LPIC-2 Objectives V5.0: Difference between revisions

From LPI Wiki
Jump to navigationJump to search
Copy of version 4.5
 
 
(82 intermediate revisions by 4 users not shown)
Line 10: Line 10:
*    Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
*    Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
**        LAN server (Samba, NFS, DNS, DHCP, client management).
**        LAN server (Samba, NFS, DNS, DHCP, client management).
**        Internet Gateway (firewall, VPN, SSH, web cache/proxy, mail).
**        Internet Gateway (firewall, VPN, SSH, mail).
**        Internet Server (web server and reverse proxy, FTP server).
**        Internet Server (web server and reverse proxy).
*    Supervise assistants.
*    Supervise assistants.
*    Advise management on automation and purchases.
*    Advise management on automation and purchases.
Line 28: Line 28:
==Version Information==
==Version Information==


These objectives are version 4.5.0.  This version is to go live on February 13th, 2017.
These objectives are A DRAFT version 5.0.0.
 
This is also a [[LPIC-2_Summary_Version_4.0_To_4.5|summary and detailed information]] on the changes from version 4.0.x to 4.5.0 of the objectives.
 
The [[LPIC-2_Objectives_V4|version 4.0 of the LPIC-2 Objectives]] are still online.


The [[LPIC-2_Objectives_V4|version 4.5 of the LPIC-2 Objectives]] are still online.
<br />
<br />


==Addenda==
==Addenda==


===''Version Update (February 13th, 2017)''===
<br />
<br />


* updated to version 4.5.0
==Translations of Objectives==  
 
<br /><br />
 
==Translations of Objectives==


The following translations of the objectives are available on this wiki:
The following translations of the objectives are available on this wiki:


* [[LPIC-2_Objectives_V4.5|English]]
* [[LPIC-2_Objectives_V5.0|English]]
 
* [[LPIC-2_Objectives_V4.5(ES)|Spanish]]
 
* [[LPIC-2_Objectives_V4.5(FR)|French]]
 
* [[LPIC-2_Objectives_V4.5(DE)|German]]
 
* [[LPIC-2_Objectives_V4.5(PT-BR)|Portuguese]]


If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]
If you would like to help translating the objectives, please contact [mailto:fthorns@lpi.org Fabian]


<br /><br />
<br />
<br />


==Objectives: Exam 201==
==Objectives: Exam 201==


===''Topic 200: Capacity Planning''===
===''Topic 201: System Startup''===


====<span style="color:navy">200.1 Measure and Troubleshoot Resource Usage (weight: 6)</span>====
====<span style="color:navy">201.1 Linux Kernel (weight: 3)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 6
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" |  
| style="background:#dadada; padding-right:1em" | '''Description'''
 
'''Description'''
 
| style="background:#eaeaea" |
 
Candidates should be able to measure hardware resource and network bandwidth, identify and troubleshoot resource problems.


| style="background:#eaeaea" | Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Measure CPU usage.
* Understanding the Linux startup process


* Measure memory usage.
* Understanding the Linux kernel architecture, including kernel modules


* Measure disk I/O.
* Linux kernel release and versioning scheme


* Measure network I/O.
* Linux kernel modules


* Measure firewalling and routing throughput.
* DKMS


* Map client bandwidth usage.
* udev


* Match / correlate system symptoms with likely problems.
'''Partial list of the used files, terms and utilities:'''


* Estimate throughput and identify bottlenecks in a system including networking.
* Bootloader


'''The following is a partial list of the used files, terms and utilities:'''
* Kernel


* iostat
* Initramfs


* iotop
* Init


* vmstat
* Udev


* netstat
* mkinitramfs


* ss
* uname
 
* Module configuration files in /etc/
 
* modules.dep
 
* depmod
 
* modinfo
 
* modprobe
 
* insmod
 
* lsmod


* iptraf
* rmmod


* pstree, ps
* kmod


* w
* dmesg


* lsof
* lshw


* top
* lspci


* htop
* lsusb


* uptime
* udevadm monitor


* sar
* /etc/udev


* swap
* /proc


* processes blocked on I/O
* /proc/sys


* blocks in
* /etc/sysctl.conf, /etc/sysctl.conf.d/


* blocks out
* sysctl


<br />
<br />


====<span style="color:navy">200.2 Predict Future Resource Needs (weight: 2)</span>====
====<span style="color:navy">201.2 Sytemd Startup Configuration (weight: 4)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" |  
| style="background:#dadada; padding-right:1em" | '''Description'''


'''Description'''
| style="background:#eaeaea" | Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.
|}


| style="background:#eaeaea" |
'''Key Knowledge Areas:'''


Candidates should be able to monitor resource usage to predict future resource needs.
* Systemd concepts


|}
* Systemd unit types (Service, Socket, Target, Slice)


'''Key Knowledge Areas:'''
* Systemd System and User Slices


* Use monitoring and measurement tools to monitor IT infrastructure usage.
* Systemd Override and Drop-In Units


* Predict capacity break point of a configuration.
* Awareness of SystemV init and OpenRC


* Observe growth rate of capacity usage.
'''Partial list of the used files, terms and utilities:'''


* Graph the trend of capacity usage.
* /usr/lib/systemd/


* Awareness of monitoring solutions such as Icinga2, Nagios, collectd, MRTG and Cacti
* /etc/systemd/


'''The following is a partial list of the used files, terms and utilities:'''
* /run/systemd/


* diagnose
* systemctl


* predict growth
* systemd-delta


* resource exhaustion
<br />
<br />
<br />


===''Topic 201: Linux Kernel''===
====<span style="color:navy">201.3 systemd Security (weight: 2)</span>====
 
====<span style="color:navy">201.1 Kernel components (weight: 2)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''
Line 196: Line 188:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to utilise kernel components that are necessary to specific hardware, hardware drivers, system resources and requirements. This objective includes implementing different types of kernel images, understanding stable and longterm kernels and patches, as well as using kernel modules.
| style="background:#eaeaea" | Candidates should be able to use systemd to protect and restrict processes started by systemd units.
 
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Kernel 2.6.x, 3.x and 4.x documentation
* Configure systemd units to run with specific privileges
 
* Configure systemd units with a private /tmp directory
 
* Use systemd to restrict device access of services
 
* Use systemd to manage network accessiability of services
 
* Awareness of capabilities and Cgroups


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /usr/src/linux/
* User


* /usr/src/linux/Documentation/
* Group


* zImage
* SupplementaryGroups


* bzImage
* PrivateTmp


* xz compression
* DeviceAllow
 
* IPAddressAllow
 
* IPAddressDeny
 
* RestrictNetworkInterfaces


<br />
<br />


====<span style="color:navy">201.2 Compiling a Linux kernel (weight: 3)</span>====
====<span style="color:navy">201.4 Bootloaders and System Recovery (weight: 4)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to properly configure a kernel to include or disable specific features of the Linux kernel as necessary. This objective includes compiling and recompiling the Linux kernel as needed, updating and noting changes in a new kernel, creating an initrd image and installing new kernels.
| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options.  Candidates should be able to determine the cause of errors in loading and usage of bootloaders.  GRUB version 2 and system-boot are the bootloader of interest.  Both BIOS and UEFI systems are covered. Furthermore, configuring PXE and iPXE boot is covered.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* /usr/src/linux/
* BIOS and UEFI


* Kernel Makefiles
* GRUB version 2


* Kernel 2.6.x, 3.x and 4.x make targets
* GRUB shell


* Customize the current kernel configuration.
* GRUB configuration


* Build a new kernel and appropriate kernel modules.
* GRUB password security


* Install a new kernel and any modules.
* systemd-boot installation


* Ensure that the boot manager can locate the new kernel and associated files.
* systemd-boot configuration


* Module configuration files
* boot loader start and hand off to kernel


* Use DKMS to compile kernel modules.
* kernel loading


* Awareness of dracut
* hardware initialization and setup


'''The following is a partial list of the used files, terms and utilities:'''
* daemon/service initialization and setup


* mkinitrd
* Know the different boot loader install locations on a hard disk or removable device.


* mkinitramfs
* Overwrite standard boot loader options and using boot loader shells.


* make
* Use systemd rescue and emergency modes.


* make targets (all, config, xconfig, menuconfig, gconfig, oldconfig, mrproper, zImage, bzImage, modules, modules_install, rpm-pkg, binrpm-pkg, deb-pkg)
* Understanding of PXE and iPXE for both BIOS and UEFI


* gzip
'''Partial list of the used files, terms and utilities:'''


* bzip2
* mount


* module tools
* fsck


* /usr/src/linux/.config
* The contents of /boot/, /boot/grub/ and /boot/efi/


* /lib/modules/kernel-version/
* EFI System Partition (ESP)


* depmod
* GRUB


* dkms
* grub-install


<br />
* bootctl


====<span style="color:navy">201.3 Kernel runtime management and troubleshooting (weight: 4)</span>====
* loader.conf


{|
* efibootmgr
| style="background:#dadada" |


'''Weight'''
* efivar


| style="background:#eaeaea" | 4
* UEFI shell
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to manage and/or query a 2.6.x, 3.x or 4.x kernel and its loadable modules.  Candidates should be able to identify and correct common boot and run time issues. Candidates should understand device detection and management using udev. This objective includes troubleshooting udev rules.
* initrd, initramfs
|}


'''Key Knowledge Areas:'''
* Master boot record


* Use command-line utilities to get information about the currently running kernel and kernel modules.
* GUID Partition Table


* Manually load and unload kernel modules.
* systemctl


* Determine when modules can be unloaded.
* pxelinux.0


* Determine what parameters a module accepts.
* pxelinux.cfg/


* Configure the system to load modules by names other than their file name.  
* uefi/shim.efi


* /proc filesystem
* uefi/grubx64.efi


* Content of /, /boot/ , and /lib/modules/
<br/>
<br/>


* Tools and utilities to analyse information about the available hardware
===''Topic 202: Advanced Storage Device Administration''===


* udev rules
====<span style="color:navy">202.1 Storage Device Integrity and Encryption (weight: 3)</span>====


'''The following is a partial list of the used files, terms and utilities:'''
{|
| style="background:#dadada" |


* /lib/modules/kernel-version/modules.dep
'''Weight'''


* module configuration files in /etc/
| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


* /proc/sys/kernel/
| style="background:#eaeaea" | Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.
|}


* /sbin/depmod
'''Key Knowledge Areas:'''


