LPIC-3 303: Security — Deep Dive Study Guide
~3 min read
LPIlpic-3303securitycryptographypkiopensslpamsshhardening
The LPIC-3 303: Security exam covers cryptography, public key infrastructure, file and network security, PAM, SSH hardening, access control systems (SELinux/AppArmor), and system auditing. This guide provides a command-level deep dive into each objective.
Cryptography Concepts
Symmetric vs Asymmetric Encryption
| Type | Key Usage | Algorithms | Performance |
|---|---|---|---|
| Symmetric | Same key for encrypt/decrypt | AES, ChaCha20, Twofish | Fast, suitable for bulk data |
| Asymmetric | Public/private key pair | RSA, ECDSA, Ed25519 | Slow, used for key exchange and signatures |
| Hybrid | Symmetric key encrypted with asymmetric | TLS, SSH, OpenPGP | Practical combination |
OpenSSL Command Reference
# Generate an RSA private key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out private.key
# Generate an ECDSA key (NIST P-256)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out ecdsa.key
# Generate a self-signed certificate
openssl req -x509 -new -nodes -key private.key -sha256 -days 365 \
-subj "/C=DE/ST=Berlin/L=Berlin/O=Example/CN=server.example.com" \
-out cert.pem
# View certificate details
openssl x509 -in cert.pem -text -noout
# Generate a CSR
openssl req -new -key private.key -out request.csr \
-subj "/CN=server.example.com"
# Encrypt a file with AES-256
openssl enc -aes-256-cbc -salt -in plain.txt -out encrypted.enc
# Decrypt a file
openssl enc -d -aes-256-cbc -in encrypted.enc -out plain.txt
Public Key Infrastructure (PKI)
Certificate Authority Setup
# Create the CA directory structure
mkdir -p ca/{certs,crl,newcerts,private,requests}
chmod 700 ca/private
echo 1000 > ca/serial
touch ca/index.txt
# Configure openssl-ca.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ca/index.txt
serial = ca/serial
private_key = ca/private/ca.key.pem
certificate = ca/certs/ca.cert.pem
default_days = 365
default_md = sha256
policy = policy_strict
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Generate CA key and self-signed certificate
openssl genpkey -algorithm RSA -out ca/private/ca.key.pem -pkeyopt rsa_keygen_bits:4096
openssl req -x509 -new -key ca/private/ca.key.pem -out ca/certs/ca.cert.pem \
-days 3650 -subj "/C=DE/O=Example CA/CN=Example Root CA"
# Sign a server CSR
openssl ca -config openssl-ca.cnf -in server.csr -out server.crt
# Revoke a certificate
openssl ca -config openssl-ca.cnf -revoke server.crt
# Generate CRL
openssl ca -config openssl-ca.cnf -gencrl -out ca/crl/ca.crl.pem
# Verify CRL
openssl crl -in ca/crl/ca.crl.pem -text -noout
Certificate Path Validation
# Verify certificate chain
openssl verify -CAfile ca.cert.pem -untrusted intermediate.cert.pem server.crt
# Check if certificate is revoked (with CRL)
openssl verify -CAfile ca.cert.pem -CRLfile ca.crl.pem server.crt
File Security
POSIX ACLs
# View ACLs
getfacl /path/to/file
# Set ACL: grant user read/write
setfacl -m u:jdoe:rw /path/to/file
# Set ACL: grant group read/execute
setfacl -m g:developers:rx /path/to/dir
# Remove specific ACL entry
setfacl -x u:jdoe /path/to/file
# Set default ACL for directory (inherited by new files)
setfacl -d -m g:developers:rx /path/to/dir
# Recursive ACL application
setfacl -R -m g:developers:rx /path/to/dir
# Backup and restore ACLs
getfacl -R /path > acls.backup
setfacl --restore=acls.backup
Extended Attributes (xattrs)
# Set extended attribute
setfattr -n user.comment -v "Important document" file.txt
# View extended attributes
getfattr -d file.txt
# Remove extended attribute
setfattr -x user.comment file.txt
# List attributes (shows only attribute names)
attr -l file.txt
# Security extended attributes (SELinux context)
getfattr -n security.selinux file.txt
Immutable and Append-Only Flags
# Make a file immutable (even root cannot modify)
chattr +i /etc/hosts
# Append-only mode (log files)
chattr +a /var/log/auth.log
# View flags
lsattr /etc/hosts
# Remove immutable flag
chattr -i /etc/hosts
Network Security
nftables Configuration
# Create a ruleset file: /etc/nftables.conf
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state established,related accept
ct state invalid drop
iif "lo" accept
ip protocol icmp accept
tcp dport 22 counter accept
tcp dport 80 counter accept
tcp dport 443 counter accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# Apply ruleset
nft -f /etc/nftables.conf
# List rules
nft list ruleset
# Add temporary rule
nft add rule inet filter input tcp dport 8080 accept
# Delete rule (get handle first)
nft -a list ruleset
nft delete rule inet filter input handle 3
fail2ban Configuration
# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600
# Custom filter: /etc/fail2ban/filter.d/nginx-botsearch.conf
[Definition]
failregex = ^<HOST> - -.*GET.*(?:/wp-admin|/admin|/\.env).*HTTP
ignoreregex =
# Manage jails
fail2ban-client status
fail2ban-client status sshd
fail2ban-client set sshd unbanip 10.0.0.5
PAM (Pluggable Authentication Modules)
PAM Module Types
| Module Type | Purpose |
|---|---|
| auth | Verify user identity (password, biometric, 2FA) |
| account | Check account validity (expiration, time of day) |
| session | Set up session environment (mount home, log audit) |
