Training > Cybersecurity > Security and the Linux Kernel (LFD441)

INSTRUCTOR-LED COURSE

Security expertise for Linux systems is in high demand and will remain so for the foreseeable future. Master Linux kernel security to protect critical infrastructure and open doors to high-impact roles in cybersecurity, staying ahead in the rapidly growing cybersecurity field.

NOTE: The price for this instructor-led course will increase from $3,250 to $3,495 on January 1, 2026. Register now to secure any available session at the current rate of $3,250 before the increase.

Who Is It For

This course is designed for systems level programmers or kernel engineers who want to learn more about the security options provided by the Linux kernel, as well as userspace developers who want to learn more about Linux kernel security mitigations. Learners should know how to build a Linux kernel, write and use Linux kernel modules, as well as have basic Linux command line and system administration skills.

read less read more

What You’ll Learn

The course covers the fundamentals of Linux kernel security, including memory protection, process management, system calls, and filesystem security. Students will learn about various security mechanisms in the Linux kernel, such as Mandatory Access Control (MAC), Linux Security Modules (LSM), and secureboot. Throughout the course, students will gain hands-on experience in securing both userspace and the Linux kernel through various security mechanisms.

read less read more

What It Prepares You For

This course prepares students to be able to secure a system using the various mechanisms and systems available as part of the Linux kernel and operating system. These skills can be used to secure anything from embedded systems, to mobile computers, desktop systems, servers or virtual machines.

read less read more

Course Outline

Expand All

Collapse All

Introduction

- Objectives
- Who You Are
- The Linux Foundation{
- Copyright and No Confidential Information
- The Linux Foundation{ Training
- Certification Programs and Digital Badging
- Linux Distributions
- Platforms
- Things Change in Linux and Open Source Projects

Preliminaries

- Kernel Versions
- Kernel Sources and Use of git

Lab environment

- Virtual Machine
- Why proxmox {?
- Our Lab Environment
- Labs

How to Work in OSS Projects **

- Overview on How to Contribute Properly
- Know Where the Code is Coming From: DCO and CLA
- Stay Close to Mainline for Security and Quality
- Study and Understand the Project DNA
- Figure Out What Itch You Want to Scratch
- Identify Maintainers and Their Work Flows and Methods
- Get Early Input and Work in the Open
- Contribute Incremental Bits, Not Large Code Dumps
- Leave Your Ego at the Door: Don't Be Thin-Skinned
- Be Patient, Develop Long Term Relationships, Be Helpful

Reducing Attack Surfaces

- Why Security?
- Types of Security
- Vulnerabilities
- Layers of Protection
- Software Exploits
- Labs

Kernel Features

- Components of the Kernel
- User-Space vs. Kernel-Space
- What are System Calls?
- Available System Calls
- Scheduling Algorithms and Task Structures
- Process Context
- Labs

Kernel Deprecated Interfaces

- Why Deprecated
- __deprecated
- BUG() and BUG_ON()
- Computed Sizes for kmalloc()
- simple_strtol() Family of Routines
- strcpy(), strncpy(), strlcpy()
- printk() %p Format Specifier
- Variable Length Arrays
- Switch Case Fall-Through
- Zero-Length and One-Element Arrays in Structs

Address Space Layout Randomization (ASLR)

- Why ASLR?
- How to Use ASLR
- Disabling ASLR for Specific Programs
- Kernel Configuration
- Kernel Address Space Layout Randomization (KASLR)
- How KASLR Works
- Enabling KASLR
- Labs

Kernel Structure Layout Randomization

- Benefits
- How Structure Randomization Works
- Structure Initialization
- Opt-in vs Opt-out
- Partial Randomization
- Enabling Structure Randomization
- Building Out-of-tree Modules with Structure Randomization

Introduction to Linux Kernel Security

- Linux Kernel Security Basics
- Discretionary Access Control (DAC)
- POSIX ACLs
- POSIX Capabilities
- Namespaces
- Linux Security Modules (LSM)
- Netfilter
- Cryptographic Methods
- The Kernel Self Protection Project

CGroups

- Introduction to CGroups
- Overview
- Components of CGroup
- cgroup initialization
- cgroup Activation
- cgroups Parameters
- Testing cgroups
- systemd and cgroups
- Labs

eBPF

- BPF
- eBPF
- Installation
- bcc Tools
- bpftrace
- Labs

Seccomp

- What is seccomp
- The seccomp Interface
- seccomp Strict Mode
- seccomp Filter Mode
- Labs

Secure Boot

- Why Secure Boot?
- Secure Boot x86
- Embedded Systems Secure Boot
- Labs

Module Signing

- What is Module Signing?
- Basics of Signatures
- Module Signing Keys
- Enabling Module Signature Verification
- How It Works
- Signing Modules
- Labs

Integrity Measurement Architecture (IMA)