* /sbin/rmmod
* Query, understand and monitor SMART values


* /sbin/modinfo
* Understand the concepts of disk and file system encryption


* /bin/dmesg
* Understand the concepts of dm-crypt and LUKS


* /sbin/lspci
* Use LUKS to encrypt storage devices


* /usr/bin/lsdev
* Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)


* /sbin/lsmod
* Awareness of WWID, WWN, LUN numbers


* /sbin/modprobe
'''Partial list of the used files, terms and utilities:'''


* /sbin/insmod
* smartd


* /bin/uname
* smartctl


* /usr/bin/lsusb
* cryptsetup


* /etc/sysctl.conf, /etc/sysctl.d/
* /etc/crypttab


* /sbin/sysctl
* udevmonitor
* udevadm monitor
* /etc/udev/
<br />
<br />
<br />


===''Topic 202: System Startup''===
====<span style="color:navy">202.2 Configuring RAID (weight: 4)</span>====
 
====<span style="color:navy">202.1 Customizing system startup (weight: 3)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to query and modify the behaviour of system services at various targets / run levels. A thorough understanding of the systemd, SysV Init and the Linux boot process is required. This objective includes interacting with systemd targets and SysV init run levels.
| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Systemd
* Software RAID configuration files and utilities


* SysV init
* Understanding the RAID levels 0, 1, 5 and 10


* Linux Standard Base Specification (LSB)
* Awareness of the RAID levels 6, 7 and 50


* Recovery of a failed RAID device


'''The following is a partial list of the used files, terms and utilities:'''
* Replacement of a failed disk within a RAID device


* /usr/lib/systemd/
'''Partial list of the used files, terms and utilities:'''


* /etc/systemd/
* mdadm.conf


* /run/systemd/
* mdadm


* systemctl
* /proc/mdstat
 
* systemd-delta
 
* /etc/inittab
 
* /etc/init.d/
 
* /etc/rc.d/
 
* chkconfig
 
* update-rc.d
 
* init and telinit


<br />
<br />


====<span style="color:navy">202.2 System recovery (weight: 4)</span>====
====<span style="color:navy">202.3 Logical Volume Manager (weight: 4)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''
Line 418: Line 402:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options.  Candidates should be able to determine the cause of errors in loading and usage of bootloaders.  GRUB version 2 and GRUB Legacy are the bootloaders of interest.  Both BIOS and UEFI systems are covered.
| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* BIOS and UEFI
* Tools in the LVM suite


* NVMe booting
* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes


* GRUB version 2 and Legacy
* Creating and maintaining snapshots


* grub shell
* Activating volume groups


* boot loader start and hand off to kernel
'''Partial list of the used files, terms and utilities:'''


* kernel loading
* /sbin/pv*


* hardware initialisation and setup
* /sbin/lv*


* daemon/service initialisation and setup
* /sbin/vg*


* Know the different boot loader install locations on a hard disk or removable device.
* mount


* Overwrite standard boot loader options and using boot loader shells.
* /dev/mapper/


* Use systemd rescue and emergency modes.
* lvm.conf


'''The following is a partial list of the used files, terms and utilities:'''
<br />


* mount
====<span style="color:navy">202.4 Basic ZFS Operations (weight: 2)</span>====


* fsck
{|
| style="background:#dadada" |


* inittab, telinit and init with SysV init
'''Weight'''


* The contents of /boot/, /boot/grub/ and /boot/efi/
| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


* EFI System Partition (ESP)
| style="background:#eaeaea" | Candidates should be able to create and manage a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.
|}


* GRUB
'''Key Knowledge Areas:'''


* grub-install
* Understand the concepts of ZFS
* Create and use a ZFS file system
* Create and manage ZFS subvolumes, including quota
* Awareness of ZFS RAID features


* efibootmgr
'''Partial list of the used files, terms and utilities:'''


* UEFI shell
* VDEV
* Zpool
* zfs


* initrd, initramfs
<br />
<br />


* Master boot record
===''Topic 203: Advanced Networking Configuration''===


* systemctl
====<span style="color:navy">203.1 Runtime Networking Configuration (weight: 3)</span>====
 
<br />
 
====<span style="color:navy">202.3 Alternate Bootloaders (weight: 2)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be aware of other bootloaders and their major features.
| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* SYSLINUX, ISOLINUX, PXELINUX
* Understand IPv4 and IPv6 addressing and routing


* Understanding of PXE for both BIOS and UEFI
* Manage wireless network interfaces


* Awareness of systemd-boot and U-Boot
* Manage links, addresses and routes using iproute2


'''The following is a partial list of the used files, terms and utilities:'''
* Awareness of VLANs, bridges and bonds


* syslinux
'''Partial list of the used files, terms and utilities:'''


* extlinux
* ip


* isolinux.bin
* iw


* isolinux.cfg
* wpa_supplicant


* isohdpfx.bin
* iwd


* efiboot.img
* iwctl


* pxelinux.0
<br />


* pxelinux.cfg/
====<span style="color:navy">203.2 Persistent Network Configuration (weight: 4)</span>====
 
* uefi/shim.efi
 
* uefi/grubx64.efi
 
<br/>
<br/>
 
===''Topic 203: Filesystem and Devices''===
 
====<span style="color:navy">203.1 Operating the Linux filesystem (weight: 4)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''
Line 533: Line 512:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to properly configure and navigate the standard Linux filesystem. This objective includes configuring and mounting various filesystem types.
| style="background:#eaeaea" | Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* The concept of the fstab configuration
* Understand the architecture and configuration of NetworkMananger


* Tools and utilities for handling swap partitions and files
* Understand the architecture and configuration of systemd-networkd and systemd-resolved


* Use of UUIDs for identifying and mounting file systems
* Configure manual IPv4 and IPv6 addresses and routes


* Understanding of systemd mount units
* Configure automatic IPv4 and IPv6 configuration


'''The following is a partial list of the used files, terms and utilities:'''
* Awareness of Netplan


* /etc/fstab
'''Partial list of the used files, terms and utilities:'''


* /etc/mtab
* nmcli


* /proc/mounts
* nmtui


* mount and umount
* systemctl


* blkid
* networkctl


* sync
* resolvectl


* swapon
* hostnamectl


* swapoff
* Systemd network units


<br />
<br />


====<span style="color:navy">203.2 Maintaining a Linux filesystem (weight: 3)</span>====
====<span style="color:navy">203.3 Network Troubleshooting (weight: 4)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to properly maintain a Linux filesystem using system utilities. This objective includes manipulating standard filesystems and monitoring SMART devices.
| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Tools and utilities to manipulate and ext2, ext3 and ext4
* Determine what network configuration framework a system uses


* Tools and utilities to perform basic Btrfs operations, including subvolumes and snapshots
* Utilities to gain information about the network configuration
 
* Identify common issues in network configuration and relate symptoms to configuration issues
 
* Awareness of ifupdown, Wicked and netplan
 
'''Partial list of the used files, terms and utilities:'''
 
* ip


* Tools and utilities to manipulate XFS
* ping


* Awareness of ZFS
* ss


'''The following is a partial list of the used files, terms and utilities:'''
* lsof


* mkfs (mkfs.*)
* nc


* mkswap
* /etc/network/interfaces, /etc/sysconfig/network-scripts


* fsck (fsck.*)
* mtr


* tune2fs, dumpe2fs and debugfs
* hostname


* btrfs, btrfs-convert
* /etc/resolv.conf


* xfs_info, xfs_check, xfs_repair, xfsdump and xfsrestore
* /etc/hosts


* smartd, smartctl
* /etc/hostname


<br />
<br />
<br />
===''Topic 204: System Maintenance''===


====<span style="color:navy">203.3 Creating and configuring filesystem options (weight: 2)</span>====
====<span style="color:navy">204.1 Make and Install Programs from Source (weight: 2)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''
Line 619: Line 609:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure automount filesystems using AutoFS. This objective includes configuring automount for network and device filesystems. Also included is creating filesystems for devices such as CD-ROMs and a basic feature knowledge of encrypted filesystems.
| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* autofs configuration files
* Unpack source code using common compression and archive utilities.


* Understanding of automount units
* Understand basics of invoking make to compile programs.
 
* Apply parameters to a configure script.


* UDF and ISO9660 tools and utilities
* Know where sources are stored by default.
 
'''Partial list of the used files, terms and utilities:'''
 
* /usr/src/
 
* /usr/local/src/
 
* gunzip
 
* gzip
 
* bzip2


* Awareness of other CD-ROM filesystems (HFS)
* xz


* Awareness of CD-ROM filesystem extensions (Joliet, Rock Ridge, El Torito)
* zstd


* Basic feature knowledge of data encryption (dm-crypt / LUKS)
* tar


'''The following is a partial list of the used files, terms and utilities:'''
* configure


* /etc/auto.master
* make


* /etc/auto.[dir]
* uname


* mkisofs
* install


* cryptsetup
* patch


<br />
<br />
<br />
===''Topic 204: Advanced Storage Device Administration''===


====<span style="color:navy">204.1 Configuring RAID (weight: 3)</span>====
====<span style="color:navy">204.2 Backup Operations (weight: 3)</span>====


{|
{|
| style="background:#dadada" |  
| style="background:#dadada" |


'''Weight'''
'''Weight'''
Line 662: Line 663:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.
| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Software RAID configuration files and utilities
* Understand the concepts of backups, including common backup strategies


'''The following is a partial list of the used files, terms and utilities:'''
* Knowledge about directories that have to be included in backups


* mdadm.conf
* Understand application aspects of backup consistency


* mdadm
* Understand how to leverage file system or block device snapshots for backups


* /proc/mdstat
* Knowledge of the benefits and drawbacks of tapes, disks or other backup media, including cloud storage


* partition type 0xFD
* Perform partial and manual backups using Linux standard tools


<br />
* Verify the integrity of backup files


====<span style="color:navy">204.2 Adjusting Storage Device Access (weight: 2)</span>====
* Partially or fully restore backups


{|
* Awareness of rclone, BorgBackup and restic
| style="background:#dadada" |


'''Weight'''
* Awareness of Bacula, Bareos and BackupPC


| style="background:#eaeaea" | 2
'''Partial list of the used files, terms and utilities:'''
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure kernel options to support various drives. This objective includes software tools to view & modify hard disk settings including iSCSI devices.
* Full, differential and incremental backups
|}


'''Key Knowledge Areas:'''
* dd


* Tools and utilities to configure DMA for IDE devices including ATAPI and SATA
* tar


* Tools and utilities to configure Solid State Drives including AHCI and NVMe
* /dev/st* and /dev/nst*


* Tools and utilities to manipulate or analyse system resources (e.g. interrupts)
* mt


* Awareness of sdparm command and its uses
* rsync


* Tools and utilities for iSCSI
<br />


* Awareness of SAN, including relevant protocols (AoE, FCoE)
====<span style="color:navy">204.3 Resource Management (weight: 4)</span>====


'''The following is a partial list of the used files, terms and utilities:'''
{|
| style="background:#dadada" |


* hdparm, sdparm
'''Weight'''


* nvme
| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" |


* tune2fs
'''Description'''


* fstrim
| style="background:#eaeaea" |


* sysctl
Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.


