Chapter 3
Security

THE FOLLOWING COMPTIA LINUX+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

  • 3.1 Given a scenario, apply or acquire the appropriate user and/or group permissions and ownership
    • File and directory permissions
      • Read, write, execute
      • User, group, other
      • SUID
      • Octal notation
      • umask
      • Sticky bit
      • GUID
      • Inheritance
      • Utilities
        • chmod
        • chown
        • chgrp
        • getfacl
        • setfacl
        • ls
        • ulimit
        • chage
    • Context-based permissions
      • SELinux configurations
        • Disabled
        • Permissive
        • Enforcing
      • SELinux policy
        • Targeted
      • SELinux tools
        • setenforce
        • getenforce
        • sestatus
        • setsebool
        • getsebool
        • chcon
        • restorecon
        • ls -Z
        • ps -Z
      • AppArmor
        • aa-disable
        • aa-complain
        • aa-unconfined
        • /etc/apparmor.d/
        • /etc/apparmor.d/tunables
      • Privilege escalation
        • su
        • sudo
        • wheel
        • visudo
        • sudoedit
      • User types
        • Root
        • Standard
        • Service
  • 3.2 Given a scenario, configure and implement appropriate access and authentication methods
    • PAM:
      • Password policies
      • LDAP integration
      • User lockouts
      • Required, allowed, or sufficient
      • /etc/pam.d/
      • pam_tally2
      • faillock
    • SSH:
      • ~/.ssh/
        • known_hosts
        • authorized_keys
        • config
        • id_rsa
        • id_rsa.pub
      • User-specific access
      • TCP wrappers
      • /etc/sshd/
        • ssh.conf
        • sshd.conf
      • ssh-copy-id
      • ssh-keygen
      • ssh-add
    • TTYs:
      • /etc/securetty
      • /dev/tty#
    • PTYs:
    • PKI:
      • Self-signed
      • Private keys
      • Public keys
      • Hashing
      • Digital signatures
      • Message digest
    • VPN as a client:
      • SSL/TLS
      • Transport mode
      • Tunnel mode
      • IPSec
      • DTLS
  • 3.3 Summarize security best practices in a Linux environment
    • Boot security
      • Bootloader password
      • UEFI/BIOS password
    • Additional authentication methods
      • Multifactor authentication
        • Tokens
        • (i) Hardware
        • (ii) Software
        • OTP
        • Biometrics
      • RADIUS
      • TACACS+
      • LDAP
      • Kerberos
        • kinit
        • klist
    • Importance of disabling root login via SSH
    • Password-less login
      • Enforce use of PKI
    • Chroot jail services
    • No shared IDs
    • Importance of denying hosts
    • Separation of OS data from application data
      • Disk partition to maximize system availability
    • Change default ports
    • Importance of disabling or uninstalling unused and unsecure services
      • FTP
      • Telnet
      • Finger
      • Sendmail
      • Postfix
    • Importance of enabling SSL/TLS
    • Importance of enabling auditd
    • CVE monitoring
    • Discouraging use of USB devices
    • Disk encryption
      • LUKS
    • Restrict cron access
    • Disable Ctrl+Alt+Del
    • Add banner
    • MOTD
  • 3.4 Given a scenario, implement logging services
    • Key file locations
      • /var/log/secure
      • /var/log/messages
      • /var/log/[application]
      • /var/log/kern.log
    • Log management
      • Third-party agents
      • logrotate
      • /etc/rsyslog.conf
      • journald
        • journalctl
    • lastb
  • 3.5 Given a scenario, implement and configure Linux firewalls
    • Access control lists
      • Source
      • Destination
      • Ports
      • Protocol
      • Logging
      • Stateful vs. stateless
      • Accept
      • Reject
      • Drop
      • Log
    • Technologies
      • firewalld
        • Zones
        • Runtime
      • iptables
        • Persistency
        • Chains
      • ufw
        • /etc/default/ufw
        • /etc/ufw/
      • Netfilter
    • IP forwarding
      • /proc/sys/net/ipv4/ip_forward
      • /proc/sys/net/ipv6/ip_forward
    • Dynamic rule sets
      • DenyHosts
      • Fail2ban
      • IPset
    • Common application firewall configurations
      • /etc/services
      • Privileged ports
  • 3.6 Given a scenario, backup, restore, and compress files
    • Archive and restore utilities
      • tar
      • cpio
      • dd
    • Compression
      • gzip
      • xz
      • bzip2
      • zip
    • Backup types
      • Incremental
      • Full
      • Snapshot clones
      • Differential
      • Image
    • Off-site/Off-system storage
      • SFTP
      • SCP
      • rsync
    • Integrity checks
      • MD5
      • SHA
  1. Which command will create an image of the /dev/sda1 disk partition and place that image into a file called output.img?

