentd and FluentBit

* Kibana

* Loki and promtail

* Grafana

* Greylog2

 

====705.4 Tracing (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should understand the concepts and importance of tracing and be familiar with the architecture of OpenTelemetry.

|}

'''Key Knowledge Areas:'''

* Understanding the concepts of tracing

* Understanding the concepts of OpenTelemetry

* Awareness of commonly used open source telemetry analysis tools

* Awareness of application instrumentation

'''The following is a partial list of the used files, terms and utilities:'''

* OpenTelemetry

* Spans and Distributed Traces

* Contexts, Span and Trace IDs

* Span attributes, events, links, status and kind

* Grafana Tempo

* Jaeger

LPIC-2 Objectives V4.5

2023-03-28T17:34:17Z

GMatthewRice: /* 208.1 Basic Apache configuration (weight: 4) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, web cache/proxy, mail).
** Internet Server (web server and reverse proxy, FTP server).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are version 4.5.0. This version is to go live on February 13th, 2017.

This is also a [[LPIC-2_Summary_Version_4.0_To_4.5|summary and detailed information]] on the changes from version 4.0.x to 4.5.0 of the objectives.

The [[LPIC-2_Objectives_V4|version 4.0 of the LPIC-2 Objectives]] are still online.

 

==Addenda==

===''Version Update (February 13th, 2017)''===

* updated to version 4.5.0

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V4.5|English]]

* [[LPIC-2_Objectives_V4.5(ES)|Spanish]]

* [[LPIC-2_Objectives_V4.5(FR)|French]]

* [[LPIC-2_Objectives_V4.5(DE)|German]]

* [[LPIC-2_Objectives_V4.5(PT-BR)|Portuguese]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 

==Objectives: Exam 201==

===''Topic 200: Capacity Planning''===

====200.1 Measure and Troubleshoot Resource Usage (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource and network bandwidth, identify and troubleshoot resource problems.

|}

'''Key Knowledge Areas:'''

* Measure CPU usage.

* Measure memory usage.

* Measure disk I/O.

* Measure network I/O.

* Measure firewalling and routing throughput.

* Map client bandwidth usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

'''The following is a partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* processes blocked on I/O

* blocks in

* blocks out

 

====200.2 Predict Future Resource Needs (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to monitor resource usage to predict future resource needs.

|}

'''Key Knowledge Areas:'''

* Use monitoring and measurement tools to monitor IT infrastructure usage.

* Predict capacity break point of a configuration.

* Observe growth rate of capacity usage.

* Graph the trend of capacity usage.

* Awareness of monitoring solutions such as Icinga2, Nagios, collectd, MRTG and Cacti

'''The following is a partial list of the used files, terms and utilities:'''

* diagnose

* predict growth

* resource exhaustion

 
 

===''Topic 201: Linux Kernel''===

====201.1 Kernel components (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to utilise kernel components that are necessary to specific hardware, hardware drivers, system resources and requirements. This objective includes implementing different types of kernel images, understanding stable and longterm kernels and patches, as well as using kernel modules.
|}

'''Key Knowledge Areas:'''

* Kernel 2.6.x, 3.x and 4.x documentation

'''The following is a partial list of the used files, terms and utilities:'''

* /usr/src/linux/

* /usr/src/linux/Documentation/

* zImage

* bzImage

* xz compression

 

====201.2 Compiling a Linux kernel (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure a kernel to include or disable specific features of the Linux kernel as necessary. This objective includes compiling and recompiling the Linux kernel as needed, updating and noting changes in a new kernel, creating an initrd image and installing new kernels.
|}

'''Key Knowledge Areas:'''

* /usr/src/linux/

* Kernel Makefiles

* Kernel 2.6.x, 3.x and 4.x make targets

* Customize the current kernel configuration.

* Build a new kernel and appropriate kernel modules.

* Install a new kernel and any modules.

* Ensure that the boot manager can locate the new kernel and associated files.

* Module configuration files

* Use DKMS to compile kernel modules.

* Awareness of dracut

'''The following is a partial list of the used files, terms and utilities:'''

* mkinitrd

* mkinitramfs

* make

* make targets (all, config, xconfig, menuconfig, gconfig, oldconfig, mrproper, zImage, bzImage, modules, modules_install, rpm-pkg, binrpm-pkg, deb-pkg)

* gzip

* bzip2

* module tools

* /usr/src/linux/.config

* /lib/modules/kernel-version/

* depmod

* dkms

 

====201.3 Kernel runtime management and troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage and/or query a 2.6.x, 3.x or 4.x kernel and its loadable modules. Candidates should be able to identify and correct common boot and run time issues. Candidates should understand device detection and management using udev. This objective includes troubleshooting udev rules.
|}

'''Key Knowledge Areas:'''

* Use command-line utilities to get information about the currently running kernel and kernel modules.

* Manually load and unload kernel modules.

* Determine when modules can be unloaded.

* Determine what parameters a module accepts.

* Configure the system to load modules by names other than their file name.

* /proc filesystem

* Content of /, /boot/ , and /lib/modules/

* Tools and utilities to analyse information about the available hardware

* udev rules

'''The following is a partial list of the used files, terms and utilities:'''

* /lib/modules/kernel-version/modules.dep

* module configuration files in /etc/

* /proc/sys/kernel/

* /sbin/depmod

* /sbin/rmmod

* /sbin/modinfo

* /bin/dmesg

* /sbin/lspci

* /usr/bin/lsdev

* /sbin/lsmod

* /sbin/modprobe

* /sbin/insmod

* /bin/uname

* /usr/bin/lsusb

* /etc/sysctl.conf, /etc/sysctl.d/

* /sbin/sysctl

* udevmonitor

* udevadm monitor

* /etc/udev/

 
 

===''Topic 202: System Startup''===

====202.1 Customizing system startup (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to query and modify the behaviour of system services at various targets / run levels. A thorough understanding of the systemd, SysV Init and the Linux boot process is required. This objective includes interacting with systemd targets and SysV init run levels.
|}

'''Key Knowledge Areas:'''

* Systemd

* SysV init

* Linux Standard Base Specification (LSB)

'''The following is a partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

* /etc/inittab

* /etc/init.d/

* /etc/rc.d/

* chkconfig

* update-rc.d

* init and telinit

 

====202.2 System recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* NVMe booting

* GRUB version 2 and Legacy

* grub shell

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialisation and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''The following is a partial list of the used files, terms and utilities:'''

* mount

* fsck

* inittab, telinit and init with SysV init

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* efibootmgr

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====202.3 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE for both BIOS and UEFI

* Awareness of systemd-boot and U-Boot

'''The following is a partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 203: Filesystem and Devices''===

====203.1 Operating the Linux filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

* Understanding of systemd mount units

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

 

====203.2 Maintaining a Linux filesystem (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly maintain a Linux filesystem using system utilities. This objective includes manipulating standard filesystems and monitoring SMART devices.
|}

'''Key Knowledge Areas:'''

* Tools and utilities to manipulate and ext2, ext3 and ext4

* Tools and utilities to perform basic Btrfs operations, including subvolumes and snapshots

* Tools and utilities to manipulate XFS

* Awareness of ZFS

'''The following is a partial list of the used files, terms and utilities:'''

* mkfs (mkfs.*)

* mkswap

* fsck (fsck.*)

* tune2fs, dumpe2fs and debugfs

* btrfs, btrfs-convert

* xfs_info, xfs_check, xfs_repair, xfsdump and xfsrestore

* smartd, smartctl

 

====203.3 Creating and configuring filesystem options (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure automount filesystems using AutoFS. This objective includes configuring automount for network and device filesystems. Also included is creating filesystems for devices such as CD-ROMs and a basic feature knowledge of encrypted filesystems.
|}

'''Key Knowledge Areas:'''

* autofs configuration files

* Understanding of automount units

* UDF and ISO9660 tools and utilities

* Awareness of other CD-ROM filesystems (HFS)

* Awareness of CD-ROM filesystem extensions (Joliet, Rock Ridge, El Torito)

* Basic feature knowledge of data encryption (dm-crypt / LUKS)

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/auto.master

* /etc/auto.[dir]

* mkisofs

* cryptsetup

 
 

===''Topic 204: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

'''The following is a partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Adjusting Storage Device Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure kernel options to support various drives. This objective includes software tools to view & modify hard disk settings including iSCSI devices.
|}

'''Key Knowledge Areas:'''

* Tools and utilities to configure DMA for IDE devices including ATAPI and SATA

* Tools and utilities to configure Solid State Drives including AHCI and NVMe

* Tools and utilities to manipulate or analyse system resources (e.g. interrupts)

* Awareness of sdparm command and its uses

* Tools and utilities for iSCSI

* Awareness of SAN, including relevant protocols (AoE, FCoE)

'''The following is a partial list of the used files, terms and utilities:'''

* hdparm, sdparm

* nvme

* tune2fs

* fstrim

* sysctl

* /dev/hd*, /dev/sd*, /dev/nvme*

* iscsiadm, scsi_id, iscsid and iscsid.conf

* WWID, WWN, LUN numbers
 

====204.3 Logical Volume Manager (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''The following is a partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 
 

===''Topic 205: Networking Configuration''===

====205.1 Basic networking configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a network device to be able to connect to a local, wired or wireless, and a wide-area network. This objective includes being able to communicate between various subnets within a single network including both IPv4 and IPv6 networks.
|}

'''Key Knowledge Areas:'''

* Utilities to configure and manipulate ethernet network interfaces

* Configuring basic access to wireless networks

'''The following is a partial list of the used files, terms and utilities:'''

* ip

* ifconfig

* route

* arp

* iw

* iwconfig

* iwlist

 

====205.2 Advanced Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a network device to implement various network authentication schemes. This objective includes configuring a multi-homed network device and resolving communication problems.
|}

'''Key Knowledge Areas:'''

* Utilities to manipulate routing tables

* Utilities to configure and manipulate ethernet network interfaces

* Utilities to analyse the status of the network devices

* Utilities to monitor and analyse the TCP/IP traffic

'''The following is a partial list of the used files, terms and utilities:'''

* ip

* ifconfig

* route

* arp

* ss

* netstat

* lsof

* ping, ping6

* nc

* tcpdump

* nmap

 

====205.3 Troubleshooting network issues (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues, to include knowledge of locations for basic configuration files and commands.
|}

'''Key Knowledge Areas:'''

* Location and content of access restriction files

* Utilities to configure and manipulate ethernet network interfaces

* Utilities to manage routing tables

* Utilities to list network states.

* Utilities to gain information about the network configuration

* Methods of information about the recognised and used hardware devices

* System initialisation files and their contents (Systemd and SysV init)

* Awareness of NetworkManager and its impact on network configuration

'''The following is a partial list of the used files, terms and utilities:'''

* ip

* ifconfig

* route

* ss

* netstat

* /etc/network/, /etc/sysconfig/network-scripts/

* ping, ping6

* traceroute, traceroute6

* mtr

* hostname

* System log files such as /var/log/syslog, /var/log/messages and the systemd journal

* dmesg

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

* /etc/hosts.allow, /etc/hosts.deny

 
 

===''Topic 206: System Maintenance''===

====206.1 Make and install programs from source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''The following is a partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====206.2 Backup operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Knowledge about directories that have to be included in backups

* Awareness of network backup solutions such as Amanda, Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, CDR, disk or other backup media

* Perform partial and manual backups.

