Authentication and Unix Users
61 Questions


Questions and Answers

What happens once a process changes its user ID from root (ID 0) to another user ID?

  • It can continue running with the new user ID. (correct)
  • It loses access to all files.
  • It can revert back to root ID.
  • It becomes a regular process without elevated privileges.

A user account grants administrative privileges by default.

False

Name one important file that contains user password information.

/etc/shadow

The ______ protocol is a challenge-response authentication method used to verify user identities.

NTLM

Match the following authentication protocols with their description:

  • NIS = Network Information Service for central user management
  • LDAP = Lightweight Directory Access Protocol for accessing directory information
  • Kerberos = Network authentication protocol using tickets
  • NTLM = Challenge-response authentication protocol used by Windows

What does the term 'pass the hash' refer to?

An attack that involves obtaining the password hash

Kerberos is the only authentication protocol supported in larger Windows networks.

False

What is the primary function of Pluggable Authentication Modules (PAM)?

Centralize authentication and make functionality available through a library.

The activity of user authentication in PAM includes mechanisms like passwords, tokens, and ______.

fingerprints

Match the PAM activities with their descriptions:

  • auth = Determining whether a user is allowed to log in
  • account = The process of authenticating a user

What flag is used to indicate the highest privilege level in a protection ring model?

Ring 0

Ring 3 allows direct interaction with the physical hardware.

False

What is the process called that determines if an entity is allowed access to a resource?

Authorization

A system call is a request from user space to the OS to perform a certain ___.

operation

Match the following PAM control flags with their descriptions:

  • requisite = If the module fails, immediately return failure and stop
  • required = If the module fails, continue but return failure at the end
  • sufficient = If the module passes, return pass and stop
  • optional = Pass/fail result is ignored for non-authentication tasks

Which of the following is NOT a type of system call?

User authentication

Attempting to execute a ring 0 instruction from ring 3 causes a SIGILL (illegal instruction).

True

Name two examples of operations that can be performed by system calls.

Process control and file management

What is a primary characteristic of viruses?

They can spread by infecting other files.

Trojans are self-replicating malware programs.

False

What is the term for malware that runs at the kernel level to hide its presence?

rootkit

A malware type known for encrypting data and demanding ransom is called ______.

ransomware

Match the following types of malware with their descriptions:

  • Virus = Infects a host program
  • Worm = Standalone program that spreads without a host
  • Trojan = Offers hidden malicious functionality
  • Rootkit = Hides traces of malware on a system

What is the primary responsibility of the Trusted Code Base (TCB)?

To protect user processes from each other

Which of the following methods do worms primarily use to spread?

Both A and C

Loadable kernel modules can execute sequentially and perform automatic cleanup.

False

Signature-based detection of malware is effective at detecting zero-day malware.

False

What is the main advantage of using loadable kernel modules?

They allow modifications to the OS kernel at runtime without rebooting.

What is one possible countermeasure to combat rootkits?

Cryptographically sign all kernel modules and drivers

In Unix, persistent data on background storage is organized in ______.

files

The primary function of ______ is to disable the usual functioning of a computer until a demanded payment is made.

ransomware

Match the following file-related syscalls with their functions:

  • open() = Open a file and return file handler
  • read() = Read bytes from a file handle into a buffer
  • write() = Write bytes from a buffer to the file handle
  • close() = Close the file handle

What is a significant drawback of antivirus software?

False positives can disrupt system functionality.

Which of the following statements is true regarding file descriptors?

They provide an index into a file descriptor table maintained by the kernel.

Behavior-based malware detection is fully reliable for newly developed malware.

False

Access Control allows unrestricted access to resources.

False

What type of malware is characterized by modifying its appearance to avoid detection?

polymorphic malware

What is the purpose of the access() syscall?

To check access rights based on the real user ID.

The ______ hierarchy organizes files in Unix.

tree

Bootkits are installed in the ______ of the hard drive to ensure re-infection at each reboot.

MBR

Match the malware detection techniques with their descriptions:

  • Signature-based detection = Identifies known malware patterns
  • Behavior-based detection = Analyzes behaviors or heuristics
  • Static detection = Checks for known packers
  • Dynamic detection = Runs malware in a sandbox environment

Which of the following file descriptors represents standard output?

1

The file system in Unix operates in user space.

False

What do loadable kernel modules allow the kernel to do?

Communicate with hardware without prior knowledge of how it works.

Match the following concepts with their meanings:

  • Trusted Code Base = Code running in kernel space and processes with root permissions
  • Access Control = Selective restriction of access to resources
  • File Descriptor = Index into a file descriptor table
  • Loadable Kernel Module = A module that can modify the OS kernel at runtime

Which command is used to manually load a kernel module into the kernel?

insmod

Everything in Unix is represented as a file.