    1. dd if=sda of=/dev/sda1
    2. dd if=output.img of=/dev/sda1
    3. dd if=/dev/sda1 of=output.img
    4. echo /dev/sda1 > output.img
  2. Which command will watch the Apache log at /var/log/httpd/access.log and continually scroll as new log entries are created?

    1. watch /var/log/httpd/access.log
    2. tail /var/log/httpd/access.log
    3. tail -f /var/log/httpd/access.log
    4. mon /var/log/httpd/access.log
  3. You receive a file with a .lzma extension. Which command can you use to decompress this file?

    1. xz
    2. lz
    3. gz
    4. bzip
  4. Which of the following commands will correctly change the group ownership of the file called a.out to users?

    1. chgrp users a.out
    2. chgrp a.out users
    3. groupchg a.out users
    4. grpchg users a.out
  5. Which option to umask will display the permissions to be used in a POSIX format?

    1. -P
    2. -p
    3. -S
    4. -v
  6. According to the FHS, what is the correct location for site-specific data for a server?

    1. /etc
    2. /var
    3. /tmp
    4. /srv
  7. Which of the following commands enables the sticky bit for a user on a file called homescript.sh?

    1. chmod +sticky homescript.sh
    2. chmod 755 homescript.sh
    3. chmod u+s homescript.sh
    4. chown u+sticky homescript.sh
  8. The umask reports as 022. What is the permission that will be in effect for a newly created non-executable file?

    1. u+rw, g+r, w+r
    2. 755
    3. 022
    4. a+r
  9. Which option to chown recursively changes the ownership?

    1. -f
    2. -R
    3. -a
    4. -m
  10. Which option to chgrp will change group ownership of all files within a given directory?

    1. -directory
    2. -d
    3. -R
    4. -V
  11. A command has the following listing obtained with ls -la:

    -rwsr-xr-x 1 suehring suehring 21 Nov 2 13:53 script.sh

    What does the s denote within the user permissions in the listing?

    1. The suid bit has been set for this program.
    2. This is a symlink.
    3. The file will not be executable.
    4. The file is a special system file.
  12. When sourcing a file in bash, which chmod command would be necessary to provide the minimum privileges in order for the file to be sourced correctly, assuming that your current user owns the file?

    1. chmod 600
    2. chmod 755
    3. chmod 777
    4. chmod 400
  13. Which of the following commands removes an expiration from an account?

    1. sudo chage -l username
    2. sudo chage -E -1 username
    3. sudo chage -E now username
    4. sudo chage --noexpire username
  14. You need to determine whether LDAP integration is working correctly. In order to do so, you would like to obtain a list of users, as read by /etc/nsswitch.conf. Which command can be used for this purpose?

    1. getuser
    2. getent
    3. usermod
    4. userlist
  15. Which file contains a list of users who are not allowed to create cron scheduled tasks?

    1. /etc/cron.users
    2. /etc/cron.deny
    3. /etc/cron.allow
    4. /etc/cron.userlist
  16. Which system logging facility is used for messages from the kernel?

    1. syslog
    2. kernel
    3. kern
    4. system
  17. Which of the following commands is used to examine the systemd journal or log file?

    1. journallist
    2. ctlj
    3. journalctl
    4. jctl
  18. What is the name of the systemd service that provides logging facilities?

    1. systemd-journald
    2. systemd-loggingd
    3. systemd-syslog
    4. systemd-logger
  19. Which configuration option in /etc/logrotate.conf will cause the log to be emailed to when the log rotation process runs for the selected log?

    1. mail
    2. sendmail
    3. maillog
    4. logmail
  20. Assuming that the $ModLoad imudp configuration option has been set in the /etc/rsyslog.conf configuration file for rsyslogd, which of the following additional options is necessary to configure the port on which the server will listen?

    1. $Port 514
    2. $UDPServerRun 514
    3. $Listen 514
    4. $UDPListen 514
  21. Which option in journald.conf controls the maximum file size for individual journal logs?

    1. SystemMaxFileSize
    2. MaxFile
    3. LogFileSize
    4. LogSize
  22. You are deploying an Exim server and need to work with the firewall to ensure that the proper incoming ports are open. Which protocol and port should you allow inbound for normal SMTP traffic?

    1. TCP/23
    2. TCP/25
    3. TCP/110
    4. TCP/143
  23. Which option within a logrotate configuration file disables compression of the log file?

    1. compressoff
    2. limitcompress
    3. nocompression
    4. nocompress
  24. Which port(s) and protocol(s) should be opened in a firewall in order for the primary and secondary name servers to communicate for a given domain?

    1. udp/53
    2. Both tcp/53 and udp/53
    3. tcp/53
    4. udp/53 and tcp/503
  25. When examining open ports on the server, you see that TCP port 3000 is listed with no corresponding protocol name, such as smtp, imaps, and so on. In which file would you find a list of port-to-protocol translations that could be customized to add this new port?