- Why IMA?
- Conceptual Operations
- Modes of Operation
- Collect Mode textit {(Collect and Store)
- Logging Mode textit {(Appraise and Audit)
- Enforcing Mode textit {(Appraise and Protect)
- Extended Verification Module (EVM)
- Labs

DM-Verity

- What is dm-verity?
- How dm-verity Works
- Enabling dm-verity
- Setting up dm-verity
- Using dm-verity
- Signing with dm-verity
- Booting with dm-verity
- Labs

Encrypted Storage

- Why Encrypted Storage?
- Data Encryption Solutions
- Survey of Storage Encryption Options
- Block Encryption
- Block Encryption Use
- Filesystem Encryption
- Filesystem Encryption Use
- Layered Filesystem Encryption
- Layered Filesystem Encryption Use
- Labs

Linux Security Modules (LSM)

- What are Linux Security Modules?
- LSM Basics
- LSM Choices
- How LSM Works
- An LSM Example: Yama
- Labs

SELinux

- SELinux
- SELinux Overview
- SELinux Modes
- SELinux Policies
- Context Utilities
- SELinux and Standard Command Line Tools
- SELinux Context Inheritance and Preservation**
- restorecon**
- semanage fcontext**
- Using SELinux Booleans**
- getsebool and setsebool**
- Troubleshooting Tools
- Labs

AppArmor

- What is AppArmor?
- Checking Status
- Modes and Profiles
- Profiles
- Utilities

Yama (LSM)

- Why Yama?
- Configuring Yama
- How Yama Works
- Labs

LoadPin (LSM)

- Why LoadPin?
- Enabling LoadPin
- Using LoadPin
- How LoadPin Works

Lockdown

- Why Lockdown?
- Lockdown Modes
- What Things are Locked Down?
- How It Works
- A Few Notes
- Labs

Safesetid

- Why Safesetid?
- Configuring Safesetid
- How Safesetid Works
- Labs

Netfilter

- What is netfilter?
- Netfilter Hooks
- Netfilter Implementation
- Hooking into Netfilter
- Iptables
- nftables
- Labs

Netlink Sockets**

- What are netlink Sockets?
- Opening a netlink Socket
- netlink Messages
- Labs

Closing and Evaluation Survey

- Evaluation Survey

Kernel Architecture I

- UNIX and Linux **
- Monolithic and Micro Kernels
- Object-Oriented Methods
- Main Kernel Components
- User-Space and Kernel-Space

Kernel Programming Preview

- Task Structure
- Memory Allocation
- Transferring Data between User and Kernel Spaces
- Object-Oriented Inheritance - Sort Of
- Linked Lists
- Jiffies
- Labs

Modules

- What are Modules?
- A Trivial Example
- Compiling Modules
- Modules vs Built-in
- Module Utilities
- Automatic Module Loading
- Module Usage Count
- Module Licensing
- Exporting Symbols
- Resolving Symbols **
- Labs

Kernel Architecture II

- Processes, Threads, and Tasks
- Kernel Preemption
- Real Time Preemption Patch
- Labs

Kernel Configuration and Compilation

- Installation and Layout of the Kernel Source
- Kernel Browsers
- Kernel Configuration Files
- Kernel Building and Makefiles
- initrd and initramfs
- Labs

Kernel Style and General Considerations

- Coding Style
- Using Generic Kernel Routines and Methods
- Making a Kernel Patch
- sparse
- Using likely() and unlikely()
- Writing Portable Code, CPU, 32/64-bit, Endianness
- Writing for SMP
- Writing for High Memory Systems
- Power Management
- Keeping Security in Mind
- Labs

Race Conditions and Synchronization Methods

- Concurrency and Synchronization Methods
- Atomic Operations
- Bit Operations
- Spinlocks
- Seqlocks
- Disabling Preemption
- Mutexes
- Semaphores
- Completion Functions
- Read-Copy-Update (RCU)
- Reference Counts
- Labs

Memory Addressing

- Virtual Memory Management
- Systems With and Without MMU and the TLB
- Memory Addresses
- High and Low Memory
- Memory Zones
- Special Device Nodes
- NUMA
- Paging
- Page Tables
- page structure
- Labs

Memory Allocation

- Requesting and Releasing Pages
- Buddy System
- Slabs and Cache Allocations
- Memory Pools
- kmalloc()
- vmalloc()
- Early Allocations and bootmem()
- Memory Defragmentation
- Labs

**
These sections may be considered in part or in whole as optional. They contain either background reference material, specialized topics, or advanced subjects. The instructor may choose to cover or not cover them depending on classroom experience and time constraints.

Prerequisites

To make the most of this course, you should:

Be proficient in the C programming language.
Be familiar with basic Linux (UNIX) utilities such as ls, grep and tar.
Be comfortable using any of the available text editors (e.g. emacs, vi, etc.).
Experience with any major Linux distribution is helpful but not strictly required.
Have experience equivalent to having taken LFD420: Linux Kernel Internals and Development.