True

What does the Biba model primarily protect?

Integrity

In the Biba model, a subject is allowed to read objects below its integrity level.

False

What security context format is used in type enforcement?

user:role:type(:level)

The __________ allows multiple isolated user-space instances to run on a single host OS.

OS-level virtualization

Match the following virtualization methods to their descriptions:

  • Software full virtualization = Requires no modification of the guest OS.
  • Paravirtualization = Requires modification of the guest OS.
  • Hardware full virtualization = Utilizes hardware assistance for virtualization.
  • Emulation = Translates guest instructions into host-readable instructions.

Which of the following is a disadvantage of using LSM (Linux Security Modules)?

Can be abused to bypass kernel security

The chroot command changes the working directory for a process.

False

Identify the two types of mounts in the context of namespaces.

Shared mount and slave mount

Application isolation in Android is enforced through __________ and __________.

VMs; Sandboxing

Which component of the Android Application Framework provides user interfaces?

Activities

Unprivileged containers map container user root to host’s user root.

False

What is the purpose of the Android Security Framework's permission framework?

To control application access to sensitive resources

In type enforcement, access must be explicitly granted by __________.

allow rules

Which of the following is NOT a characteristic of OS-level virtualization?

Each container has its own kernel.

Study Notes

Authentication

• Authentication is the process of verifying the identity of an entity.
• Operating systems manage access to resources.
• Authentication ensures that the entity is who they claim to be.
• Typical authentication methods include:
  • Something you know (passwords, challenge-responses)
  • Something you are (biometrics like fingerprints)
  • Something you have (tokens, smartcards)
• Multifactor authentication combines multiple methods.
• Authentication failures can lead to impersonation.

Unix Users

• Root accounts are superusers with user ID 0.
• Root processes handle system boot, user authentication, administration, and network services.
• Root can access and modify the permissions of all files.
• Root processes can impersonate any other user by changing their user ID.
• Once a process has changed its user ID away from root, the change cannot be reversed.

Authentication Over Networks

• Large networks centralize user information.
• Users can log in to any machine.
• Various protocols exist (example: challenge-response).
• Centralized login servers can be vulnerable to failure.

Pluggable Authentication Modules (PAM)

• PAM allows programs to use a central authentication mechanism (rather than each program handling authentication independently).
• This centralization improves security and reduces complexity.
• PAM is a library that provides a common interface for multiple programs to access the same authentication system.

Authorization

• Authorization determines if entity X is permitted to access resource Y.
• Operating systems need to control access to resources.
• Different privilege levels (rings) control access (ring 0 being the highest privilege).
• Non-privileged code must request an operation from the Operating System if it needs to access privileged resources.
• Privileged code can directly access resources.
• System calls are used for transitions between ring 3 and ring 0.

File Systems in Unix

• Data on storage devices is structured logically as files.
• Files include names and information like access and modification times.
• Files are organized in a directory hierarchy.
• The file system maps logical information to physical storage on a device.
• System calls are used to access and manipulate files.

Access Control

• Access control (AC) is the selective restriction of resource access.
• Mechanisms authorize subjects to perform operations on objects.
• A protection system defines the access control specification.
• Reference monitors enforce the specification.
• Protection systems can be discretionary or mandatory.
  • Mandatory control restricts access modification.
  • Discretionary control allows users to manage their own access.

Protection model: matching

• A process is first checked against the file's owner; if it does not match, it is checked against the file's group via its group IDs; otherwise the "other" permissions apply.

Setuid

• Setuid allows a program to run with the permissions of the file owner, which can permit operations that the invoking user would not normally be allowed to perform.
• A program designed to run with the permissions of the owner of its executable needs very careful design.

Memory

• Processes use virtual addresses, not physical memory addresses.
• This translation is managed by a Memory Management Unit (MMU).
• Virtual memory addresses are mapped to physical addresses by the MMU using a page table. This mapping is cached in the Translation Lookaside Buffer (TLB).
• Memory is segmented into fixed-size pages.
• Because processes only see virtual addresses, the OS memory abstraction simplifies access to the memory system.
• Memory access control prevents improper access attempts.

Malware Detection

• Antivirus techniques and strategies are covered in this lesson.
• Methods like signature-based detection (looking for known malicious patterns) and behavior-based detection (monitoring unusual activities) are used.


Description

Explore the essential concepts of authentication, focusing on the role of Unix users and superuser privileges. This quiz covers methods like passwords and biometrics, as well as the importance of multifactor authentication in network scenarios. Test your knowledge on user identity verification and system administration.