    1. /etc/ports
    2. /etc/p2p
    3. /etc/ppp
    4. /etc/services
  26. On which port does ICMP operate?

    1. TCP/43
    2. UDP/111
    3. UDP/69
    4. ICMP does not use ports.
  27. Which of the following protocols uses a three-way handshake?

    1. ICMP
    2. TCP
    3. UDP
    4. IP
  28. Which of the following commands displays account information such as expiration date, last password change, and other related details?

    1. usermod -l
    2. userinfo -a
    3. chageuser -l
    4. chage -l
  29. Which command is used to create a public/private key pair for use with SSH?

    1. ssh -k
    2. ssh-keygen
    3. ssh-genkey
    4. ssh -key
  30. Within which file should you place public keys for servers from which you will accept key-based SSH authentication?

    1. ~/.ssh/authorized_keys
    2. ~/.ssh/keys
    3. ~/.ssh/keyauth
    4. ~/.sshd/authkeys
  31. You need to execute a command as a specific user. Which of the following commands enables this to occur?

    1. sudo -u
    2. sudo -U
    3. sudo -s
    4. sudo -H
  32. Which option in /etc/sudoers will cause the specified command to not prompt for a password?

    1. PASSWORD=NO
    2. NOPASSWD
    3. NOPASSWORD
    4. NOPROMPT
  33. Which of the following commands will display the CPU time, memory, and other limits for the currently logged-in user?

    1. reslimit
    2. limitres -a
    3. ulimit -a
    4. proclimit -n
  34. When working with TCP wrappers, which line within the /etc/hosts.deny file will prevent any host within the 192.168.1.0/24 network from accessing services that operate from xinetd?

    1. BLOCK: 192.168.1.0/24
    2. REJECT: 192.168.1.0
    3. ALL: 192.168.1.0/255.255.255.0
    4. NONE: 192.168.1/255.255.255.0
  35. You are using an RSA-based key pair for SSH. By default, what is the name of the private key file in ~/.ssh?

    1. id_rsa
    2. id_rsa.priv
    3. id_rsa.key
    4. rsa_key.priv
  36. Which option to the su command will execute a single command with a non-interactive session?

    1. -s
    2. -u
    3. -c
    4. -e
  37. After specifying the key server, which option to gpg is used to specify the key to send to the key server?

    1. key-name
    2. keyname
    3. send-key
    4. sendkey
  38. Which of the following commands should be used to edit the /etc/sudoers file?

    1. Any text editor such as Vi or emacs
    2. editsudo
    3. visudo
    4. visudoers
  39. Which file can be used to store a server-wide cache of hosts whose keys are known for SSH?

    1. /etc/sshd_known_hosts
    2. /etc/ssh_known_hosts
    3. ~/.ssh/known_hosts
    4. /root/ssh_known_hosts
  40. Which option must be enabled in /etc/sshd/sshd.conf (or /etc/ssh/sshd_config) on the destination server in order for X11 forwarding to work?

    1. XForward yes
    2. Xenable yes
    3. X11Forwarding yes
    4. Xconnection yes
  41. Which of the following commands generates a GnuPG key pair?

    1. gpg --gen-key
    2. gpg --key
    3. gpg --send-key
    4. gpg --create-key
  42. You need to disable a service found in /etc/inetd.conf. Which of the following is used as a comment character in that file?

    1. -
    2. #
    3. /
    4. %
  43. Which file is used as the default storage for public keyrings for gpg?

    1. publickeys.gpg
    2. pubring.gpg
    3. public.gpg
    4. pubkeys.gpg
  44. Which option to the su command is used to obtain the normal login environment?

    1. -u
    2. -U
    3. -
    4. -login
  45. Which key-derivation function is used by LUKS?

    1. PBKDF2
    2. SSL
    3. RSA
    4. DSA
  46. Which of the following commands is used to configure dm-crypt volumes?

    1. cryptsetup
    2. dm-cryptsetup
    3. dm-setup
    4. dm-crypts
  47. Which wildcard can be used in /etc/hosts.allow to specify a match for a host whose name does not match its IP address?

    1. *
    2. ALL
    3. PARANOID
    4. NAMEMATCH
  48. Which option to the tar command creates a tar file?

    1. -c
    2. -b
    3. -f
    4. -d
  49. Which option to tar removes files after adding them to the archive?

    1. -r
    2. -d
    3. --remove-files
    4. -f
  50. Which of the following files should be used to display a message to users prior to logging in locally?

    1. /etc/loginmesg
    2. /etc/logmessage.txt
    3. /etc/issue
    4. /etc/banner
  51. Which option to the rsync command, when used in archive mode, will remove files that no longer exist on the host?