* Verify the integrity of backup files.

* Partially or fully restore backups.

'''The following is a partial list of the used files, terms and utilities:'''

* /bin/sh

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====206.3 Notify users on system-related issues (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to notify the users about current issues related to the system.
|}

'''Key Knowledge Areas:'''

* Automate communication with users through logon messages.

* Inform active users of system maintenance

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/issue

* /etc/issue.net

* /etc/motd

* wall

* shutdown

* systemctl

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS server configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq, djbdns and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* /var/named/

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and maintain DNS zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone and hints for root level servers. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* nslookup

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DNS server to run as a non-root user and run in a chroot jail. This objective includes secure exchange of data between DNS servers.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Configuring BIND to run in a chroot jail

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* /etc/passwd

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 Basic Apache configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache 2.4 configuration files, terms and utilities

* Apache log files configuration and content

* Access restriction methods and files

* mod_perl and PHP configuration

* Client user authentication files and utilities

* Configuration of maximum requests, minimum and maximum servers and clients

* Apache 2.4 virtual host implementation (with and without dedicated IP addresses)

* Using redirect statements in Apache's configuration files to customize file access

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* apachectl, apache2ctl

* httpd, apache2

 

====208.2 Apache configuration for HTTPS (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a web server to provide HTTPS.
|}

'''Key Knowledge Areas:'''

* SSL configuration files, tools and utilities

* Generate a server private key and CSR for a commercial CA

* Generate a self-signed Certificate

* Install the key and certificate, including intermediate CAs

* Configure Virtual Hosting using SNI

* Awareness of the issues with Virtual Hosting and use of SSL

* Security issues in SSL use, disable insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Apache2 configuration files

* /etc/ssl/, /etc/pki/

* openssl, CA.pl

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLCACertificateFile, SSLCACertificatePath

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

 

====208.3 Implementing Squid as a caching proxy (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.
|}

'''Key Knowledge Areas:'''

* Squid 3.x configuration files, terms and utilities

* Access restriction methods

* Client user authentication methods

* Layout and content of ACL in the Squid configuration files

'''The following is a partial list of the used files, terms and utilities:'''

* squid.conf

* acl

* http_access

 

====208.4 Implementing Nginx as a web server and a reverse proxy (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a reverse proxy server, Nginx. Basic configuration of Nginx as a HTTP server is included.
|}

'''Key Knowledge Areas:'''

* Nginx

* Reverse Proxy

* Basic Web Server

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/nginx/

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba Server Configuration (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 documentation

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-Level, Share-Level and AD security

'''The following is a partial list of the used files, terms and utilities:'''

* smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd, nmblookup

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

* /var/log/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 configuration files

* NFS tools and utilities

* Access restrictions to certain hosts and/or subnets

* Mount options on server and client

* TCP Wrappers

* Awareness of NFSv4

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* DHCP configuration files, terms and utilities

* Subnet and dynamically-allocated range setup

* Awareness of DHCPv6 and IPv6 Router Advertisements

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd.leases

* DHCP Log messages in syslog or systemd journal

* arp

* dhcpd

* radvd

* radvd.conf

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Configuring an OpenLDAP server (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls.
|}

'''Key Knowledge Areas:'''

* OpenLDAP

* Directory based configuration

* Access Control

* Distinguished Names

* Changetype Operations

* Schemas and Whitepages

* Directories

* Object IDs, Attributes and Classes

'''The following is a partial list of the used files, terms and utilities:'''

* slapd

* slapd-config

* LDIF

* slapadd

* slapcat

* slapindex

* /var/lib/ldap/

* loglevel

 
 

===''Topic 211: E-Mail Services''===

====211.1 Using e-mail servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an e-mail server, including the configuration of e-mail aliases, e-mail quotas and virtual e-mail domains. This objective includes configuring internal e-mail relays and monitoring e-mail servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Awareness of sendmail and exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* sendmail emulation layer commands

* /etc/aliases

* mail-related logs in /var/log/

 

====211.2 Managing E-Mail Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client e-mail management software to filter, sort and monitor incoming user e-mail.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

* Awareness of procmail

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure POP and IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP and POP3 configuration and administration

* Basic TLS configuration for Dovecot

* Awareness of Courier

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

 

====212.2 Managing FTP servers (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.
|}

'''Key Knowledge Areas:'''

* Configuration files, tools and utilities for Pure-FTPd and vsftpd

* Awareness of ProFTPd

* Understanding of passive vs. active FTP connections

'''The following is a partial list of the used files, terms and utilities:'''

* vsftpd.conf

* important Pure-FTPd command line options

 

====212.3 Secure shell (SSH) (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Managing and using server and client keys to login with and without password

* Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* Private and public key files

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol

 

====212.4 Security tasks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.
|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Locations and organisations that report security alerts as Bugtraq, CERT or other sources

* Tools and utilities to implement an intrusion detection system (IDS)

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* iptables

 

====212.5 OpenVPN (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* OpenVPN

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/openvpn/

* openvpn

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Extend the amount of NetworkManager covered, i.e. including the CLI

* lighttpd would have been too much coverage of web services. Perhaps reduce Apache next revision to make room.

* host level IDS (tripwire, AIDE, etc) to be covered in future LPIC-1.

* introduction (or more) to FreeIPA

* add coverage of mod_security and mod_evasive to Apache HTTP (maybe as a separate topic: Web Application Firewall)

* add coverage of a higher-level firewall package like firewalld or ufw

* Reconsider mod_perl

* Add firewall-cmd and /etc/firewalld/firewalld.conf related to firewalld to LPIC-2

* Awareness of firewalld

* Add nmcli and nmtui to LPIC-2

* Full coverage of IPv6 auto configuration

* Remove djbdns

* Advanced shell scripting (sed -e, set -x, set -o, pipefail, PIPESTATUS, declare)

* Filesystem quota (similar to the topic removed from LPIC-1)

* Understanding of consistency in backups, e.g. for databases

* Let's Encrypt for certification procurement

* 202.2: Reconsider NVMe booting

* 207.1: Consider dropping djbdns and consider unbound

* 207.1: /var/named/ is distro-specific

* 207.2: Remove creation of root.hints

* 207.2: Reconsider nslookup

* 207.3: Reconsider chroot

* 208.2: Remove CA.pl

* 208.2: Remove SNI specialties

* 208.2: Remove client certificate options

* 208.3: Reconsider the relevance of Squid

* 209.1: Remove Samba Share-Level security

* 209.1: Remove nmblookup

* 210.1: Remove arp

* 210.4: Aggregate Whitepages, schemas, classes etc.

* 212.2: Remove FTP

* 212.3: Remove Protocol

* 212.4: Remove bugtraq etc.

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V4.5

2023-03-28T17:33:58Z

GMatthewRice: /* 208.1 Basic Apache configuration (weight: 4) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, web cache/proxy, mail).
** Internet Server (web server and reverse proxy, FTP server).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are version 4.5.0. This version is to go live on February 13th, 2017.

This is also a [[LPIC-2_Summary_Version_4.0_To_4.5|summary and detailed information]] on the changes from version 4.0.x to 4.5.0 of the objectives.

The [[LPIC-2_Objectives_V4|version 4.0 of the LPIC-2 Objectives]] are still online.

 

==Addenda==

===''Version Update (February 13th, 2017)''===

* updated to version 4.5.0

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V4.5|English]]

* [[LPIC-2_Objectives_V4.5(ES)|Spanish]]

* [[LPIC-2_Objectives_V4.5(FR)|French]]

* [[LPIC-2_Objectives_V4.5(DE)|German]]

* [[LPIC-2_Objectives_V4.5(PT-BR)|Portuguese]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 

==Objectives: Exam 201==

===''Topic 200: Capacity Planning''===

====200.1 Measure and Troubleshoot Resource Usage (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource and network bandwidth, identify and troubleshoot resource problems.

|}

'''Key Knowledge Areas:'''

* Measure CPU usage.

* Measure memory usage.

* Measure disk I/O.

* Measure network I/O.

* Measure firewalling and routing throughput.

* Map client bandwidth usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

'''The following is a partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* processes blocked on I/O

* blocks in

* blocks out

 

====200.2 Predict Future Resource Needs (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to monitor resource usage to predict future resource needs.

|}

'''Key Knowledge Areas:'''

* Use monitoring and measurement tools to monitor IT infrastructure usage.

* Predict capacity break point of a configuration.

* Observe growth rate of capacity usage.

* Graph the trend of capacity usage.

* Awareness of monitoring solutions such as Icinga2, Nagios, collectd, MRTG and Cacti

'''The following is a partial list of the used files, terms and utilities:'''

* diagnose

* predict growth

* resource exhaustion

 
 

===''Topic 201: Linux Kernel''===

====201.1 Kernel components (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to utilise kernel components that are necessary to specific hardware, hardware drivers, system resources and requirements. This objective includes implementing different types of kernel images, understanding stable and longterm kernels and patches, as well as using kernel modules.
|}

'''Key Knowledge Areas:'''

* Kernel 2.6.x, 3.x and 4.x documentation

'''The following is a partial list of the used files, terms and utilities:'''

* /usr/src/linux/

* /usr/src/linux/Documentation/

* zImage

* bzImage

* xz compression

 

====201.2 Compiling a Linux kernel (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure a kernel to include or disable specific features of the Linux kernel as necessary. This objective includes compiling and recompiling the Linux kernel as needed, updating and noting changes in a new kernel, creating an initrd image and installing new kernels.
|}

'''Key Knowledge Areas:'''

* /usr/src/linux/

* Kernel Makefiles

* Kernel 2.6.x, 3.x and 4.x make targets

* Customize the current kernel configuration.

* Build a new kernel and appropriate kernel modules.

* Install a new kernel and any modules.

* Ensure that the boot manager can locate the new kernel and associated files.

* Module configuration files

* Use DKMS to compile kernel modules.

* Awareness of dracut

'''The following is a partial list of the used files, terms and utilities:'''

* mkinitrd

* mkinitramfs

* make

* make targets (all, config, xconfig, menuconfig, gconfig, oldconfig, mrproper, zImage, bzImage, modules, modules_install, rpm-pkg, binrpm-pkg, deb-pkg)

* gzip

* bzip2

* module tools

* /usr/src/linux/.config

* /lib/modules/kernel-version/

* depmod

* dkms

 

====201.3 Kernel runtime management and troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage and/or query a 2.6.x, 3.x or 4.x kernel and its loadable modules. Candidates should be able to identify and correct common boot and run time issues. Candidates should understand device detection and management using udev. This objective includes troubleshooting udev rules.
|}

'''Key Knowledge Areas:'''

* Use command-line utilities to get information about the currently running kernel and kernel modules.

* Manually load and unload kernel modules.

* Determine when modules can be unloaded.

* Determine what parameters a module accepts.

* Configure the system to load modules by names other than their file name.

