Secure Container Host Operating System

By Ermin

Let's get started learning everything you need to know about securing containers.

14 hours
  • 67 Lessons
  • 6 Hands-On Labs

About the course

This is the first course of a four-course learning path related to securing containers. This course will teach you how to prepare and harden the operating system so it is secured as much as possible before we actually deploy containers. We will go over various configurations and see how we can use the operating system’s security mechanisms to best protect and harden our system.

In the first part of the course, we cover firewalld and SELinux. firewalld is a Linux tool used for managing iptables. We need a firewall so we can control what kind of traffic is let through and what kind is denied. We will go over the firewalld installation and overall setup, teach several basic firewalld commands, and show how to use them with zones, ports, services, and other related system aspects. We will also talk about traffic control, where we learn how to allow traffic from one IP to a port, how to allow traffic from a list of IPs (whitelisting), and how to create a list of IPs we do not want to have access (blacklisting). After firewalld, we will move on to SELinux. SELinux is a tool that allows fine-grained control over access to files, processes, and other objects on the system. It is used by practically all Red Hat-based distributions. In this section, we will start off by talking about SELinux states, the SELinux context, and context adjustments. We will then go over some useful commands that let us list restricted ports and protocols, and talk about booleans, port labels, SELinux modules, and logs. Later on in the course, we will also have a section dedicated to firewalld and SELinux automated scripts.

When we have learned the basics of firewalld and SELinux, we will move on to server access and authentication configuration. At this point, we are going to work on access to the system. In addition to some base configuration, such as changing the default port used by the SSH service, we will also add extra layers of authentication and create a jump point server, which works similarly to a VPN over SSH. We will show how to set up different authentication methods to work simultaneously: standard key-based authentication, password-based authentication, plus a third layer of authentication where we integrate Google Authenticator. We will need our phone in order to log in to the server. This significantly improves our security since it is highly unlikely someone has access to our key, our phone, and our password. We will also get acquainted with jump points: what they are and what they are used for. A jump point is the host we connect to first; from it we reach the rest of our infrastructure. Jump points can greatly improve the security of our front-facing and infrastructure servers.

Furthermore, we also talk about seccomp (Secure Computing Mode). This is an important tool that we will use along with containers to impose additional limitations. We use it to restrict system calls. Basically, it helps jail a process by limiting what the process itself can do: it gives us the ability to dictate what the process cannot do. After dealing with seccomp, we will move on to a section on logs, where we will learn some useful commands to help navigate large log files. We will also learn about notification systems. In the last section of the course, we will talk about vulnerability scans and reports.