    1. --delete
    2. --remove
    3. -del
    4. -rem
  52. When creating a tar archive, you need to exclude certain files from the archive. Which option facilitates this scenario?

    1. -x
    2. --exclude
    3. --ex
    4. --remove
  53. Which file contains a message that is displayed after successful login?

    1. /etc/loginbanner
    2. /etc/issue
    3. /etc/motd
    4. /etc/message
  54. Which of the following options to the tar command can be used to uncompress a file that has been compressed using gzip?

    1. -z
    2. -x
    3. -c
    4. -f
  55. Which of the following files can be used to provide a message to users logging in remotely with a protocol such as telnet?

    1. /etc/telnet.msg
    2. /etc/issue.net
    3. /etc/login.msg
    4. /etc/telnet.login
  56. Which option to the rsync command changes the resolution for determining file modifications?

    1. --mod-time
    2. --modify-time
    3. --mod-res
    4. --modify-window
  57. Which of the following options to bzip2 sends the output to STDOUT?

    1. -s
    2. -c
    3. -d
    4. -f
  58. Which option to the gzip command will suppress all warning messages and might be useful in a situation where output is not appropriate?

    1. -v
    2. -q
    3. -L
    4. -r
  59. Which option to rsync specifies that the remote shell or transport for the synchronization process should use SSH?

    1. -t ssh
    2. --overssh
    3. -e ssh
    4. -F ssh
  60. When configuring BIND for a chroot jail scenario, within which of the following files should the home directory be set for the chroot user to use with bind?

    1. /etc/bind.home
    2. /etc/bind.user
    3. /etc/passwd
    4. /etc/bindauth
  61. Which algorithm must be used for rndc authentication when generating a key with dnssec-keygen?

    1. sha1
    2. sha256
    3. md5
    4. hmac-md5
  62. Which option enables SSL configuration for a given website or server?

    1. SSLEngine
    2. SSLDirect
    3. SSLEnable
    4. SSLConnect
  63. On which port does Squid listen by default?

    1. 3000
    2. 3128
    3. 5150
    4. 10300
  64. When using the net command in an Active Directory environment, which option enables authentication using Kerberos?

    1. -b
    2. -k
    3. -l
    4. -a
  65. Within which directory are individual configuration files stored for the Pluggable Authentication Module mechanism?

    1. /etc/pamd
    2. /etc/pam
    3. /etc/pam.d
    4. /etc/pam.conf.d
  66. On which port does the slapd LDAP daemon listen for connections?

    1. 389
    2. 3389
    3. 3306
    4. 110
  67. Which PAM module prevents logins from accounts other than root when the file /etc/nologin exists?

    1. pam_login.so
    2. pam_preventlogin.so
    3. pam_nologin.so
    4. pam_logindef.so
  68. Which PAM module is responsible for normal or standard password authentication?

    1. pam_auth.so
    2. pam_login.so
    3. pam_unix.so
    4. pam_standardlogin.so
  69. Which PAM module provides a mechanism for checking and enforcing the strength of passwords in order to enforce a password policy?

    1. pam_passwdstr.so
    2. pam_cracklib.so
    3. pam_libpasswd.so
    4. pam_strpass.so
  70. Which format should the certificate and key be in for a Postfix TLS configuration?

    1. PKCS
    2. PEM
    3. TLS
    4. SSL
  71. Which iptables chain is used to create a port redirect?

    1. REDIRECT
    2. PREROUTING
    3. PORTREDIR
    4. ROUTING
  72. Which of the following commands saves the current set of iptables rules into a file?

    1. save-iptables
    2. iptables-create
    3. iptables-save
    4. ipt-save
  73. Which of the following commands lists the current iptables rules, while not attempting to resolve host or port names?

    1. iptables -L
    2. iptables -List -no-resolve
    3. iptables -a
    4. iptables -nL
  74. Which of the following directories contains configuration files for the fail2ban system?

    1. /etc/fail2ban.cfg
    2. /etc/fail2ban.d
    3. /etc/f2b
    4. /etc/fail2ban
  75. Within an OpenSSH configuration, which option disables the use of empty passwords?

    1. DisableEmptyPass
    2. PermitEmptyPasswords
    3. EmptyPasswordAuth
    4. PermitPasswordLength
  76. Which of the following commands sets the default policy for the INPUT chain to discard packets that don’t have a specific rule allowing them?

    1. iptables INPUT DROP
    2. iptables chain INPUT policy DROP
    3. iptables -P INPUT DROP
    4. iptables POLICY=DROP CHAIN=INPUT
  77. On which port and protocol does OpenVPN listen?

    1. ICMP/1194
    2. UDP/1194
    3. TCP/1194
    4. VPN/1194
  78. Which of the following best describes the difference between the DROP and REJECT targets in iptables?