* /proc filesystem

* Content of /, /boot/ , and /lib/modules/

* Tools and utilities to analyse information about the available hardware

* udev rules

'''The following is a partial list of the used files, terms and utilities:'''

* /lib/modules/kernel-version/modules.dep

* module configuration files in /etc/

* /proc/sys/kernel/

* /sbin/depmod

* /sbin/rmmod

* /sbin/modinfo

* /bin/dmesg

* /sbin/lspci

* /usr/bin/lsdev

* /sbin/lsmod

* /sbin/modprobe

* /sbin/insmod

* /bin/uname

* /usr/bin/lsusb

* /etc/sysctl.conf, /etc/sysctl.d/

* /sbin/sysctl

* udevmonitor

* udevadm monitor

* /etc/udev/

 
 

===''Topic 202: System Startup''===

====202.1 Customizing system startup (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to query and modify the behaviour of system services at various targets / run levels. A thorough understanding of the systemd, SysV Init and the Linux boot process is required. This objective includes interacting with systemd targets and SysV init run levels.
|}

'''Key Knowledge Areas:'''

* Systemd

* SysV init

* Linux Standard Base Specification (LSB)

'''The following is a partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

* /etc/inittab

* /etc/init.d/

* /etc/rc.d/

* chkconfig

* update-rc.d

* init and telinit

 

====202.2 System recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* NVMe booting

* GRUB version 2 and Legacy

* grub shell

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialisation and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''The following is a partial list of the used files, terms and utilities:'''

* mount

* fsck

* inittab, telinit and init with SysV init

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* efibootmgr

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====202.3 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE for both BIOS and UEFI

* Awareness of systemd-boot and U-Boot

'''The following is a partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 203: Filesystem and Devices''===

====203.1 Operating the Linux filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

* Understanding of systemd mount units

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

 

====203.2 Maintaining a Linux filesystem (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly maintain a Linux filesystem using system utilities. This objective includes manipulating standard filesystems and monitoring SMART devices.
|}

'''Key Knowledge Areas:'''

* Tools and utilities to manipulate and ext2, ext3 and ext4

* Tools and utilities to perform basic Btrfs operations, including subvolumes and snapshots

* Tools and utilities to manipulate XFS

* Awareness of ZFS

'''The following is a partial list of the used files, terms and utilities:'''

* mkfs (mkfs.*)

* mkswap

* fsck (fsck.*)

* tune2fs, dumpe2fs and debugfs

* btrfs, btrfs-convert

* xfs_info, xfs_check, xfs_repair, xfsdump and xfsrestore

* smartd, smartctl

 

====203.3 Creating and configuring filesystem options (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure automount filesystems using AutoFS. This objective includes configuring automount for network and device filesystems. Also included is creating filesystems for devices such as CD-ROMs and a basic feature knowledge of encrypted filesystems.
|}

'''Key Knowledge Areas:'''

* autofs configuration files

* Understanding of automount units

* UDF and ISO9660 tools and utilities

* Awareness of other CD-ROM filesystems (HFS)

* Awareness of CD-ROM filesystem extensions (Joliet, Rock Ridge, El Torito)

* Basic feature knowledge of data encryption (dm-crypt / LUKS)

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/auto.master

* /etc/auto.[dir]

* mkisofs

* cryptsetup

 
 

===''Topic 204: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

'''The following is a partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Adjusting Storage Device Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure kernel options to support various drives. This objective includes software tools to view & modify hard disk settings including iSCSI devices.
|}

'''Key Knowledge Areas:'''

* Tools and utilities to configure DMA for IDE devices including ATAPI and SATA

* Tools and utilities to configure Solid State Drives including AHCI and NVMe

* Tools and utilities to manipulate or analyse system resources (e.g. interrupts)

* Awareness of sdparm command and its uses

* Tools and utilities for iSCSI

* Awareness of SAN, including relevant protocols (AoE, FCoE)

'''The following is a partial list of the used files, terms and utilities:'''

* hdparm, sdparm

* nvme

* tune2fs

* fstrim

* sysctl

* /dev/hd*, /dev/sd*, /dev/nvme*

* iscsiadm, scsi_id, iscsid and iscsid.conf

* WWID, WWN, LUN numbers
 

====204.3 Logical Volume Manager (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''The following is a partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 
 

===''Topic 205: Networking Configuration''===

====205.1 Basic networking configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a network device to be able to connect to a local, wired or wireless, and a wide-area network. This objective includes being able to communicate between various subnets within a single network including both IPv4 and IPv6 networks.
|}

'''Key Knowledge Areas:'''

* Utilities to configure and manipulate ethernet network interfaces

* Configuring basic access to wireless networks

'''The following is a partial list of the used files, terms and utilities:'''

* ip

* ifconfig

* route

* arp

* iw

* iwconfig

* iwlist

 

====205.2 Advanced Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a network device to implement various network authentication schemes. This objective includes configuring a multi-homed network device and resolving communication problems.
|}

'''Key Knowledge Areas:'''

* Utilities to manipulate routing tables

* Utilities to configure and manipulate ethernet network interfaces

* Utilities to analyse the status of the network devices

* Utilities to monitor and analyse the TCP/IP traffic

'''The following is a partial list of the used files, terms and utilities:'''

* ip

* ifconfig

* route

* arp

* ss

* netstat

* lsof

* ping, ping6

* nc

* tcpdump

* nmap

 

====205.3 Troubleshooting network issues (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues, to include knowledge of locations for basic configuration files and commands.
|}

'''Key Knowledge Areas:'''

* Location and content of access restriction files

* Utilities to configure and manipulate ethernet network interfaces

* Utilities to manage routing tables

* Utilities to list network states.

* Utilities to gain information about the network configuration

* Methods of information about the recognised and used hardware devices

* System initialisation files and their contents (Systemd and SysV init)

* Awareness of NetworkManager and its impact on network configuration

'''The following is a partial list of the used files, terms and utilities:'''

* ip

* ifconfig

* route

* ss

* netstat

* /etc/network/, /etc/sysconfig/network-scripts/

* ping, ping6

* traceroute, traceroute6

* mtr

* hostname

* System log files such as /var/log/syslog, /var/log/messages and the systemd journal

* dmesg

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

* /etc/hosts.allow, /etc/hosts.deny

 
 

===''Topic 206: System Maintenance''===

====206.1 Make and install programs from source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''The following is a partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====206.2 Backup operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Knowledge about directories that have to be included in backups

* Awareness of network backup solutions such as Amanda, Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, CDR, disk or other backup media

* Perform partial and manual backups.

* Verify the integrity of backup files.

* Partially or fully restore backups.

'''The following is a partial list of the used files, terms and utilities:'''

* /bin/sh

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====206.3 Notify users on system-related issues (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to notify the users about current issues related to the system.
|}

'''Key Knowledge Areas:'''

* Automate communication with users through logon messages.

* Inform active users of system maintenance

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/issue

* /etc/issue.net

* /etc/motd

* wall

* shutdown

* systemctl

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS server configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq, djbdns and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* /var/named/

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and maintain DNS zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone and hints for root level servers. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* nslookup

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DNS server to run as a non-root user and run in a chroot jail. This objective includes secure exchange of data between DNS servers.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Configuring BIND to run in a chroot jail

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* /etc/passwd

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 Basic Apache configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.
|}

'''Key Knowledge Areas:'''

* Apache 2.4 configuration files, terms and utilities

* Apache log files configuration and content

* Access restriction methods and files

* mod_perl and PHP configuration

* Client user authentication files and utilities

* Configuration of maximum requests, minimum and maximum servers and clients

* Apache 2.4 virtual host implementation (with and without dedicated IP addresses)

* Using redirect statements in Apache's configuration files to customise file access

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* apachectl, apache2ctl

* httpd, apache2

 

====208.2 Apache configuration for HTTPS (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a web server to provide HTTPS.
|}

'''Key Knowledge Areas:'''

* SSL configuration files, tools and utilities

* Generate a server private key and CSR for a commercial CA

* Generate a self-signed Certificate

* Install the key and certificate, including intermediate CAs

* Configure Virtual Hosting using SNI

* Awareness of the issues with Virtual Hosting and use of SSL

* Security issues in SSL use, disable insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Apache2 configuration files

* /etc/ssl/, /etc/pki/

* openssl, CA.pl

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLCACertificateFile, SSLCACertificatePath

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

 

====208.3 Implementing Squid as a caching proxy (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.
|}

'''Key Knowledge Areas:'''

* Squid 3.x configuration files, terms and utilities

* Access restriction methods

* Client user authentication methods

* Layout and content of ACL in the Squid configuration files

'''The following is a partial list of the used files, terms and utilities:'''

* squid.conf

* acl

* http_access

 

====208.4 Implementing Nginx as a web server and a reverse proxy (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a reverse proxy server, Nginx. Basic configuration of Nginx as a HTTP server is included.
|}

'''Key Knowledge Areas:'''

* Nginx

* Reverse Proxy

* Basic Web Server

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/nginx/

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba Server Configuration (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 documentation

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-Level, Share-Level and AD security

'''The following is a partial list of the used files, terms and utilities:'''

* smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd, nmblookup

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

* /var/log/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 configuration files

* NFS tools and utilities

* Access restrictions to certain hosts and/or subnets

* Mount options on server and client

* TCP Wrappers

* Awareness of NFSv4

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* DHCP configuration files, terms and utilities

* Subnet and dynamically-allocated range setup

* Awareness of DHCPv6 and IPv6 Router Advertisements

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd.leases

* DHCP Log messages in syslog or systemd journal

* arp

* dhcpd

* radvd

* radvd.conf

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Configuring an OpenLDAP server (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls.
|}

'''Key Knowledge Areas:'''

* OpenLDAP

* Directory based configuration

* Access Control

* Distinguished Names

* Changetype Operations

* Schemas and Whitepages

* Directories

* Object IDs, Attributes and Classes

'''The following is a partial list of the used files, terms and utilities:'''

* slapd

* slapd-config

* LDIF

* slapadd

* slapcat

* slapindex

* /var/lib/ldap/

* loglevel

 
 

===''Topic 211: E-Mail Services''===

====211.1 Using e-mail servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an e-mail server, including the configuration of e-mail aliases, e-mail quotas and virtual e-mail domains. This objective includes configuring internal e-mail relays and monitoring e-mail servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Awareness of sendmail and exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* sendmail emulation layer commands

* /etc/aliases

* mail-related logs in /var/log/

 

====211.2 Managing E-Mail Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client e-mail management software to filter, sort and monitor incoming user e-mail.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

* Awareness of procmail

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure POP and IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP and POP3 configuration and administration

* Basic TLS configuration for Dovecot

* Awareness of Courier

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

 

====212.2 Managing FTP servers (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.
|}

'''Key Knowledge Areas:'''

* Configuration files, tools and utilities for Pure-FTPd and vsftpd

* Awareness of ProFTPd

* Understanding of passive vs. active FTP connections

'''The following is a partial list of the used files, terms and utilities:'''

* vsftpd.conf

* important Pure-FTPd command line options

 

====212.3 Secure shell (SSH) (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Managing and using server and client keys to login with and without password

* Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* Private and public key files

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol

 

====212.4 Security tasks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.
|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Locations and organisations that report security alerts as Bugtraq, CERT or other sources

* Tools and utilities to implement an intrusion detection system (IDS)

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* iptables

 

====212.5 OpenVPN (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* OpenVPN

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/openvpn/

* openvpn

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Extend the amount of NetworkManager covered, i.e. including the CLI

* lighttpd would have been too much coverage of web services. Perhaps reduce Apache next revision to make room.

* host level IDS (tripwire, AIDE, etc) to be covered in future LPIC-1.