  • Chapter 1: Getting Started (7 Lessons, 20:37)
    An Important Note About A Cloud Guru and Linux Academy Courses (1:19)
    About the Author (1:45)
    About the Course (6:08)
    How to Get Help (2:43)
    Prerequisites (3:48)
    Text Editor Vim Basics (Optional) (3:18)
    Job Market (Optional) (1:36)
  • Chapter 2: firewalld (6 Lessons, 46:31)
    firewalld Part 1 - Installation, Zones, Interfaces (10:01)
    firewalld Part 2 - Ports and Services (10:26)
    firewalld Part 3 - Ping Block (1:55)
    firewalld Part 4 - ipset, blacklist, whitelist (9:27)
    firewalld Part 5 - ipset, blacklist, redirect (8:31)
    firewalld Part 6 - Lockdown, Panic (6:11)
  • Chapter 3: SELinux (10 Lessons, 2:12:48)
    SELinux Part 1 - SELinux States (5:54)
    SELinux Part 2 - Move, Copy, Create (4:33)
    SELinux Part 3 - SELinux Context (9:04)
    SELinux Part 4 - Context Adjustments (12:11)
    SELinux Part 5 - Booleans (6:00)
    SELinux Part 6 - Port Labels (7:31)
    SELinux Part 7 - SELinux Domains (4:09)
    SELinux Part 8 - SELinux Modules (7:10)
    SELinux Part 9 - SELinux Logs (16:16)
    Finding a Problem Caused by a Misconfiguration of SELinux and Troubleshooting the Issue (Hands-On Lab, 1:00:00)
  • Chapter 4: Initial SSH Configuration (2 Lessons, 15:14)
    SSH Configuration Part 1 - No root Login, Change Default Port, Adapt Firewall and SELinux Rules (10:36)
    SSH Configuration Part 2 - Ports and firewalld (4:38)
  • Chapter 5: Multi-Step SSH Verification (4 Lessons, 1:17:22)
    Configure a 3-Step Verification for SSH Part 1 - Key-Based and Key Generation (9:16)
    Configure a 3-Step Verification for SSH Part 2 - Adding Password-Based Authentication (6:25)
    Configure a 3-Step Verification for SSH Part 3 - Google Authenticator (16:41)
    Configure SSH to Work with Google Authenticator (Hands-On Lab, 45:00)
  • Chapter 6: SSH Jump Point (6 Lessons, 2:41:47)
    SSH Jump Point Part 1 - Characteristics (4:18)
    SSH Jump Point Part 2 - Container Server Configuration (8:09)
    SSH Jump Point Part 3 - Container Server Configuration (6:49)
    SSH Jump Point Part 4 - SSH Tunnel, SOCKS5 (11:03)
    SSH Jump Point Part 5 - SOCKS5 Proxy (11:28)
    Configure an SSH SOCKS5 Proxy as a Jump Point (Hands-On Lab, 2:00:00)
  • Chapter 7: Seccomp - Secure Computing (10 Lessons, 1:34:08)
    Seccomp Part 1 - Introduction (4:59)
    Seccomp Part 2 - Check Seccomp Status from within a Program (15:51)
    Seccomp Part 3 - Strace and Syscalls (7:48)
    Seccomp Part 4 - Seccomp in Code Restrictions (13:28)
    Seccomp Part 5 - Seccomp in Code Restrictions (10:09)
    Seccomp Part 6 - Seccomp in Code Restrictions Troubleshooting (7:29)
    Seccomp Part 7 - Seccomp in Code Restrictions Command-Line Arguments (4:21)
    Seccomp Part 8 - Seccomp systemd Restrictions Troubleshooting (11:39)
    Seccomp Part 9 - Seccomp systemd Restrictions Troubleshooting (6:06)
    Seccomp Part 10 - Seccomp in Code Restrictions (12:18)
  • Chapter 8: Logs (11 Lessons, 2:36:40)
    Logs Part 1 - tail (4:00)
    Logs Part 2 - cat (4:57)
    Logs Part 3 - Log Files (9:27)
    Logs Part 4 - auditd Start, Stop, Restart, Reload, Status, Rules, and General Information (4:46)
    Logs Part 5 - Audit Configuration, Log Configuration, systemd Service File (11:39)
    Logs Part 6 - File System Rules (12:41)
    Logs Part 7 - System Call Rules (13:49)
    Logs Part 8 - Audit Config Troubleshooting (11:10)
    Logs Part 9 - journalctl (13:36)
    Logs Part 10 - journalctl (10:35)
    Design Custom Logging for the Listed Events (Hands-On Lab, 1:00:00)
  • Chapter 9: Notifications (7 Lessons, 1:29:02)
    Notifications Part 1 - General Talk (8:52)
    Notifications Part 2 - Email Notifications Cover Password (11:54)
    Notifications Part 3 - SMS Notifications, AWS, LAMBDA (12:16)
    Notifications Part 4 - SMS Notifications, AWS, LAMBDA (9:30)
    Notifications Part 5 - SMS Notifications, AWS, REST API CALL (11:23)
    Notifications Part 6 - SMS Notifications, AWS, REST API CALL (5:07)
    Design an Email Notification on User Login via SSH (Hands-On Lab, 30:00)
  • Chapter 10: Vulnerability Scans and Reports (3 Lessons, 51:09)
    Nmap Vulnerability Scans Part 1 (11:51)
    Nmap Vulnerability Scans Part 2 (9:18)
    Write a Script to Perform a Vulnerability Scan of the Listed Services (Hands-On Lab, 30:00)
  • Chapter 11: Final Steps (1 Lesson, 4:44)
    Course Summary (4:44)

What you will need

  • Python Programming Language
  • Bash Scripting
  • VIM Text Editor
  • Linux File System
  • Linux Command Line
  • Basic Understanding of Networks

What are Hands-on Labs

What's the difference between theoretical knowledge and real skills? Practical real-world experience. That's where Hands-on Labs come in! Hands-on Labs are guided, interactive experiences that help you learn and practice real-world scenarios in real cloud environments. Hands-on Labs are seamlessly integrated in courses, so you can learn by doing.