    1. Both DROP and REJECT do the same thing.
    2. DROP silently discards packets, while REJECT sends back an ICMP acknowledgement.
    3. REJECT silently discards packets, while DROP sends back an ICMP acknowledgement.
    4. DROP sends back a direct message, and REJECT sends a redirect.
  79. Which of the following partial iptables rules sets up a configuration that limits log entries to three per minute?

    1. -m limit 3 -j LOG
    2. -m limit --limit 3/minute --limit-burst 3 -j LOG
    3. -m limit --limit 3
    4. -m limit --limit-minute 3 --burst 3 -j LOG
  80. Which of the following partial iptables rules allows incoming ICMP traffic?

    1. -A INPUT -p ICMP -j ACCEPT
    2. -A IN -P ICMP
    3. -A INPUT -P ACCEPT-ICMP
    4. -A IN -P ICMP -j ACCEPT
  81. Which of the following partial iptables rules blocks all traffic from source IP 192.168.51.50?

    1. -A INPUT -p ALL 192.168.51.50 -j ACCEPT
    2. -A INPUT -p ALL -s 192.168.51.50 -j DROP
    3. -A INPUT -p ALL -s 192.168.51.50 -j BLOCK
    4. -A INPUT -p ALL -f 192.168.51.50 -j DISCARD
  82. Which of the following partial iptables rules will allow all hosts to connect to TCP port 2222?

    1. -A INPUT -p TCP -s 0/0 --destination-port 2222 -j ACCEPT
    2. -A TCP -s ALL -p 2222 -j ACCEPT
    3. -A INPUT -p TCP -s *.* --destination-port 2222 -j ALLOW
    4. -A INPUT --destination-port */* -j ACCEPT
  83. Which of the following commands enables forwarding such as would be used for NAT?

    1. echo "1" > /proc/sys/net/ipv4/nat
    2. echo "1" > /proc/sys/net/ipv4/ip_forward
    3. iptables --enable-forwarding
    4. ip-forward --enable
  84. Within a jail configuration for fail2ban, which configuration option sets the name and location of the log file to monitor for failures?

    1. logpath
    2. monitor
    3. logfile_mon
    4. monitor_log
  85. Which command sends a copy of the public key identity to another server for use with SSH?

    1. ssh-key
    2. ssh-copy-key
    3. ssh-sendkey
    4. ssh-copy-id
  86. Which option in /etc/sudoers sets the destination address for administrative and security emails related to sudo?

    1. mail
    2. mailto
    3. secmail
    4. adminmail
  87. Which port should be allowed through a firewall for NTP communication?

    1. Port 139
    2. Port 161
    3. Port 123
    4. Port 194
  88. Which options are encompassed when the -a option to rsync is invoked?

    1. -rlpt
    2. -rlptgo
    3. -rpfsxl
    4. -rlptgoD
  89. You are looking for files related to the SSL configuration on the server. After looking in /etc/ssl, within which other directory might the files reside?

    1. /etc/sslconfig
    2. /usr/share/ssl
    3. /etc/pki
    4. /etc/private
  90. Which OpenSSH configuration directive is used to specify the users who will be allowed to log in using SSH?

    1. AllowUsers
    2. PermitUsers
    3. UsersAllowed
    4. AllowedUsers
  91. Which option within a LOG target for iptables sets a string that will be prepended to log entries?

    1. --log-prefix
    2. --prepend
    3. --log-prepend
    4. --log-str
  92. Within the SELinux configuration, which option controls whether the policy will be targeted or strict?

    1. SEPOLICY
    2. SELINUXTYPE
    3. SETARGET
    4. SELINUXPOLICY
  93. Which of the following best describes the status of SELinux when the command getenforce returns Permissive?

    1. A Permissive return means SELinux is enabled, but rules are not enforced, although DAC rules are still in effect.
    2. A Permissive return means SELinux is not enabled.
    3. A Permissive return means SELinux is enabled, although rules are not enforced and DAC rules are not in effect.
    4. A Permissive return means SELinux is using an enforcing policy.
  94. Which of the following describes the primary difference between the configuration files ssh.conf and sshd.conf (typically found in /etc/sshd/ or /etc/ssh)?

    1. sshd.conf is the configuration file for the system SSH, and ssh.conf is the options configuration file.
    2. sshd.conf is the configuration file for the system SSH daemon, and ssh.conf provides system-wide client SSH configuration.
    3. sshd.conf is used when SSH will be disabled, and ssh.conf is used when SSH is enabled.
    4. sshd.conf is the first configuration file read for a client connection, while ssh.conf is the first configuration read for a server configuration.
  95. When working with PAM, a module that is marked as required has failed. Which of the following describes what happens to the other modules in that realm?

    1. Processing stops immediately when a failure of a required module occurs.
    2. Processing stops after all required modules are processed.
    3. Processing continues until another required module is encountered.
    4. Processing continues through other modules but ultimately fails.
  96. What is the UID of the root account?