* /dev/hd*, /dev/sd*, /dev/nvme*
|}


* iscsiadm, scsi_id, iscsid and iscsid.conf
'''Key Knowledge Areas:'''


* WWID, WWN, LUN numbers
* Measure CPU, memory, disk and I/O usage.
<br />


====<span style="color:navy">204.3 Logical Volume Manager (weight: 3)</span>====
* Match / correlate system symptoms with likely problems.


{|
* Estimate throughput and identify bottlenecks in a system including networking.
| style="background:#dadada" |


'''Weight'''
* Manage resource consumption of systemd slices, scopes and services


| style="background:#eaeaea" | 3
* Awareness of Cgroups
|-
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.
'''Partial list of the used files, terms and utilities:'''
|}


'''Key Knowledge Areas:'''
* iostat


* Tools in the LVM suite
* iotop


* Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes
* vmstat


* Creating and maintaining snapshots
* ss


* Activating volume groups
* iptraf-ng


'''The following is a partial list of the used files, terms and utilities:'''
* iftop


* /sbin/pv*
* ifstat


* /sbin/lv*
* pstree, ps


* /sbin/vg*
* w


* mount
* lsof
 
* top
 
* uptime
 
* sar
 
* swap
 
* systemctl
 
* systemd-cgls
 
* CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs


* /dev/mapper/
* MemoryMin, MemoryLow, MemoryHigh, MemoryMax


* lvm.conf
* IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec


<br />
<br />
<br />
===''Topic 205: Networking Configuration''===


====<span style="color:navy">205.1 Basic networking configuration (weight: 3)</span>====
====<span style="color:navy">204.4 Advanced Secure Shell (SSH) (weight: 3)</span>====


{|
{|
Line 782: Line 788:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a network device to be able to connect to a local, wired or wireless, and a wide-area network. This objective includes being able to communicate between various subnets within a single network including both IPv4 and IPv6 networks.
| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Utilities to configure and manipulate ethernet network interfaces
* OpenSSH configuration files, tools and utilities


* Configuring basic access to wireless networks
* Login restrictions for the superuser and the normal users


'''The following is a partial list of the used files, terms and utilities:'''
* Using SSH to forward local and remote ports


* ip
* Understand the concept of an SSH CA


* ifconfig
* Use an SSH CA to manage SSH keys


* route
* Awareness of SSH Banners


* arp
'''The following is a partial list of the used files, terms and utilities:'''


* iw
* ssh


* iwconfig
* sshd


* iwlist
* /etc/ssh/sshd_config
 
* /etc/ssh/
 
* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication
 
* ssh-keygen
 
* AuthorizedPrincipalsFile
 
* TrustedUserCAKeys


<br />
<br />
<br />


====<span style="color:navy">205.2 Advanced Network Configuration (weight: 4)</span>====
===''Topic 205: Configuration Management''===
 
====<span style="color:navy">205.1 Ansible Basics (weight: 4)</span>====


{|
{|
Line 816: Line 835:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 4
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a network device to implement various network authentication schemes. This objective includes configuring a multi-homed network device and resolving communication problems.
| style="background:#eaeaea" | Candidates should be able to use Ansible to perform basic system configuration management and administration.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Utilities to manipulate routing tables
* Understand the principles of automated system configuration and software installation
 
* Utilities to configure and manipulate ethernet network interfaces
 
* Utilities to analyse the status of the network devices
 
* Utilities to monitor and analyse the TCP/IP traffic
 
'''The following is a partial list of the used files, terms and utilities:'''


* ip
* Understand how Ansible interacts with remote systems


* ifconfig
* Understand the requirements of Ansible on a target node


* route
* Create and maintain inventory files


* arp
* Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers


* ss
* Awareness of dynamic inventory


* netstat
* Awareness of cloud-init


* lsof
'''Partial list of the used files, terms and utilities:'''


* ping, ping6
* ansible.cfg


* nc
* ansible-playbook


* tcpdump
* ansible-doc


* nmap
<br />


<br />
====<span style="color:navy">205.2 Ansible Modules (weight: 3)</span>====
 
====<span style="color:navy">205.3 Troubleshooting network issues (weight: 4)</span>====


{|
{|
Line 866: Line 875:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 4
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to identify and correct common network setup issues, to include knowledge of locations for basic configuration files and commands.
| style="background:#eaeaea" | Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Location and content of access restriction files
* Understand and use Ansible roles and install Ansible roles from Ansible Galaxy


* Utilities to configure and manipulate ethernet network interfaces
* Understand and use important Ansible tasks


* Utilities to manage routing tables
'''Partial list of the used files, terms and utilities:'''


* Utilities to list network states.
* file


* Utilities to gain information about the network configuration
* copy


* Methods of information about the recognised and used hardware devices
* template


* System initialisation files and their contents (Systemd and SysV init)
* ini_file


* Awareness of NetworkManager and its impact on network configuration
* lineinfile


'''The following is a partial list of the used files, terms and utilities:'''
* patch


* ip
* replace


* ifconfig
* user


* route
* group


* ss
* command


* netstat
* shell


* /etc/network/, /etc/sysconfig/network-scripts/
* service


* ping, ping6
* systemd


* traceroute, traceroute6
* cron


* mtr
* apt


* hostname
* debconf


* System log files such as /var/log/syslog, /var/log/messages and the systemd journal
* yum


* dmesg
* git


* /etc/resolv.conf
* debug


* /etc/hosts
* ansible-galaxy


* /etc/hostname, /etc/HOSTNAME
<br />


* /etc/hosts.allow, /etc/hosts.deny
====<span style="color:navy">205.3 Ansible Templates and Variables (weight: 4)</span>====
 
<br />
<br />
 
===''Topic 206: System Maintenance''===
 
====<span style="color:navy">206.1 Make and install programs from source (weight: 2)</span>====


{|
{|
Line 937: Line 939:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.
| style="background:#eaeaea" | Candidates should be able to understand variables and facts and write simple Jinja2 templates.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Unpack source code using common compression and archive utilities.
* Set and use variables and facts


* Understand basics of invoking make to compile programs.
* Maintain secrets using Ansible vaults


* Apply parameters to a configure script.
* Write Jinja2 templates, including using common filters, loops and conditionals


* Know where sources are stored by default.
'''Partial list of the used files, terms and utilities:'''


'''The following is a partial list of the used files, terms and utilities:'''
* Jinja2 syntax


* /usr/src/
* ansible-vault


* gunzip
<br />
<br />


* gzip
==Objectives: Exam 202==


* bzip2
===''Topic 206: Domain Name Server''===


* xz
====<span style="color:navy">206.1 Basic DNS Server Configuration (weight: 3)</span>====
 
* tar
 
* configure
 
* make
 
* uname
 
* install
 
* patch
 
<br />
 
====<span style="color:navy">206.2 Backup operations (weight: 3)</span>====


{|
{|
Line 991: Line 978:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to use system tools to back up important system data.  
| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Knowledge about directories that have to be included in backups
* Understanding the principles of the Domain Name System


* Awareness of network backup solutions such as Amanda, Bacula, Bareos and BackupPC
* BIND 9.x configuration files, terms and utilities


* Knowledge of the benefits and drawbacks of tapes, CDR, disk or other backup media
* Defining the location of the BIND zone files in BIND configuration files


* Perform partial and manual backups.
* Reloading modified configuration and zone files


* Verify the integrity of backup files.
* Awareness of dnsmasq and PowerDNS as alternate name servers
 
* Partially or fully restore backups.


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /bin/sh
* named.conf


* dd
* rndc


* tar
* named-checkconf


* /dev/st* and /dev/nst*
* host


* mt
* dig
 
* rsync


<br />
<br />


====<span style="color:navy">206.3 Notify users on system-related issues (weight: 1)</span>====
====<span style="color:navy">206.2 Create and Maintain DNS Zones (weight: 3)</span>====


{|
{|
Line 1,031: Line 1,014:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 1
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to notify the users about current issues related to the system.  
| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Automate communication with users through logon messages.
* BIND 9 configuration files, terms and utilities


* Inform active users of system maintenance
* Utilities to request information from the DNS server
 
* Layout, content and file location of the BIND zone files
 
* Various methods to add a new host in the zone files, including reverse zones


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /etc/issue
* /var/named/


* /etc/issue.net
* zone file syntax


* /etc/motd
* resource record formats


* wall
* named-checkzone


* shutdown
* named-compilezone


* systemctl
* masterfile-format


<br />
<br />
<br />


==Objectives: Exam 202==
====<span style="color:navy">206.3 Securing a DNS Server (weight: 2)</span>====
 
===''Topic 207: Domain Name Server''===
 
====<span style="color:navy">207.1 Basic DNS server configuration (weight: 3)</span>====


{|
{|
Line 1,072: Line 1,054:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.
| style="background:#eaeaea" | Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE. This objectives covers BIND version 9.16 or a later version.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* BIND 9.x configuration files, terms and utilities
* BIND 9 configuration files
 
* Split configuration of BIND using the forwarders statement
 
* Configuring and using transaction signatures (TSIG)


* Defining the location of the BIND zone files in BIND configuration files
* Key & Signing Policy (KASP)


* Reloading modified configuration and zone files
* Awareness of DNSSEC and basic tools


* Awareness of dnsmasq, djbdns and PowerDNS as alternate name servers
* Awareness of DANE and related records


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''
Line 1,093: Line 1,079:
* /etc/named.conf
* /etc/named.conf


