Linux Security & Hardening

Learn more


Advanced RHEL/CentOS Defensive Security & Hardening is dedicated training about how we can protect and attack a Linux OS. Linux Kernel Runtime Guard, sandboxing, root user limitation and low-level accountability, ACL, service isolation on different layers: seccomp, namespaces, capabilities, or SELinux are just the beginning of the fun.

During dedicated labs, you will find out how to use different offensive and defensive tools, scripts, services, and techniques to better understand how an attacker thinks and what are the most important actions of this modern adversary. Additionally, you will explore how to design secure, hardened systems and applications network services. Training content in the formula “protection vs attack” will help you understand risks, identify network security blind spots and unexpected, uncovered spaces inside an OS.

This training is intended to increase the skills needed to ensure data integrity on a critical system for organizations with the highest security standards. The discussed methods of automation will support the process of achieving compliance.


  • Introduction:
    • Defense in depth
    • DevSecOps methodology
    • Threat hunting
    • NIST / STIG / CIS benchmarks
    • MITRE ATT&CK Framework
  • The current state of Linux malware / APT campaigns:
    • User space rootkits:
    • Kernel space rootkits
  • Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
  • Secure file system design:
    • Attributes
    • Flags
    • ACL
    • FS encryption
    • Hardlinks & Symlinks
  • Local and network-based vulnerability scanning / CVE tracking at scale:
    • Host
    • Container
  • Local and external enumeration and reconnaissance tactics
  • Hardened binaries: 
    • SSP
    • NX
    • PIE
    • RELRO
    • ASLR
  • The importance of SELinux:
    • Targeted policy vs exploits
    • SELinux Architecture and capabilities:
      • Flask Model
      • Mandatory Access Control
      • Rule-Based Access Control
      • Multi-Level Security
      • Multi-Category Security
      • Domains and types, security context, domain and type transition
    • Analysis of targeted SELinux policy:
      • Source code analysis of RHEL / CentOS and Tresys Reference Policy
      • Types and modes
      • Filesystem locations
    • SELinux module development and compilation:
      • Syntax of m4 language
      • Classes and objects
      • Interfaces and macros
      • Aliases, types, and attributes
      • Boolean variables definition
      • Compilation modes
    • Access Vector Cache
    • Tools used to create and modify the SELinux policy.
    • Creating SELinux users and roles.
    • Using SELinux for hardening Docker containers and cloud environments.
    • SELinux against exploits → real security use-cases.
    • SELinux tips and tricks.
  • Linux capabilities vs SUID attacks
  • $PATH Hijacking
  • Restricted shells + PAM
  • System call restriction - seccomp-BPF vs exploits
  • In-memory process execution
  • Shared library injection
  • Chroot / jail / nsjail vs escaping
  • Linux Containers - Docker security vs escaping
  • LKM-off / ptrace-yama / and other important sysctl enforcing options
  • Debuggers and profilers:
    • gdb
    • strace
    • ltrace
    • ldd
    • yara
  • Behavioral analysis and hacker’s fishing:
    • systemtap
    • eBPF
    • sysdig
  • Integrity checking - IMA/EVM
  • Grub and secure boot configuration
  • Linux Domain Controller:
    • HBAC
    • SUDO
    • RBAC
  • File Access Policy Daemon 
  • PAM configuration: 2FA / sudo_pair / time-based access
  • Secure SSH / SCP / SFTP + tips and tricks
  • NFS (In)Security
  • Advanced network packet filtering:
    • iptables / nftables / ebtables
    • TOR detection, ipsets, IP reputation, port knocking
  • Linux visibility, auditing & accounting:
    • auditd
    • syslog
    • OSSEC
    • OSquery
    • Falco
    • Tracee
  • Memory forensics - Volatility Framework vs Linux malware.
  • Automation of STIG Hardening standard by using:
    • Ansible roles
    • Puppet manifests
    • Chef cookbooks
  •  Summary and final lab.

Time Duration

3 days (9:00am - 5:00pm)

Who should attend

  • Linux Administrators & System Engineers
  • DevOps / Sysops team members
  • System Architects
  • IT Security Experts and Consultants
  • Blue Team Members

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer, and Security Researcher with over 20 years of experience in the Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator, and system developer, Solution Engineer, DevOps, and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON, Black Hat US, OWASP Appsec US, FloCon US, Hack In The Box DBX/AMS, Infosec in the City SG, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of OWASP Poland Chapter.

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals, and forensics. Constantly tries to figure out “what the AI/ML Network Security vendors try to sell. In his free time, he likes to break into the “IoT world” just for fun.

Still learning hard every single day.


If you are interested in dedicated, private training for your Security Operations team let us know. We love delivering live training sessions!