CHAPTER 9. Securing Linux
Exam objectives in this chapter
■ Managing and Monitoring User and Group Accounts
■ File Permissions and Ownership
■ SELinux Basics
■ Implementing Privilege Escalation
■ Security Applications and Utilities
■ Checksum and File Verification Utilities
■ Implementing Remote Access
■ Authentication Methods

Introduction

Linux is regarded as a secure operating system; however, even the most secure systems can have an occasional flaw or be misconfigured, and security is best applied in layers. In this chapter, we'll look at the tasks necessary to make sure your Linux systems live up to their secure reputation.

Managing and Monitoring User and Group Accounts

Being able to control who gets access to what information is critical to maintaining security and may even be a legal requirement. Limiting user accounts protects information and also protects the system itself, from both malice and simple errors.

Tools

The following tools are used to create and manage user accounts.

USERADD

There are a number of steps involved in adding users, and these may include the following:
1. Define the new user in /etc/passwd, and create a new User Identification number (UID). The system uses UIDs to refer to the user internally.
2. Create a password for the user in the /etc/shadow file.
3. Define a new group in /etc/group and a new Group Identification number (GID).
4. Create a new home directory for the user, set the file permissions on it, and copy the default startup files to it.
5. Set up the user's e-mail account.
Although it is entirely possible to do each of these steps by hand, the useradd tool automates them. The syntax is useradd [options] username.
Good options to know are
-b or --base-dir: location of the home directory.
-m or --create-home: create a home directory for the user, and copy the basic user settings files from /etc/skel.
A number of other parameters can be set in the /etc/login.defs and /etc/default/useradd files, including
■ Range of UID and GID numbers
■ Location of the user's e-mail file
■ Account and password time limits

USERDEL

userdel deletes a user, and the syntax is userdel [options] username.
The options are
-r or --remove deletes the user's home directory and his or her e-mail spool.
-f or --force deletes the user account even if they are currently logged in, deletes the home directory even if other users may be sharing it, and deletes a group that matches the username even if it is used by others on the system.
Note that neither of these will remove files outside of a user's home directory.

USERMOD

usermod changes (modifies) a user account, and syntax is usermod [options] username.
Options include
-l or --login changes a username.
-d or --home changes the user's home directory; use -m to move their files to the new location.
-u or --uid and -g or --gid change the user's UID and default groupname or number but don't actually change the ownership information of any existing files they may have.
-G or --group group1[,group2,…] changes the groups that the user is a member of. The user is removed from any groups not listed unless -a or --append is also used.
-L or --lock and -U or --unlock options lock and unlock the account.

Crunch Time
As well as the above commands, there are some that work on groups only:
groupadd creates groups, using the next unused GID number; -g or --gid lets you pick a specific number.
groupdel deletes groups, removing them from /etc/group and (if used) /etc/gshadow but won't let you remove a user's primary group. groupdel won't change the actual GID information on existing files, and if the GID gets reused, you may get unexpected file access and other security issues.
groupmod changes a group's GID or groupname, with -g or --gid GID changing the GID and -n or --new-name newgroupname to change the groupname.

Passwd

Users can use passwd to change their own password, and system administrators can change a password on a user's behalf, or reset a forgotten one, by providing the username. passwd can also be used to lock and unlock accounts with -l and -u.

Exam Warning
passwd isn't actually listed on the CompTIA list of exam topics, but they do refer to “lock,” so it is advisable to be familiar with both usermod -L and passwd -l.

Who and Whoami

who lists the usernames of people logged into your system and can show where remote users are logged in from and the number of users. who works by looking in the /var/run/utmp file, which keeps track of who is logged into the system. The whoami command simply prints your username.

Fast Facts
w (syntax: w [options] user) provides the information who supplies, plus:
■ What device they logged into
■ Where they logged in from (console or Internet Protocol (IP) address if remote)
■ When they logged in
■ How long their session has been idle
■ How much processor time they've used
■ What program they are running

Last

last reviews the /var/log/wtmp file to show information about who has logged in (and out) since the file was created. The syntax is last [options] [name] [tty].
Options include
-t YYYYMMDDHHMMSS to show who was logged in at a specific time.
name gives the log-in information for a specific user account. The system logs in with a “pseudo user” account called reboot each time it gets rebooted, so last reboot shows a list of times the system has been rebooted since the creation of the /var/log/wtmp file.

Files

We've touched on a number of files used to maintain user information; now, we'll take a closer look at a couple of them.

/etc/skel

Each user account has a home directory where his or her account settings and preferences are held. A set of template files, in the /etc/skel (short for “skeleton”) directory, are copied to a new user's home directory by useradd. The template files can be used to give users helpful defaults for their BASH shell, standardized options for a company preferred text editor, and other standardized settings. It can even be used to give company standard browser favorites or a company directory file.

/etc/passwd

The /etc/passwd file is a text file but can only be edited by a user with elevated privileges. Each user has its own line, with fields separated by colons. The fields, in order, are
■ username
■ password
■ UID
■ GID
■ comment(s)
■ user's home directory
■ user's default shell: “/bin/false” here means that user doesn't get shell access

/etc/shadow

/etc/passwd is used by many common utilities to cross-reference username and UID/GID information. Having easy access to every user's password, even if encrypted, is a bad thing. To solve that problem, there is a mechanism called a shadow password file; /etc/shadow can only be read by system administrators and contains the actual passwords. It can also be read by processes and utilities that are setuid 0.

Exam Warning
If you hand-edit the /etc/passwd file, be careful not to leave the password field blank. This clears the password, so anyone can connect as that username without a password. This is considered a poor security practice, even if other steps have been taken to limit that account.
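The field layout and the blank-password warning above can be checked mechanically. The following shell function is an added example, not part of the original chapter: it reads passwd-format lines and reports empty password fields, hashes stored directly in the file, and (going one step beyond the text) accounts other than root that carry UID 0. The names audit_passwd and sample_passwd and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit passwd-format data (seven colon-separated fields).
# audit_passwd is a hypothetical helper; pass a file name, or "-" for stdin.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF != 7 {
            printf "MALFORMED line %d (%d fields)\n", NR, NF
            next
        }
        # Field 2 empty: the account can be used without any password.
        $2 == "" { printf "EMPTY_PASSWORD %s\n", $1 }
        # Field 2 should be "x" (password kept in /etc/shadow) or a lock marker.
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { printf "HASH_IN_PASSWD %s\n", $1 }
        # Field 3 is the UID; a name other than root with UID 0 is a second superuser.
        $3 == 0 && $1 != "root" { printf "EXTRA_UID0 %s\n", $1 }
    ' "${1:-/etc/passwd}"
}

# Constructed sample entries (not taken from any real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob::1001:1001:Bob Example:/home/bob:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
carol:$6$constructed$notarealhash:1002:1002::/home/carol:/bin/bash
EOF
}

# Demo run on the constructed sample; use "audit_passwd" alone for /etc/passwd.
sample_passwd | audit_passwd -
```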

/etc/group

/etc/group contains a list of groups and related information, one group per line, with fields separated by colons:
■ groupname
■ password
■ GID
■ members: separated by commas
Groups use a similar mechanism as users to set a password, which can be used to delegate group management to member users. gpasswd manages the passwords, which can be securely stored in the /etc/gshadow file.

File Permissions and Ownership

The basic tools to manipulate permissions and ownership are described below.

Tools

There are a number of commands used to manage permission bits and other file attributes.

CHMOD

chmod is used to change the permission bits with syntax: chmod [options] MODE FILE.
Two useful options:
-R or --recursive makes changes in the entire subdirectory tree.
--reference=file1 file2 sets the permission bits on file2 to match file1.
There are also two very different ways to represent the mode: using numbers and using letters.
Numbers use a three digit base-8 (octal) number, with the first digit for the owner, second for the group, and third for everyone else (other), as shown in Table 9.1. To set a file so only owner and group can read and write to it, you would enter chmod 660 file3.
Table 9.1. File Permission Value and Text

Octal    Permissions
0        ---
1        --x
2        -w-
3        -wx
4        r--
5        r-x
6        rw-
7        rwx
When using the numbers, all the bits get set at once, where with letters you can adjust individual parameters one at a time. The specific format has a lot of combinations of options but is basically:
chmod who what_changes filename
The what_changes option comprises two parts: the action you want to perform (add, delete, and so on) along with one or more permissions, as shown in Table 9.2.
Table 9.2. Description of Options for chmod

Who                    Action                                       Permissions
u for user             + to add a permission                        r for read
g for group            - to remove a permission                     w for write
o for everyone         = to set all the permission bits as shown    x for execute
a for all the above
To allow the user and group to be able to execute a file, you would use: chmod ug+x file3.

CHOWN

chown is used to change a file's owner and group with syntax: chown [OPTION] [username][:[groupname]] filename.

Exam Warning
The execute bit has to be set before a binary executable file can be run, but because a script has to be opened for the interpreter to see the commands inside, it needs both the read and execute bits set.
The most useful options are the same as for chmod:
-R or --recursive makes changes in the subdirectory tree.
username:groupname filename changes the file's owner to username and the group to groupname.
username: filename changes the file's owner to username and changes the group to the user's primary group (note the colon after the username).
:groupname filename changes the file's group to groupname.
You can use the numeric UID or GID in place of a username or groupname.

CHGRP

chgrp works the same as chown :group and includes the same useful options of -R and --reference. Syntax is chgrp [OPTION] groupname filename.

CHROOT

chroot is a bit different than the preceding commands, as it doesn't change any of a file's attributes; instead, it changes how much of the file structure a program is allowed to see. It does this by redefining the top of the directory tree to where you specify. The syntax is chroot newroot [command]. This is normally used as a function within a script, but if the command is left off, chroot will give you a BASH shell with the root you specified.

LSATTR

lsattr displays a set of attributes that may be set on files and directories. These attributes define a number of advanced options and features that the computer uses when accessing information.

Did You Know?
The attributes that can be set on a file are varied and are described below:
i makes a file immutable; only the root user or privileged kernel processes can make changes to it. This essentially locks a file that you don't want changed.
a makes a file append-only, so it can only be added to, handy for log files.
d marks a file to be skipped by backups.
c marks a file for compression at the kernel level.
s marks a file so that it gets overwritten with zeros when deleted, to enhance security.
A tells the system not to use atime to update the access time on a file.
S tells the system to immediately write any changes to the file, instead of caching them.
D does the same as S but for directories.
u marks the file to allow it to be undeleted.
H indicates that a file uses special block sizing to allow it to be larger than 2 TB.
The syntax for lsattr is lsattr [OPTIONS] [filename].
Options include
-d lists directories but not their contents.
-R recursively lists subdirectories.

CHATTR

chattr is used to change the attribute bits that were covered in the lsattr section, with a syntax of chattr [OPTIONS] [mode] filename.
mode is a +, -, or = to add, remove, or set exactly a list that consists of valid option letters described in the lsattr section, above.

Exam Warning
Not all the available options may be incorporated into a particular Linux kernel and may have unexpected results even if they are. Additional research should be done before testing any of these on a production system.

UMASK

umask sets the default file permissions that a file gets when it is first created and uses a list of octal values to indicate what rights to remove. A typical umask is 0022, with the twos meaning that new files will have the write privilege removed for members of group and other. You can view your umask by simply typing umask or change it by using umask newmask.
You can also use umask with the same letter syntax as chmod, by using the -S parameter which tells the system which bits to set, as opposed to which bits not to set for the number representation. To make a change permanent, you can add the command to your shell startup script, so it gets run every time you start a shell.
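The effect of umask on new files and directories, and the difference between numeric and letter modes in chmod, can be observed directly. This is an added example, not part of the original chapter; the function names perms_under_umask and chmod_result are hypothetical, and stat -c %a is GNU coreutils syntax.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Uses GNU stat (-c %a).

# Print "FILEMODE DIRMODE" for a file and a directory created under umask $1.
perms_under_umask() {
    (
        umask "$1"                 # subshell: the caller's umask is untouched
        d=$(mktemp -d) || exit 1
        touch "$d/file"            # files are requested with 666
        mkdir "$d/dir"             # directories are requested with 777
        printf '%s %s\n' "$(stat -c %a "$d/file")" "$(stat -c %a "$d/dir")"
        rm -rf "$d"
    )
}

# Start a scratch file at mode $1, apply chmod mode $2, print the octal result.
chmod_result() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && chmod "$2" "$f" && stat -c %a "$f"
    rm -f "$f"
}

# Demo: the umask removes bits, so new files never gain execute permission.
for mask in 0022 0027 0077 u=rwx,g=rx,o=; do
    printf 'umask %-14s -> file/dir %s\n' "$mask" "$(perms_under_umask "$mask")"
done
# Numeric modes replace every bit at once; letter modes adjust only what is named.
printf '644 then 660       -> %s\n' "$(chmod_result 644 660)"
printf '755 then ug=rw,o=  -> %s\n' "$(chmod_result 755 ug=rw,o=)"
printf '660 then ug+x      -> %s\n' "$(chmod_result 660 ug+x)"
```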

Special Permissions

There are additional special permissions that are represented by a fourth octal number, put in front of the normal three. Octal value of 4 is the setuid, 2 is the setgid, and 1 sets the sticky bit. They are set using the same chmod command as the normal bits, either using a four-digit octal value or the same method using letters, but with the following additional letters:
X sets the user or group ID
s restricted deletion flag
t sticky bit

Fast Facts
The setuid or setgid bit can be set on directories or executable files.
■ On directories, all files within the directory have the UID or GID of the directory.
■ Setting the bits allows for shared directories.
■ On executable files, the program runs with the privileges of the program owner or group membership of the program.
■ Using the setuid bit allows files to be run with administrator rights.

Sticky Bit

When the sticky bit is set on a directory, files within that directory can only be renamed or deleted by their owner, the directories owner, or the system administrator. Without the sticky bit, any user with write and execute privileges in the directory could delete files.
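Because setuid and setgid programs run with someone else's privileges, and a world-writable directory without the sticky bit lets any user delete other users' files, both are worth listing periodically. The following is an added example, not part of the original chapter: it uses find to report them under a directory. The names audit_special_perms and make_demo_tree and the demo tree are constructed for illustration.

```sh
#!/bin/sh
# Added example; audit_special_perms and make_demo_tree are hypothetical names.

# Report special-permission findings under directory $1 (default: current dir).
audit_special_perms() {
    dir=${1:-.}
    {
        # -perm -4000 / -2000: the setuid / setgid bit is set (other bits ignored).
        find "$dir" -xdev -type f -perm -4000 -print | sed 's/^/SETUID /'
        find "$dir" -xdev -type f -perm -2000 -print | sed 's/^/SETGID /'
        # World-writable (0002) directories that lack the sticky bit (1000).
        find "$dir" -xdev -type d -perm -0002 ! -perm -1000 -print |
            sed 's/^/WORLD_WRITABLE_NO_STICKY /'
    } | LC_ALL=C sort
}

# Build a constructed tree with one example of each case and print its path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/dropbox" "$t/tmp" "$t/shared"
    : > "$t/tool"; : > "$t/grouptool"; : > "$t/plain"
    chmod 0777 "$t/dropbox"      # world-writable, no sticky bit: reported
    chmod 1777 "$t/tmp"          # world-writable with sticky bit: not reported
    chmod 2770 "$t/shared"       # setgid shared directory: not reported
    chmod 4755 "$t/tool"         # setuid file: reported
    chmod 2755 "$t/grouptool"    # setgid file: reported
    chmod 0644 "$t/plain"
    printf '%s\n' "$t"
}

# Demo run on the constructed tree.
demo=$(make_demo_tree) && audit_special_perms "$demo"
rm -rf "$demo"
```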

SELinux Basics

Operating systems are a complex set of modules, which will inevitably contain some flaws that need to be patched at some time during their lifecycle. The real risk is that someone figures out how to exploit a flaw or vulnerability in your system before you get a chance to patch it or even before the software provider realizes there is a problem and can fix it.
SELinux reduces the risk of these problems by implementing a system that limits what programs can do. Ideally no user or program should have access to anything more than it needs to do its job – this is a standard security paradigm called least privilege. SELinux is not another Linux distribution, as it is built into the Kernel (from 2.6 onwards). It incorporates mandatory access controls (MAC), a mechanism that enforces least privilege access by program. Normally, a Linux system uses discretionary access controls (DAC) that depend on the user to set the security level.
Using DAC, a program run by a user will have access to everything that user has. Therefore, if the root account (or a process that runs with that privilege) is compromised, the entire system would be compromised. With MAC, the security policies are mandatory and set by the system owner. Even with elevated privileges, the security policy on files and programs cannot be overridden.

Fast Facts
To make it easier to set things up, SELinux provides three running modes:
enabled: SELinux is up and running, any forbidden actions are blocked.
disabled: SELinux is there but not turned on.
permissive: SELinux is up and running, with the rules in place, but when something forbidden is attempted, SELinux allows it.
■ Initially, SELinux is set to permissive mode so that conflicts can be identified easily.

Implementing Privilege Escalation

As a system administrator, you need to be careful what you do; even a small typo can cause devastation. Consider the difference between rm -r /tmp/test and rm -r / tmp/test. The difference of a single space causes the system to try to delete every file on your machine. To protect your system as well as to use the idea of “least privilege,” it's advisable to use your system with normal user privileges whenever possible. When extra authority is called for, you can use privilege escalation.

Fast Facts
There are two ways to escalate your privileges: su and sudo.
sudo is put in front of commands, and after you press the Enter key, it will ask for your regular user password and run the command as administrator. Once you authenticate, sudo will remember the password for a few minutes, so additional uses don't ask for a password.
■ Only users who are listed in the /etc/sudoers file can use privilege escalation. It is recommended that you use visudo as root to make any changes, which opens the sudoers file in vi and protects it from simultaneous edits.
■ It is often easier to start an entire new command shell with administrative privileges with the su command. su uses the administrator password.

Security Applications and Utilities

The following tools are open source and available online and are all very complex and feature rich. For the exam, it is important to know what each tool is used for.

Exam Warning
These tools are very useful for protecting your systems, but like any power tool, they can just as easily be misused. Be sure you have full authorization – preferably in writing – before using them outside of your own test environment. The tools that send out test packets are capable of sending information that can cripple or reboot some systems, which is a great way to test if a system is vulnerable, but could lead to a lot of problems. Please use these tools with care.

Fast Facts
There are numerous tools to test for vulnerabilities on a system and to ascertain what ports are being listened to. The main ones are
nmap is a network scanning tool and is invaluable for seeing what is attached to your network. It can test for services or open network ports, finding unauthorized network devices and services and testing firewalls.
nessus tests networked systems for security vulnerabilities and works by using a list of currently known security problems, which is kept updated by means of downloaded plug-ins.

wireshark

wireshark is a graphical network traffic analyzer built on the text-based tcpdump utility and monitors all network traffic coming in and out of an interface on your computer. It is very useful for fixing network applications, such as client/server database problems, remote access authentication issues, and printing errors. Frequently, the client software hides error details from the user, and a lower level view is needed to isolate the real issue.

snort

snort is a Network Intrusion Detection System (NIDS) that watches traffic and lets you set a list of traffic you might find interesting, or you can download lists of known signatures of traffic. If an interesting packet wanders by, snort can send out an alert, so you can then investigate further.

Tripwire

Tripwire is a Host-based Network Intrusion System, and when first installed, it takes a digital “thumbprint” of key files (more detail in the next section), and occasionally, it checks to make sure that they haven't been tampered with.

Checksum and File Verification Utilities

One complex security problem involves being able to trust that files you rely on haven't been tampered with. Every Transmission Control Protocol (TCP) packet passing through every router is checked; the router “adds up” the bits, and if they match the total that the sending device claims it did, everything is assumed to be okay. When it comes to security, though, protection is required against possible malicious intent, not just random errors.

Fast Facts
A number of methods are currently used to certify that files haven't been tampered with.
md5sum uses the MD5 algorithm to calculate a checksum for a downloaded file, which is compared to a checksum supplied by the file's creator. If they match, you have a good copy.
sha1sum has similar functionality to md5sum but uses the SHA-1 algorithm.
md5sum uses 128 bit encryption, and sha1sum uses 160 bit encryption.
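The Tripwire “thumbprint” idea and the checksum comparison described above can be combined into a small baseline-and-verify routine. This is an added example, not part of the original chapter and not how Tripwire itself is implemented; the function names and the demo files are constructed, and it uses sha1sum as named in the text (sha256sum from the same package accepts the same arguments).

```sh
#!/bin/sh
# Added example; make_baseline, verify_baseline, baseline_demo are hypothetical.

# Record a checksum for every file under DIR ($1) into MANIFEST ($2).
# Keep MANIFEST outside DIR so it cannot be rewritten along with the files.
make_baseline() {
    (cd "$1" && find . -type f -exec sha1sum {} + | LC_ALL=C sort -k2) > "$2"
}

# Compare DIR ($1) with MANIFEST ($2). Prints CHANGED/MISSING/NEW lines and
# returns 0 only when nothing differs.
verify_baseline() {
    vb_dir=$1; vb_manifest=$2
    vb_out=$(
        # Re-hash every file named in the manifest; keep only the failures.
        (cd "$vb_dir" && LC_ALL=C sha1sum -c 2>/dev/null) < "$vb_manifest" |
            sed -n -e 's/^\(.*\): FAILED open or read$/MISSING \1/p' \
                   -e 's/^\(.*\): FAILED$/CHANGED \1/p'
        # Files that exist now but were never recorded in the manifest.
        (cd "$vb_dir" && find . -type f) | LC_ALL=C sort > "$vb_manifest.now"
        sed 's/^[0-9a-f]*  //' "$vb_manifest" | LC_ALL=C sort |
            comm -13 - "$vb_manifest.now" | sed 's/^/NEW /'
        rm -f "$vb_manifest.now"
    )
    [ -n "$vb_out" ] && printf '%s\n' "$vb_out"
    [ -z "$vb_out" ]
}

# Constructed demo: baseline a small tree, then change, delete and add a file.
baseline_demo() {
    d=$(mktemp -d) || return 1
    m=$(mktemp) || return 1
    printf 'PermitRootLogin no\n' > "$d/sshd_config"
    printf 'welcome\n' > "$d/motd"
    make_baseline "$d" "$m"
    printf 'PermitRootLogin yes\n' > "$d/sshd_config"   # modified after baseline
    rm "$d/motd"                                         # removed after baseline
    printf 'x\n' > "$d/dropped"                          # added after baseline
    verify_baseline "$d" "$m" && rc=0 || rc=1
    rm -rf "$d" "$m"
    return "$rc"
}

baseline_demo || true
```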

gpg

gpg (Gnu Privacy Guard) uses an open implementation of pretty good privacy (PGP) to encrypt and/or sign files using public/private key pairs. Although it is normally used for signing and encrypting e-mail to make sure it hasn't been read or changed, it can also be used to sign files. It works like this:
■ The sender of a file creates a public/private key pair, keeping the private key secret and sharing the public key with anyone who will need to decrypt or verify information from him. The key generation process only has to be done once. Sharing the key can be done in-person or using a key-escrow service.
■ The recipient of the file obtains the sender's public key and imports it into his system.
■ When the recipient gets a file, he or she uses the sender's stored public key to decrypt or just authenticate the file.

Implementing Remote Access

Secure methods of remote access are defined below.

SSH

Although Telnet is still available, the preferred method for accessing a command shell on a remote system is with the secure shell (SSH). An ssh client is used to connect to a remote system running the sshd daemon. The syntax for ssh is ssh [OPTIONS] [username@]hostname [command].
Basic connectivity to connect to server1 is to type ssh server1 and assumes you want to use the same username on the remote system, as you are using on the local one. To log in to the remote system with a different username, you can either use the -l username option or put the username in front of the host name, with an @ between them, like this: ssh bob@server1
The first time ssh is used to connect to a host, the new host's signature is shown, and ssh asks if you'd like to add the signature to your list of known hosts.

Secure Tunnels

ssh can catch traffic going to a local TCP port, pass it through its own encrypted connection, and hand it off to a TCP port on the remote side, encrypting normally unencrypted network traffic. This is called forwarding or tunneling.
To create a tunnel, you need to know the TCP port of the service on the remote server that you want to tunnel to and pick a random unused TCP port on your local system. The syntax looks like this:
ssh -Llocal_tcp_port:localhost:remote_tcp_port remote_host_name

SFTP

ssh can be used instead of File Transfer Protocol (FTP), which doesn't use any encryption, using sftp. Once you log in to the remote system, you can then use sftp commands to send and receive files. The syntax to get connected in this way is the same as regular ssh.

Fast Facts
SFTP commands are similar to both BASH and FTP, including
cd path changes the remote directory.
ls views the contents of the remote directory.
put copies a file from the local to the remote machine.
get copies a file from the remote machine to the local.
bye or quit exits sftp.

X11 Forwarding

One feature of ssh is X11 forwarding, which is essentially the same as the TCP port forwarding discussed earlier. It allows you to connect your local X11 server to the remote X11 client such that a program running on the far end draws a graphic interface on your local screen. To test it, log into a remote host with ssh or ssh -X if X11 forwarding is not enabled, and execute a program that has a graphic interface. You may want to add an & at the end of the command to run it in the background.

Keygen

The ssh-keygen command is used to create a public/private key pair. Once the public key is placed on the remote host, ssh uses the keys to authenticate your log-in, and passwords are no longer required. The steps are
1. Use ssh-keygen to create a key pair.
2. Copy the public key from your local user home directory .ssh/id_rsa.pub to the remote user home directory .ssh/authorized_keys.
3. ssh checks for matching keys when logging in, and if they are found, it doesn't ask for a password.
Once the keys are in place, ssh can be configured to require public/private keys to log in remotely, which makes for a very secure system, as long as your keys remain safe and don't get lost.
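Step 2 of the procedure above is where most key log-in failures originate, because sshd with its default StrictModes setting ignores an authorized_keys file whose file or directory is writable by group or others. The following is an added example, not part of the original chapter: one function installs a public key idempotently with safe permissions, and another checks an existing .ssh directory. The function names, paths, and the sample key are constructed for illustration.

```sh
#!/bin/sh
# Added example; install_pubkey and check_ssh_perms are hypothetical names.
# Step 1 on the client would be:  ssh-keygen        (creates ~/.ssh/id_rsa{,.pub})
# After testing key log-in, the server's sshd_config can set:
#   PasswordAuthentication no

# Append the key(s) in file $1 to $2/.ssh/authorized_keys, once, with safe modes.
install_pubkey() {
    pub=$1; home=$2
    # Never copy a private key to the server by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Also read a final line that has no trailing newline.
    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    done < "$pub"
}

# List .ssh entries under home directory $1 that group or others can write to.
# Returns 0 when none are found.
check_ssh_perms() {
    found=$(find "$1/.ssh" -maxdepth 1 \( -perm -0020 -o -perm -0002 \) -print |
        sed 's/^/TOO_OPEN /')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demo with a constructed (non-functional) public key and a scratch "remote" home.
scratch=$(mktemp -d)
printf 'ssh-rsa AAAAB3constructedSampleKeyNotReal bob@workstation\n' > "$scratch/id_rsa.pub"
install_pubkey "$scratch/id_rsa.pub" "$scratch/remote_home"
check_ssh_perms "$scratch/remote_home" && echo "permissions OK"
rm -rf "$scratch"
```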

Authentication Methods

Authentication is the process the system uses to determine you are supposed to be given access when you type in your username and password. It comes in two basic flavors:
■ Local authentication is limited to a single computer. It knows who you are, but no other computers do. It is easy to set up and administer on a few computers but scales poorly.
■ Centralized authentication allows user information and other settings to be gathered into a single repository and then accessed from trusted computers. Centralized systems can be much more complicated to configure, but make it much easier to administer large networks of computers.

PAM

Pluggable Authentication Modules (PAMs) provide dynamic authentication requests from Linux programs and services. The modular design means that implementing some new authentication technology (like a fingerprint scanner) or policy (like mandatory password complexity) is as easy as plugging in the appropriate modules and telling the system to use them by updating the appropriate configuration file. Each authentication program has its own PAM configuration file. Configuration files are stored in the /etc/pam.d directory.

Fast Facts
There are four groups of management tasks that are covered by PAM:
■ Authentication modules verify users.
■ Account modules check that the account is still valid, tracking items such as passwords, account expiration, and time of day.
■ Session modules handle tasks related to the start and close of a user session. Sessions cannot start until the user is authenticated.
■ Password modules are used to update a password or other authentication mechanism and can enforce the strength of the password.
Each PAM configuration file lists types of management task, which module(s) to check while performing the task, and a control that tells if passing the module test is, among other checks, mandatory or optional. The actual PAM modules are stored in /lib/security/.

LDAP

Lightweight Directory Access Protocol (LDAP) is used to query and modify directory services on TCP/IP. A directory can be considered to be a set of objects, each with their own attributes which are organized in a hierarchical manner. The LDAP directory tree often uses DNS to structure the upper levels of this hierarchy with specific organizational structures below this which could be organizations, teams, individual people, or even hardware such as printers.
LDAP systems typically use the stand-alone LDAP daemon; slapd provides the back-end server functionality to store user information. Individual workstations then access the slapd directory information as needed: usually via a PAM plug-in for authentication or maybe through an e-mail client to look up e-mail addresses.

NIS

Network Information System (NIS) is another option for storing centralized user and other configuration files. It was originally called the yellow pages, so many NIS commands and files start with “yp.” NIS has a central directory of information containing users, groups, host names, and e-mail addresses as well as a plethora of other information. There is a database of configuration files that can be shared across the network, and because /etc/passwd, /etc/group, and /etc/shadow are shared, a user can log in on different workstations.

RADIUS

Remote Authentication Dial In User Service (RADIUS) was originally developed for dial-in access via modems but is now used as a centralized authentication and authorization system across networks. It is a client/server protocol with the client forwarding requests to the RADIUS server to grant or deny the request.

Two-factor Authentication

Two-factor authentication refers to a requirement to provide two things when you log in, usually “something you know” – a password – and “something you have” – an access token of some sort. Two-factor authentication makes it much harder to break into someone else's account because just guessing his or her password is no longer good enough.

Summary of Exam Objectives

Although “security” is frequently associated with “restrictions,” it's helpful to consider it in terms of “allowances.” To summarize, remember that the adduser command creates accounts to allow access to the system, chmod modifies what users can do with files, and groupadd can be used to create groups that can be used to allow users to share information. The su and sudo commands extend user privileges to allow administrative tasks, and ssh allows users access to other systems. User account information can be shared between systems with ldap or nis, and authentication requirements can be customized on a Linux system with pam.
There are a number of applications for observing the Linux system environment, including
Nessus and nmap for scanning networks
Wireshark for capturing packets on a network interface
Snort for watching a network for suspicious traffic
Tripwire to watch for suspicious file updates
SELinux is used to limit what an application can do using MACs, and gpg can be used to encrypt information or to guarantee it hasn't been altered.
1. You need to create a new group to support a new product roll-out. What command, or commands, will let you make a new account?
A. addgroup project_x
B. groupadd -g project_x
C. newgroup project_x
D. groupadd project_x
2. You want to tighten security on a particular Linux computer by limiting which users have access to the sudo command. Which file should you edit to lock down this feature?
A. /etc/users
B. /etc/shadow
C. /etc/sudoers
D. /etc/passwd
3. You need to set a shared file for read and write access for the file owner and members of the file group and no access for anyone else. Which command(s) will give the desired result?
A. chmod 440 shared_file
B. chmod 660 shared_file
C. chmod ug=rw,o= shared_file
D. chmod og=r,e= shared_file
4. You are testing out SELinux to enhance security on your Linux computer. What mode would you use to let all programs run, but log anything that would fail if you were to lock it down?
A. enabled
B. allowed
C. permissive
D. test
5. You are running out of room on your backup system and want to flag a large temporary file so the tape backup system skips it. What is a way you could do that?
A. chmod -s temp_file
B. setattr -d temp_file
C. chattr -d temp_file
D. attr -d temp_file
Answers
1. Correct answers and explanations: A and D. Answer A is correct because the addgroup command is used to create new groups on some distributions. Answer D is correct because groupadd is used to create a new group on other distributions. It is more generally supported than addgroup but doesn't have as many options.
Incorrect answers and explanations: B and C. Answer B is incorrect because the -g option is used to specify a numeric GID not an alphanumeric name. Answer C is incorrect because newgroup isn't a valid Linux command.
2. Correct answer and explanation: C. Answer C is correct because sudo security is controlled by the /etc/sudoers file.
Incorrect answers and explanations: A, B, and D. Answer A is incorrect because /etc/users isn't a standard Linux file. Answer B is incorrect because /etc/shadow is used to store encrypted user passwords. Answer D is incorrect because /etc/passwd is used to store user account information but not sudo access rights.
3. Correct answers and explanations: B and C. Answer B is correct because the octal mode bits 660 equate to read (4) and write (2), totaling 6 for both user (first position) and group (second position), with no rights (0) for everyone else (third position). Answer C is correct because it sets rights for user (u) and group (g) to read (r) and write (w) and sets everyone else (o) to nothing by leaving the field blank. Note that the different groups of users need to be separated by a comma.
Incorrect answers and explanations: A and D. Answer A is incorrect because octal mode 440 would set owner and group rights to read only. Answer D is incorrect because the file owner is correctly abbreviated with a “u” (think user) and everyone else is represented by an “o” for “other,” not an “e.”
4. Correct answer and explanation: C. Answer C is correct because in permissive mode, SELinux is engaged but doesn't block programs, only logs what it would block if it were set to “enabled.”
Incorrect answers and explanations: A, B, and D. Answer A is incorrect because in enabled mode, SELinux prevents programs that violate defined policies from running. Answers B and D are incorrect because allowed and test modes aren't valid SELinux running modes.
5. Correct answer and explanation: C. Answer C is correct because the chattr command is used to set file attributes in Linux, and the -d option is used to flag a file to be skipped by backup systems (d references dump, a basic backup program).
Incorrect answers and explanations: A, B, and D. Answer A is incorrect because chmod is used to change file permissions not attributes. Answers B and D are incorrect because setattr and attr are not valid Linux commands.