    1. 1000
    2. 0
    3. 100
    4. 65535
  97. Using a system such as Google Authenticator to provide two-factor authentication is an example of which type of token?

    1. Hardware
    2. Software
    3. Token-based
    4. Usage-based
  98. You need to disable the ability to reboot the Linux computer using the Ctrl+Alt+Del key combination. Within which file will you find the configuration for this key combination?

    1. /etc/ctrlaltdel
    2. /etc/shutdown
    3. /etc/keymap
    4. /etc/inittab
  99. Within which directory are the predefined zones for firewalld?

    1. /etc/firewalld/
    2. /usr/lib/firewalld/zones/
    3. /usr/firewalld/zones/
    4. /etc/firewall/zones
  100. You need to set a bootloader password for GRUB. To do so, which of the following configuration options should be set in /boot/grub/grub.conf?

    1. login
    2. prompt
    3. boot-passwd
    4. password
  101. Assuming that the output from the sestatus command indicates that SELinux is in Permissive mode, which of the following commands is used to change the mode to Enforcing?

    1. setenforce en
    2. setenforce 1
    3. setenforce on
    4. setenforce --enable
  102. Your organization uses ssh-agent for authentication assistance with SSH. Which command can be used to add a private key to ssh-agent?

    1. ssh-privkey
    2. ssh-agent-key
    3. ssh-add
    4. ssh-addkey
  103. Which of the following commands is used to display information about the access control list for a given file?

    1. getfacl
    2. getacl
    3. acldisp
    4. showacl
  104. Which of the following commands can be used to prevent the root user from logging in at the console?

    1. echo > /etc/securetty
    2. echo "NoRootCon" > /etc/securetty
    3. rm /etc/securetty
    4. echo "RootCon=no" > /etc/securetty
  105. You need to provide a special username and other parameters related to a specific host to which you connect using SSH. To which file should you add this information?

    1. ~/.ssh/hosts
    2. ~/.ssh/known_hosts
    3. ~/.ssh/config
    4. ~/.ssh/hostconfig
  106. You are using chmod in order to change several web-related files so that the web server/public can read them. Which option should you add to the chmod command in order for the permissions to inherit to other files?

    1. -R
    2. -v
    3. -i
    4. -M
  107. Which of the following commands can be used to obtain more information about a GUID partition table?

    1. guidinfo
    2. guid -info
    3. gdisk
    4. blkguid
  108. Which option to setsebool writes the current values to disk so that they will be applied at next reboot?

    1. -A
    2. -P
    3. -D
    4. -M
  109. When working with AppArmor, within which directory are profiles located?

    1. /etc/apparmor/
    2. /etc/apparmor.d/
    3. /etc/appa.d/
    4. /etc/armor.d/
  110. Which of the following protocols provides datagram security?

    1. DS
    2. DSSL
    3. DTLS
    4. DLS
  111. Which of the following commands shows a list of failed login attempts?

    1. badlogin
    2. lastb
    3. lastf
    4. flogins
  112. When using Kerberos authentication, which of the following commands shows the ticket cache?

    1. ktix
    2. ktel
    3. kinit
    4. klist
  113. You suspect that a third-party logging agent is using a significant amount of system resources. Which of the following commands could help troubleshoot this issue?

    1. ps aux | grep <agent>
    2. uptime
    3. sysreport <agent>
    4. psrep
  114. Which of the following options to the ls command displays ownership and permission information?

    1. -m
    2. -l
    3. -b
    4. -f
  115. Which option to getsebool returns the entire list of SELinux booleans?

    1. -a
    2. -b
    3. -c
    4. -d
  116. Which AppArmor command uses netstat to determine the network-related processes that do not have AppArmor profiles?

    1. aa-profiles
    2. aa-netstat
    3. aa-unconfined
    4. aa-netlist
  117. Which group can be used to restrict access to execute the su command?

    1. super
    2. admins
    3. wheel
    4. runsu
  118. You need to change the SELinux security context of a file. Which of the following commands should be used for this purpose?

    1. setcontext
    2. sesecon
    3. chcon
    4. setcon
  119. Which of the following is an advantage of using an SSL-based VPN client?

    1. The transport may be able to get around firewalls that otherwise block VPN traffic.
    2. The use of SSL makes default configuration easier.
    3. The use of SSL means keys do not need to be configured.
    4. The use of SSL makes no difference.
  120. When configuring PKI on a Red Hat system, which options are available as hashing algorithms when RSA is used as a key type?

    1. SHA256withRSA
    2. MD4
    3. SHA2048
    4. SHA1withEC
  121. Which type of backup captures changes from the previous backup and only backs up those files that have changed?

    1. Full
    2. Snapshot clone
    3. Incremental
    4. Image
  122. Two individuals within your organization share the same username and password for an administrative account. Which security best practice does this violate?