* introduction (or more) to FreeIPA

* add coverage of mod_security and mod_evasive to Apache HTTP (maybe as a separate topic: Web Application Firewall)

* add coverage of a higher-level firewall package like firewalld or ufw

* Reconsider mod_perl

* Add firewall-cmd and /etc/firewalld/firewalld.conf related to firewalld to LPIC-2

* Awareness of firewalld

* Add nmcli and nmtui to LPIC-2

* Full coverage of IPv6 auto configuration

* Remove djbdns

* Advanced shell scripting (sed -e, set -x, set -o, pipefail, PIPESTATUS, declare)

* Filesystem quota (similar to the topic removed from LPIC-1)

* Understanding of consistency in backups, e.g. for databases

* Let's Encrypt for certification procurement

* 202.2: Reconsider NVMe booting

* 207.1: Consider dropping djbdns and consider unbound

* 207.1: /var/named/ is distro-specific

* 207.2: Remove creation of root.hints

* 207.2: Reconsider nslookup

* 207.3: Reconsider chroot

* 208.2: Remove CA.pl

* 208.2: Remove SNI specialties

* 208.2: Remove client certificate options

* 208.3: Reconsider the relevance of Squid

* 209.1: Remove Samba Share-Level security

* 209.1: Remove nmblookup

* 210.1: Remove arp

* 210.4: Aggregate Whitepages, schemas, classes etc.

* 212.2: Remove FTP

* 212.3: Remove Protocol

* 212.4: Remove bugtraq etc.

* Remove paths to commands and configuration files wherever possible

LPIC-2 Objectives V4.5

2023-03-28T17:33:32Z

GMatthewRice: /* 202.1 Customising system startup (weight: 3) */

__FORCETOC__
==Overview of Tasks==

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, [[LPIC-1_Objectives|LPIC-1]] must be obtained in order to receive the certification. Exams may be taken in any order but all
of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

* Administer a small to medium-sized site.
* Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
** LAN server (Samba, NFS, DNS, DHCP, client management).
** Internet Gateway (firewall, VPN, SSH, web cache/proxy, mail).
** Internet Server (web server and reverse proxy, FTP server).
* Supervise assistants.
* Advise management on automation and purchases.

 

==Exams==

In order to be certified [[LPIC-2]], the candidate must pass both the [[#Objectives: Exam 201|201]] and [[#Objectives: Exam 202|202]] exams and be a holder of an active [[LPIC-1]] certification.

* [[#Objectives: Exam 201|201]]
* [[#Objectives: Exam 202|202]]

 

==Version Information==

These objectives are version 4.5.0. This version is to go live on February 13th, 2017.

This is also a [[LPIC-2_Summary_Version_4.0_To_4.5|summary and detailed information]] on the changes from version 4.0.x to 4.5.0 of the objectives.

The [[LPIC-2_Objectives_V4|version 4.0 of the LPIC-2 Objectives]] are still online.

 

==Addenda==

===''Version Update (February 13th, 2017)''===

* updated to version 4.5.0

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[LPIC-2_Objectives_V4.5|English]]

* [[LPIC-2_Objectives_V4.5(ES)|Spanish]]

* [[LPIC-2_Objectives_V4.5(FR)|French]]

* [[LPIC-2_Objectives_V4.5(DE)|German]]

* [[LPIC-2_Objectives_V4.5(PT-BR)|Portuguese]]

If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]

 

==Objectives: Exam 201==

===''Topic 200: Capacity Planning''===

====200.1 Measure and Troubleshoot Resource Usage (weight: 6)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 6
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to measure hardware resource and network bandwidth, identify and troubleshoot resource problems.

|}

'''Key Knowledge Areas:'''

* Measure CPU usage.

* Measure memory usage.

* Measure disk I/O.

* Measure network I/O.

* Measure firewalling and routing throughput.

* Map client bandwidth usage.

* Match / correlate system symptoms with likely problems.

* Estimate throughput and identify bottlenecks in a system including networking.

'''The following is a partial list of the used files, terms and utilities:'''

* iostat

* iotop

* vmstat

* netstat

* ss

* iptraf

* pstree, ps

* w

* lsof

* top

* htop

* uptime

* sar

* swap

* processes blocked on I/O

* blocks in

* blocks out

 

====200.2 Predict Future Resource Needs (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

Candidates should be able to monitor resource usage to predict future resource needs.

|}

'''Key Knowledge Areas:'''

* Use monitoring and measurement tools to monitor IT infrastructure usage.

* Predict capacity break point of a configuration.

* Observe growth rate of capacity usage.

* Graph the trend of capacity usage.

* Awareness of monitoring solutions such as Icinga2, Nagios, collectd, MRTG and Cacti

'''The following is a partial list of the used files, terms and utilities:'''

* diagnose

* predict growth

* resource exhaustion

 
 

===''Topic 201: Linux Kernel''===

====201.1 Kernel components (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to utilise kernel components that are necessary to specific hardware, hardware drivers, system resources and requirements. This objective includes implementing different types of kernel images, understanding stable and longterm kernels and patches, as well as using kernel modules.
|}

'''Key Knowledge Areas:'''

* Kernel 2.6.x, 3.x and 4.x documentation

'''The following is a partial list of the used files, terms and utilities:'''

* /usr/src/linux/

* /usr/src/linux/Documentation/

* zImage

* bzImage

* xz compression

 

====201.2 Compiling a Linux kernel (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure a kernel to include or disable specific features of the Linux kernel as necessary. This objective includes compiling and recompiling the Linux kernel as needed, updating and noting changes in a new kernel, creating an initrd image and installing new kernels.
|}

'''Key Knowledge Areas:'''

* /usr/src/linux/

* Kernel Makefiles

* Kernel 2.6.x, 3.x and 4.x make targets

* Customize the current kernel configuration.

* Build a new kernel and appropriate kernel modules.

* Install a new kernel and any modules.

* Ensure that the boot manager can locate the new kernel and associated files.

* Module configuration files

* Use DKMS to compile kernel modules.

* Awareness of dracut

'''The following is a partial list of the used files, terms and utilities:'''

* mkinitrd

* mkinitramfs

* make

* make targets (all, config, xconfig, menuconfig, gconfig, oldconfig, mrproper, zImage, bzImage, modules, modules_install, rpm-pkg, binrpm-pkg, deb-pkg)

* gzip

* bzip2

* module tools

* /usr/src/linux/.config

* /lib/modules/kernel-version/

* depmod

* dkms

 

====201.3 Kernel runtime management and troubleshooting (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage and/or query a 2.6.x, 3.x or 4.x kernel and its loadable modules. Candidates should be able to identify and correct common boot and run time issues. Candidates should understand device detection and management using udev. This objective includes troubleshooting udev rules.
|}

'''Key Knowledge Areas:'''

* Use command-line utilities to get information about the currently running kernel and kernel modules.

* Manually load and unload kernel modules.

* Determine when modules can be unloaded.

* Determine what parameters a module accepts.

* Configure the system to load modules by names other than their file name.

* /proc filesystem

* Content of /, /boot/ , and /lib/modules/

* Tools and utilities to analyse information about the available hardware

* udev rules

'''The following is a partial list of the used files, terms and utilities:'''

* /lib/modules/kernel-version/modules.dep

* module configuration files in /etc/

* /proc/sys/kernel/

* /sbin/depmod

* /sbin/rmmod

* /sbin/modinfo

* /bin/dmesg

* /sbin/lspci

* /usr/bin/lsdev

* /sbin/lsmod

* /sbin/modprobe

* /sbin/insmod

* /bin/uname

* /usr/bin/lsusb

* /etc/sysctl.conf, /etc/sysctl.d/

* /sbin/sysctl

* udevmonitor

* udevadm monitor

* /etc/udev/

 
 

===''Topic 202: System Startup''===

====202.1 Customizing system startup (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to query and modify the behaviour of system services at various targets / run levels. A thorough understanding of the systemd, SysV Init and the Linux boot process is required. This objective includes interacting with systemd targets and SysV init run levels.
|}

'''Key Knowledge Areas:'''

* Systemd

* SysV init

* Linux Standard Base Specification (LSB)

'''The following is a partial list of the used files, terms and utilities:'''

* /usr/lib/systemd/

* /etc/systemd/

* /run/systemd/

* systemctl

* systemd-delta

* /etc/inittab

* /etc/init.d/

* /etc/rc.d/

* chkconfig

* update-rc.d

* init and telinit

 

====202.2 System recovery (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and GRUB Legacy are the bootloaders of interest. Both BIOS and UEFI systems are covered.
|}

'''Key Knowledge Areas:'''

* BIOS and UEFI

* NVMe booting

* GRUB version 2 and Legacy

* grub shell

* boot loader start and hand off to kernel

* kernel loading

* hardware initialisation and setup

* daemon/service initialisation and setup

* Know the different boot loader install locations on a hard disk or removable device.

* Overwrite standard boot loader options and using boot loader shells.

* Use systemd rescue and emergency modes.

'''The following is a partial list of the used files, terms and utilities:'''

* mount

* fsck

* inittab, telinit and init with SysV init

* The contents of /boot/, /boot/grub/ and /boot/efi/

* EFI System Partition (ESP)

* GRUB

* grub-install

* efibootmgr

* UEFI shell

* initrd, initramfs

* Master boot record

* systemctl

 

====202.3 Alternate Bootloaders (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
|}

'''Key Knowledge Areas:'''

* SYSLINUX, ISOLINUX, PXELINUX

* Understanding of PXE for both BIOS and UEFI

* Awareness of systemd-boot and U-Boot

'''The following is a partial list of the used files, terms and utilities:'''

* syslinux

* extlinux

* isolinux.bin

* isolinux.cfg

* isohdpfx.bin

* efiboot.img

* pxelinux.0

* pxelinux.cfg/

* uefi/shim.efi

* uefi/grubx64.efi

 
 

===''Topic 203: Filesystem and Devices''===

====203.1 Operating the Linux filesystem (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types.
|}

'''Key Knowledge Areas:'''

* The concept of the fstab configuration

* Tools and utilities for handling swap partitions and files

* Use of UUIDs for identifying and mounting file systems

* Understanding of systemd mount units

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/fstab

* /etc/mtab

* /proc/mounts

* mount and umount

* blkid

* sync

* swapon

* swapoff

 

====203.2 Maintaining a Linux filesystem (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to properly maintain a Linux filesystem using system utilities. This objective includes manipulating standard filesystems and monitoring SMART devices.
|}

'''Key Knowledge Areas:'''

* Tools and utilities to manipulate and ext2, ext3 and ext4

* Tools and utilities to perform basic Btrfs operations, including subvolumes and snapshots

* Tools and utilities to manipulate XFS

* Awareness of ZFS

'''The following is a partial list of the used files, terms and utilities:'''

* mkfs (mkfs.*)

* mkswap

* fsck (fsck.*)

* tune2fs, dumpe2fs and debugfs

* btrfs, btrfs-convert

* xfs_info, xfs_check, xfs_repair, xfsdump and xfsrestore

* smartd, smartctl

 

====203.3 Creating and configuring filesystem options (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure automount filesystems using AutoFS. This objective includes configuring automount for network and device filesystems. Also included is creating filesystems for devices such as CD-ROMs and a basic feature knowledge of encrypted filesystems.
|}

'''Key Knowledge Areas:'''

* autofs configuration files

* Understanding of automount units

* UDF and ISO9660 tools and utilities

* Awareness of other CD-ROM filesystems (HFS)

* Awareness of CD-ROM filesystem extensions (Joliet, Rock Ridge, El Torito)

