Behind Red Hat Server Hardening (RH413)

by Scott McBrien (Red Hat)

My name is Scott McBrien. I work for the Red Hat Training Curriculum Development Team and was the project leader for the development of the Red Hat Server Hardening (RH413) course. Before joining the Red Hat Training Curriculum Development Team, I worked as both a Red Hat training instructor and consultant. I hope that my field experiences show through in our new class.

When I first started thinking of writing a security-focused class, I tried to think about what story would make a compelling course that I, and other systems administrators, would like to attend. One of the topics that I have seen grow to be pervasive in the systems administration community is Security Policy Compliance. Many of us have had the lovely experience of having someone from another team, or an outside consultant, come in to run some type of scanning software against our machine, and say “You’re not in compliance with SECURITY-STANDARD”. In my experience, the systems administrator is told to fix the deficiency without a lot of direction from the person telling them that there’s a problem, or worse, they are given instructions by someone who is not an expert on the technology, which fixes the audit deficiency but causes problems down the line. A situation that I see over and over again is systems administrators being told to install non-supported software on their Red Hat Enterprise Linux machines because the version they have is “old” or “vulnerable”. In reality, Red Hat does a lot of work to publish updates to Red Hat Enterprise Linux (and other products) so that an administrator can use supported, packaged software from Red Hat and not have software open to known vulnerabilities. Red Hat’s update management and application of updates is the first topic in “Red Hat Server Hardening”.

As it turns out, a lot of the popular Security Policy Standards (DISA STIG [SCAP], PCI, SOX, HIPAA, etc.) share some common topics (password management, for example). The settings required by the different standards vary, but using Pluggable Authentication Modules (PAM) to enforce password requirements is something that can be used, with some configuration changes, to resolve the requirements across many of the standards.
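To illustrate that point, here is an added example (not from the course or the post) in Python that models the credit semantics of the pam_pwquality/pam_cracklib options minlen, dcredit, ucredit, lcredit and ocredit, and checks a candidate password against two constructed profiles. The profile values are illustrative assumptions, not the settings any particular standard prescribes.

```python
"""Simplified model of PAM password-quality credit semantics.

Semantics (as documented for pam_pwquality): a credit value N >= 0 means up to
N characters of that class count as extra length toward minlen; a value N < 0
means the password must contain at least |N| characters of that class.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PwPolicy:
    minlen: int
    dcredit: int = 0  # digits
    ucredit: int = 0  # upper case
    lcredit: int = 0  # lower case
    ocredit: int = 0  # other (non-alphanumeric)


# Constructed, illustrative profiles -- NOT quoted from any standard.
PROFILES = {
    "strict": PwPolicy(minlen=14, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1),
    "lenient": PwPolicy(minlen=8, dcredit=1, ucredit=1, lcredit=1, ocredit=1),
}


def check_password(pw: str, policy: PwPolicy) -> list:
    """Return a list of violations; an empty list means the password complies."""
    counts = {
        "dcredit": sum(c.isdigit() for c in pw),
        "ucredit": sum(c.isupper() for c in pw),
        "lcredit": sum(c.islower() for c in pw),
        "ocredit": sum(not c.isalnum() for c in pw),
    }
    violations = []
    effective = len(pw)  # length plus any earned credits
    for name, count in counts.items():
        credit = getattr(policy, name)
        if credit < 0:
            if count < -credit:
                violations.append(f"{name}: need at least {-credit}, got {count}")
        else:
            effective += min(count, credit)
    if effective < policy.minlen:
        violations.append(f"minlen: effective length {effective} < {policy.minlen}")
    return violations


def compliant_profiles(pw: str) -> list:
    """Names of the profiles (sorted) that the password satisfies."""
    return sorted(n for n, p in PROFILES.items() if not check_password(pw, p))
```

Running the same checker with a different profile is the whole point: the mechanism stays constant while only the parameters change per standard.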

Next, we thought about which standard we should use for the class. US Government customers would likely unanimously vote DISA STIG, healthcare customers would probably promote HIPAA, general commercial customers PCI or SOX. Instead, what we decided was to take a look at a variety of standards and pick topics that were somewhat common across them and that might be challenging or new to students who had already mastered the RHCE skill set.

While not every topic might be job deployable for every student, I think that we’ve put together a list of interesting topics, and I hope students who attend the Red Hat Server Hardening (RH413) course agree.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

  1. The curriculum for a 4xx course looks a bit weak at first glance when it comes to server hardening. I have followed the recommendations from http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf for a long time. It’s designed for RHEL 5, but most of the best practices can be applied to RHEL 6. I’ve followed RH courses since 2007 from RHCT – RHCDS, missing only RH442; the addition of RH413 is a big plus, but I would like to see a broader coverage of security topics that do not overlap RH333.

