________________________________________________________________
Are you interested in this course in online or in-person format?
Contact us
📧 info@nanforiberica.com • 📞 +34 91 031 66 78 • 📱 +34 685 60 05 91 (WhatsApp)
________________________________________________________________
ATTENTION: If you belong to the LaaS Cert program, the training does not include an exam.
Official Linux LPIC-3 Security Course – Exam 303
What is LPIC-3 Security certification?
The LPIC-3 Security certification is the expert level of the Linux Professional Institute (LPI) certification program, geared towards professionals who manage Linux systems in enterprise environments with an advanced focus on security.
The LPIC-3 Exam 303 validates skills in cryptography, host security, access control, network security, firewalls and VPNs on Linux, and is one of the most internationally recognized Linux certifications.
This course covers the topics needed to prepare for exam 303, which is required for the Linux LPI LPIC-3 certification.
Course duration: 165 hours
Access to the classroom: 3 months
Who is the LPIC-3 Security course aimed at?
This official course is aimed at:
- Linux system administrators with advanced experience
- Cybersecurity professionals in Linux environments
- Systems and Network Engineers
- IT consultants specializing in Linux infrastructures
- Professionals who already have LPIC-2 certification and wish to reach the expert level
It is especially recommended for those working in enterprise Linux security, access management, data protection, and critical environments.
Benefits of obtaining LPIC-3 Security certification
Obtaining LPIC-3 Security certification allows you to:
- Demonstrate expert knowledge in enterprise Linux security
- Specialize in cryptography, access control, and network security
- Improve your professional profile in the areas of Linux cybersecurity
- Access high-level technical roles and greater employability
- Obtain a vendor-neutral, internationally recognized certification
Contents for the LPIC-3 Enterprise Security certification
To receive the LPIC-3 Enterprise Security certification, you must be LPIC-2 certified and pass exam 303.
LPIC-3 exam 303:
- Topic 331: Cryptography
- Topic 332: Access Control
- Topic 333: Application Security
- Topic 334: Operations Security
- Topic 335: Network Security
Linux LPIC-3 Security course content. Exam 303
Topic 331: Cryptography
331.1 X.509 Certificates and Public Key Infrastructures
Candidates must understand X.509 certificates and public key infrastructures. They must know how to configure and use OpenSSL to implement certificate authorities and issue SSL certificates for various purposes.
Key areas of knowledge:
- Understand X.509 certificates, the X.509 certificate lifecycle, X.509 certificate fields, and X.509v3 certificate extensions
- Understanding trust chains and public key infrastructures, including certificate transparency.
- Generate and manage public and private keys
- Create, operate and secure a certification authority
- Request, sign, and manage server and client certificates
- Revoke certificates and certification authorities
- Knowledge of the basic functions of Let's Encrypt, ACME and certbot
- Knowledge of the basic characteristics of CFSSL
331.2 X.509 Certificates for encryption, signing, and authentication
Candidates must be able to use X.509 certificates for both server and client authentication. This includes implementing user and server authentication for Apache HTTPD. The Apache HTTPD version covered is 2.4 or higher.
Key areas of knowledge:
- Understand SSL, TLS, including protocol versions and ciphers.
- Configure Apache HTTPD with mod_ssl to provide HTTPS service, including SNI and HSTS
- Configure Apache HTTPD with mod_ssl to serve certificate chains and adjust the cipher configuration (no cipher-specific knowledge required)
- Configure Apache HTTPD with mod_ssl to authenticate users using certificates
- Configure Apache HTTPD with mod_ssl to provide OCSP stapling
- Use OpenSSL for SSL/TLS client and server testing
331.3 Encrypted File Systems
Candidates must be able to install and configure encrypted file systems.
Key areas of knowledge:
- Understanding block device and file system encryption
- Use dm-crypt with LUKS1 to encrypt block devices
- Use eCryptfs to encrypt file systems, including home directories, and PAM integration.