* /var/named/
* DNSSEC
 
* rndc


* named-checkconf
* dnssec-policy


* kill
* tsig-keygen


* host
<br />
<br />


* dig
===''Topic 207: HTTP Services''===


<br />
====<span style="color:navy">207.1 HTTP Protocol (weight: 2)</span>====
 
====<span style="color:navy">207.2 Create and maintain DNS zones (weight: 3)</span>====


{|
{|
Line 1,114: Line 1,097:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to create a zone file for a forward or reverse zone and hints for root level servers. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.
| style="background:#eaeaea" | Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* BIND 9 configuration files, terms and utilities
* Understanding the principles of HTTP versions 1.1, 2 and 3


* Utilities to request information from the DNS server
* Understanding the principle of virtual hosts


* Layout, content and file location of the BIND zone files
* Understanding the principles of proxy servers and application layer gateways


* Various methods to add a new host in the zone files, including reverse zones
* Application Server Integration


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /var/named/
* HTTP methods and status codes


* zone file syntax
* HTTP headers


* resource record formats
* HTTP cookies


* named-checkzone
* CGI, FastCGI, WSGI, AJP
 
* named-compilezone
 
* masterfile-format
 
* dig
 
* nslookup
 
* host


<br />
<br />


====<span style="color:navy">207.3 Securing a DNS server (weight: 2)</span>====
====<span style="color:navy">207.2 HTTPS, PKI and TLS (weight: 4)</span>====


{|
{|
Line 1,160: Line 1,133:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a DNS server to run as a non-root user and run in a chroot jail. This objective includes secure exchange of data between DNS servers.
| style="background:#eaeaea" | Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* BIND 9 configuration files
* Cryptographic concepts


* Configuring BIND to run in a chroot jail
* TLS and SNI


* Split configuration of BIND using the forwarders statement
* X.509 certificates, including important fields for HTTPS


* Configuring and using transaction signatures (TSIG)
* PKI


* Awareness of DNSSEC and basic tools
* Generate a self-signed Certificate


* Awareness of DANE and related records
* Generate a server private key and CSR for a commercial CA


'''The following is a partial list of the used files, terms and utilities:'''
* Install the key and certificate, including intermediate CAs


* /etc/named.conf
* Let's Encrypt for certificate procurement


* /etc/passwd
* Security issues in SSL use, awareness of insecure protocols and ciphers


* DNSSEC
'''The following is a partial list of the used files, terms and utilities:'''


* dnssec-keygen
* Symmetric and asymmetric cryptography


* dnssec-signzone
* Hash functions
 
* Key exchange algorithms
 
* Perfect forward secrecy
 
* Certification Authorities
 
* ACME, including challenges
 
* openssl
 
* certbot


<br />
<br />
<br />


===''Topic 208: HTTP Services''===
====<span style="color:navy">207.3 Apache HTTPD Configuration (weight: 4)</span>====
 
====<span style="color:navy">208.1 Basic Apache configuration (weight: 4)</span>====


{|
{|
Line 1,209: Line 1,191:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to install and configure a web server. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.  
| style="background:#eaeaea" | Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Apache 2.4 configuration files, terms and utilities
* Apache HTTPD 2.4 architecture, configuration files, terms and utilities
 
* Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)
 
* HTTPS configuration for IP and name-based virtual hosts


* Apache log files configuration and content
* Apache log files configuration and content
Line 1,220: Line 1,206:
* Access restriction methods and files
* Access restriction methods and files


* mod_perl and PHP configuration
* Client user authentication files and utilities
 
* Using redirect statements in Apache's configuration files to customize file access
 
* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP
 
* mod_php and PHP FPM


* Client user authentication files and utilities
* mod_python and Python WSGI


* Configuration of maximum requests, minimum and maximum servers and clients  
* Configuration of maximum requests, minimum and maximum servers and clients  


* Apache 2.4 virtual host implementation (with and without dedicated IP addresses)
* Awareness of mod_security and mod_evasive
 
* Using redirect statements in Apache's configuration files to customize file access


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''
Line 1,243: Line 1,233:


* AuthUserFile, AuthGroupFile
* AuthUserFile, AuthGroupFile
* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable


* apachectl, apache2ctl
* apachectl, apache2ctl
Line 1,250: Line 1,244:
<br />
<br />


====<span style="color:navy">208.2 Apache configuration for HTTPS (weight: 3)</span>====
====<span style="color:navy">207.4 NGINX Configuration (weight: 4)</span>====


{|
{|
Line 1,257: Line 1,251:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a web server to provide HTTPS.  
| style="background:#eaeaea" | Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* SSL configuration files, tools and utilities
* NGINX architecture, configuration files, terms and utilities


* Generate a server private key and CSR for a commercial CA
* NGINX virtual host implementation (with and without dedicated IP addresses)


* Generate a self-signed Certificate
* HTTPS configuration for IP and name-based virtual hosts


* Install the key and certificate, including intermediate CAs
* NGINX log files configuration and content


* Configure Virtual Hosting using SNI
* Access restriction methods and files


* Awareness of the issues with Virtual Hosting and use of SSL
* Client user authentication files and utilities


* Security issues in SSL use, disable insecure protocols and ciphers
* Configure redirects


'''The following is a partial list of the used files, terms and utilities:'''
* Configure reverse proxies for HTTP, FastCGI, WSGI and AJP


* Apache2 configuration files
* Configuration of maximum requests, minimum and maximum servers and clients


* /etc/ssl/, /etc/pki/
'''The following is a partial list of the used files, terms and utilities:'''


* openssl, CA.pl
* nginx


* SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
<br />
 
<br />
* SSLCACertificateFile, SSLCACertificatePath
 
* SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable


<br />
===''Topic 208: File Sharing''===


====<span style="color:navy">208.3 Implementing Squid as a caching proxy (weight: 2)</span>====
====<span style="color:navy">208.1 Samba File Server Configuration (weight: 4)</span>====


{|
{|
Line 1,303: Line 1,294:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.
| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is configuring a Linux client to use a Samba server. Troubleshooting installations is also tested. Setting up and managing an Active Directory domain is not part of the objectives.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Squid 3.x configuration files, terms and utilities
* Samba 4 configuration files


* Access restriction methods
* Samba 4 tools and utilities and daemons


* Client user authentication methods
* Mounting CIFS shares on Linux


* Layout and content of ACL in the Squid configuration files
* Mapping Windows user names to Linux user names
 
* User-level security
 
* Active Directory membership


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* squid.conf
* samba, smbd, nmbd, winbindd


* acl
* smbcontrol, smbstatus, testparm, smbpasswd


* http_access
* samba-tool


<br />
* net


====<span style="color:navy">208.4 Implementing Nginx as a web server and a reverse proxy (weight: 2)</span>====
* smbclient


{|
* mount.cifs
 
* /etc/samba/
 
<br />
 
====<span style="color:navy">208.2 NFS Server Configuration (weight: 3)</span>====
 
{|
| style="background:#dadada" |  
| style="background:#dadada" |  


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to install and configure a reverse proxy server, Nginx.  Basic configuration of Nginx as a HTTP server is included.  
| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Nginx
* NFS version 3 and 4 configuration files
 
* NFS tools and utilities


* Reverse Proxy
* Access restrictions to specific hosts and/or subnets


* Basic Web Server
* Mount options on server and client


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /etc/nginx/
* /etc/exports


* nginx
* exportfs


<br />
* showmount
<br />


===''Topic 209: File Sharing''===
* nfsstat


====<span style="color:navy">209.1 Samba Server Configuration (weight: 5)</span>====
* /proc/mounts


{|
* /etc/fstab
| style="background:#dadada" |  
 
* rpcinfo
 
* mountd
 
* portmapper
 
<br />
<br />
 
===''Topic 209: Network Client Management''===
 
====<span style="color:navy">209.1 DHCP Configuration (weight: 3)</span>====
 
{|
| style="background:#dadada" |  


'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 5
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS and printer shares is covered. Also covered is a configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.  
| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Samba 4 documentation
* ISC DHCP configuration files, terms and utilities for DHCPv4


* Samba 4 configuration files
* ISC DHCP configuration files, terms and utilities for DHCPv6
 
* radvd configuration files, terms and utilities for IPv6 SLAAC


* Samba 4 tools and utilities and daemons
* Subnet and dynamically-allocated DHCP range setup


* Mounting CIFS shares on Linux
* Subnet and host-specific DHCP range setup


* Mapping Windows user names to Linux user names
* DHCPv4 and DHCPv6 options for PXE boot


* User-Level, Share-Level and AD security
* Awareness of Kea


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* smbd, nmbd, winbindd
* dhcpd.conf


* smbcontrol, smbstatus, testparm, smbpasswd, nmblookup
* dhcpd6.conf


* samba-tool
* dhcpd.leases


* net
* dhcpd6.leases


* smbclient
* radvd.conf


* mount.cifs
* dhcpd


* /etc/samba/
* radvd


* /var/log/samba/
* DHCP Log messages in syslog or systemd journal


<br />
<br />


====<span style="color:navy">209.2 NFS Server Configuration (weight: 3)</span>====
====<span style="color:navy">209.2 PAM Authentication (weight: 4)</span>====


{|
{|
Line 1,418: Line 1,439:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.
| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality as well as configuring 2 factor authentication.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* NFS version 3 configuration files
* PAM configuration files, terms and utilities


* NFS tools and utilities
* passwd and shadow passwords


* Access restrictions to certain hosts and/or subnets
* Use sssd for LDAP authentication


* Mount options on server and client
* Use 2 factor authentication for SSH access


* TCP Wrappers
'''The following is a partial list of the used files, terms and utilities:'''


* Awareness of NFSv4
* /etc/pam.d/


'''The following is a partial list of the used files, terms and utilities:'''
* pam.conf


* /etc/exports
* nsswitch.conf


* exportfs
* pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss, pam_oath and pam_otp


* showmount
* sssd.conf


* nfsstat
* /etc/users.oath


* /proc/mounts
* oathtool


* /etc/fstab
* /etc/ssh/sshd_config (ChallengeResponseAuthentication, UsePAM)
 
* rpcinfo
 
* mountd
 
* portmapper


<br />
<br />
<br />


===''Topic 210: Network Client Management''===
====<span style="color:navy">209.3 LDAP Client Usage (weight: 2)</span>====
 
====<span style="color:navy">210.1 DHCP configuration (weight: 2)</span>====


{|
{|
Line 1,475: Line 1,487:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users. Setting up and managing an LDAP server is not part of this objective.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* DHCP configuration files, terms and utilities
* Understand key concepts of LDAP
 