| password | Update authentication tokens (password change) |
PAM Configuration Format
# /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
# /etc/pam.d/common-password
password requisite pam_pwquality.so retry=3 minlen=12
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
password required pam_permit.so
# /etc/pam.d/common-session
session required pam_env.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
Control Flags
| Flag | Behavior |
|---|---|
| required | Must succeed; continues checking other modules regardless |
| requisite | Must succeed; stops immediately on failure |
| sufficient | If succeeds, skips remaining auth modules |
| optional | Result matters only if this is the only module |
| include | Include entire configuration from another file |
| substack | Like include but success/failure scoped to the substack |
PAM Example: Google Authenticator 2FA
# Install
apt-get install libpam-google-authenticator
# Configure user
google-authenticator
# /etc/pam.d/sshd
auth required pam_google_authenticator.so
auth required pam_unix.so
# /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
SSH Hardening
Server Configuration (/etc/ssh/sshd_config)
# Cryptographic
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms sntrup761x25519-sha512@openssh.com,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Authentication
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
PermitRootLogin prohibit-password
MaxAuthTries 3
LoginGraceTime 30
# Session
ClientAliveInterval 300
ClientAliveCountMax 2
MaxSessions 10
AllowUsers jdoe admin
# Forwarding
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
SSH Key Management
# Generate Ed25519 key (recommended)
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519
# Generate RSA key (for legacy systems)
ssh-keygen -t rsa -b 4096 -a 100 -f ~/.ssh/id_rsa
# Copy public key to host
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host
# Use SSH agent for key forwarding
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
ssh -A user@host
# SSH tunnel (local port forwarding)
ssh -L 8080:internal-web:80 user@bastion
# SSH tunnel (remote port forwarding)
ssh -R 9090:localhost:3000 user@public-host
Mandatory Access Control: SELinux
SELinux Modes
# Check current mode
getenforce
# Check mode and policy
sestatus
# Change mode temporarily
setenforce 0 # Permissive
setenforce 1 # Enforcing
# Change mode permanently
# /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
SELinux Contexts
# View file context
ls -Z /var/www/html/index.html
# View process context
ps -eZ | grep httpd
# Change file context
chcon -t httpd_sys_content_t /var/www/html/index.html
# Restore default context
restorecon -Rv /var/www/html/
# Apply contexts based on policy spec
setfiles /etc/selinux/targeted/contexts/files/file_contexts /var/www
# Set file context persistently (for relabeling)
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -Rv /web
SELinux Booleans
# List booleans
getsebool -a
# Check specific boolean
getsebool httpd_can_network_connect
# Set boolean (temporary)
setsebool httpd_can_network_connect on
# Set boolean (permanent)
setsebool -P httpd_can_network_connect on
SELinux Audit Analysis
# View denials
grep AVC /var/log/audit/audit.log
# Analyze with sealert
sealert -a /var/log/audit/audit.log
# Create policy module for a custom application
audit2allow -a -M myapp
semodule -i myapp.pp
AppArmor (Alternative to SELinux)
# Check AppArmor status
apparmor_status
# Set profile mode
aa-enforce /path/to/profile # Enforcing
aa-complain /path/to/profile # Log-only
# Generate profile for a binary
aa-genprof /usr/bin/myapp
# Update profile based on logs
aa-logprof
# Custom profile: /etc/apparmor.d/usr.bin.myapp
#include <tunables/global>
/usr/bin/myapp {
#include <abstractions/base>
/etc/myapp/config r,
/var/lib/myapp/** rw,
/tmp/myapp-* rw,
network inet tcp,
}
System Auditing with auditd
# Install and start
apt-get install auditd audispd-plugins
# Add audit rule
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes
auditctl -a exit,always -S execve -F uid!>=1000 -k user_commands
# List rules
auditctl -l
# Search audit log
ausearch -k passwd_changes
ausearch -ts today -k user_commands
# Generate report
aureport -l # Login report
aureport -x # Command execution report
aureport -k # Keyed event report
# Make rules persistent
# /etc/audit/rules.d/audit.rules
Test Your Knowledge with Practice Exams
Ready to put this knowledge to the test? Our LPI practice portal includes 200+ realistic questions covering LPIC-1, LPIC-2, LPIC-3, and DevOps Tools Engineer certifications. Study mode, timed exams, domain breakdowns, and weak-area analysis included.
Related Articles
- LPIC-3 Certification Guide — "LPIC-3 Certification Guide"
- LPIC-3 300: Mixed Environment — Deep Dive Study Guide — "LPIC-3 300 Mixed Environment Deep Dive"
- LPIC-3 304: Virtualization & HA — Deep Dive Study Guide — "LPIC-3 304 Virtualization & HA Deep Dive"
- Is LPIC Worth It in 2026? — Salary impact, employer demand, and certification ROI
- LPIC vs RHCSA vs CompTIA Linux+ — Which certification path is right for you?
- Browse All LPI Resources — Full library of study guides, deep dives, and practice questions