- Awareness of plain dm-crypt
- Awareness of LUKS2 features
- Conceptual understanding of Clevis for LUKS devices and Clevis PINs for TPM2 and Network Bound Disk Encryption (NBDE)/Tang
331.4 DNS and cryptography
Candidates must have experience and knowledge of cryptography in the context of DNS and its implementation using BIND. The BIND version covered is 9.7 or higher.
Key areas of knowledge:
- Understand the concepts of DNS, zones, and resource records.
- Understand DNSSEC, including key signing keys, zone signing keys, and relevant DNS records such as DS, DNSKEY, RRSIG, NSEC, NSEC3 and NSEC3PARAM
- Configure and troubleshoot BIND as an authoritative name server serving DNSSEC protected zones
- Manage DNSSEC signed zones, including key generation, key rollover, and re-signing of zones
- Configure BIND as a recursive name server that performs DNSSEC validation on behalf of its clients
- Understand CAA and DANE, including relevant DNS records such as CAA and TLSA
- Use CAA and DANE to publish X.509 certificate and certificate authority information in DNS
- Use TSIG for secure communication with BIND
- Knowledge of DNS over TLS and DNS over HTTPS
- Awareness of Multicast DNS
Topic 332: Host Security
332.1 Host Hardening
Candidates must be able to protect computers running Linux against common threats.
Key areas of knowledge:
- Configure BIOS and bootloader (GRUB 2) security
- Deactivate unused software and services
- Understand and drop unnecessary capabilities for specific systemd units and for the entire system
- Understanding and configuring Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Exec-Shield
- Whitelist and blacklist USB devices attached to a computer using USBGuard
- Create an SSH CA, create SSH certificates for host and user keys using the CA, and configure OpenSSH to use SSH certificates
- Working with chroot environments
- Use systemd units to limit system calls and capabilities available to a process
- Use systemd units to start processes with limited or no access to specific files and devices
- Use systemd units to start processes with dedicated temporary and /dev directories and no network access
- Understand the implications of Linux Meltdown and Spectre mitigations and enable/disable the mitigations
- Awareness of polkit
- Awareness of the security advantages of virtualization and containerization
332.2 Host Intrusion Detection
Candidates should be familiar with the use and configuration of common host intrusion detection software. This includes managing Linux audit systems and verifying system integrity.
Key areas of knowledge:
- Using and configuring the Linux audit system
- Use chkrootkit
- Using and configuring rkhunter, including updates
- Use Linux Malware Detect
- Automate host scans using cron
- Use the RPM and DPKG package management tools to verify the integrity of the installed files.
- Configure and use AIDE, including rules management
- Awareness of OpenSCAP
332.3 Resource Control
Candidates should be able to restrict the resources that services and programs can consume.
Key areas of knowledge:
- Understanding and configuring ulimits
- Understanding cgroups, including classes, limits, and accounting.
- Manage cgroups and process cgroup associations
- Understanding systemd slices, scopes, and services
- Use systemd units to limit the system resources that processes can consume.
- Knowledge of the cgmanager and libcgroup utilities
Topic 333: Access Control
333.1 Discretionary access control
Candidates must understand discretionary access control (DAC) and know how to implement it using access control lists (ACLs). They must also understand and know how to use extended attributes.
Key areas of knowledge:
- Understand and manage file ownership and permissions, including SetUID and SetGID bits
- Understanding and managing access control lists
- Understanding and managing extended attributes and attribute classes
333.2 Mandatory access control
Candidates should be familiar with mandatory access control (MAC) systems for Linux. Specifically, they should have a thorough understanding of SELinux. They should also be familiar with other mandatory access control systems for Linux. This includes the main features of these systems, but not their configuration or usage.
Key areas of knowledge:
- Understand the concepts of type enforcement, role-based access control, mandatory access control, and discretionary access control.
