Linux Security and File Systems

Questions and Answers

What option of mount.cifs specifies the user that appears as the local owner of the files of a mounted CIFS share when the server does not provide ownership information?

uid

Where should private keys be created and stored?

On a system where they will be used

What is the primary purpose of NSEC3 in DNSSEC?

To prevent zone enumeration

Which command is used to change the SELinux context for a user?

newrole

What is a key used for encryption that is different from the key used for decryption?

An asymmetric key

Which file is used to configure AIDE?

/etc/aide/aide.conf

Which of the following is an example of a behavioral-based HID technique?

Anomaly-based detection

Which command is used to set an extended attribute on a file in Linux?

setfattr

What is the purpose of ndpmon?

To monitor the network for neighbor discovery messages from new IPv6 hosts and routers

Which option in an Apache HTTPD configuration file enables OCSP stapling?

httpd-ssl.conf

What is an asymmetric key used for?

Encryption and decryption using different keys

Why should private keys have a sufficient length for the algorithm used for key generation?

To prevent brute-force attacks

Which of the following database names can be used within a Name Service Switch (NSS) configuration file?

group, shadow, passwd

Which parameter to openssl s_client specifies the host name to use for TLS Server Name Indication?

-servername

Which of the following lines in an OpenSSL configuration adds an X509v3 Subject Alternative Name extension for the host names example.org and www.example.org to a certificate?

subjectAltName = DNS: www.example.org, DNS:example.org

What is a buffer overflow?

A type of software vulnerability

Which tool can be used to manage the Linux Audit system?

auditd

What is the difference between a SetUID and SetGID bit?

SetUID allows a file to be executed with the permissions of the file owner, while SetGID allows a file to be executed with the permissions of the group owner

Which of the following sections are allowed within the Kerberos configuration file krb5.conf?

[realms]

What is the purpose of the Linux Audit system?

To detect intrusions and system changes

What is Linux Malware Detect?

A tool to detect malware on a Linux system

What is a Trojan?

A type of malware that disguises itself as legitimate software

What is a rogue access point?

An unauthorized access point that is set up to look like a legitimate one

Which command is used to generate DNSSEC keys?

dnssec-keygen

What is the purpose of file ownership in Linux systems?

To restrict access to files only to their owner

What is a DoS attack?

An attack that floods a network or server with traffic to make it unavailable

What is a trust anchor?

A root certificate that is trusted by a particular CA

What is the purpose of getfacl?

To view the access control list of a file

What is a man-in-the-middle attack?

An attack that intercepts communications between two parties to steal information

Which of the following commands adds a new user to FreeIPA?

ipa user-add usera --first User --last A

What is the purpose of rkhunter?

To detect rootkits and other security threats

What is a certificate chain?

A sequence of certificates used to verify the authenticity of a digital certificate

Which of the following commands changes the source IP address to 192.0.2.11 for all IPv4 packets which go through the network interface eth0?

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.11

What is the purpose of a Certificate Authority (CA)?

To issue and sign X.509 certificates

Which directive is used in an OpenVPN server configuration to send network configuration information to the client?

push

Which of the following DNS records are used in DNSSEC?

RRSIG

Which command is used to add users using SSSD’s local service?

sss_useradd

What is the primary purpose of a mechanism that allows a server to provide proof of its own identity to clients?

To verify the identity of the server to clients

Which command is used to install and configure a new FreeIPA server?

ipa-server-install

What is the purpose of a certificate signing request (CSR) in cryptography?

To request a digital certificate from a CA

What is the primary goal of cryptography?

To send secret messages

What type of activity does HID primarily monitor for?

Unauthorized access attempts

What is the benefit of using HID?

Real-time detection of security incidents

What is a ciphertext?

The encrypted message

What is the purpose of the auditctl command?

To define an audit rule

What is a rootkit?

A type of malware that disguises itself as legitimate software

What is the purpose of the ebtables command?

To display ebtable rules

What does the ulimit command control in a Linux system?

The maximum number of open file descriptors

What is the purpose of the SSLStrictSNIVHostCheck configuration option in Apache HTTPD?

To serve the virtual host only to clients that support SNI

What is the purpose of the SSLRequestClientCert directive in Apache HTTPD?

To request a client certificate but not require it

What is true about a Root CA certificate?

It is a self-signed certificate

What is the best practice for implementing HID?

Configure HID to alert security personnel of potential security incidents

How are SELinux permissions related to standard Linux permissions?

SELinux permissions are verified after standard Linux permissions

What command is used to set the owner and group of a file in Linux?

chown

What is the purpose of an access control list in Linux?

To specify fine-grained permissions for users and groups

What is the purpose of the OCSP stapling mechanism?

To provide proof of the revocation status of its own SSL/TLS certificate

What is the purpose of the openvas-nvt-sync command?

To update NVTs from the OpenVAS NVT feed

What is the purpose of a DNSKEY record in DNSSEC?

To sign a DNS zone

What is the purpose of AIDE?

To detect intrusions and system changes

What is phishing?

A type of social engineering attack

What is an X.509 Certificate?

A digital document that verifies the identity of a website

Which DNS record is used to map an IP address to a hostname?

PTR

What is the purpose of DNS over TLS and DNS over HTTPS?

To provide secure communication between DNS clients and servers

What is the purpose of a Certificate Revocation List (CRL)?

A list of X.509 certificates that have been revoked by a particular CA

Which of the following statements is true about chroot environments?

