Deck 10: Security

A) auditctl -N firewall -r r: /etc/firewall/rules -r w:     etc/firewall/rules
B) auditctl -A -f /etc/firewall/rules -o r -o w -l firewall
C) auditctl -w /etc/firewall/rules -p rw -k firewall
D) auditctl --read /etc/firewall/rules --write /etc/firewall/rules     --label firewall
E) echo "n: firewall  r:/etc/firewall/rules: w:/     etc/firewall/rules:" | auditctl ~

A) !/var/run/.*
B) append: /var/log/*
C) /usr=all
D) #/bin/
E) /etc p+i+u+g

A) Kerberos authentication
B) SSH hostkey authentication
C) Winbind authentication
D) SSL certificate authentication

A) Security Access Control (SAC)
B) Group Access Control (GAC)
C) User Access Control (UAC)
D) Discretionary Access Control (DAC)
E) Mandatory Access Control (MAC)

A) DHCP Server
B) Kerberos KDC
C) Intrusion Detection System
D) Public Key Infrastructure
E) Directory Server

A) host
B) shadow
C) service
D) passwd
E) group

A) chage --maxdays none usera
B) chage --maxdays 99 usera
C) chage --maxdays -1 usera
D) chage --lastday none usera
E) chage --lastday 0 usera

A) Control rules
B) File system rules
C) Network connection rules
D) Console rules
E) System call rules

A) setfacl -x group: * : rx, user:*: rx afile
B) setfacl -x mask: : rx afile
C) setfacl ~m mask: : rx afile
D) setfacl ~m group: * : rx, user :*: rx afile

A) ACL
B) GRANT
C) GROUP
D) OWNER
E) SID

A) AppArmor is implemented in user space only. SELinux is a Linux Kernel Module.
B) AppArmor is less complex and easier to configure than SELinux.
C) AppArmor neither requires nor allows any specific configuration. SELinux must always be manually configured.
D) SELinux stores information in extended file attributes. AppArmor does not maintain file specific information and states.
E) The SELinux configuration is loaded at boot time and cannot be changed later on. AppArmor provides user space tools to change its behavior.

A) [plugins]
B) [crypto]
C) [domain]
D) [capaths]
E) [realms]

A) SELinux permissions override standard Linux permissions.
B) Standard Linux permissions override SELinux permissions.
C) SELinux permissions are verified before standard Linux permissions.
D) SELinux permissions are verified after standard Linux permissions.

A) getfattr prints a warning and exits with a values of 0.
B) getfattr prints a warning and exits with a value of 1.
C) No output is produced and getfattr exits with a value of 0.
D) No outputs is produced and getfattr exits with a value of 1.

A) default
B) system
C) owner
D) trusted
E) user

A) It displays statistics from the running Snort process.
B) It returns the status of all configured network devices.
C) It reports whether the Snort process is still running and processing packets.
D) It displays the status of all Snort processes.
E) It reads syslog files containing Snort information and generates port scan statistics.

A) openssl req -key private/keypair.pem -out req/csr.pem
B) openssl req - new -key private/keypair.pem -out req/csr.pem
C) openssl gencsr -key private/keypair.pem -out req/csr.pem
D) openssl gencsr -new- key private/keypair.pem -out req/csr.pem

A) -tlsname
B) -servername
C) -sniname
D) -vhost
E) -host

A) example.com
B) dane.www.example.com
C) soa.example.com
D) www.example.com
E) _443_tcp.www.example.com

A) subjectAltName = DNS: www.example.org, DNS:example.org
B) extension= SAN: www.example.org, SAN:example.org
C) subjectAltName: www.example.org, subjectAltName: example.org
D) commonName = subjectAltName= www.example.org,     subjectAltName = example.org
E) subject= CN= www.example.org, CN=example.org

A) iptables ~t nat ~A POSTROUTING ~o eth0 ~j SNAT --to~source 192.0.2.11
B) iptables ~t nat ~A PREROUTING ~i eth0 ~j SNAT --to~source 192.0.2.11
C) iptables ~t nat ~A POSTROUTING ~i eth0 ~j DNAT --to~source 192.0.2.11
D) iptables ~t mangle ~A POSTROUTING ~i eth0 ~j SNAT -to~source 192.0.2.11
E) iptables ~t mangle ~A POSTROUTING ~0 eth0 ~j SNAT -to~source 192.0.2.11

A) /dev/sys/
B) /sys/
C) /proc/sys/
D) /sysctl/

A) For every file in an eCryptfs directory there exists a corresponding file that contains the encrypted content.
B) The content of all files in an eCryptfs directory is stored in an archive file similar to a tar file with an additional index to improve performance.
C) After unmounting an eCryptfs directory, the directory hierarchy and the original file names are still visible, although, it is not possible to view the contents of the files.
D) When a user changes his login password, the contents of his eCryptfs home directory has to be re-encrypted using his new login password.
E) eCryptfs cannot be used to encrypt only directories that are the home directory of a regular Linux user.