* LDAP utilities for data management and queries


* Subnet and dynamically-allocated range setup
* Change user passwords


* Awareness of DHCPv6 and IPv6 Router Advertisements
* Querying the LDAP directory


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* dhcpd.conf
* ldapsearch


* dhcpd.leases
* ldappasswd


* DHCP Log messages in syslog or systemd journal
* ldapadd


* arp
* ldapdelete
 
* dhcpd
 
* radvd
 
* radvd.conf


<br />
<br />


====<span style="color:navy">210.2 PAM authentication (weight: 3)</span>====
====<span style="color:navy">209.4 Authentication Mechanisms and Standards (weight: 2)</span>====


{|
{|
Line 1,511: Line 1,519:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 3
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality.
| style="background:#eaeaea" | Candidates should be able to understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services. Setting up the various services is not part of the objectives.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* PAM configuration files, terms and utilities
* Directory service and authentication standards
 
* Domains and authentication management systems
 
* Web-based authentication standards


* passwd and shadow passwords  
* Multi-factor authentication and one-time passwords (OTP)


* Use sssd for LDAP authentication
* Understanding the most important properties and use cases of relevant protocols and standards


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /etc/pam.d/
* LDAP
 
* Kerberos 5


* pam.conf
* Active Directory


* nsswitch.conf
* FreeIPA


* pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss
* Oauth2


* sssd.conf
* OpenID Connect


<br />
<br />
<br />
===''Topic 210: Email Services''===


====<span style="color:navy">210.3 LDAP client usage (weight: 2)</span>====
====<span style="color:navy">210.1 Managing Email Transfer (weight: 4)</span>====


{|
{|
Line 1,547: Line 1,564:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 4
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
| style="background:#eaeaea" | Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* LDAP utilities for data management and queries
* Configuration files for postfix


* Change user passwords
* Basic TLS configuration for postfix


* Querying the LDAP directory
* Basic knowledge of the SMTP protocol


'''The following is a partial list of the used files, terms and utilities:'''
* Configure Postfix for SASL authentication using cyrus-sasl


* ldapsearch
* Configure nullmailer for email relay


* ldappasswd
* Awareness of exim


* ldapadd
'''The following is a partial list of the used files, terms and utilities:'''
 
* Configuration files and commands for postfix
 
* /etc/postfix/
 
* /var/spool/postfix/
 
* /etc/aliases
 
* mail-related logs in /var/log/
 
* /etc/sasl2/smtpd.conf
 
* testsaslauthd
 
* nullmailer/me
 
* nullmailer/remotes


* ldapdelete
* nullmailer/defaultdomain


<br />
<br />


====<span style="color:navy">210.4 Configuring an OpenLDAP server (weight: 4)</span>====
====<span style="color:navy">210.2 Managing Email Delivery (weight: 2)</span>====


{|
{|
Line 1,581: Line 1,616:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 4
| style="background:#eaeaea" | 2
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to configure a basic OpenLDAP server including knowledge of LDIF format and essential access controls.
| style="background:#eaeaea" | Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.  
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* OpenLDAP
* Understanding of Sieve functionality, syntax and operators


* Directory based configuration
* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size


* Access Control
'''The following is a partial list of the used files, terms and utilities:'''


* Distinguished Names
* Conditions and comparison operators


* Changetype Operations
* keep, fileinto, redirect, reject, discard, stop


* Schemas and Whitepages
* Dovecot vacation extension


* Directories
<br />


* Object IDs, Attributes and Classes
====<span style="color:navy">210.3 Managing Mailbox Access (weight: 2)</span>====


'''The following is a partial list of the used files, terms and utilities:'''
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to install and configure IMAP daemons.
|}


* slapd
'''Key Knowledge Areas:'''


* slapd-config
* Dovecot IMAP configuration and administration


* LDIF
* Basic TLS configuration for Dovecot


* slapadd
'''The following is a partial list of the used files, terms and utilities:'''


* slapcat
* /etc/dovecot/


* slapindex
* dovecot.conf


* /var/lib/ldap/
* doveconf


* loglevel
* doveadm


<br />
<br />
<br />
<br />


===''Topic 211: E-Mail Services''===
===''Topic 211: Network Security''===


====<span style="color:navy">211.1 Using e-mail servers (weight: 4)</span>====
====<span style="color:navy">211.1 Routing and Packet Filtering (weight: 4)</span>====


{|
{|
Line 1,640: Line 1,685:
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to manage an e-mail server, including the configuration of e-mail aliases, e-mail quotas and virtual e-mail domains. This objective includes configuring internal e-mail relays and monitoring e-mail servers.
| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Configuration files for postfix
* Understand the concepts of routing, network address translation and packet filtering


* Basic TLS configuration for postfix
* Understand the concepts and differences of iptables and nftables


* Basic knowledge of the SMTP protocol
* Query packet filter ruleset using nft


* Awareness of sendmail and exim
* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address using iptables and ip6tables compatibility commands


'''The following is a partial list of the used files, terms and utilities:'''
* Tools, commands and utilities to manage routing tables.


* Configuration files and commands for postfix
* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)


* /etc/postfix/
* Port redirection and IP forwarding
 
* Understand the main concepts of firewalld
 
* Use firewalld to implement a simple edge node and router firewall
 
* Awareness of ufw
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* /proc/sys/net/ipv4/
 
* /proc/sys/net/ipv6/
 
* /etc/sysctl.conf and /etc/sysctl.conf.d/
 
* /etc/services
 
* iptables


* /var/spool/postfix/
* ip6tables


* sendmail emulation layer commands
* nft


* /etc/aliases
* firewall-cmd


* mail-related logs in /var/log/  
* /etc/firewalld/firewalld.conf


<br />
<br />


====<span style="color:navy">211.2 Managing E-Mail Delivery (weight: 2)</span>====
====<span style="color:navy">211.2 Security Assessment and Intrusion Prevention (weight: 3)</span>====


{|
{|
Line 1,676: Line 1,739:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 3
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to implement client e-mail management software to filter, sort and monitor incoming user e-mail.  
| style="background:#eaeaea" | Candidates should be able to confirm the effectiveness of security measures. This includes determining which services run on their servers. Furthermore, candidates should understand the concepts of tools commonly used to improve network security.
 
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Understanding of Sieve functionality, syntax and operators
* Scan and test open ports on a server


* Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size
* Understand and configure fail2ban


* Awareness of procmail
* Understand the concepts of common features of network intrusion detection and prevention systems


'''The following is a partial list of the used files, terms and utilities:'''
* Understand the concepts of common features of network vulnerability scanners


* Conditions and comparison operators
* Understand the concepts of common features of packet sniffers


* keep, fileinto, redirect, reject, discard, stop
* Awareness of Snort and Suricata
 
* Awareness of OpenVAS and Metasploit
 
* Awareness of Wireshark
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* fail2ban
 
* nmap


* Dovecot vacation extension
* nc


<br />
<br />


====<span style="color:navy">211.3 Managing Mailbox Access (weight: 2)</span>====
====<span style="color:navy">211.3 Virtual Private Networks (weight: 5)</span>====


{|
{|
Line 1,708: Line 1,782:
'''Weight'''
'''Weight'''


| style="background:#eaeaea" | 2
| style="background:#eaeaea" | 5
|-
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
| style="background:#dadada; padding-right:1em" | '''Description'''


| style="background:#eaeaea" | Candidates should be able to install and configure POP and IMAP daemons.  
| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}
|}


'''Key Knowledge Areas:'''
'''Key Knowledge Areas:'''


* Dovecot IMAP and POP3 configuration and administration
* Understand the concepts of a virtual private network
 
* Understand the different requirements of site-to-site and dial-in VPN
 
* Basic configuration of OpenVPN as site-to-site and dial-in VPN


* Basic TLS configuration for Dovecot
* Basic configuration of Wireguard as a site-to-site VPN
 
* Awareness of the main differences between OpenVPN and Wireguard


* Awareness of Courier
* Awareness of IPsec and IKE2


'''The following is a partial list of the used files, terms and utilities:'''
'''The following is a partial list of the used files, terms and utilities:'''


* /etc/dovecot/
* /etc/openvpn/
 
* openvpn


* dovecot.conf
* /etc/wireguard/


* doveconf
* wg


* doveadm
* wg-quick


<br />
<br />
<br />
<br />


===''Topic 212: System Security''===
==Future Change Considerations==


====<span style="color:navy">212.1 Configuring a router (weight: 3)</span>====
Future changes to the objective will/may include:
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.
|}
 
'''Key Knowledge Areas:'''
 
* iptables and ip6tables configuration files, tools and utilities
 
* Tools, commands and utilities to manage routing tables.
 
* Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)
 
* Port redirection and IP forwarding
 
* List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address
 
* Save and reload filtering configurations
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* /proc/sys/net/ipv4/
 
* /proc/sys/net/ipv6/
 
* /etc/services
 
* iptables
 
* ip6tables
 
<br />
 
====<span style="color:navy">212.2 Managing FTP servers (weight: 2)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.
|}
 
'''Key Knowledge Areas:'''
 
* Configuration files, tools and utilities for Pure-FTPd and vsftpd
 
* Awareness of ProFTPd
 
* Understanding of passive vs. active FTP connections
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* vsftpd.conf
 
* important Pure-FTPd command line options
 
<br />
 
====<span style="color:navy">212.3 Secure shell (SSH) (weight: 4)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 4
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.
|}
 
'''Key Knowledge Areas:'''
 
* OpenSSH configuration files, tools and utilities
 
* Login restrictions for the superuser and the normal users
 
* Managing and using server and client keys to login with and without password
 
* Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* ssh
 
* sshd
 
* /etc/ssh/sshd_config
 
* /etc/ssh/
 
* Private and public key files
 
* PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol
 
<br />
 
====<span style="color:navy">212.4 Security tasks (weight: 3)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 3
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.
|}
 
'''Key Knowledge Areas:'''
 
* Tools and utilities to scan and test ports on a server
 
* Locations and organisations that report security alerts as Bugtraq, CERT or other sources
 
* Tools and utilities to implement an intrusion detection system (IDS)
 
* Awareness of OpenVAS and Snort
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* telnet
 
* nmap
 
* fail2ban
 
* nc
 
* iptables
 
<br />
 
====<span style="color:navy">212.5 OpenVPN (weight: 2)</span>====
 
{|
| style="background:#dadada" |
 
'''Weight'''
 
| style="background:#eaeaea" | 2
|-
| style="background:#dadada; padding-right:1em" | '''Description'''
 
| style="background:#eaeaea" | Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
|}
 
'''Key Knowledge Areas:'''
 
* OpenVPN
 
'''The following is a partial list of the used files, terms and utilities:'''
 
* /etc/openvpn/
 
* openvpn
 
<br />
<br />
 
==Future Change Considerations==
 
Future changes to the objective will/may include:
 
* Extend the amount of NetworkManager covered, i.e. including the CLI
 
* lighttpd would have been too much coverage of web services.  Perhaps reduce Apache next revision to make room.
 