- Configure, manage and use SELinux
- Knowledge of AppArmor and Smack
Topic 334: Network Security
334.1 Network Hardening
Candidates must be able to protect networks against common threats. This includes analyzing network traffic from specific nodes and protocols.
Key areas of knowledge:
- Understanding the security mechanisms of wireless networks
- Configure FreeRADIUS to authenticate network nodes
- Use Wireshark and tcpdump to analyze network traffic, including filters and statistics.
- Use Kismet to analyze wireless networks and capture wireless network traffic
- Identify and address rogue router advertisements and DHCP messages
- Awareness of aircrack-ng and bettercap
334.2 Network Intrusion Detection
Candidates must be familiar with the use and configuration of network scanning, monitoring, and intrusion detection software. This includes updating and maintaining security scanners.
Key areas of knowledge:
- Implement bandwidth usage monitoring
- Setting up and using Snort, including rules management
- Configure and use OpenVAS, including NASL
334.3 Packet Filtering
Candidates should be familiar with the use and configuration of the Linux netfilter packet filter.
Key areas of knowledge:
- Understanding common firewall architectures, including the DMZ
- Understand and use iptables and ip6tables, including standard modules, tests, and targets.
- Implement packet filtering for IPv4 and IPv6
- Implement connection tracking and network address translation
- Manage IP sets and use them in netfilter rules
- Awareness of nftables and nft
- Awareness of ebtables
- Awareness of conntrackd
334.4 Virtual Private Networks
Candidates should be familiar with using OpenVPN, IPsec, and WireGuard to configure remote access and site-to-site VPNs.
Key areas of knowledge:
- Understand the principles of routed and bridged VPNs
- Understand the principles and key differences of the OpenVPN, IPsec, IKEv2, and WireGuard protocols
- Configure and operate OpenVPN servers and clients
- Configure and operate IPsec servers and clients using strongSwan
- Configure and operate WireGuard servers and clients
- Awareness of L2TP
Topic 335: Threats and vulnerability assessment
335.1 Common security vulnerabilities and threats
Candidates must understand the principles of the main types of vulnerabilities and security threats.
Key areas of knowledge:
- Conceptual understanding of threats against individual nodes
- Conceptual understanding of network threats
- Conceptual understanding of threats to the application
- Conceptual understanding of threats to credentials and confidentiality
- Conceptual understanding of honeypots
335.2 Penetration tests
Candidates must understand penetration testing concepts, including knowledge of commonly used tools. In addition, they must be able to use nmap to verify the effectiveness of network security measures.
Key areas of knowledge:
- Understand the concepts of penetration testing and ethical hacking.
- Understanding the legal implications of penetration testing
- Understanding the phases of penetration testing, such as active and passive information gathering, enumeration, gaining access, privilege escalation, maintaining access, and covering tracks.
- Understand the architecture and components of Metasploit, including the types of Metasploit modules and how Metasploit integrates various security tools.
- Use nmap to scan networks and hosts, including different scanning methods, version scans, and operating system recognition.
- Understand the concepts of the Nmap Scripting Engine and run existing scripts
- Knowledge of Kali Linux, Armitage, and the Social Engineering Toolkit (SET)
Language
- The e-Learning components on which the training is based are available in English and Spanish.
- Languages available for the exam at VUE test centers: English, Japanese
- Languages for the exam available online through OnVUE: English, Japanese
Prerequisites for the LPIC-3 Security Exam 303 course
To take the course and qualify for LPIC-3 Security certification, you need to:
- Have active LPIC-2 certification
- Experience in advanced Linux system administration is required.
- Prior knowledge of Linux networks, users, permissions, and services
Official Linux LPI course taught by Nanfor
Nanfor is an official training partner and offers this official Linux LPIC-3 Security course aligned with the LPI's 303 exam objectives.
The training is delivered with official content, a practical approach and specialized support, guaranteeing a solid preparation for certification.