A) It is a self-signed certificate.
B) It does not include the private key of the CA.
C) It must contain a host name as the common name.
D) It has an infinite lifetime and never expires.
E) It must contain an X509v3 Authority extension.

A) useradd usera --directory ipa --gecos "User A"
B) idap- useradd -H Idaps://ipa-server CN=UserA --attribs     "Firstname: User: Lastname: A"
C) ipa-admin create user --account usera --fname User --iname A
D) ipa user-add usera --first User --last A
E) ipa-user- add usera --name "User A"

A) ipa trust-add --type ad addom --admin Administrator --password
B) ipa-ad -add-trust --account ADDOM\Administrator--query-password
C) net ad ipajoin addom -U Administrator -p
D) trustmanager add --domain ad: //addom --user Administrator -w
E) ipa ad join addom -U Administrator -w

A) Private keys should be created on the systems where they will be used and should never leave them.
B) Private keys should be uploaded to public key servers.
C) Private keys should be included in X509 certificates.
D) Private keys should have a sufficient length for the algorithm used for key generation.
E) Private keys should always be stored as plain text files without any encryption.

A) ASIG
B) NSEC
C) NSEC3
D) NSSIG
E) RRSIG

A) Both servers mutually verify their X509 certificates.
B) Both servers use a secret key that is shared between the servers.
C) Both servers verify appropriate DANE records for the labels of the NS records used to delegate the transferred zone.
D) Both servers use DNSSEC to mutually verify that they are authoritative for the transferred zone.

A) The clients connecting to the virtual host must provide a client certificate that was issued by the same CA that issued the server's certificate.
B) The virtual host is served only to clients that support SNI.
C) All of the names of the virtual host must be within the same DNS zone.
D) The virtual host is used as a fallback default for all clients that do not support SNI.
E) Despite its configuration, the virtual host is served only on the common name and Subject Alternative Names of the server certificates.

A) This certificate belongs to a certification authority.
B) This certificate may be used to sign certificates of subordinate certification authorities.
C) This certificate may never be used to sign any other certificates.
D) This certificate may be used to sign certificates that are not also a certification authority.
E) This certificate will not be accepted by programs that do not understand the listed extension.

A) cryptsetup luksDelKey /dev/sda 1 0
B) cryptsetup luksDelkey /dev/sda 1 1
C) cryptsetup luksDelKey / dev /mapper/crypt- vol 1
D) cryptsetup luksDelKey / dev /mapper/crypt- vol 0

A) Symbolic links to data outside the chroot path are followed, making files and directories accessible
B) Hard links to files outside the chroot path are not followed, to increase security
C) The chroot path needs to contain all data required by the programs running in the chroot environment
D) Programs are not able to set a chroot path by using a function call, they have to use the command chroot
E) When using the command chroot, the started command is running in its own namespace and cannot communicate with other processes

A) sss_adduser
B) sss_useradd
C) sss_add
D) sss-addlocaluser
E) sss_local_adduser

A) OUTPUT
B) MASQUERADE
C) PROCESSING
D) POSTROUTING
E) PREROUTING

A) -- tls-timeout 5
B) -- tls- timeout 500
C) -- tls- timer 5
D) -- tls- timer 500

A) spd
B) addspd
C) newspd
D) spdnew
E) spdadd

A) Xmas Scan
B) Zero Scan
C) FIN Scan
D) IP Scan
E) UDP SYN Scan

A) They group together IP addresses that are assigned to the same network interfaces.
B) They group together IP addresses and networks that can be referenced by the network routing table.
C) They group together IP addresses that can be referenced by netfilter rules.
D) They group together IP and MAC addresses used by the neighbors on the local network.
E) They group together IP addresses and user names that can be referenced from /etc/hosts.allow and /etc/hosts.deny

A) ntop --set-admin-password=testing123
B) ntop --set-password=testing123
C) ntop --reset-password=testing123
D) ntop --set-new-password=testing123

A) port range 10000:tcp-15000:tcp
B) port-range tcp 10000-15000
C) tcp portrange 10000-15000
D) portrange 10000/tcp-15000/tcp
E) portrange 10000-15000 and tcp

A) It monitors the network for neighbor discovery messages from new IPv6 hosts and routers.
B) It monitors remote hosts by periodically sending echo requests to them.
C) It monitors the availability of a network link by querying network interfaces.
D) It monitors the network for IPv4 nodes that have not yet migrated to IPv6.
E) It monitors log files for failed login attempts in order to block traffic from offending network nodes.