    1. Integrity
    2. Availability
    3. Shared IDs
    4. Password policy
  123. Which of the following passwords can be used to secure a system such that it will not boot, even if the attacker has physical access to place a USB boot disk in the computer?

    1. GRUB password
    2. UEFI/BIOS password
    3. Root password
    4. SHA1 password
  124. Which of the following can be used in Linux to provide biometric authentication?

    1. finger
    2. fprint
    3. bio
    4. freader
  125. Which option to the restorecon utility can be used to view the current contexts without making changes?

    1. -n
    2. -r
    3. -g
    4. -p
  126. You need to allow a user to edit a file that is owned by root. Which of the following commands should be used for this purpose, assuming the use of sudo to execute the command?

    1. vim
    2. nano
    3. sudoedit
    4. visudo
  127. You need to view the SELinux contexts for various processes on the system. Which of the following commands will accomplish this task?

    1. showcon
    2. proccon
    3. lcon -Z
    4. ps -Z
  128. Which PAM module can be used to lock accounts after failed login attempts?

    1. pam_lock
    2. pam_tally2
    3. pam_loginlock
    4. pam_watchlog
  129. Which VPN mode is typically used for client-to-server VPN traffic?

    1. Tunnel
    2. Transport
    3. Site-to-Site
    4. Site-to-Server
  130. What is the device-naming convention used to indicate a pseudo-terminal in Linux?

    1. /dev/ttyS0
    2. /dev/ttyP0
    3. /dev/pty
    4. /dev/tys
  131. Which of the following commands places all AppArmor profiles into complain mode?

    1. aa-complain /etc/apparmor.d/*
    2. aa-enable -complain /etc/apparmor.d/*
    3. aa-enable -complain /etc/apparmor/*
    4. aa-complain /etc/apparmor/*
  132. Which of the following logs is used to store information related to authentication and authorization?

    1. /var/log/sec.log
    2. /var/log/messages
    3. /var/log/kern.log
    4. /var/log/secure
  133. Which option within the sshd_config file controls whether the root user can log in directly with SSH?

    1. PermitRoot
    2. PermitRootLogin
    3. RootDirectLogin
    4. AllowRootLogin
  134. RADIUS provides AAA services for remote login. To what does AAA refer?

    1. Authentication, Authorization, Availability
    2. Authentication, Authorization, AppArmor
    3. Authentication, Authorization, Assistance
    4. Authentication, Authorization, Accounting
  135. Which option to the firewall-cmd command sets the current runtime configuration to be available on next reboot of the computer?

    1. --set-perm
    2. --make-perm
    3. --runtime-to-permanent
    4. --current-to-persistent
  136. One of your customers needs to transfer a large file and is asking for FTP to be enabled on the server. Thinking of security, what options can you offer that are more secure?

    1. USB
    2. Email (SMTP)
    3. SSL
    4. SFTP
  137. Which site should you use to monitor for new security bulletins that have been reported using the CVE process?

    1. News sites
    2. https://cve.mitre.org
    3. https://www.example.com
    4. Vendor sites
  138. When working with ufw, you need to allow SSH traffic. Which of the following commands facilitates this scenario?

    1. ufw allow tcp/22
    2. ufw enable ssh
    3. ufw allow ssh
    4. ufw enable tcp/21-22
  139. Which daemon can be used to monitor the system for changes to system files?

    1. end
    2. alogd
    3. auditd
    4. mond
  140. You need to provide authentication for various network components like routers and switches within the enterprise network. Which authentication service can be added to the Linux server to facilitate this scenario?

    1. SSH
    2. Kerberos
    3. TACACS+
    4. Telnet
  141. Which of the following is the name for the firewall control software associated with Netfilter?

    1. iptables
    2. ipt
    3. netfw
    4. netfilterfw
  142. You need to extract files from a backup created with an older version of HPUX. The tar command does not seem to work for these files. Which of the following may be able to extract from this backup?

    1. gzip
    2. bzip2
    3. cpio
    4. hpb
  143. When copying files using scp, which port needs to be open in the firewall?

    1. TCP/21
    2. TCP/22
    3. TCP/20 and TCP/21
    4. UDP/53
  144. You are viewing the contents of a directory with the ls command but do not see files that begin with a single dot (.). Which option to ls shows those files?

    1. -a
    2. -b
    3. -c
    4. -d
  145. You believe that the system has been broken into and files may have been changed. After taking the system offline and unmounting one of the affected partitions, what could you do next?

    1. Use dd to make an image of the partition to preserve it.
    2. Create a backup using tar.
    3. Examine the partition with fdisk.
    4. Use mkfs to reformat the partition.
  146. Which option to SSH specifies the private key to use for authentication?