* Basic feature knowledge of data encryption (dm-crypt / LUKS)

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/auto.master

* /etc/auto.[dir]

* mkisofs

* cryptsetup

 
 

===''Topic 204: Advanced Storage Device Administration''===

====204.1 Configuring RAID (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}

'''Key Knowledge Areas:'''

* Software RAID configuration files and utilities

'''The following is a partial list of the used files, terms and utilities:'''

* mdadm.conf

* mdadm

* /proc/mdstat

* partition type 0xFD

 

====204.2 Adjusting Storage Device Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure kernel options to support various drives. This objective includes software tools to view & modify hard disk settings including iSCSI devices.
|}

'''Key Knowledge Areas:'''

* Tools and utilities to configure DMA for IDE devices including ATAPI and SATA

* Tools and utilities to configure Solid State Drives including AHCI and NVMe

* Tools and utilities to manipulate or analyse system resources (e.g. interrupts)

* Awareness of sdparm command and its uses

* Tools and utilities for iSCSI

* Awareness of SAN, including relevant protocols (AoE, FCoE)

'''The following is a partial list of the used files, terms and utilities:'''

* hdparm, sdparm

* nvme

* tune2fs

* fstrim

* sysctl

* /dev/hd*, /dev/sd*, /dev/nvme*

* iscsiadm, scsi_id, iscsid and iscsid.conf

* WWID, WWN, LUN numbers
 

====204.3 Logical Volume Manager (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}

'''Key Knowledge Areas:'''

* Tools in the LVM suite

* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes

* Creating and maintaining snapshots

* Activating volume groups

'''The following is a partial list of the used files, terms and utilities:'''

* /sbin/pv*

* /sbin/lv*

* /sbin/vg*

* mount

* /dev/mapper/

* lvm.conf

 
 

===''Topic 205: Networking Configuration''===

====205.1 Basic networking configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a network device to be able to connect to a local, wired or wireless, and a wide-area network. This objective includes being able to communicate between various subnets within a single network including both IPv4 and IPv6 networks.
|}

'''Key Knowledge Areas:'''

* Utilities to configure and manipulate ethernet network interfaces

* Configuring basic access to wireless networks

'''The following is a partial list of the used files, terms and utilities:'''

* ip

* ifconfig

* route

* arp

* iw

* iwconfig

* iwlist

 

====205.2 Advanced Network Configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a network device to implement various network authentication schemes. This objective includes configuring a multi-homed network device and resolving communication problems.
|}

'''Key Knowledge Areas:'''

* Utilities to manipulate routing tables

* Utilities to configure and manipulate ethernet network interfaces

* Utilities to analyse the status of the network devices

* Utilities to monitor and analyse the TCP/IP traffic

'''The following is a partial list of the used files, terms and utilities:'''

* ip

* ifconfig

* route

* arp

* ss

* netstat

* lsof

* ping, ping6

* nc

* tcpdump

* nmap

 

====205.3 Troubleshooting network issues (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues, to include knowledge of locations for basic configuration files and commands.
|}

'''Key Knowledge Areas:'''

* Location and content of access restriction files

* Utilities to configure and manipulate ethernet network interfaces

* Utilities to manage routing tables

* Utilities to list network states.

* Utilities to gain information about the network configuration

* Methods of information about the recognised and used hardware devices

* System initialisation files and their contents (Systemd and SysV init)

* Awareness of NetworkManager and its impact on network configuration

'''The following is a partial list of the used files, terms and utilities:'''

* ip

* ifconfig

* route

* ss

* netstat

* /etc/network/, /etc/sysconfig/network-scripts/

* ping, ping6

* traceroute, traceroute6

* mtr

* hostname

* System log files such as /var/log/syslog, /var/log/messages and the systemd journal

* dmesg

* /etc/resolv.conf

* /etc/hosts

* /etc/hostname, /etc/HOSTNAME

* /etc/hosts.allow, /etc/hosts.deny

 
 

===''Topic 206: System Maintenance''===

====206.1 Make and install programs from source (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}

'''Key Knowledge Areas:'''

* Unpack source code using common compression and archive utilities.

* Understand basics of invoking make to compile programs.

* Apply parameters to a configure script.

* Know where sources are stored by default.

'''The following is a partial list of the used files, terms and utilities:'''

* /usr/src/

* gunzip

* gzip

* bzip2

* xz

* tar

* configure

* make

* uname

* install

* patch

 

====206.2 Backup operations (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}

'''Key Knowledge Areas:'''

* Knowledge about directories that have to be included in backups

* Awareness of network backup solutions such as Amanda, Bacula, Bareos and BackupPC

* Knowledge of the benefits and drawbacks of tapes, CDR, disk or other backup media

* Perform partial and manual backups.

* Verify the integrity of backup files.

* Partially or fully restore backups.

'''The following is a partial list of the used files, terms and utilities:'''

* /bin/sh

* dd

* tar

* /dev/st* and /dev/nst*

* mt

* rsync

 

====206.3 Notify users on system-related issues (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to notify the users about current issues related to the system.
|}

'''Key Knowledge Areas:'''

* Automate communication with users through logon messages.

* Inform active users of system maintenance

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/issue

* /etc/issue.net

* /etc/motd

* wall

* shutdown

* systemctl

 
 

==Objectives: Exam 202==

===''Topic 207: Domain Name Server''===

====207.1 Basic DNS server configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}

'''Key Knowledge Areas:'''

* BIND 9.x configuration files, terms and utilities

* Defining the location of the BIND zone files in BIND configuration files

* Reloading modified configuration and zone files

* Awareness of dnsmasq, djbdns and PowerDNS as alternate name servers

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* /var/named/

* rndc

* named-checkconf

* kill

* host

* dig

 

====207.2 Create and maintain DNS zones (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone and hints for root level servers. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files, terms and utilities

* Utilities to request information from the DNS server

* Layout, content and file location of the BIND zone files

* Various methods to add a new host in the zone files, including reverse zones

'''The following is a partial list of the used files, terms and utilities:'''

* /var/named/

* zone file syntax

* resource record formats

* named-checkzone

* named-compilezone

* masterfile-format

* dig

* nslookup

* host

 

====207.3 Securing a DNS server (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DNS server to run as a non-root user and run in a chroot jail. This objective includes secure exchange of data between DNS servers.
|}

'''Key Knowledge Areas:'''

* BIND 9 configuration files

* Configuring BIND to run in a chroot jail

* Split configuration of BIND using the forwarders statement

* Configuring and using transaction signatures (TSIG)

* Awareness of DNSSEC and basic tools

* Awareness of DANE and related records

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/named.conf

* /etc/passwd

* DNSSEC

* dnssec-keygen

* dnssec-signzone

 
 

===''Topic 208: HTTP Services''===

====208.1 Basic Apache configuration (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a web server. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customise file access.
|}

'''Key Knowledge Areas:'''

* Apache 2.4 configuration files, terms and utilities

* Apache log files configuration and content

* Access restriction methods and files

* mod_perl and PHP configuration

* Client user authentication files and utilities

* Configuration of maximum requests, minimum and maximum servers and clients

* Apache 2.4 virtual host implementation (with and without dedicated IP addresses)

* Using redirect statements in Apache's configuration files to customise file access

'''The following is a partial list of the used files, terms and utilities:'''

* access logs and error logs

* .htaccess

* httpd.conf

* mod_auth_basic, mod_authz_host and mod_access_compat

* htpasswd

* AuthUserFile, AuthGroupFile

* apachectl, apache2ctl

* httpd, apache2

 

====208.2 Apache configuration for HTTPS (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a web server to provide HTTPS.
|}

'''Key Knowledge Areas:'''

* SSL configuration files, tools and utilities

* Generate a server private key and CSR for a commercial CA

* Generate a self-signed Certificate

* Install the key and certificate, including intermediate CAs

* Configure Virtual Hosting using SNI

* Awareness of the issues with Virtual Hosting and use of SSL

* Security issues in SSL use, disable insecure protocols and ciphers

'''The following is a partial list of the used files, terms and utilities:'''

* Apache2 configuration files

* /etc/ssl/, /etc/pki/

* openssl, CA.pl

* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

* SSLCACertificateFile, SSLCACertificatePath

* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

 

====208.3 Implementing Squid as a caching proxy (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.
|}

'''Key Knowledge Areas:'''

* Squid 3.x configuration files, terms and utilities

* Access restriction methods

* Client user authentication methods

* Layout and content of ACL in the Squid configuration files

'''The following is a partial list of the used files, terms and utilities:'''

* squid.conf

* acl

* http_access

 

====208.4 Implementing Nginx as a web server and a reverse proxy (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure a reverse proxy server, Nginx. Basic configuration of Nginx as a HTTP server is included.
|}

'''Key Knowledge Areas:'''

* Nginx

* Reverse Proxy

* Basic Web Server

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/nginx/

* nginx

 
 

===''Topic 209: File Sharing''===

====209.1 Samba Server Configuration (weight: 5)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 5
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.
|}

'''Key Knowledge Areas:'''

* Samba 4 documentation

* Samba 4 configuration files

* Samba 4 tools and utilities and daemons

* Mounting CIFS shares on Linux

* Mapping Windows user names to Linux user names

* User-Level, Share-Level and AD security

'''The following is a partial list of the used files, terms and utilities:'''

* smbd, nmbd, winbindd

* smbcontrol, smbstatus, testparm, smbpasswd, nmblookup

* samba-tool

* net

* smbclient

* mount.cifs

* /etc/samba/

* /var/log/samba/

 

====209.2 NFS Server Configuration (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}

'''Key Knowledge Areas:'''

* NFS version 3 configuration files

* NFS tools and utilities

* Access restrictions to certain hosts and/or subnets

* Mount options on server and client

* TCP Wrappers

* Awareness of NFSv4

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/exports

* exportfs

* showmount

* nfsstat

* /proc/mounts

* /etc/fstab

* rpcinfo

* mountd

* portmapper

 
 

===''Topic 210: Network Client Management''===

====210.1 DHCP configuration (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}

'''Key Knowledge Areas:'''

* DHCP configuration files, terms and utilities

* Subnet and dynamically-allocated range setup

* Awareness of DHCPv6 and IPv6 Router Advertisements

'''The following is a partial list of the used files, terms and utilities:'''

* dhcpd.conf

* dhcpd.leases

* DHCP Log messages in syslog or systemd journal

* arp

* dhcpd

* radvd

* radvd.conf

 

====210.2 PAM authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
|}

'''Key Knowledge Areas:'''

* PAM configuration files, terms and utilities

* passwd and shadow passwords

* Use sssd for LDAP authentication

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/pam.d/

* pam.conf

* nsswitch.conf

* pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss

* sssd.conf

 

====210.3 LDAP client usage (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
|}

'''Key Knowledge Areas:'''

* LDAP utilities for data management and queries

* Change user passwords

* Querying the LDAP directory

'''The following is a partial list of the used files, terms and utilities:'''

* ldapsearch

* ldappasswd

* ldapadd

* ldapdelete

 

====210.4 Configuring an OpenLDAP server (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls.
|}

'''Key Knowledge Areas:'''

* OpenLDAP

* Directory based configuration

* Access Control

* Distinguished Names

* Changetype Operations

* Schemas and Whitepages

* Directories

* Object IDs, Attributes and Classes

'''The following is a partial list of the used files, terms and utilities:'''