* host level IDS (tripwire, AIDE, etc) to be covered in future LPIC-1.
 
* introduction (or more) to FreeIPA
 
* add coverage of mod_security and mod_evasive to Apache HTTP (maybe as a separate topic: Web Application Firewall)
 
* add coverage of a higher-level firewall package like firewalld or ufw
 
* Reconsider mod_perl
 
* Add firewall-cmd and /etc/firewalld/firewalld.conf related to firewalld to LPIC-2
 
* Awareness of firewalld
 
* Add nmcli and nmtui to LPIC-2
 
* Full coverage of IPv6 auto configuration
 
* Remove djbdns
 
* Advanced shell scripting (sed -e, set -x, set -o, pipefail, PIPESTATUS, declare)
 
* Filesystem quota (similar to the topic removed from LPIC-1)
 
* Understanding of consistency in backups, e.g. for databases
 
* Let's Encrypt for certification procurement
 
* 202.2: Reconsider NVMe booting
 
* 207.1: Consider dropping djbdns and consider unbound
 
* 207.1: /var/named/ is distro-specific
 
* 207.2: Remove creation of root.hints
 
* 207.2: Reconsider nslookup
 
* 207.3: Reconsider chroot
 
* 208.2: Remove CA.pl
 
* 208.2: Remove SNI specialties
 
* 208.2: Remove client certificate options
 
* 208.3: Reconsider the relevance of Squid
 
* 209.1: Remove Samba Share-Level security
 
* 209.1: Remove nmblookup
 
* 210.1: Remove arp
 
* 210.4: Aggregate Whitepages, schemas, classes etc.
 
* 212.2: Remove FTP
 
* 212.3: Remove Protocol
 
* 212.4: Remove bugtraq etc.


* Remove paths to commands and configuration files wherever possible
* Remove paths to commands and configuration files wherever possible

Latest revision as of 20:08, 9 May 2024

Overview of Tasks

These are required exams for LPI certification Level 2. It covers advanced skills for the Linux professional that are common across all distributions of Linux. Also, LPIC-1 must be obtained in order to receive the certification. Exams may be taken in any order but all of the requirements must be met.

To pass LPIC-2, the candidate should be able to:

  • Administer a small to medium-sized site.
  • Plan, implement, maintain, keep consistent, secure, and troubleshoot a small mixed (MS, Linux) network, including a:
    • LAN server (Samba, NFS, DNS, DHCP, client management).
    • Internet Gateway (firewall, VPN, SSH, mail).
    • Internet Server (web server and reverse proxy).
  • Supervise assistants.
  • Advise management on automation and purchases.


Exams

In order to be certified LPIC-2, the candidate must pass both the 201 and 202 exams and be a holder of an active LPIC-1 certification.


Version Information

These objectives are A DRAFT version 5.0.0.

The version 4.5 of the LPIC-2 Objectives are still online.

Addenda



Translations of Objectives

The following translations of the objectives are available on this wiki:

If you would like to help translating the objectives, please contact Fabian



Objectives: Exam 201

Topic 201: System Startup

201.1 Linux Kernel (weight: 3)

Weight

3
Description Candidates should understand the startup of a Linux system, including all relevant components. Candidates should understand the architecture of the Linux kernel and how it allows device access. Furthermore, candidates should be able to manage Linux kernel modules, updates of the Linux kernel and use DKMS to install kernel modules.

Key Knowledge Areas:

  • Understanding the Linux startup process
  • Understanding the Linux kernel architecture, including kernel modules
  • Linux kernel release and versioning scheme
  • Linux kernel modules
  • DKMS
  • udev

Partial list of the used files, terms and utilities:

  • Bootloader
  • Kernel
  • Initramfs
  • Init
  • Udev
  • mkinitramfs
  • uname
  • Module configuration files in /etc/
  • modules.dep
  • depmod
  • modinfo
  • modprobe
  • insmod
  • lsmod
  • rmmod
  • kmod
  • dmesg
  • lshw
  • lspci
  • lsusb
  • udevadm monitor
  • /etc/udev
  • /proc
  • /proc/sys
  • /etc/sysctl.conf, /etc/sysctl.conf.d/
  • sysctl


201.2 Sytemd Startup Configuration (weight: 4)

Weight

4
Description Candidates should be able to configure the startup of a Linux system using system. This includes understanding the most important systemd concepts, including various unit types used to manage the system startup, as well as tools to configure the system startup.

Key Knowledge Areas:

  • Systemd concepts
  • Systemd unit types (Service, Socket, Target, Slice)
  • Systemd System and User Slices
  • Systemd Override and Drop-In Units
  • Awareness of SystemV init and OpenRC

Partial list of the used files, terms and utilities:

  • /usr/lib/systemd/
  • /etc/systemd/
  • /run/systemd/
  • systemctl
  • systemd-delta


201.3 systemd Security (weight: 2)

Weight

2
Description Candidates should be able to use systemd to protect and restrict processes started by systemd units.

Key Knowledge Areas:

  • Configure systemd units to run with specific privileges
  • Configure systemd units with a private /tmp directory
  • Use systemd to restrict device access of services
  • Use systemd to manage network accessiability of services
  • Awareness of capabilities and Cgroups

The following is a partial list of the used files, terms and utilities:

  • User
  • Group
  • SupplementaryGroups
  • PrivateTmp
  • DeviceAllow
  • IPAddressAllow
  • IPAddressDeny
  • RestrictNetworkInterfaces


201.4 Bootloaders and System Recovery (weight: 4)

Weight

4
Description Candidates should be able to properly manipulate a Linux system during both the boot process and during recovery mode. This objective includes using both the init utility and init-related kernel options. Candidates should be able to determine the cause of errors in loading and usage of bootloaders. GRUB version 2 and system-boot are the bootloader of interest. Both BIOS and UEFI systems are covered. Furthermore, configuring PXE and iPXE boot is covered.

Key Knowledge Areas:

  • BIOS and UEFI
  • GRUB version 2
  • GRUB shell
  • GRUB configuration
  • GRUB password security
  • systemd-boot installation
  • systemd-boot configuration
  • boot loader start and hand off to kernel
  • kernel loading
  • hardware initialization and setup
  • daemon/service initialization and setup
  • Know the different boot loader install locations on a hard disk or removable device.
  • Overwrite standard boot loader options and using boot loader shells.
  • Use systemd rescue and emergency modes.
  • Understanding of PXE and iPXE for both BIOS and UEFI

Partial list of the used files, terms and utilities:

  • mount
  • fsck
  • The contents of /boot/, /boot/grub/ and /boot/efi/
  • EFI System Partition (ESP)
  • GRUB
  • grub-install
  • bootctl
  • loader.conf
  • efibootmgr
  • efivar
  • UEFI shell
  • initrd, initramfs
  • Master boot record
  • GUID Partition Table
  • systemctl
  • pxelinux.0
  • pxelinux.cfg/
  • uefi/shim.efi
  • uefi/grubx64.efi



Topic 202: Advanced Storage Device Administration

202.1 Storage Device Integrity and Encryption (weight: 3)

Weight

3
Description Candidates should be able to maintain the integrity of storage device and encrypt the information stored on a storage device.

Key Knowledge Areas:

  • Query, understand and monitor SMART values
  • Understand the concepts of disk and file system encryption
  • Understand the concepts of dm-crypt and LUKS
  • Use LUKS to encrypt storage devices
  • Awareness of SAN, including relevant protocols (iSCSI, AoE, FCoE)
  • Awareness of WWID, WWN, LUN numbers

Partial list of the used files, terms and utilities:

  • smartd
  • smartctl
  • cryptsetup
  • /etc/crypttab


202.2 Configuring RAID (weight: 4)

Weight

4
Description Candidates should be able to configure and implement software RAID. This objective includes using and configuring RAID 0, 1 and 5.

Key Knowledge Areas:

  • Software RAID configuration files and utilities
  • Understanding the RAID levels 0, 1, 5 and 10
  • Awareness of the RAID levels 6, 7 and 50
  • Recovery of a failed RAID device
  • Replacement of a failed disk within a RAID device

Partial list of the used files, terms and utilities:

  • mdadm.conf
  • mdadm
  • /proc/mdstat


202.3 Logical Volume Manager (weight: 4)

Weight

4
Description Candidates should be able to create and remove logical volumes, volume groups, and physical volumes. This objective includes snapshots and resizing logical volumes.

Key Knowledge Areas:

  • Tools in the LVM suite
  • Resizing, renaming, creating, and removing logical volumes, volume groups, and physical volumes
  • Creating and maintaining snapshots
  • Activating volume groups

Partial list of the used files, terms and utilities:

  • /sbin/pv*
  • /sbin/lv*
  • /sbin/vg*
  • mount
  • /dev/mapper/
  • lvm.conf


202.4 Basic ZFS Operations (weight: 2)

Weight

2
Description Candidates should be able to create and manage a ZFS file system. This includes managing subvolumes and awareness of ZFS raid features.

Key Knowledge Areas:

  • Understand the concepts of ZFS
  • Create and use a ZFS file system
  • Create and manage ZFS subvolumes, including quota
  • Awareness of ZFS RAID features

Partial list of the used files, terms and utilities:

  • VDEV
  • Zpool
  • zfs



Topic 203: Advanced Networking Configuration

203.1 Runtime Networking Configuration (weight: 3)

Weight

3
Description Candidates should be able to configure wired and wireless network device using iproute2. This includes managing links, addresses and routes for IPv4 and IPv6.

