
Linux Hardening Intermediate - 4 days - 4200€ excl. VAT

Description

Linux systems form the basis of most infrastructures and workstations. However, a default configuration generally does not limit the impact in the event of a service compromise, nor does it hinder lateral movement. Securing these environments relies on mastering the OS's native restriction and isolation tools.

During this four-day training course, participants will cover four technical modules dedicated to hardening Linux systems: mandatory access control (AppArmor), network filtering (nftables), process containment (systemd), and rootless containerization (podman). These concepts will be systematically put into practice through dedicated labs, ranging from writing strict profiles to manually isolating processes using kernel primitives.

  • 4 days (28 hours)

  • 4 technical modules dedicated to restriction and isolation mechanisms under Linux

  • Individual Linux virtual machines

  • Strongly hands-on approach (writing AppArmor profiles, configuring nftables, systemd hardening, manual containerization and containerization via Podman)

Objectives

  • Understanding and deploying sandboxing mechanisms under Linux
  • Setting up a firewall and filtering network traffic in a granular manner
  • Confining system services and restricting their privileges
  • Isolating processes manually (namespaces, chroot) and via containerization

Audience and prerequisites

This training is designed for technical professionals who want to design, administer, or audit hardened Linux systems.

  • Linux System Administrators

  • Secure Application Developers

  • Security Engineers / DevSecOps

A solid understanding of Linux system administration (command line, process management, file systems) as well as basic networking (TCP/IP) and firewall (iptables/nftables) knowledge is required to complete the various modules.

Content

Day 1: AppArmor

Sandboxing mechanisms: overview of solutions under Linux, comparison of SELinux and AppArmor. AppArmor fundamentals: understanding a profile, cheat sheet of useful commands, common pitfalls. Creation and modification: modifying existing profiles, writing profiles from scratch. Advanced syntax: fine-grained control of transitions (clean exec, profile stacking), network access control, resource limits. Multiple launches: running two instances of a program with separate profiles. Labs: writing profiles, creating a jailed shell (read-only command prompt without network access).

Day 2: Nftables

Netfilter: the hook system, comparison of iptables vs. nftables. Nftables syntax: rule structure, conntrack and NAT management. Advanced filtering: filtering outbound traffic by UID/GID. Operations: counters, logging, and monitoring for rule debugging. Labs: setting up a state-of-the-art nftables firewall on a Linux VM, implementing outbound traffic filtering.

Day 3: Systemd

Overview: systemd architecture and project. Init management: replacing initrc, systemd services. Hardening: hardening systemd units (file system restrictions, network, capabilities). Advanced features: socket activation. System replacements: replacing cron (systemd timers), ifupdown (systemd-networkd), grub (systemd-boot), resolvconf (systemd-resolved), rsyslog (systemd-journald). Labs: auditing and hardening systemd units.

Day 4: Podman

Isolation concepts: an introduction to the basic tools of modern containers. Manual isolation (labs): isolating a process from the filesystem (chroot), isolating it from the network (unshare), controlling network access. Modern containerization: fundamental differences between Docker and Podman. Using Podman (labs): compiling exotic code (cross-compilation) without polluting the host system, launching an untrusted graphical application in isolation.

All the details regarding how the training is conducted are described on this page.