    1. -m
    2. -i
    3. -k
    4. -a
  147. Which utility can be used to create a checksum of a file in order to ensure its integrity?

    1. sha1sum
    2. mdsum
    3. shasum
    4. shacheck
  148. Which option to the zip command causes the command to traverse directories?

    1. -g
    2. -m
    3. -r
    4. -a
  149. You are working on a Debian system and need to set ownership on a file such that the user used to execute Apache can write to the file. What command can you use to determine which user Apache is running as?

    1. ps auwx | grep apache
    2. ls -a
    3. free | grep httpd
    4. monapache
  150. You have found that the owner of the Apache process is www-data. What command will change the ownership of a file, given as <filename>, such that www-data can write to the file?

    1. chown www-data <filename>
    2. chown apache-www-data <filename>
    3. chmod www-data +w <filename>
    4. chmod www-data.apache <filename>
  151. When using sudo in a scripted environment, which option can be used to specify a non-interactive mode?

    1. -f
    2. -m
    3. -n
    4. -l
  152. On which port does telnet operate?

    1. TCP/22
    2. TCP/20
    3. TCP/100
    4. TCP/23
  153. Which command is used to turn off AppArmor profiles?

    1. aa-disable
    2. aa-turnoff
    3. aa-enable -d
    4. aa-off
  154. Which command and option are used to view the SELinux security context of a given file?

    1. ls -context
    2. file -Z
    3. ls -Z
    4. sel -context
  155. Digital signatures can be provided in Linux through which of the following commands?

    1. gds
    2. gpg
    3. dmc
    4. gds2
  156. You need to make a change to the global behavior of AppArmor. Rather than editing the profiles directly, which directory contains common settings that can be changed instead?

    1. /etc/apparmor.d/configs
    2. /etc/apparmor/globals
    3. /etc/apparmor/edits
    4. /etc/apparmor.d/tunables
  157. Which of the following directories contains configuration for UFW?

    1. /etc/ufwd
    2. /etc/ufw.d
    3. /etc/ufw
    4. /etc/ufirewall
  158. Which software can be used in connection with iptables in order to more effectively block traffic from entire network ranges?

    1. ipblock
    2. ipset
    3. iplist
    4. ipcoll
  159. You have created a public key and private key for use with SSH. The contents of which key should be copied to a remote host in order to enable authentication?

    1. The public key
    2. The private key
    3. Both the public and private keys
    4. Neither the public nor the private key. It must be generated on the remote host.
  160. What is the octal notation to specify that a directory should have read-write-execute permissions for the owner and read-execute permissions for the group and other?

    1. 711
    2. 644
    3. 755
    4. 777
  161. When using rsyslog for logging, within which file can you look to determine what items are logged on the system?

    1. /etc/rsyslogd.conf
    2. /etc/rsys.conf
    3. /etc/rsyslog.conf
    4. /etc/rsys.cfg
  162. Which option to sestatus shows the context of a file?

    1. -f
    2. -v
    3. -m
    4. -a
  163. Which option to chage sets the maximum days that a password is valid?

    1. -v
    2. -m
    3. -M
    4. -d
  164. Which option within an SSH server configuration enables authentication using Kerberos?

    1. UseKerberos
    2. KerberosAuthentication
    3. EnableKerberos
    4. KerberosEnable
  165. You are working with iptables-save to examine the contents of tables in a scripted environment. Which option to iptables-save can be used to specify the table name rather than outputting information for all tables?

    1. -t
    2. -a
    3. -s
    4. -i
  166. Ports below what number are considered to be the well-known ports?

    1. 256
    2. 512
    3. 1024
    4. 65535
  167. Within which directory will you find configuration files for various logs that are to be rotated with logrotate?

    1. /etc/logrotate
    2. /etc/logs
    3. /etc/logrotate.d
    4. /var/spool/logrotate
  168. Which option to the journalctl command will continuously update the display as new log entries are created?

    1. -tail
    2. -t
    3. -f
    4. -l
  169. Which PAM module is responsible for enforcing limits such as the maximum number of logins and CPU time used?

    1. pam_enforce.so
    2. pam_limittest.so
    3. pam_max.so
    4. pam_limits.so
  170. When using LDAP for authentication, what will be logged with the loglevel set to 0x10 in a slapd.conf configuration file?

    1. No debugging
    2. Trace debugging
    3. Stats logging
    4. Packets sent and received
  171. On which port does LDAP over SSL listen for connections?

    1. 389
    2. 443
    3. 636
    4. 3128
  172. Which of the following PAM modules can be used for authorization and authentication scenarios using external files?

    1. pam_fileauth.so
    2. pam_listfiles.so
    3. pam_filesauth.so
    4. pam_fileauth.so
  173. Which option to ssh-keygen sets the type of key that will be created?

    1. -k
    2. -t
    3. -e
    4. -i