Key Knowledge Areas:

  • Understand IPv4 and IPv6 addressing and routing
  • Manage wireless network interfaces
  • Manage links, addresses and routes using iproute2
  • Awareness of VLANs, bridges and bonds

Partial list of the used files, terms and utilities:

  • ip
  • iw
  • wpa_supplicant
  • iwd
  • iwctl


203.2 Persistent Network Configuration (weight: 4)

Weight

4
Description Candidates should be able to configure wired and wireless network device using NetworkMananger as well as systemd-networkd. This includes managing links, addresses and routes for IPv4 and IPv6.

Key Knowledge Areas:

  • Understand the architecture and configuration of NetworkMananger
  • Understand the architecture and configuration of systemd-networkd and systemd-resolved
  • Configure manual IPv4 and IPv6 addresses and routes
  • Configure automatic IPv4 and IPv6 configuration
  • Awareness of Netplan

Partial list of the used files, terms and utilities:

  • nmcli
  • nmtui
  • systemctl
  • networkctl
  • resolvectl
  • hostnamectl
  • Systemd network units


203.3 Network Troubleshooting (weight: 4)

Weight

4
Description Candidates should be able to identify and correct common network setup issues.

Key Knowledge Areas:

  • Determine what network configuration framework a system uses
  • Utilities to gain information about the network configuration
  • Identify common issues in network configuration and relate symptoms to configuration issues
  • Awareness of ifupdown, Wicked and netplan

Partial list of the used files, terms and utilities:

  • ip
  • ping
  • ss
  • lsof
  • nc
  • /etc/network/interfaces, /etc/sysconfig/network-scripts
  • mtr
  • hostname
  • /etc/resolv.conf
  • /etc/hosts
  • /etc/hostname



Topic 204: System Maintenance

204.1 Make and Install Programs from Source (weight: 2)

Weight

2
Description Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources.

Key Knowledge Areas:

  • Unpack source code using common compression and archive utilities.
  • Understand basics of invoking make to compile programs.
  • Apply parameters to a configure script.
  • Know where sources are stored by default.

Partial list of the used files, terms and utilities:

  • /usr/src/
  • /usr/local/src/
  • gunzip
  • gzip
  • bzip2
  • xz
  • zstd
  • tar
  • configure
  • make
  • uname
  • install
  • patch


204.2 Backup Operations (weight: 3)

Weight

3
Description Candidates should be able to use system tools to back up important system data.

Key Knowledge Areas:

  • Understand the concepts of backups, including common backup strategies
  • Knowledge about directories that have to be included in backups
  • Understand application aspects of backup consistency
  • Understand how to leverage file system or block device snapshots for backups
  • Knowledge of the benefits and drawbacks of tapes, disks or other backup media, including cloud storage
  • Perform partial and manual backups using Linux standard tools
  • Verify the integrity of backup files
  • Partially or fully restore backups
  • Awareness of rclone, BorgBackup and restic
  • Awareness of Bacula, Bareos and BackupPC

Partial list of the used files, terms and utilities:

  • Full, differential and incremental backups
  • dd
  • tar
  • /dev/st* and /dev/nst*
  • mt
  • rsync


204.3 Resource Management (weight: 4)

Weight

4

Description

Candidates should be able to measure hardware resource consumption. This includes identifying and troubleshooting resource problems. Furthermore, candidates should be able to restrict the consumption of hardware resources using systemd resource management features.

Key Knowledge Areas:

  • Measure CPU, memory, disk and I/O usage.
  • Match / correlate system symptoms with likely problems.
  • Estimate throughput and identify bottlenecks in a system including networking.
  • Manage resource consumption of systemd slices, scopes and services
  • Awareness of Cgroups

Partial list of the used files, terms and utilities:

  • iostat
  • iotop
  • vmstat
  • ss
  • iptraf-ng
  • iftop
  • ifstat
  • pstree, ps
  • w
  • lsof
  • top
  • uptime
  • sar
  • swap
  • systemctl
  • systemd-cgls
  • CPUWeight, CPUQuota, CPUQuotaPeriodSec, AllowedCPUs
  • MemoryMin, MemoryLow, MemoryHigh, MemoryMax
  • IOWeight, IODeviceWeight, IOReadBandwidthMax, IOReadIOPSMax, IODeviceLatencyTargetSec


204.4 Advanced Secure Shell (SSH) (weight: 3)

Weight

3
Description Candidates should be able to configure and secure an SSH daemon. This objective includes managing keys using an SSH CA. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.

Key Knowledge Areas:

  • OpenSSH configuration files, tools and utilities
  • Login restrictions for the superuser and the normal users
  • Using SSH to forward local and remote ports
  • Understand the concept of an SSH CA
  • Use an SSH CA to manage SSH keys
  • Awareness of SSH Banners

The following is a partial list of the used files, terms and utilities:

  • ssh
  • sshd
  • /etc/ssh/sshd_config
  • /etc/ssh/
  • PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication
  • ssh-keygen
  • AuthorizedPrincipalsFile
  • TrustedUserCAKeys



Topic 205: Configuration Management

205.1 Ansible Basics (weight: 4)

Weight

3
Description Candidates should be able to use Ansible to perform basic system configuration management and administration.

Key Knowledge Areas:

  • Understand the principles of automated system configuration and software installation
  • Understand how Ansible interacts with remote systems
  • Understand the requirements of Ansible on a target node
  • Create and maintain inventory files
  • Create, maintain and run Ansible playbooks, including tasks, handlers, conditionals, loops and registers
  • Awareness of dynamic inventory
  • Awareness of cloud-init

Partial list of the used files, terms and utilities:

  • ansible.cfg
  • ansible-playbook
  • ansible-doc


205.2 Ansible Modules (weight: 3)

Weight

3
Description Candidates should be able to use important and commonly used Ansible modules to automate basic Linux system administration tasks.

Key Knowledge Areas:

  • Understand and use Ansible roles and install Ansible roles from Ansible Galaxy
  • Understand and use important Ansible tasks

Partial list of the used files, terms and utilities:

  • file
  • copy
  • template
  • ini_file
  • lineinfile
  • patch
  • replace
  • user
  • group
  • command
  • shell
  • service
  • systemd
  • cron
  • apt
  • debconf
  • yum
  • git
  • debug
  • ansible-galaxy


205.3 Ansible Templates and Variables (weight: 4)

Weight

4
Description Candidates should be able to understand variables and facts and write simple Jinja2 templates.

Key Knowledge Areas:

  • Set and use variables and facts
  • Maintain secrets using Ansible vaults
  • Write Jinja2 templates, including using common filters, loops and conditionals

Partial list of the used files, terms and utilities:

  • Jinja2 syntax
  • ansible-vault



Objectives: Exam 202

Topic 206: Domain Name Server

206.1 Basic DNS Server Configuration (weight: 3)

Weight

3
Description Candidates should be able to configure BIND to function as an authoritative and as a recursive, caching-only DNS server. This objective includes the ability to manage a running server and configuring logging.

Key Knowledge Areas:

  • Understanding the principles of the Domain Name System
  • BIND 9.x configuration files, terms and utilities
  • Defining the location of the BIND zone files in BIND configuration files
  • Reloading modified configuration and zone files
  • Awareness of dnsmasq and PowerDNS as alternate name servers

The following is a partial list of the used files, terms and utilities:

  • named.conf
  • rndc
  • named-checkconf
  • host
  • dig


206.2 Create and Maintain DNS Zones (weight: 3)

Weight

3
Description Candidates should be able to create a zone file for a forward or reverse zone. This objective includes setting appropriate values for records, adding hosts in zones and adding zones to the DNS. A candidate should also be able to delegate zones to another DNS server.

Key Knowledge Areas:

  • BIND 9 configuration files, terms and utilities
  • Utilities to request information from the DNS server
  • Layout, content and file location of the BIND zone files
  • Various methods to add a new host in the zone files, including reverse zones

The following is a partial list of the used files, terms and utilities:

  • /var/named/
  • zone file syntax
  • resource record formats
  • named-checkzone
  • named-compilezone
  • masterfile-format


206.3 Securing a DNS Server (weight: 2)

Weight

2
Description Candidates should be able to secure a BIND DNS server. This objective includes secure exchange of data between DNS servers. Furthermore, this topic includes awareness of DNSSEC and DANE. This objectives covers BIND version 9.16 or a later version.

Key Knowledge Areas:

  • BIND 9 configuration files
  • Split configuration of BIND using the forwarders statement
  • Configuring and using transaction signatures (TSIG)
  • Key & Signing Policy (KASP)
  • Awareness of DNSSEC and basic tools
  • Awareness of DANE and related records

The following is a partial list of the used files, terms and utilities:

  • /etc/named.conf
  • DNSSEC
  • dnssec-policy
  • tsig-keygen



Topic 207: HTTP Services

207.1 HTTP Protocol (weight: 2)

Weight

2
Description Candidates should understand the basics of the HTTP procotol. This includes major differences of HTTP versions, important headers as well as how HTTP is used in various other standards.

Key Knowledge Areas:

  • Understanding the principles of HTTP versions 1.1, 2 and 3
  • Understanding the principle of virtual hosts
  • Understanding the principles of proxy servers and application layer gateways
  • Application Server Integration

The following is a partial list of the used files, terms and utilities:

  • HTTP methods and status codes
  • HTTP headers
  • HTTP cookies
  • CGI, FastCGI, WSGI, AJP


207.2 HTTPS, PKI and TLS (weight: 4)

Weight

4
Description Candidates should understand how X.509 Public Key Infrastructures work. This includes procuring X.509 certifications from an existing certificate authority, as well as understanding the cryptographic basics involved in PKI. Furthermore candidates should understand the principles of TLS, in order to be able to configure various services to use TLS for connection encryption.

Key Knowledge Areas:

  • Cryptographic concepts
  • TLS and SNI
  • X.509 certificates, including important fields for HTTPS
  • PKI
  • Generate a self-signed Certificate
  • Generate a server private key and CSR for a commercial CA
  • Install the key and certificate, including intermediate CAs
  • Let's Encrypt for certificate procurement
  • Security issues in SSL use, awareness of insecure protocols and ciphers

The following is a partial list of the used files, terms and utilities:

  • Symmetric and asymmetric cryptography
  • Hash functions
  • Key exchange algorithms
  • Perfect forward secrecy
  • Certification Authorities
  • ACME, including challenges
  • openssl
  • certbot


207.3 Apache HTTPD Configuration (weight: 4)

Weight

4
Description Candidates should be able to install and configure a web server using Apache HTTPD. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.

