Cybersecurity Labs - Module 8

Master IS Auditing, Security Engineering, and Security Architecture with advanced CISA, ISSEP, and ISSAP certification labs.

These Labs Cover All Cybersecurity Certifications

CompTIA Security+, CompTIA CySA+, CompTIA PenTest+, CompTIA SecurityX, ISC2 CISSP, ISC2 SSCP, ISC2 CCSP, ISC2 CGRC,
ISC2 CSSLP, ISC2 ISSAP, ISC2 ISSEP, ISC2 ISSMP, ISACA CISA, ISACA CISM, ISACA CRISC, ISACA CDPSE

IS Auditing, Security Engineering & Architecture Labs

Develop expertise in information systems auditing, security engineering principles, and enterprise security architecture.

Lab 22: Linux Security Auditing with Lynis
Terminal
CISA
Scenario: Conduct IS Security Audit for Compliance
FinCorp has requested an information systems security audit of their Linux infrastructure to assess security controls, identify hardening gaps, and evaluate the estate against CIS-style hardening benchmarks and regulatory requirements. Use Lynis, a widely used open-source Linux security auditing tool, to perform a system hardening assessment as part of the IS audit process per CISA Domain 1 (IS Auditing Process) and Domain 4 (IS Operations & Business Resilience).

Learning Objectives:

  • Install and configure Lynis security auditing tool
  • Execute comprehensive system security audit
  • Analyze hardening index and security findings
  • Generate compliance audit reports for documentation

Step-by-Step Instructions

  1. Step 1: Install Lynis Security Auditing Tool
    GOAL: Install Lynis from package repository for system auditing

    WHY THIS MATTERS:
    CISA Domain 1 (IS Auditing Process) expects auditors to use appropriate tools and techniques for evidence gathering. Lynis is an open-source security auditing tool used by system administrators and auditors to evaluate Unix/Linux system hardening. It runs hundreds of individual tests drawn from hardening guidance such as the CIS benchmarks and vendor guides; it is not a certified CIS benchmark scanner, so treat its output as hardening evidence rather than as a CIS compliance attestation.

    COMMAND:
    sudo apt install lynis -y

    WHAT THIS DOES:
    ◆ Downloads Lynis from the Debian/Ubuntu (here Kali) repositories; distribution packages often lag the CISOfy release, which Step 2 checks
    ◆ Installs the security audit framework (a shell script plus its test files; no daemon)
    ◆ Adds 300+ security tests
    ◆ Includes hardening checks informed by CIS benchmarks and similar guidance
    ◆ No agent required; runs locally on the host being audited
    CISA TIP: Lynis is used by enterprises and governments as hardening evidence in compliance programmes (PCI DSS, HIPAA, SOX, ISO 27001). The commercial Lynis Enterprise edition adds compliance reporting; the community edition audited here does not.
  2. Step 2: Check Lynis Version and Update Definitions
    GOAL: Verify installation and check for latest security test definitions

    WHY THIS MATTERS:
    ISACA's audit standards expect auditors to use current, reliable tools. Lynis tests are added and changed between releases, so an outdated copy silently narrows coverage and may miss newer hardening checks. Verify the tool version before conducting the audit and record it.

    COMMAND:
    lynis update info

    WHAT THIS DOES:
    ◆ Shows the installed Lynis version and its release date
    ◆ Checks whether a newer release is available (needs outbound HTTPS; lynis update check does the same with a one-line answer)
    ◆ Reports update status; the tests ship inside the release itself, so "up to date" means the test set is current
    AUDIT TIP: Document the tool version in your audit working papers. This establishes the baseline for what tests were executed. If the distribution package is old, installing the latest release from the CISOfy repository or tarball gives fuller coverage.
  3. Step 3: Execute Full System Security Audit
    GOAL: Run comprehensive security audit against the target system

    WHY THIS MATTERS:
    CISA Domain 4 (IS Operations) requires assessment of IT general controls including access controls, change management, and operations security. Lynis tests boot security, authentication, file permissions, kernel hardening, network configuration, and 30+ other categories.

    COMMAND:
    sudo lynis audit system

    WHAT THIS DOES:
    ◆ Scans 300+ security controls
    ◆ Tests kernel and boot configuration
    ◆ Checks user/group security
    ◆ Audits file system permissions
    ◆ Evaluates network security
    ◆ Assesses logging and auditing
    ◆ Calculates hardening index (0-100)
    IMPORTANT: Run as root (sudo) for complete audit coverage. Non-root scans skip privileged tests and produce incomplete results.
  4. Step 4: Review Detailed Findings Report
    GOAL: Analyze security warnings and suggestions from audit

    WHY THIS MATTERS:
    CISA auditors must evaluate audit evidence and identify control deficiencies. Lynis reports two kinds of finding, warnings (a test found a condition it considers a real problem) and suggestions (hardening the test recommends), each with a test ID and, where the test recorded it, details and a solution. The on-screen audit output links every test ID to its control page on the Lynis site, which is where the remediation guidance lives.

    COMMAND:
    sudo grep -E '^(warning|suggestion)\[\]=' /var/log/lynis-report.dat

    WHAT THIS DOES:
    ◆ Reads the machine-readable report Lynis writes next to its verbose log (/var/log/lynis.log); each finding is one line of the form warning[]=TEST-ID|message|details|solution or suggestion[]=TEST-ID|message|details|solution, with "-" for an empty field
    ◆ Shows security warnings, which this lab treats as HIGH priority
    ◆ Lists hardening suggestions, which this lab treats as MEDIUM priority
    ◆ Includes test IDs for tracking each finding through to remediation
    ◆ Carries the details and solution text the test recorded
    CAVEAT: If you grep the verbose log instead, use grep -i: lynis.log writes "Warning:" and "Suggestion:" with capitals, and a case-sensitive search for "warning|suggestion" returns nothing.
    EVIDENCE: Export all warnings to your audit working papers. Each finding becomes a potential audit observation requiring management response.
  5. Step 5: View Hardening Index Score
    GOAL: Obtain the system's overall security hardening score

    WHY THIS MATTERS:
    CISA Domain 5 (Protection of Information Assets) calls for assessing the effectiveness of security controls, and a repeatable metric helps. The hardening index is a single 0-100 score Lynis derives from the tests it ran. It is useful for benchmarking and trending a host across audit periods, but it is a Lynis heuristic, not a compliance score, and it drops when tests are skipped (for example in a non-root scan).

    COMMAND:
    sudo grep hardening_index /var/log/lynis-report.dat

    WHAT THIS DOES:
    ◆ Prints the hardening_index= line from the report file written by the last audit
    ◆ The same score, with the number of tests performed and plugins enabled, is printed in the "Lynis security scan details" block at the end of the audit output
    ◆ Note that lynis show details takes a test ID (lynis show details TEST-ID) and prints the log entries for that one test; it does not print the index

    HARDENING INDEX Interpretation (this lab's own bands; Lynis itself defines no rating scale):
    ◆ 85-100: Excellent (Hardened)
    ◆ 70-84: Good (Some gaps)
    ◆ 55-69: Fair (Needs improvement)
    ◆ Below 55: Poor (Critical gaps)
    COMPLIANCE: Compare the index against the threshold set in the organization's own hardening policy, and compare like with like: the score depends on the Lynis version, the profile and the tests that actually ran, so record all three next to it in the working papers.
  6. Step 6: Generate Compliance Audit Report
    GOAL: Export formal audit report for documentation and evidence

    WHY THIS MATTERS:
    CISA standards require auditors to maintain sufficient, reliable, relevant evidence in working papers. The Lynis report provides structured output suitable for audit documentation, management reporting, and regulatory compliance evidence.

    COMMAND:
    sudo lynis audit system --report-file /tmp/fincorp_audit_report.dat

    WHAT THIS DOES:
    ◆ Writes the machine-readable key=value report to the path given (default /var/log/lynis-report.dat); the verbose log still goes to /var/log/lynis.log
    ◆ Records the Lynis version, hostname, OS details and report start/end timestamps
    ◆ Lists every warning and suggestion with its test ID
    ◆ Records the hardening index and the tests that ran
    ◆ Flat key=value format that audit management or GRC tooling can ingest; the community edition does not map findings to compliance frameworks

    REPORT CONTENTS:
    ◆ System profile and configuration
    ◆ All test results with pass/fail
    ◆ Warnings and suggestions
    ◆ Hardening index calculation
    ◆ Remediation recommendations
    REVIEW: Check the Activity Log above to verify all steps were completed. The dashboard is automatically updated as you complete each step.

    WORKING PAPERS: Store reports securely with restricted access; they contain sensitive security configuration data protected under audit confidentiality. /tmp is acceptable only inside this lab: it is world-readable and its paths are predictable, so on a real engagement write the report into a directory with mode 0700 (under /root or the auditor's home), copy it off with the rest of the evidence, and remove it from the host.
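As an added example (not Lynis code and not part of this lab's platform), the following Python turns a report file like the one written in Step 6 into the evidence Steps 4 and 5 ask for: hardening index, rating on the lab's bands, warnings and suggestions with their test IDs, and a count per test category so weak control areas stand out. The embedded report is constructed; real files hold many more keys, and the test IDs shown are illustrative.

```python
"""Turn a Lynis report file into audit working-paper evidence.

Added example for this lab; it is not part of Lynis. Lynis writes its
machine-readable report as key=value lines, with repeating keys written
as key[]=value. Findings look like
  warning[]=TEST-ID|message|details|solution
  suggestion[]=TEST-ID|message|details|solution
where "-" stands for an empty field. SAMPLE_REPORT below is constructed
for offline use; a real file holds many more keys.
"""
from collections import defaultdict

SAMPLE_REPORT = """\
# Lynis Report (constructed sample)
lynis_version=3.0.8
report_datetime_start=2024-03-01 10:15:00
hostname=fincorp-web01
hardening_index=62
warning[]=AUTH-9262|Install a PAM module for password strength testing|-|-
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-
suggestion[]=AUTH-9328|Default umask in /etc/login.defs could be more strict like 027|-|-
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-
"""

# The lab's rating bands for the 0-100 index (Lynis defines no bands itself).
BANDS = ((85, "Excellent"), (70, "Good"), (55, "Fair"))


def load_report(path):
    """Read a report file such as /tmp/fincorp_audit_report.dat (root-only)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def parse_report(text):
    """Split the file into scalar keys and repeating '[]' keys."""
    scalars, arrays = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments and blank lines carry no data
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            arrays[key[:-2]].append(value)
        else:
            scalars[key] = value
    return scalars, dict(arrays)


def parse_finding(raw):
    """Split 'TEST-ID|message|details|solution'; '-' means the field is empty."""
    parts = (raw.split("|") + ["-"] * 4)[:4]
    test_id, message, details, solution = ["" if p == "-" else p for p in parts]
    return {"test_id": test_id, "message": message,
            "details": details, "solution": solution}


def classify_index(index):
    """Map the hardening index onto the lab's bands."""
    for floor, label in BANDS:
        if index >= floor:
            return label
    return "Poor"


def build_evidence(text):
    """Collect what the working papers need: tool version, host, score, findings."""
    scalars, arrays = parse_report(text)
    index = int(scalars.get("hardening_index", 0))
    return {
        "host": scalars.get("hostname", ""),
        "tool_version": scalars.get("lynis_version", ""),
        "started": scalars.get("report_datetime_start", ""),
        "hardening_index": index,
        "rating": classify_index(index),
        "warnings": [parse_finding(w) for w in arrays.get("warning", [])],
        "suggestions": [parse_finding(s) for s in arrays.get("suggestion", [])],
    }


def findings_by_category(evidence):
    """Count findings per test-ID prefix (AUTH, SSH, BOOT...) to show weak control areas."""
    counts = defaultdict(int)
    for finding in evidence["warnings"] + evidence["suggestions"]:
        counts[finding["test_id"].split("-")[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    # For a real audit: build_evidence(load_report("/tmp/fincorp_audit_report.dat"))
    ev = build_evidence(SAMPLE_REPORT)
    print(f"{ev['host']}: Lynis {ev['tool_version']}, started {ev['started']}, "
          f"hardening index {ev['hardening_index']} ({ev['rating']})")
    for f in ev["warnings"]:
        print("WARNING    ", f["test_id"], f["message"])
    for f in ev["suggestions"]:
        print("SUGGESTION ", f["test_id"], f["message"], f["details"])
    print("by category:", findings_by_category(ev))
```

Run it as root against the path you passed to --report-file; the per-category count is the quickest way to decide which control areas (authentication, SSH, boot) deserve an audit observation rather than a one-line suggestion.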
  7. Step 7: IS Audit Knowledge Check Questions

    📄 Review the Lynis audit findings and answer these CISA certification-level questions to demonstrate your understanding of IS auditing principles and security control assessment.

    Question 1 of 3: According to CISA Domain 1 (IS Auditing Process), what is the PRIMARY purpose of using automated audit tools like Lynis during an IS audit?

    Question 2 of 3: The Lynis hardening index score ranges from 0-100. Per CISA Domain 5 (Protection of Information Assets), a system with a hardening index of 62 would be classified as:

    Question 3 of 3: When Lynis identifies security "warnings" versus "suggestions", how should an IS auditor categorize these findings in the audit report per CISA standards?

    📝 Note: All three questions must be answered correctly to complete this lab. These questions align with CISA exam domains and test practical audit knowledge.
Lab environment: Kali Linux 2024.1, CISA IS Audit Workstation (prompt: auditor@kali:~$). Type commands exactly as shown; they are case-sensitive.
Lab 23: Security Engineering & Systems Design
GUI-Based
ISSEP
Scenario: Design Secure System Architecture
GovSecure Agency requires a new secure information system. As the ISSEP, you must apply security engineering principles from NIST SP 800-160 to design the system security architecture, perform risk assessment, define security requirements, and create verification & validation plans following the Systems Security Engineering framework.

Learning Objectives:

  • Apply NIST SP 800-160 security engineering principles
  • Perform system risk assessment using NIST RMF
  • Define security requirements and controls
  • Create verification & validation test plans

GUI Step-by-Step Instructions

  1. Step 1: Create System Security Plan
    GOAL: Initialize the System Security Plan (SSP) document

    WHY THIS MATTERS:
    ISSEP Domain 3 (Security Planning) requires creating comprehensive security documentation. The SSP is the foundational document that describes the system, its security controls, and how they're implemented. NIST SP 800-18 provides the template for federal systems.

    ACTIONS:
    1. Click "Create SSP"
    2. System Name: GovSecure-CUI-System
    3. System Identifier: GSA-2024-001
    4. Information Type: Select Controlled Unclassified Information (CUI)
    5. System Categorization: Select MODERATE
    6. Operational Status: Select Under Development
    7. System Environment: Select Cloud Hybrid (FedRAMP)
    8. System Owner: Chief Information Security Officer
    9. Authorizing Official: Agency Director
    10. Security POC: Security Engineering Team Lead
    11. System Description: Enterprise information system for processing CUI with cloud and on-premise components
    12. Click "Create SSP"
    ISSEP TIP: FIPS 199 categorization (Low/Moderate/High, taken as the high-water mark across confidentiality, integrity and availability) selects the SP 800-53B control baseline. The Moderate baseline runs to several hundred controls and control enhancements before tailoring, so the categorization decision drives most of the downstream workload.
  2. Step 2: Perform Risk Assessment
    GOAL: Conduct threat modeling and risk assessment per NIST RMF

    WHY THIS MATTERS:
    ISSEP Domain 2 (Risk Management) requires systematic identification and assessment of risks. Risk assessment informs control selection and helps prioritize security investments. NIST SP 800-30 provides the methodology.

    ACTIONS:
    1. Click "Risk Assessment"
    2. Assessment Scope: Select Full System Boundary
    3. Assessment Methodology: Select NIST SP 800-30
    4. Threat Sources: Select multiple options
    5. Threat Events: Select multiple options
    6. Vulnerability Categories: Select multiple options
    7. Impact Level - Confidentiality: Select Moderate
    8. Impact Level - Integrity: Select Moderate
    9. Impact Level - Availability: Select Low
    10. Overall Risk Level: Select Moderate
    11. Risk Treatment: Select Mitigate through controls
    12. Risk Assessment Notes: Primary risks from nation-state actors targeting CUI data
    13. Click "Complete Assessment"
    RISK FORMULA: Risk is a function of Likelihood × Impact. NIST SP 800-30 combines the two qualitatively (its appendix scales rate each from Very Low to Very High and read the risk level from a combination table) rather than multiplying numbers, so record which scale you used and why each rating was chosen in the assessment notes for the audit trail.
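The categorization chosen in Steps 1 and 2 (Moderate overall, with Availability rated Low) follows the FIPS 199 high-water mark rule. As an added example, not code from the lab platform or from NIST, the Python below applies that rule to a set of information types: each type carries a confidentiality, integrity and availability impact, the system takes the highest impact per objective across its types, and the overall category that picks the SP 800-53B baseline is the highest of the three. The information types and their ratings are constructed for the GovSecure scenario, not taken from SP 800-60.

```python
"""FIPS 199 security categorization by high-water mark.

Added worked example for this lab; it is not the platform's code.
The information types and ratings below are constructed (assumption),
not values from SP 800-60.
"""
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level):
    level = level.upper()
    if level not in LEVELS:
        raise ValueError(f"impact must be LOW/MODERATE/HIGH, got {level!r}")
    return level


def high_water_mark(levels):
    """Highest impact level among LOW/MODERATE/HIGH values."""
    return NAMES[max(LEVELS[_check(lvl)] for lvl in levels)]


def categorize(info_types):
    """Per-objective and overall categorization as in FIPS 199 / FIPS 200.

    A Low availability rating never lowers the result: the overall
    category is the maximum across the three objectives.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective = {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }
    overall = high_water_mark(per_objective.values())
    return per_objective, overall


def format_sc(info_types):
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    per, _ = categorize(info_types)
    return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
            % (per["confidentiality"], per["integrity"], per["availability"]))


def baseline_for(overall):
    """SP 800-53B baseline selected by the overall categorization."""
    return {"LOW": "Low baseline", "MODERATE": "Moderate baseline",
            "HIGH": "High baseline"}[overall]


# Constructed information types for the GovSecure CUI system (assumption).
GOVSECURE_TYPES = [
    InfoType("CUI case records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Public agency notices", "LOW", "MODERATE", "LOW"),
    InfoType("Internal scheduling", "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    per, overall = categorize(GOVSECURE_TYPES)
    print(format_sc(GOVSECURE_TYPES))
    print("overall:", overall, "->", baseline_for(overall))
```

The point the SSP reviewer will look for is that the overall category is a maximum, not an average: adding one High-integrity information type to GOVSECURE_TYPES would move the whole system, and its baseline, to High.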
  3. Step 3: Define Security Requirements
    GOAL: Specify security requirements based on NIST 800-53 controls

    WHY THIS MATTERS:
    ISSEP Domain 3 requires translating high-level security needs into specific, testable requirements. Security requirements drive system design and provide the acceptance criteria for testing. NIST SP 800-53 Rev 5 contains over 1,000 controls and control enhancements organized into 20 families; SP 800-53B assigns them to the Low, Moderate and High baselines.

    ACTIONS:
    1. Click "Security Requirements"
    2. Control Baseline: Select NIST 800-53 Moderate
    3. Access Control Family: Select multiple controls
    4. Audit & Accountability Family: Select multiple controls
    5. System & Communications Protection: Select multiple controls
    6. Identification & Authentication: Select multiple controls
    7. Encryption Requirements: Select FIPS 140-2 Level 2 (the option this lab offers; in a live requirement cite FIPS 140-3, since new module validations are issued under 140-3 and 140-2 certificates are being retired)
    8. Authentication Method: Select PIV/CAC Multi-Factor
    9. Session Timeout: 15 minutes
    10. Audit Log Retention: 365 days
    11. Custom Requirements: All CUI must be encrypted at rest and in transit using AES-256
    12. Click "Save Requirements"
    TAILORING: Organizations can tailor baselines by adding/removing controls with documented justification. Document all tailoring decisions.
  4. Step 4: Design Security Architecture
    GOAL: Create the technical security architecture design

    WHY THIS MATTERS:
    ISSEP Domain 3 (Security Planning & Design) requires translating requirements into technical architecture. The security architecture shows how controls are implemented through technical mechanisms, network segmentation, and defense-in-depth layers.

    ACTIONS:
    1. Click "Security Architecture"
    2. Architecture Pattern: Select Zero Trust Architecture
    3. Network Segmentation: Select multiple zones
    4. Boundary Protection: Select multiple options
    5. Data Protection: Select multiple options
    6. Identity Infrastructure: Select multiple options
    7. Security Monitoring: Select multiple options
    8. Secure Development: Select multiple options
    9. Cloud Security: Select multiple options
    10. Resilience Design: Select Active-Active Multi-Region
    11. Architecture Notes: Zero trust model with microsegmentation, all traffic inspected regardless of source
    12. Click "Save Architecture"
    DEFENSE IN DEPTH: Layer multiple controls so that failure of one doesn't compromise the system. Network, host, application, and data layers each need protection.
  5. Step 5: Create V&V Test Plan
    GOAL: Develop Verification & Validation test procedures

    WHY THIS MATTERS:
    ISSEP Domain 4 (Systems Implementation, Verification & Validation) requires proving controls work as designed. Verification checks the built system against its stated requirements; validation checks that it meets the stakeholders' security needs. The security control assessment (historically called ST&E, Security Test & Evaluation) produces the Security Assessment Report the Authorizing Official relies on for the ATO decision.

    ACTIONS:
    1. Click "V&V Test Plan"
    2. Test Plan Name: GovSecure-SSE-TestPlan-v1.0
    3. Test Methodology: Select NIST SP 800-53A
    4. Test Types: Select multiple options
    5. Test Environment: Select Dedicated Security Test Environment
    6. Automated Testing Tools: Select multiple options
    7. Manual Test Procedures: Select multiple options
    8. Penetration Test Scope: Select Full System External and Internal
    9. Test Schedule: Select dates
    10. Success Criteria: 100% of critical controls validated, 95% of all controls tested
    11. POA&M Threshold: No critical or high findings; moderate findings require 90-day remediation
    12. Click "Save Test Plan"
    ASSESSMENT METHODS: NIST 800-53A defines Examine, Interview, and Test procedures. Document which method applies to each control.
  6. Step 6: Generate SSE Documentation
    GOAL: Create comprehensive Systems Security Engineering documentation

    WHY THIS MATTERS:
    Complete SSE documentation is required for Authorization to Operate (ATO). The authorization package includes SSP, SAR (Security Assessment Report), and POA&M. This documentation demonstrates due diligence and supports ongoing authorization.

    ACTIONS:
    1. Click "Generate Documentation"
    2. Review all sections
    3. Click "Download PDF"

    DOCUMENTATION PACKAGE:
    ◆ System Security Plan (SSP)
    ◆ Risk Assessment Report
    ◆ Security Requirements Traceability Matrix
    ◆ Security Architecture Document
    ◆ V&V Test Plan
    ◆ Implementation Schedule
    REVIEW: Check the SSE Activity Log dashboard above to verify all phases were completed. The dashboard is automatically updated as you complete each configuration.

    ATO PROCESS: The Authorizing Official reviews all documentation before granting ATO. Incomplete packages delay authorization by months.
  7. Step 7: Report Analysis Questions

    📄 Download and analyze the SSE Documentation PDF carefully before answering these ISSEP certification-focused questions.

    Question 1 of 3: According to NIST SP 800-160 Vol 1 (Systems Security Engineering) covered in the documentation, which framework specifically addresses security engineering throughout the system development lifecycle?

    Question 2 of 3: The SSE documentation shows 6 key lifecycle phases per NIST 800-160. Which phase is specifically responsible for proving that security requirements are correctly implemented?

    Question 3 of 3: The Zero Trust Architecture documented in Step 4 is based on which fundamental security principle?

Lab 24: Identity & Access Management Architecture
GUI-Based
ISSAP
Scenario: Design Enterprise IAM Architecture
TechGlobal Corporation is implementing a Zero Trust security model and requires a comprehensive Identity & Access Management architecture. As the ISSAP, design the enterprise IAM solution covering identity lifecycle management, authentication mechanisms, authorization models, privileged access management, and federation services.

Learning Objectives:

  • Design identity lifecycle management processes
  • Implement multi-factor authentication architecture
  • Configure RBAC/ABAC authorization models
  • Design privileged access management (PAM) solution
  • Implement federation with SAML/OAuth2/OIDC

GUI Step-by-Step Instructions

  1. Step 1: Configure Identity Lifecycle Management
    GOAL: Design identity provisioning, modification, and deprovisioning workflows

    WHY THIS MATTERS:
    ISSAP Domain 4 (IAM Architecture) requires comprehensive identity lifecycle management. The identity lifecycle covers joiner-mover-leaver processes, ensuring users have appropriate access throughout their employment and access is revoked when no longer needed.

    ACTIONS:
    1. Click "Identity Lifecycle"
    2. ILM Platform: Select Microsoft Entra ID (Azure AD)
    3. Provisioning Source: Select HR System (Workday)
    4. Joiner Workflow: Select all applicable options
    5. Mover Workflow: Select all applicable options
    6. Leaver Workflow: Select all applicable options
    7. Access Review Frequency: Select Quarterly
    8. Certification Scope: Select All privileged access
    9. Orphan Account Detection: Select Daily automated scan
    10. Self-Service Capabilities: Select multiple options
    11. Approval Workflow: Manager approval for standard access, Security team for privileged
    12. Click "Save Configuration"
    ISSAP TIP: Automate provisioning from authoritative sources (HR systems). Manual provisioning leads to errors and orphan accounts.
  2. Step 2: Design Authentication Architecture
    GOAL: Implement multi-factor authentication with adaptive risk policies

    WHY THIS MATTERS:
    Authentication is the first line of defense. ISSAP architects must design authentication that balances security with usability. Modern architectures use risk-based adaptive authentication that adjusts requirements based on context.

    ACTIONS:
    1. Click "Authentication Design"
    2. Primary Authentication: Select Password + MFA Required
    3. MFA Methods: Select multiple options
    4. Passwordless Options: Select multiple options
    5. Risk-Based Authentication: Select Enabled with ML analysis
    6. High-Risk Triggers: Select multiple conditions
    7. Session Management: Select Continuous validation
    8. Session Timeout - Standard: 8 hours
    9. Session Timeout - Privileged: 1 hour
    10. Device Trust: Select Compliant managed devices only for sensitive apps
    11. Location Policy: Block high-risk countries, step-up MFA for new locations
    12. Click "Save Authentication Design"
    ZERO TRUST: Never trust, always verify. Every access request should be authenticated and authorized regardless of network location.
  3. Step 3: Configure Authorization Model
    GOAL: Design RBAC/ABAC hybrid authorization with least privilege

    WHY THIS MATTERS:
    Authorization determines what authenticated users can do. ISSAP Domain 4 requires understanding RBAC (Role-Based), ABAC (Attribute-Based), and hybrid models. Least privilege means users get minimum permissions necessary for their job function.

    ACTIONS:
    1. Click "Authorization Model"
    2. Primary Model: Select Hybrid RBAC + ABAC
    3. Role Hierarchy: Select Enabled with inheritance
    4. Maximum Roles Per User: 5
    5. Role Mining: Select AI-assisted with manual review
    6. ABAC Attributes: Select multiple attribute types
    7. Policy Decision Point: Select Centralized PDP
    8. Policy Enforcement Points: Select multiple options
    9. Separation of Duties: Select Enforced with conflict detection
    10. SoD Conflict Rules: Select multiple conflicts
    11. Emergency Access: Break-glass procedures with full audit trail and auto-expiry
    12. Click "Save Authorization Model"
    ROLE EXPLOSION: Too many granular roles become unmanageable. Use ABAC for fine-grained dynamic decisions, RBAC for coarse-grained static assignments.
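To make the hybrid model concrete, here is an added example (not TechGlobal's or any vendor's code) of a small policy decision point: RBAC with role inheritance answers the coarse question of whether any of the user's roles grants the permission, ABAC conditions on the request context refine that answer, separation-of-duties rules block toxic role combinations at assignment time, and the lab's cap of 5 roles per user is enforced in the same place. The roles, permissions, SoD rule and context conditions are constructed for illustration.

```python
"""Hybrid RBAC + ABAC policy decision point with SoD conflict detection.

Added example for this lab; not the platform's code. Roles, permissions,
the SoD rule and the ABAC conditions are constructed (assumption).
"""
from dataclasses import dataclass, field

MAX_ROLES_PER_USER = 5  # lab setting from Step 3

# Role hierarchy: a role inherits every permission of its parents.
ROLE_PARENTS = {
    "employee": [],
    "ap_clerk": ["employee"],
    "ap_approver": ["employee"],
    "finance_manager": ["ap_approver"],
}
ROLE_PERMS = {
    "employee": {"expense:read"},
    "ap_clerk": {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "finance_manager": {"ledger:close"},
}
# SoD: nobody may hold both the creating and the approving role.
SOD_CONFLICTS = [frozenset({"ap_clerk", "ap_approver"})]


@dataclass
class Request:
    user: str
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)  # ABAC context: device, amount, ...


def effective_roles(roles):
    """Expand assigned roles through the hierarchy (iterative, cycle-safe)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_PARENTS.get(role, []))
    return seen


def sod_violations(roles):
    """Conflict sets fully contained in the user's effective roles."""
    effective = effective_roles(roles)
    return [conflict for conflict in SOD_CONFLICTS if conflict <= effective]


def assign_roles(user_roles, user, role):
    """Grant a role only if the cap and SoD rules still hold; return (ok, reason)."""
    proposed = set(user_roles.get(user, set())) | {role}
    if len(proposed) > MAX_ROLES_PER_USER:
        return False, "max roles per user exceeded"
    if sod_violations(proposed):
        return False, "separation of duties conflict"
    user_roles.setdefault(user, set()).add(role)
    return True, "assigned"


def rbac_permits(roles, action, resource):
    """Coarse-grained check: does any effective role carry resource:action?"""
    perm = f"{resource}:{action}"
    return any(perm in ROLE_PERMS.get(r, set()) for r in effective_roles(roles))


def abac_permits(req):
    """Fine-grained context rules layered on top of RBAC (constructed policy)."""
    if req.action == "approve" and not req.attrs.get("managed_device", False):
        return False, "unmanaged device"
    if (req.resource == "invoice" and req.action == "approve"
            and req.attrs.get("amount", 0) > 50_000
            and not req.attrs.get("second_approver")):
        return False, "amount above single-approver limit"
    return True, "ok"


def decide(user_roles, req):
    """PDP entry point: deny by default, RBAC first, then ABAC refinement."""
    roles = user_roles.get(req.user, set())
    if not rbac_permits(roles, req.action, req.resource):
        return "DENY", "no role grants this permission"
    ok, reason = abac_permits(req)
    return ("PERMIT", reason) if ok else ("DENY", reason)


if __name__ == "__main__":
    users = {}
    print(assign_roles(users, "alice", "ap_clerk"))
    print(assign_roles(users, "alice", "ap_approver"))   # blocked by SoD
    print(assign_roles(users, "bob", "finance_manager"))
    print(decide(users, Request("bob", "approve", "invoice",
                                {"managed_device": True, "amount": 12_000})))
    print(decide(users, Request("bob", "approve", "invoice", {"managed_device": False})))
```

Note where each decision lives: SoD and the role cap are checked when roles are assigned, because a conflict that is only caught at request time has already given an attacker a usable combination, while the device and amount conditions are evaluated per request so that the same role behaves differently from an unmanaged laptop.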
  4. Step 4: Design PAM Solution
    GOAL: Architect Privileged Access Management for administrative accounts

    WHY THIS MATTERS:
    Privileged accounts are the keys to the kingdom. PAM solutions protect, monitor, and manage privileged access. ISSAP architects must design PAM to prevent credential theft and detect privileged misuse - a top attack vector in breaches.

    ACTIONS:
    1. Click "PAM Architecture"
    2. PAM Platform: Select CyberArk Privileged Access Security
    3. Credential Vaulting: Select All privileged credentials in vault
    4. Password Rotation: Select After each use
    5. Session Recording: Select Full session recording with keystroke logging
    6. Just-in-Time Access: Select Enabled with approval workflow
    7. JIT Duration - Servers: 4 hours
    8. JIT Duration - Domain Admin: 1 hour
    9. Privileged Account Types: Select all account types
    10. Service Account Management: Select Automated rotation with dependency mapping
    11. Behavioral Analytics: ML-based anomaly detection on all privileged sessions
    12. Click "Save PAM Design"
    STANDING PRIVILEGES: Eliminate standing admin access. Use JIT provisioning so admins only have elevated rights when needed and approved.
  5. Step 5: Configure Federation Services
    GOAL: Design identity federation with partners and cloud services

    WHY THIS MATTERS:
    Federation enables SSO across organizational boundaries without sharing credentials. ISSAP architects must understand SAML 2.0, OAuth 2.0, and OpenID Connect protocols to design secure federation relationships with partners and SaaS applications.

    ACTIONS:
    1. Click "Federation Services"
    2. Federation Protocol - Enterprise Apps: Select SAML 2.0
    3. Federation Protocol - Modern Apps: Select OpenID Connect
    4. Federation Protocol - API Access: Select OAuth 2.0
    5. IdP Role: Select Primary Identity Provider
    6. SP Connections: Select multiple service provider types
    7. B2B Federation: Select Enabled with partner vetting
    8. Partner Trust Level: Select multiple trust levels
    9. Token Lifetime - SAML: 8 hours
    10. Token Lifetime - OAuth Access: 1 hour
    11. Token Lifetime - OAuth Refresh: 24 hours
    12. Attribute Mapping: Minimize attributes shared, encrypt sensitive claims
    13. Click "Save Federation Config"
    TOKEN SECURITY: Short-lived access tokens plus longer-lived refresh tokens balance security and usability. Send tokens only over HTTPS, and have every relying party validate the signature against the IdP's published keys, the issuer, the audience and the expiry; reject any token whose algorithm is not the one you expect; never accept a refresh token where an access token is required; and rotate refresh tokens on use so a stolen one cannot be replayed for its full lifetime.
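The checks a relying party must make on a federation token, as an added example that is not the platform's code and not any IdP's library: the Python below signs a JWT-shaped token with HS256 over a shared client secret so that it runs offline with the standard library (production IdPs normally sign with RS256/ES256 and publish verification keys via JWKS), and then validates it in the order that matters: algorithm allowlist, signature, issuer, audience, token type, lifetime with a small clock-skew allowance. The secret, issuer and audience are constructed; the lifetimes are the 1 hour access / 24 hour refresh values from Step 5.

```python
"""Mint and validate signed tokens with the checks a relying party must make.

Added example for this lab; not the platform's code and not an IdP
library. HS256 with a shared secret is used so the example runs offline;
the validation order is the same for RS256/ES256 tokens verified with
JWKS keys. SECRET, ISSUER and AUDIENCE are constructed (assumption).
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-client-secret-do-not-reuse"   # assumption
ISSUER = "https://idp.techglobal.example"            # assumption
AUDIENCE = "api.techglobal.example"                  # assumption
ACCESS_LIFETIME = 3600          # 1 hour, as in the lab
REFRESH_LIFETIME = 24 * 3600    # 24 hours, as in the lab
CLOCK_SKEW = 60                 # tolerated clock drift in seconds


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def mint(subject, token_use="access", now=None):
    """Issue a token; access and refresh tokens differ by lifetime and token_use."""
    now = int(time.time()) if now is None else now
    lifetime = ACCESS_LIFETIME if token_use == "access" else REFRESH_LIFETIME
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "iat": now,
              "nbf": now, "exp": now + lifetime, "token_use": token_use}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url_encode(sign(signing_input))


def validate(token, expected_use="access", now=None):
    """Return (True, claims) or (False, reason). Every check fails closed."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm: the header must never choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if not hmac.compare_digest(sign(f"{h64}.{c64}"), sig):
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    # A refresh token presented to an API as an access token must be rejected.
    if claims.get("token_use") != expected_use:
        return False, "wrong token type"
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        return False, "not yet valid"
    if now - CLOCK_SKEW >= claims.get("exp", 0):
        return False, "expired"
    return True, claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    access = mint("alice", "access", now=t0)
    print(validate(access, now=t0 + 1800))                     # inside the 1 h window
    print(validate(access, now=t0 + 3600 + 61))                # past exp plus skew
    print(validate(mint("alice", "refresh", now=t0), now=t0))  # refresh used as access
```

Two details carry most of the security value: the algorithm is compared against a fixed expectation before the signature is checked, so a forged header cannot downgrade verification, and the token_use claim stops a long-lived refresh token from being replayed against an API that should only ever see one-hour access tokens.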
  6. Step 6: Generate IAM Architecture Document
    GOAL: Create comprehensive IAM architecture documentation

    WHY THIS MATTERS:
    Complete IAM architecture documentation enables implementation teams to build correctly and auditors to validate controls. The document serves as the blueprint for enterprise identity and access management.

    ACTIONS:
    1. Click "Generate Documentation"
    2. Review all sections
    3. Click "Download PDF"

    DOCUMENTATION INCLUDES:
    ◆ Identity Lifecycle Workflows
    ◆ Authentication Architecture
    ◆ Authorization Model Design
    ◆ PAM Solution Architecture
    ◆ Federation Configuration
    ◆ Implementation Roadmap
    REVIEW: Check the IAM Configuration Log dashboard above to verify all components were configured. The dashboard is automatically updated as you complete each step.

    IMPLEMENTATION ORDER: Deploy ILM first, then authentication, authorization, PAM, and finally federation. Each layer builds on the previous.
  7. Step 7: Report Analysis Questions

    📄 Download and analyze the IAM Architecture Documentation PDF carefully before answering these ISSAP-focused questions.

    Question 1 of 3: Per ISSAP Domain 4 (IAM Architecture), what is the PRIMARY purpose of the identity lifecycle Joiner-Mover-Leaver process documented in Step 1?

    Question 2 of 3: In the Zero Trust authentication architecture (Step 2), what is the purpose of adaptive MFA based on risk signals?

    Question 3 of 3: Why is Just-in-Time (JIT) privileged access (Step 4) preferred over standing privileges in PAM architecture?