Pre-class preparation material will be provided before class.

Reviews

Oct 2025

The virtual environment (Proxmox) setup was very well done.

Oct 2025

I liked the labs, and being able to work on the content that we learned in the chapter.

Oct 2025

The course material touches on many Linux kernel security modules and features in a concise fashion, with labs for applied learning. I find that even though there is a lot of Linux documentation online, it can be hard to organize. In-person instructors can be more engaging, and help with troubleshooting.

Sep 2025

It went through some of the advanced parts of the Linux kernel security.

Sep 2025

I enjoyed the pace of the class. The walk-throughs done, and screen shared when we all had similar issues helped a bunch. Never felt rushed through any sections.

Sep 2025

I liked the breadth - it covered tons of things, giving us options including some security mechanisms I didn't know about.

Sep 2025

I really liked how the Proxmox service was already set up, it made some things easier.

Sep 2025

The lab exercises were helpful towards understanding the material.

Sep 2025

The healthy mix of lectures and labs is always a positive in these type of courses. I also really appreciated that the virtual lab environment was "provided" to the students, so that I didn't have to build/rebuild a kernel on my personal hardware.

Sep 2025

Great class, really enjoyed it. Fascinating stuff that I hope to add to my repertoire.

Sep 2025

The class was great! I gained a lot of information about features of the Linux kernel that I didn't know existed.

Aug 2025

I enjoyed the content on secure boot, and finally gained a better understanding of several topics that I had previously not explored.

Aug 2025

It covered an excellent range of security topics, and presented them in a way that made sense and showed how they fit together.

Jun 2025

The proxmox setup that was provided was fantastic; it cut out any setup time, so we could get right on with the content.

Jun 2025

Learning about new security mechanisms I didn't previously know about in the Linux Kernel. Being hands-on with the mechanisms in order to get a good understanding of how they work.

Jun 2025

This course has a good mix of exercises and theory.

Jun 2025

Well prepared lab environment, and easy setup. The ready-for.sh script is great, and the proxmox approach in digital ocean ran without a hitch during the class. It's a great way to structure a course, when there is a decent chance of destroying your VM.

May 2025

Being able to apply the concepts that we were taught.

May 2025

The lab environment set up worked really well for the time we needed to build the kernel.

May 2025

The instructor was thorough, and helped me understand the topics.

May 2025

There was a good range of topics covered, and the instructor explained the topics well and in an engaging way.

May 2025

The hands-on labs, and adequate time to work on them.

May 2025

It was fantastic being able to all work remotely in the same cloud environment, that made the setup really easy.

May 2025

It was very informative, and I learned a lot.

May 2025

Being provided with an environment, in which it was easy to use and test kernel features that broke the ability to boot into the host (easy to troubleshoot, revert/fix). I also enjoyed the breadth of the content, as it exposed me to technologies I had yet to encounter, while giving me enough information to do further research.

Mar 2025

The trainer didn't follow the script! Don't get me wrong, he taught the material, but went above and beyond by sharing real examples, practical experiences, thoroughly answering questions, and on top of that having great time management.

Mar 2025

The last chapter, Netfilter, was really interesting, and I am looking forward to taking a deeper dive into it.

Mar 2025

The course went into a satisfying level of detail on the advertised topics, and I have definitely come away with something I can put to use in my work. The fact that it was very practical was the best part.

Mar 2025

The instructor was an expert on the subject, and was able to answer most questions, or if not, he investigated and came back with a result. Lots of information on different LSMs, how they work, and how to use them.

Mar 2025

The instructor shared several details about his experience as an embedded kernel developer that were interesting.

Jan 2025

Security is a big topic of discussion, and I liked reviewing many of the security features of Linux.

Nov 2024

The wide range of topics covered. Attending it virtually made it much easier to attend as well.

Sep 2024

Having examples to run, and the opportunity to play around in menuconfig, are always helpful when learning about the kernel.

Sep 2024

The labs were very well developed, and everything was ready to be run.

Jun 2024

I appreciated how easy it was made to recompile a kernel from the sources, and the overall presentation of the different kernel features as well as how the development of the kernel is taking place has been demystified.

Apr 2024

I really enjoyed having John as the instructor, he explained things well without getting too into the weeds, but still covered it well that I was constantly learning new things, and knew where to go to dig more into something myself.

Apr 2024

This was my first LFD offline training. The pace was good, and we covered all the material. John was well-prepared, professional, well-spoken, and funny.

Apr 2024

My favorite part was the labs, specifically the netfilter labs. I was able to deepen my skills here, and I felt accomplished doing so. It was challenging, but not too challenging to be frustrating.

Apr 2024

The broadness of the course material, it covered a lot. As a result I know which areas I will need to focus on, and which classes will be needed to advance my learning.

Apr 2024

I like the breadth of knowledge, i.e., going over all the features that could be considered kernel security features. I also liked that we got a good idea of how the different features were implemented, not just how to use them.