* slapd

* slapd-config

* LDIF

* slapadd

* slapcat

* slapindex

* /var/lib/ldap/

* loglevel

 
 

===''Topic 211: E-Mail Services''===

====211.1 Using e-mail servers (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to manage an e-mail server, including the configuration of e-mail aliases, e-mail quotas and virtual e-mail domains. This objective includes configuring internal e-mail relays and monitoring e-mail servers.
|}

'''Key Knowledge Areas:'''

* Configuration files for postfix

* Basic TLS configuration for postfix

* Basic knowledge of the SMTP protocol

* Awareness of sendmail and exim

'''The following is a partial list of the used files, terms and utilities:'''

* Configuration files and commands for postfix

* /etc/postfix/

* /var/spool/postfix/

* sendmail emulation layer commands

* /etc/aliases

* mail-related logs in /var/log/

 

====211.2 Managing E-Mail Delivery (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to implement client e-mail management software to filter, sort and monitor incoming user e-mail.
|}

'''Key Knowledge Areas:'''

* Understanding of Sieve functionality, syntax and operators

* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

* Awareness of procmail

'''The following is a partial list of the used files, terms and utilities:'''

* Conditions and comparison operators

* keep, fileinto, redirect, reject, discard, stop

* Dovecot vacation extension

 

====211.3 Managing Mailbox Access (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to install and configure POP and IMAP daemons.
|}

'''Key Knowledge Areas:'''

* Dovecot IMAP and POP3 configuration and administration

* Basic TLS configuration for Dovecot

* Awareness of Courier

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/dovecot/

* dovecot.conf

* doveconf

* doveadm

 
 

===''Topic 212: System Security''===

====212.1 Configuring a router (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}

'''Key Knowledge Areas:'''

* iptables and ip6tables configuration files, tools and utilities

* Tools, commands and utilities to manage routing tables.

* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)

* Port redirection and IP forwarding

* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address

* Save and reload filtering configurations

'''The following is a partial list of the used files, terms and utilities:'''

* /proc/sys/net/ipv4/

* /proc/sys/net/ipv6/

* /etc/services

* iptables

* ip6tables

 

====212.2 Managing FTP servers (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.
|}

'''Key Knowledge Areas:'''

* Configuration files, tools and utilities for Pure-FTPd and vsftpd

* Awareness of ProFTPd

* Understanding of passive vs. active FTP connections

'''The following is a partial list of the used files, terms and utilities:'''

* vsftpd.conf

* important Pure-FTPd command line options

 

====212.3 Secure shell (SSH) (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}

'''Key Knowledge Areas:'''

* OpenSSH configuration files, tools and utilities

* Login restrictions for the superuser and the normal users

* Managing and using server and client keys to login with and without password

* Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes

'''The following is a partial list of the used files, terms and utilities:'''

* ssh

* sshd

* /etc/ssh/sshd_config

* /etc/ssh/

* Private and public key files

* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol

 

====212.4 Security tasks (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.
|}

'''Key Knowledge Areas:'''

* Tools and utilities to scan and test ports on a server

* Locations and organisations that report security alerts as Bugtraq, CERT or other sources

* Tools and utilities to implement an intrusion detection system (IDS)

* Awareness of OpenVAS and Snort

'''The following is a partial list of the used files, terms and utilities:'''

* telnet

* nmap

* fail2ban

* nc

* iptables

 

====212.5 OpenVPN (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''

| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}

'''Key Knowledge Areas:'''

* OpenVPN

'''The following is a partial list of the used files, terms and utilities:'''

* /etc/openvpn/

* openvpn

 
 

==Future Change Considerations==

Future changes to the objective will/may include:

* Extend the amount of NetworkManager covered, i.e. including the CLI

* lighttpd would have been too much coverage of web services. Perhaps reduce Apache next revision to make room.

* host level IDS (tripwire, AIDE, etc) to be covered in future LPIC-1.

* introduction (or more) to FreeIPA

* add coverage of mod_security and mod_evasive to Apache HTTP (maybe as a separate topic: Web Application Firewall)

* add coverage of a higher-level firewall package like firewalld or ufw

* Reconsider mod_perl

* Add firewall-cmd and /etc/firewalld/firewalld.conf related to firewalld to LPIC-2

* Awareness of firewalld

* Add nmcli and nmtui to LPIC-2

* Full coverage of IPv6 auto configuration

* Remove djbdns

* Advanced shell scripting (sed -e, set -x, set -o, pipefail, PIPESTATUS, declare)

* Filesystem quota (similar to the topic removed from LPIC-1)

* Understanding of consistency in backups, e.g. for databases

* Let's Encrypt for certification procurement

* 202.2: Reconsider NVMe booting

* 207.1: Consider dropping djbdns and consider unbound

* 207.1: /var/named/ is distro-specific

* 207.2: Remove creation of root.hints

* 207.2: Reconsider nslookup

* 207.3: Reconsider chroot

* 208.2: Remove CA.pl

* 208.2: Remove SNI specialties

* 208.2: Remove client certificate options

* 208.3: Reconsider the relevance of Squid

* 209.1: Remove Samba Share-Level security

* 209.1: Remove nmblookup

* 210.1: Remove arp

* 210.4: Aggregate Whitepages, schemas, classes etc.

* 212.2: Remove FTP

* 212.3: Remove Protocol

* 212.4: Remove bugtraq etc.

* Remove paths to commands and configuration files wherever possible

Security Essentials Objectives V1.0

2022-11-15T21:32:30Z

GMatthewRice:

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the common security threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of IT security

* Understanding of common security goals

* Understanding of common roles in security

* Understanding of common goals of attacks against IT systems and devices

* Understanding of the concept of attribution and related issues

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand how to find and interpret relevant security information. This includes understanding the risk of a security vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understanding of security incident classification schema and important types of security vulnerabilities

* Understanding of the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand how to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common security threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common security threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi-factor authentication, and single sign-on, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (e.g. length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multi-factor authentication (MFA), including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understanding of how passwords are stored in online services

* Understanding of common attacks against passwords

* Monitoring personal accounts for password leaks (e.g. search engine alerts for usernames and password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand how to keep confidential information secret and ensure the confidentiality of digital communication. This includes recognizing attempts of phishing and social engineering, as well as using secure means of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam, email spam filtering

* Non-disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common security threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling, and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding personal information (e.g. GDPR)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting, user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T21:26:18Z

GMatthewRice: /* 025.2 Information Confidentiality and Secure Communication (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of IT security

* Understanding of common security goals

* Understanding of common roles in security

* Understanding of common goals of security attacks

* Understanding of the concept of attribution and related issues

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understanding of security incident classification schema and important types of security vulnerabilities

* Understanding of the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand how to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi-factor authentication, and single sign-on, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (e.g. length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multi-factor authentication (MFA), including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understanding of how passwords are stored in online services

* Understanding of common attacks against passwords

* Monitoring personal accounts for password leaks (e.g. search engine alerts for usernames and password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand how to keep confidential information secret and ensure the confidentiality of digital communication. This includes recognizing attempts of phishing and social engineering, as well as using secure means of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam, email spam filtering

* Non-disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling, and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding personal information (e.g. GDPR)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting, user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T21:25:56Z

GMatthewRice: /* 023.4 Data Availability (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of IT security

* Understanding of common security goals

* Understanding of common roles in security

* Understanding of common goals of security attacks

* Understanding of the concept of attribution and related issues

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understanding of security incident classification schema and important types of security vulnerabilities

* Understanding of the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand how to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi-factor authentication, and single sign-on, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (e.g. length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multi-factor authentication (MFA), including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understanding of how passwords are stored in online services

* Understanding of common attacks against passwords

* Monitoring personal accounts for password leaks (e.g. search engine alerts for usernames and password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and ensure the confidentiality of digital communication. This includes recognizing attempts of phishing and social engineering, as well as using secure means of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam, email spam filtering

* Non-disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling, and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding personal information (e.g. GDPR)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting, user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T21:25:26Z

GMatthewRice: /* 021.2 Risk Assessment and Management (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of IT security

* Understanding of common security goals

* Understanding of common roles in security

* Understanding of common goals of security attacks

* Understanding of the concept of attribution and related issues

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understanding of security incident classification schema and important types of security vulnerabilities

* Understanding of the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi-factor authentication, and single sign-on, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (e.g. length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multi-factor authentication (MFA), including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understanding of how passwords are stored in online services

* Understanding of common attacks against passwords

* Monitoring personal accounts for password leaks (e.g. search engine alerts for usernames and password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and ensure the confidentiality of digital communication. This includes recognizing attempts of phishing and social engineering, as well as using secure means of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam, email spam filtering

* Non-disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling, and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding personal information (e.g. GDPR)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting, user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T21:24:09Z

GMatthewRice:

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of IT security

* Understanding of common security goals

* Understanding of common roles in security

* Understanding of common goals of security attacks

* Understanding of the concept of attribution and related issues

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understanding of security incident classification schema and important types of security vulnerabilities

* Understanding of the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi-factor authentication, and single sign-on, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (e.g. length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multi-factor authentication (MFA), including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understanding of how passwords are stored in online services

* Understanding of common attacks against passwords

* Monitoring personal accounts for password leaks (e.g. search engine alerts for usernames and password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and ensure the confidentiality of digital communication. This includes recognizing attempts of phishing and social engineering, as well as using secure means of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam, email spam filtering

* Non-disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling, and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding personal information (e.g. GDPR)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting, user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T21:22:35Z

GMatthewRice: /* 021.1 Goals, Roles and Actors (weight: 1) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

* Understand the concept of attribution and related issues

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi-factor authentication, and single sign-on, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (e.g. length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multi-factor authentication (MFA), including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring personal accounts for password leaks (e.g. search engine alerts for usernames and password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and ensure the confidentiality of digital communication. This includes recognizing attempts of phishing and social engineering, as well as using secure means of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam, email spam filtering

* Non-disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling, and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding personal information (e.g. GDPR)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting, user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T21:17:22Z

GMatthewRice: /* 025.3 Privacy Protection (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi-factor authentication, and single sign-on, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (e.g. length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multi-factor authentication (MFA), including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring personal accounts for password leaks (e.g. search engine alerts for usernames and password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and ensure the confidentiality of digital communication. This includes recognizing attempts of phishing and social engineering, as well as using secure means of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam, email spam filtering

* Non-disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling, and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding personal information (e.g. GDPR)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting, user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T21:14:31Z

GMatthewRice: /* 025.2 Information Confidentiality and Secure Communication (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi-factor authentication, and single sign-on, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (e.g. length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multi-factor authentication (MFA), including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring personal accounts for password leaks (e.g. search engine alerts for usernames and password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and ensure the confidentiality of digital communication. This includes recognizing attempts of phishing and social engineering, as well as using secure means of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam, email spam filtering

* Non-disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T21:10:47Z

GMatthewRice: /* 025.1 Identity and Authentication (weight: 3) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi-factor authentication, and single sign-on, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (e.g. length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multi-factor authentication (MFA), including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring personal accounts for password leaks (e.g. search engine alerts for usernames and password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two-factor authentication (2FA) and multi-factor authentication (MFA)

* One-time passwords (OTP), time-based one-time passwords (TOTP)