Key Knowledge Areas:

  • Apache HTTPD 2.4 architecture, configuration files, terms and utilities
  • Apache HTTPD Virtual host implementation (with and without dedicated IP addresses)
  • HTTPS configuration for IP and name-based virtual hosts
  • Apache log files configuration and content
  • Access restriction methods and files
  • Client user authentication files and utilities
  • Using redirect statements in Apache's configuration files to customize file access
  • Configure reverse proxies for HTTP, FastCGI, WSGI and AJP
  • mod_php and PHP FPM
  • mod_python and Python WSGI
  • Configuration of maximum requests, minimum and maximum servers and clients
  • Awareness of mod_security and mod_evasive

The following is a partial list of the used files, terms and utilities:

  • access logs and error logs
  • .htaccess
  • httpd.conf
  • mod_auth_basic, mod_authz_host and mod_access_compat
  • htpasswd
  • AuthUserFile, AuthGroupFile
  • SSLEngine, SSLCertificateKeyFile, SSLCertificateFile
  • SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable
  • apachectl, apache2ctl
  • httpd, apache2


207.4 NGINX Configuration (weight: 4)

Weight

4
Description Candidates should be able to install and configure a web server using NGINX. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. Candidates should be able to configure a web server to use virtual hosts and customize file access.

Key Knowledge Areas:

  • NGINX architecture, configuration files, terms and utilities
  • NGINX virtual host implementation (with and without dedicated IP addresses)
  • HTTPS configuration for IP and name-based virtual hosts
  • NGINX log files configuration and content
  • Access restriction methods and files
  • Client user authentication files and utilities
  • Configure redirects
  • Configure reverse proxies for HTTP, FastCGI, WSGI and AJP
  • Configuration of maximum requests, minimum and maximum servers and clients

The following is a partial list of the used files, terms and utilities:

  • nginx



Topic 208: File Sharing

208.1 Samba File Server Configuration (weight: 4)

Weight

4
Description Candidates should be able to set up a Samba server for various clients. This objective includes setting up Samba as a standalone server as well as integrating Samba as a member in an Active Directory. Furthermore, the configuration of simple CIFS file and printer shares is covered. Also covered is configuring a Linux client to use a Samba server. Troubleshooting installations is also tested. Setting up and managing an Active Directory domain is not part of the objectives.

Key Knowledge Areas:

  • Samba 4 configuration files
  • Samba 4 tools and utilities and daemons
  • Mounting CIFS shares on Linux
  • Mapping Windows user names to Linux user names
  • User-level security
  • Active Directory membership

The following is a partial list of the used files, terms and utilities:

  • samba, smbd, nmbd, winbindd
  • smbcontrol, smbstatus, testparm, smbpasswd
  • samba-tool
  • net
  • smbclient
  • mount.cifs
  • /etc/samba/


208.2 NFS Server Configuration (weight: 3)

Weight

3
Description Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.

Key Knowledge Areas:

  • NFS version 3 and 4 configuration files
  • NFS tools and utilities
  • Access restrictions to specific hosts and/or subnets
  • Mount options on server and client

The following is a partial list of the used files, terms and utilities:

  • /etc/exports
  • exportfs
  • showmount
  • nfsstat
  • /proc/mounts
  • /etc/fstab
  • rpcinfo
  • mountd
  • portmapper



Topic 209: Network Client Management

209.1 DHCP Configuration (weight: 3)

Weight

3
Description Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.

Key Knowledge Areas:

  • ISC DHCP configuration files, terms and utilities for DHCPv4
  • ISC DHCP configuration files, terms and utilities for DHCPv6
  • radvd configuration files, terms and utilities for IPv6 SLAAC
  • Subnet and dynamically-allocated DHCP range setup
  • Subnet and host-specific DHCP range setup
  • DHCPv4 and DHCPv6 options for PXE boot
  • Awareness of Kea

The following is a partial list of the used files, terms and utilities:

  • dhcpd.conf
  • dhcpd6.conf
  • dhcpd.leases
  • dhcpd6.leases
  • radvd.conf
  • dhcpd
  • radvd
  • DHCP Log messages in syslog or systemd journal


209.2 PAM Authentication (weight: 4)

Weight

4
Description The candidate should be able to configure PAM to support authentication using various available methods. This includes basic SSSD functionality as well as configuring 2 factor authentication.

Key Knowledge Areas:

  • PAM configuration files, terms and utilities
  • passwd and shadow passwords
  • Use sssd for LDAP authentication
  • Use 2 factor authentication for SSH access

The following is a partial list of the used files, terms and utilities:

  • /etc/pam.d/
  • pam.conf
  • nsswitch.conf
  • pam_unix, pam_pwquality, pam_limits, pam_listfile, pam_sss, pam_oath and pam_otp
  • sssd.conf
  • /etc/users.oath
  • oathtool
  • /etc/ssh/sshd_config (ChallengeResponseAuthentication, UsePAM)


209.3 LDAP Client Usage (weight: 2)

Weight

2
Description Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users. Setting up and managing an LDAP server is not part of this objective.

Key Knowledge Areas:

  • Understand key concepts of LDAP
  • LDAP utilities for data management and queries
  • Change user passwords
  • Querying the LDAP directory

The following is a partial list of the used files, terms and utilities:

  • ldapsearch
  • ldappasswd
  • ldapadd
  • ldapdelete


209.4 Authentication Mechanisms and Standards (weight: 2)

Weight

2
Description Candidates should be able to understand the main principles of various authentication mechanisms and standards, including their use in Linux and Linux-based services. Setting up the various services is not part of the objectives.

Key Knowledge Areas:

  • Directory service and authentication standards
  • Domains and authentication management systems
  • Web-based authentication standards
  • Multi-factor authentication and one-time passwords (OTP)
  • Understanding the most important properties and use cases of relevant protocols and standards

The following is a partial list of the used files, terms and utilities:

  • LDAP
  • Kerberos 5
  • Active Directory
  • FreeIPA
  • Oauth2
  • OpenID Connect



Topic 210: Email Services

210.1 Managing Email Transfer (weight: 4)

Weight

4
Description Candidates should be able to manage an email server, including the configuration of email aliases, email quotas and virtual email domains. This objective includes configuring internal email relays and monitoring email servers.

Key Knowledge Areas:

  • Configuration files for postfix
  • Basic TLS configuration for postfix
  • Basic knowledge of the SMTP protocol
  • Configure Postfix for SASL authentication using cyrus-sasl
  • Configure nullmailer for email relay
  • Awareness of exim

The following is a partial list of the used files, terms and utilities:

  • Configuration files and commands for postfix
  • /etc/postfix/
  • /var/spool/postfix/
  • /etc/aliases
  • mail-related logs in /var/log/
  • /etc/sasl2/smtpd.conf
  • testsaslauthd
  • nullmailer/me
  • nullmailer/remotes
  • nullmailer/defaultdomain


210.2 Managing Email Delivery (weight: 2)

Weight

2
Description Candidates should be able to implement client email management software to filter, sort and monitor incoming user email.

Key Knowledge Areas:

  • Understanding of Sieve functionality, syntax and operators
  • Use Sieve to filter and sort mail with respect to sender, recipient(s), headers and size

The following is a partial list of the used files, terms and utilities:

  • Conditions and comparison operators
  • keep, fileinto, redirect, reject, discard, stop
  • Dovecot vacation extension


210.3 Managing Mailbox Access (weight: 2)

Weight

2
Description Candidates should be able to install and configure IMAP daemons.

Key Knowledge Areas:

  • Dovecot IMAP configuration and administration
  • Basic TLS configuration for Dovecot

The following is a partial list of the used files, terms and utilities:

  • /etc/dovecot/
  • dovecot.conf
  • doveconf
  • doveadm



Topic 211: Network Security

211.1 Routing and Packet Filtering (weight: 4)

Weight

4
Description Candidates should be able to configure a system to forward IP packet and perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.

Key Knowledge Areas:

  • Understand the concepts of routing, network address translation and packet filtering
  • Understand the concepts and differences of iptables and nftables
  • Query packet filter ruleset using nft
  • List and write filtering and rules that accept or block IP packets based on source or destination protocol, port and address using iptables and ip6tables compatibility commands
  • Tools, commands and utilities to manage routing tables.
  • Private address ranges (IPv4) and Unique Local Addresses as well as Link Local Addresses (IPv6)
  • Port redirection and IP forwarding
  • Understand the main concepts of firewalld
  • Use firewalld to implement a simple edge node and router firewall
  • Awareness of ufw

The following is a partial list of the used files, terms and utilities:

  • /proc/sys/net/ipv4/
  • /proc/sys/net/ipv6/
  • /etc/sysctl.conf and /etc/sysctl.conf.d/
  • /etc/services
  • iptables
  • ip6tables
  • nft
  • firewall-cmd
  • /etc/firewalld/firewalld.conf


211.2 Security Assessment and Intrusion Prevention (weight: 3)

Weight

3
Description Candidates should be able to confirm the effectiveness of security measures. This includes determining which services run on their servers. Furthermore, candidates should understand the concepts of tools commonly used to improve network security.

Key Knowledge Areas:

  • Scan and test open ports on a server
  • Understand and configure fail2ban
  • Understand the concepts of common features of network intrusion detection and prevention systems
  • Understand the concepts of common features of network vulnerability scanners
  • Understand the concepts of common features of packet sniffers
  • Awareness of Snort and Suricata
  • Awareness of OpenVAS and Metasploit
  • Awareness of Wireshark

The following is a partial list of the used files, terms and utilities:

  • fail2ban
  • nmap
  • nc


211.3 Virtual Private Networks (weight: 5)

Weight

5
Description Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.

Key Knowledge Areas:

  • Understand the concepts of a virtual private network
  • Understand the different requirements of site-to-site and dial-in VPN
  • Basic configuration of OpenVPN as site-to-site and dial-in VPN
  • Basic configuration of Wireguard as a site-to-site VPN
  • Awareness of the main differences between OpenVPN and Wireguard
  • Awareness of IPsec and IKE2

The following is a partial list of the used files, terms and utilities:

  • /etc/openvpn/
  • openvpn
  • /etc/wireguard/
  • wg
  • wg-quick



Future Change Considerations

Future changes to the objective will/may include:

  • Remove paths to commands and configuration files wherever possible
Retrieved from "https://wiki.lpi.org/w/index.php?title=LPIC-2_Objectives_V5.0&oldid=5850"