* Authenticator applications

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

* Non disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T21:03:13Z

GMatthewRice: /* 024.3 Network Encryption and Anonymity (weight: 3) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand recognition and anonymity concepts when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of cryptocurrencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPNs)

* End-to-end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

* Non disclosure agreements (NDA)

* Information classification

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:55:06Z

GMatthewRice: /* 024.2 Network and Internet Security (weight: 3) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:54:10Z

GMatthewRice: /* 024.1 Networks, Network Services and the Internet (weight: 4) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward DNS, reverse DNS

* Cloud computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:51:35Z

GMatthewRice: /* 023.4 Data Availability (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access, and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:47:57Z

GMatthewRice: /* 023.2 Application Security (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates, and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems, and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:44:52Z

GMatthewRice: /* 023.1 Hardware Security (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (e.g. light bulbs, thermostats, TVs)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:43:32Z

GMatthewRice: /* 023.1 Hardware Security (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections, and security aspects

* Understanding of Bluetooth devices types, connections, and security aspects

* Understanding of RFID devices types, connections, and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, IoT devices (light bulbs, thermostats, TVs, …)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:38:47Z

GMatthewRice: /* 022.4 Data Storage Encryption (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud services

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections and security aspects

* Understanding of Bluetooth devices types, connections and security aspects

* Understanding of RFID devices types, connections and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, and IoT devices (light bulbs, thermostats, TVs, …)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:37:54Z

GMatthewRice: /* 022.3 Email Encryption (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys, key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud service

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections and security aspects

* Understanding of Bluetooth devices types, connections and security aspects

* Understanding of RFID devices types, connections and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, and IoT devices (light bulbs, thermostats, TVs, …)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:32:29Z

GMatthewRice: /* 022.1 Cryptography and Public Key Infrastructure (weight: 3) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys and key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud service

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections and security aspects

* Understanding of Bluetooth devices types, connections and security aspects

* Understanding of RFID devices types, connections and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, and IoT devices (light bulbs, thermostats, TVs, …)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:30:56Z

GMatthewRice:

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms, and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms, and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms, and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms, and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, and Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms, and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms, and utilities:'''

* GnuPGP, GPG keys and key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud service

'''Partial list of used files, terms, and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections and security aspects

* Understanding of Bluetooth devices types, connections and security aspects

* Understanding of RFID devices types, connections and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms, and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, and IoT devices (light bulbs, thermostats, TVs, …)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms, and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms, and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms, and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms, and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms, and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms, and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms, and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms, and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms, and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:28:23Z

GMatthewRice:

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the concepts of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common concepts in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of symmetric, asymmetric, and hybrid cryptography

* Understanding of the concept of Perfect Forward Secrecy

* Understanding of the concepts of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the concepts of Public Key Infrastructures (PKI), Certificate Authorities, and Trusted Root-CAs

* Understanding of the concepts X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, and Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms and utilities:'''

* GnuPGP, GPG keys and key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of data, file, and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the core features of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud service

'''Partial list of used files, terms and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections and security aspects

* Understanding of Bluetooth devices types, connections and security aspects

* Understanding of RFID devices types, connections and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, and IoT devices (light bulbs, thermostats, TVs, …)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the various types of malware. This includes understanding of how they are installed on a device, what effects they cause, and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the concepts of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration, and address books copies

'''Partial list of used files, terms and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera, microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing, and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the concepts of IP networks and the Internet

* Understanding of the concepts of routing and Internet Service Providers (ISPs)

* Understanding of the concepts of MAC and link-layer addresses, IP addresses, TCP and UDP ports, and DNS

* Understanding of the concepts of cloud computing

'''Partial list of used files, terms and utilities:'''

* Wired networks, WiFi networks, cellular networks

* Switches, Routers, Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the concepts of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the concepts of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the concepts of proxy servers

* Understanding of the concepts of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the concepts of digital identities.

* Understanding of the concepts of authentication, authorization, and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the concepts of security questions and account recovery tools

* Understanding of the concepts of multifactor factor authentication, including common factors

* Understanding of the concepts of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the concepts of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:18:02Z

GMatthewRice: /* 022.2 Web Encryption (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the principles of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common principles in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the principles of symmetric, asymmetric, and hybrid cryptography

* Understanding of the principle of Perfect Forward Secrecy

* Understanding of the principles of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the principles of Public Key Infrastructures (PKI), Certificate Authorities and Trusted Root-CAs

* Understanding of the principles X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, and Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms and utilities:'''

* HTTPS, TLS, SSL

* X.509 certificate fields: subject, Validity, subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms and utilities:'''

* GnuPGP, GPG keys and key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principles of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the principles of data, file and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the principle of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud service

'''Partial list of used files, terms and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections and security aspects

* Understanding of Bluetooth devices types, connections and security aspects

* Understanding of RFID devices types, connections and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, and IoT devices (light bulbs, thermostats, TVs, …)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of various types of malware. This includes understanding of how they are installed on a device, what effects they cause and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the principle of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration and address books copies

'''Partial list of used files, terms and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera and microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principles of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the principles of IP networks and the Internet

* Understanding of the principles of routing and Internet Service Providers (ISPs)

* Understanding of the principles of MAC and link-layer addresses, IP addresses, TCP and UDP ports and DNS

* Understanding of the principle of cloud computing

'''Partial list of used files, terms and utilities:'''

* Wired networks, WiFi networks and cellular networks

* Switches, Routers and Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the principle of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the principles of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the principle of proxy servers

* Understanding of the principles of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the principle digital identities.

* Understanding of the principles of authentication, authorization and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the principle of security questions and account recovery tools

* Understanding of the principle of multifactor factor authentication, including common factors

* Understanding of the principle of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the principles of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:17:28Z

GMatthewRice: /* 022.2 Web Encryption (weight: 2) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the principles of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common principles in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the principles of symmetric, asymmetric, and hybrid cryptography

* Understanding of the principle of Perfect Forward Secrecy

* Understanding of the principles of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the principles of Public Key Infrastructures (PKI), Certificate Authorities and Trusted Root-CAs

* Understanding of the principles X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, and Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the concepts of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the concepts of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms and utilities:'''

* HTTPS, TLS and SSL

* X.509 certificate fields: subject, Validity, and subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms and utilities:'''

* GnuPGP, GPG keys and key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principles of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the principles of data, file and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the principle of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud service

'''Partial list of used files, terms and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections and security aspects

* Understanding of Bluetooth devices types, connections and security aspects

* Understanding of RFID devices types, connections and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, and IoT devices (light bulbs, thermostats, TVs, …)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of various types of malware. This includes understanding of how they are installed on a device, what effects they cause and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the principle of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration and address books copies

'''Partial list of used files, terms and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera and microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principles of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the principles of IP networks and the Internet

* Understanding of the principles of routing and Internet Service Providers (ISPs)

* Understanding of the principles of MAC and link-layer addresses, IP addresses, TCP and UDP ports and DNS

* Understanding of the principle of cloud computing

'''Partial list of used files, terms and utilities:'''

* Wired networks, WiFi networks and cellular networks

* Switches, Routers and Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the principle of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the principles of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the principle of proxy servers

* Understanding of the principles of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the principle digital identities.

* Understanding of the principles of authentication, authorization and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the principle of security questions and account recovery tools

* Understanding of the principle of multifactor factor authentication, including common factors

* Understanding of the principle of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the principles of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media

Security Essentials Objectives V1.0

2022-11-15T20:16:12Z

GMatthewRice: /* 022.1 Cryptography and Public Key Infrastructure (weight: 3) */

__FORCETOC__
==Introduction==

This certificate covers a basic knowledge of IT security. The focus is the digital self-defense for an individual user. This includes a general understanding of the main threats against individual computing systems, networks, services and identity as well as approaches to prevent and mitigate them.

 

==Candidate Description==

===The Minimally Qualified Candidate===

The candidate has a basic understanding of common security threats of using computers, networks, connected devices, and IT services on premises and in the cloud. The candidate understands common ways to prevent and mitigate attacks against their personal devices and data. Furthermore, the candidate is able to use encryption to secure data transferred through a network and stored on storage devices and in the cloud. The candidate is able to apply common security best practices, protect private information, and secure their identity. The candidate is able to securely use IT services and to take responsibility for securing their personal computing devices, applications, accounts, and online profiles.

 

==Version Information==

These objectives are '''A DRAFT FOR''' version 1.0.0.

 

==Translations of Objectives==

The following translations of the objectives are available on this wiki:

* [[SecurityEssentials Objectives V1.0|English]]
* [[SecurityEssentials Objectives V1.0(PT-BR)|Brazilian Portuguese]]
* [[SecurityEssentials Objectives V1.0(ZH)|Chinese (Simplified)]]
* [[SecurityEssentials Objectives V1.0(ZH-TW)|Chinese (Traditional)]]
* [[SecurityEssentials Objectives V1.0(NL)|Dutch]]
* [[SecurityEssentials Objectives V1.0(FR)|French]]
* [[SecurityEssentials Objectives V1.0(DE)|German]]
* [[SecurityEssentials Objectives V1.0(IT)|Italian]]
* [[SecurityEssentials Objectives V1.0(JA)|Japanese]]
* [[SecurityEssentials Objectives V1.0(ES)|Spanish]]

 

==Objectives==

===''021 Security Concepts''===

====021.1 Goals, Roles and Actors (weight: 1)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 1
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of IT security. This includes understanding of essential security goals as well as understanding various actors and roles in the field of IT security.

|}

'''Key Knowledge Areas:'''

* Understand the importance of IT security

* Understand common security goals

* Understand common roles in security

* Understand common goals of security attacks

'''Partial list of the used files, terms and utilities:'''

* Confidentiality, integrity, availability, non-repudiation

* Hackers, crackers, script kiddies

* Black hat and white hat hackers

* Accessing, manipulating or deleting data

* Interrupting services, extorting ransom

* Industrial espionage

 

====021.2 Risk Assessment and Management (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should know how to find and interpret relevant security information. This includes understanding the risk of a vulnerability and determining the need and urgency for a reaction.

|}

'''Key Knowledge Areas:'''

* Know common sources for security information

* Understand security incident classification schema and important types of security vulnerabilities

* Understand the principles of security assessments and IT forensics

* Awareness of Information Security Management Systems (ISMS) and Information Security Incident Response Plans and Teams

'''Partial list of the used files, terms and utilities:'''

* Common Vulnerabilities and Exposures (CVE)

* CVE ID

* Computer Emergency Response Team (CERT)

* Penetration testing

* Untargeted security attacks and Advanced Persistent Threats (APT)

* Zero-day security vulnerabilities

* Remote execution and explication of security vulnerabilities

* Privilege escalation due to security vulnerabilities

 

====021.3 Ethical Behavior (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the technical, financial, and legal implications of their behavior when using digital infrastructure. This includes understanding the potential harm caused by using security tools. Furthermore, the candidate should understand common principles in copyright and privacy laws.

|}

'''Key Knowledge Areas:'''

* Understanding the implications for others of actions taken related to security

* Handling information about security vulnerabilities responsibly

* Handling confidential information responsibly

* Awareness of personal, financial, ecological, and social implication of errors and outages in information technology services

* Awareness of legal implications of security scans, assessments, and attacks

'''Partial list of the used files, terms and utilities:'''

* Responsible Disclosure and Full Disclosure

* Bug Bounty programs

* Public and private law

* Penal law, privacy law, copyright law

* Liability, financial compensation claims

 

===''022 Encryption''===

====022.1 Cryptography and Public Key Infrastructure (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of symmetric and asymmetric encryption as well as other types of commonly used cryptographic algorithms. Furthermore, the candidate should understand how digital certificates are used to associate cryptographic keys with individual persons and organizations.

|}

'''Key Knowledge Areas:'''

* Understanding of the principles of symmetric, asymmetric, and hybrid cryptography

* Understanding of the principle of Perfect Forward Secrecy

* Understanding of the principles of hash functions, ciphers, and key exchange algorithms

* Understanding of the differences between end-to-end encryption and transport encryption

* Understanding of the principles of Public Key Infrastructures (PKI), Certificate Authorities and Trusted Root-CAs

* Understanding of the principles X.509 certificates

* Understanding of how X.509 certificates are requested and issued

* Awareness of certificate revocation

* Awareness of Let’s Encrypt

* Awareness of important cryptographic algorithms

'''Partial list of the used files, terms and utilities:'''

* Public Key Infrastructures (PKI)

* Certificate Authorities

* Trusted Root-CAs

* Certificate Signing Requests (CSR) and certificates

* X.509 certificate fields: Subject, Issuer, Validity

* RSA, AES, MD5, SHA-256, Diffie–Hellman key exchange, and Elliptic Curve Cryptography

 

====022.2 Web Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of HTTPS. This includes verifying the identity of web servers and understanding common browser error messages related to security.

|}

'''Key Knowledge Areas:'''

* Understanding of the major differences between plain text protocols and transport encryption

* Understanding of the principle of HTTPS

* Understanding of important fields in X.509 certificates for the use with HTTPS

* Understanding of how X.509 certificates are associated with a specific web site

* Understanding of the validity checks web browsers perform on X.509 certificates

* Determining whether or not a website is encrypted, including common browser messages

'''Partial list of the used files, terms and utilities:'''

* HTTPS, TLS and SSL

* X.509 certificate fields: subject, Validity and subjectAltName

 

====022.3 Email Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of OpenPGP and S/MIME for email encryption. This includes handling OpenPGP keys and S/MIME certificates as well as sending and receiving encrypted emails.

|}

'''Key Knowledge Areas:'''

* Understanding of email encryption and email signatures

* Understanding of OpenPGP

* Understanding of S/MIME

* Understanding of the role of OpenPGP key servers

* Understanding of the role of certificates for S/MIME

* Understanding of how PGP keys and S/MIME certificates are associated with an email address

* Using Mozilla Thunderbird to send and receive encrypted email using OpenPGP and S/MIME

'''Partial list of the used files, terms and utilities:'''

* GnuPGP, GPG keys and key servers

* S/MIME and S/MIME certificates

 

====022.4 Data Storage Encryption (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principles of file encryption and storage device encryption. Furthermore, the candidate should be able to encrypt data stored on local storage devices and in the cloud.

|}

'''Key Knowledge Areas:'''

* Understanding of the principles of data, file and storage device encryption

* Using VeraCrypt to store data in an encrypted container or an encrypted storage devices

* Understanding the principle of BitLocker

* Using Cryptomator to encrypt files stored in file storage cloud service

'''Partial list of used files, terms and utilities:'''

* VeraCrypt

* BitLocker

* Cryptomator

 

===''023 Node, Device and Storage Security''===

====023.1 Hardware Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand security aspects of hardware. This includes understanding the various types of computer devices as well as their major components. Furthermore, the candidate should understand the security implications of various devices that interact with a computer as well as the security implications of physical access to a device.

|}

'''Key Knowledge Areas:'''

* Understanding of the major components of a computer

* Understanding of the smart devices and the Internet of Things (IoT)

* Understanding of the security implications of physical access to a computer

* Understanding of USB devices devices types, connections and security aspects

* Understanding of Bluetooth devices types, connections and security aspects

* Understanding of RFID devices types, connections and security aspects

* Awareness of Trusted Computing

'''Partial list of used files, terms and utilities:'''

* Processors, memory, storage, network adapters

* Tablets, smartphones, smart tvs, routers, printers smart home, alarm, and IoT devices (light bulbs, thermostats, TVs, …)

* USB

* Bluetooth

* RFID

 

====023.2 Application Security (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the security aspects of software. This includes securely installing software, managing software updates and protecting software from unintended network connections.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of software

* Understanding of various sources for applications and ways to securely procure and install software

* Understanding of updates for firmware, operating systems and applications

* Understanding of sources for mobile applications

* Understanding of common security vulnerabilities in software

* Understanding of the concepts of local protective software

'''Partial list of used files, terms and utilities:'''

* Firmware, operating systems, applications

* App stores

* Local packet filters, endpoint firewalls, application layer firewalls

* Buffer overflows, SQL injections

 

====023.3 Malware (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of various types of malware. This includes understanding of how they are installed on a device, what effects they cause and how to protect against malware.

|}

'''Key Knowledge Areas:'''

* Understanding of common types of malware

* Understanding of the principle of rootkit and remote access

* Understanding of virus and malware scanners

* Awareness of the risk of malware used for spying, data exfiltration and address books copies

'''Partial list of used files, terms and utilities:'''

* Viruses, ransomware, trojan malware, adware, cryptominers

* Backdoors and remote access

* File copying, keylogging, camera and microphone hijacking

 

====023.4 Data Availability (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to ensure the availability of their data. This includes storing data on appropriate devices and services as well as creating backups.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of backups

* Understanding of common backup types and strategies

* Understanding of the security implications of backups

* Creating and securely storing backups

* Understanding of data storage, access and sharing in cloud services

* Understanding of the security implications of cloud storage and shared access in the cloud

* Awareness of the dependence on Internet connection and the synchronization of data between cloud services and local storage

'''Partial list of used files, terms and utilities'''

* Full, differential and incremental backups

* Backup retention

* File sharing cloud services

 

===''024 Network and Service Security''===

====024.1 Networks, Network Services and the Internet (weight: 4)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principles of computer networks and the Internet. This includes basic knowledge of various network media types, addressing, routing and packet forwarding as well as understanding of the most important protocols used in the Internet.

|}

'''Key Knowledge Areas:'''

* Understanding of the various types of network media and network devices

* Understanding of the principles of IP networks and the Internet

* Understanding of the principles of routing and Internet Service Providers (ISPs)

* Understanding of the principles of MAC and link-layer addresses, IP addresses, TCP and UDP ports and DNS

* Understanding of the principle of cloud computing

'''Partial list of used files, terms and utilities:'''

* Wired networks, WiFi networks and cellular networks

* Switches, Routers and Access Points

* Default Router

* Internet Service Provider

* IPv4, IPv6

* TCP, UDP, ICMP, DHCP

* DNS, DNS host names, forward and reverse DNS

* Cloud Computing

* Infrastructure as a Service (IaaS)

* Platform as a Service (PaaS)

* Software as a Service (SaaS)

 

====024.2 Network and Internet Security (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common security aspects of using networks and the Internet. This includes understanding of common threats against networks and networked computers, approaches for mitigation, as well as the ability to securely connect to a wired or wireless network.

|}

'''Key Knowledge Areas:'''

* Understanding of the implications of media / link layer access

* Understanding of the risks and secure use of WiFi networks

* Understanding of the principle of traffic interception

* Understanding of common threats in the Internet along with approaches of mitigation

'''Partial list of the used files, terms and utilities:'''

* Link layer

* Unencrypted and public WiFi

* WiFi security and encryption

* WEP, WPA, WPA2

* Traffic interception

* Man in the Middle attacks

* DoS and DDoS attacks

* Botnets

* Packet filters

 

====024.3 Network Encryption and Anonymity (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the principle of virtual private networks (VPN). This includes using a VPN provider to encrypt transmitted data. Candidates should understand about recognition and anonymity when using the Internet as well as anonymization tools, such as TOR.

|}

'''Key Knowledge Areas:'''

* Understanding of virtual private networks (VPN)

* Understanding of the principles of end-to-end encryption

* Understanding anonymity and recognition in the Internet

* Identification due to link layer addresses and IP addresses

* Understanding of the principle of proxy servers

* Understanding of the principles of TOR

* Awareness of the Darknet

* Awareness of crypto currencies and their anonymity aspects

'''Partial list of used files, terms and utilities:'''

* Virtual Private Network (VPN)

* Public VPN providers

* Organization-specific VPN (e.g. company or university VPN)

* End to end encryption

* Transfer encryption

* Anonymity

* Proxy servers

* TOR

* Hidden service

* .onion

* Blockchain

 

===''025 Identity and Privacy''===

====025.1 Identity and Authentication (weight: 3)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand common concepts on how to prove their identity when using online services. This includes using a password manager, multi factor authentication and Single Sign-On, as well as being aware of common security threats regarding individual identities.

|}

'''Key Knowledge Areas:'''

* Understanding of the principle digital identities.

* Understanding of the principles of authentication, authorization and accounting

* Understanding of the characteristics of secure password (length, special characters, change frequencies, complexity)

* Using a password manager

* Understanding of the principle of security questions and account recovery tools

* Understanding of the principle of multifactor factor authentication, including common factors

* Understanding of the principle of single sign-on (SSO) and social media logins

* Understanding of the role of email accounts for IT security

* Understand how passwords are stored in online services

* Understand common attacks against passwords

* Monitoring own accounts for password leaks (Search engine alerts for own usernames, password leak checkers)

* Understanding of the security aspects of online banking and credit cards

'''Partial list of used files, terms and utilities:'''

* Online and offline password managers

* keepass2

* Single sign-on (SSO)

* Two factor authentication (2FA) and Multi factor authentication

* Password hashing and salting

* Brute force attacks, directory attacks, rainbow table attacks

 

====025.2 Information Confidentiality and Secure Communication (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should be able to keep confidential information secret and to ensure the confidentiality of digital communication. This includes recognizing attempts of Phishing and social engineering, as well as using secret and safe ways of communication.

|}

'''Key Knowledge Areas:'''

* Understanding the implications and risks of data leaks and intercepted communication

* Understanding of Phishing and social engineering and scamming

* Understanding the principles of email spam filters

* Securely handling of received email attachments

* Sharing information securely and responsibly using email cloud shares and messaging services

* Using encrypted instant messaging

'''Partial list of the used files, terms and utilities:'''

* Phishing and social engineering

* Identity theft

* Scamming and scareware

* Email spam and email spam filtering

 

====025.3 Privacy Protection (weight: 2)====

{|
| style="background:#dadada" |

'''Weight'''

| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" |

'''Description'''

| style="background:#eaeaea" |

The candidate should understand the importance of the confidentiality of personal information. This includes managing privacy settings in various online services and social media as well as being aware of common threats regarding personal information.

|}

'''Key Knowledge Areas:'''

* Understanding of the importance of personal information

* Understanding of how personal information can be used for a malicious purpose

* Understanding of the concepts of information gathering, profiling and user tracking

* Managing profile privacy settings on social media platforms and online services

* Understanding of the risk of publishing personal information

* Understanding of the rights regarding information about personal information (such as GDPR in Europe)

'''Partial list of the used files, terms and utilities:'''

* Stalking and cybermobbing

* HTTP cookies, browser fingerprinting and user tracking

* Script blockers and ad blockers in web browsers

* Profiles in online services and social media

* Contacts and privacy settings in social media