The chroot path needs to contain all data required by the programs running in the chroot environment

What is social engineering?

A type of attack that exploits human psychology to gain access to sensitive information

Which of the following information, within a DNSSEC-signed zone, is signed by the key signing key?

The zone signing key of the zone

What happens when you run the command cryptsetup luksOpen /dev/sda1 crypt-vol?

It maps the LUKS device to the name 'crypt-vol'.

What is true about eCryptfs?

eCryptfs cannot be used to encrypt only directories that are the home directory of a regular Linux user.

How does TSIG authenticate name servers?

Using a secret key shared between the servers.

Which components are part of FreeIPA?

Kerberos KDC, Directory Server, and Public Key Infrastructure

Which utility is used to generate keys for DNSSEC?

dnssec-keygen

What is the purpose of the pam_cracklib PAM module?

To check new passwords against dictionary words and enforce complexity

What makes the contents of the eCryptfs encrypted directory ~/Private available to the user?

ecryptfs-mount-private

What is the purpose of IP sets in Linux?

To group together IP addresses referenced by netfilter rules

Which of the following is an example of a HID tool?

Security information and event management (SIEM) system

What does the X509 certificate contain?

Basic Constraints with CA:TRUE, pathlen:0

What is the purpose of an extended attribute in Linux?

To store additional metadata about a file

Which command is used to configure rkhunter?

./etc/rkhunter.conf

What is true about AppArmor and SELinux?

AppArmor is less complex and easier to configure than SELinux.

Which command disables the automatic password expiry for the user usera?

chage --maxdays -1 usera

What is the purpose of the iptables command?

To accept all TCP traffic on port 20 and 21 for the IP address 10.142.232.1

Which access control model is established by using SELinux?

Mandatory Access Control (MAC)

Which option of the openvpn command should be used to ensure that ephemeral keys are not written to the swap space?

--mlock

Which of the following namespaces are used in Linux Extended File Attributes?

trusted, user, system

What is the purpose of TSIG in DNS?

To sign DNS messages for secure communication

What is the purpose of privilege escalation?

An attack that exploits a vulnerability to gain elevated privileges

Study Notes

Mounting and Access Control

• The uid option in mount.cifs specifies the user that appears as the local owner of files on a mounted CIFS share when the server does not provide ownership information.
• The setfacl command is used to set access control lists (ACLs) on files.

Security and Encryption

• Private keys should be created on the systems where they will be used and should never leave them.
• Private keys should have a sufficient length for the algorithm used for key generation.
• A buffer overflow is a type of software vulnerability.
• A symmetric key is a key used for encryption and decryption that is the same.
• An asymmetric key is a key used for encryption that is different from the key used for decryption.

DNS and DNSSEC

• NSEC3 is used to prevent zone enumeration in DNSSEC.
• TSIG is used to sign DNS messages for secure communication.
• DNSSEC validation is performed on behalf of clients by a recursive name server.

System Security and Auditing

• The Linux Audit system is used to detect intrusions and system changes.
• ausearch is a command used to search and filter the audit log.
• setfattr is a command used to set extended attributes on files.
• getfattr is a command used to get extended attributes of files.

Network Security

• A honeypot is a network security tool designed to lure attackers into a trap.
• An IP set is a group of IP addresses and networks that can be referenced by netfilter rules.
• A man-in-the-middle attack is an attack that intercepts communications between two parties to steal information.

Certificates and Authentication

• A trust anchor is a root certificate that is trusted by a particular Certificate Authority (CA).
• A certificate chain is a sequence of certificates used to verify the authenticity of a digital certificate.
• OpenVPN uses ephemeral keys that are not written to the swap space.

Access Control and Security

• Mandatory Access Control (MAC) is established by using SELinux.
• The chattr command is used to set extended attributes on files.
• The getfacl command is used to view the access control list of a file.### Linux Security and Administration
• SELinux permissions are verified after standard Linux permissions
• The chown command is used to set the owner and group of a file in Linux
• Wireshark capture filters include port range 10000:tcp-15000:tcp and tcp portrange 10000-15000
• The openvas-nvt-sync command is used to update NVTs from the OpenVAS NVT feed
• The execute permission bit allows a file to be executed

Automated Scans

• Host scans can be automated on a Linux system using cron
• OpenSCAP is not used to automate host scans

Access Control

• An access control list in Linux specifies fine-grained permissions for users and groups
• The purpose of an access control list is to specify permissions for users and groups

NFS Authentication

• Kerberos authentication was added to NFS in version 4

OCSP Stapling

• OCSP stapling is a mechanism that allows a server to provide proof of the revocation status of its own SSL/TLS certificate

FreeIPA Server

• The ipa-server-install command installs and configures a new FreeIPA server, including all sub-components, and creates a new FreeIPA domain

OpenSSL

• The openssl req command is used to generate a certificate signing request (CSR) using an existing private key

Cryptography

• Cryptography is the art of sending secret messages
• A ciphertext is the encrypted message
• A plaintext is the original message before encryption

HID (Host-based Intrusion Detection)

• HID monitors for unauthorized access attempts
• HID tools include security information and event management (SIEM) systems

Rootkits

• A rootkit is a type of malware that disguises itself as legitimate software
• chkrootkit is a tool used to check for rootkits on a Linux system

ebtables

• The ebtables command is used to display all ebtable rules contained in the table filter, including their packet and byte counters

Snort-stat

• snort-stat reads syslog files containing Snort information and generates port scan statistics

LUKS Devices

• cryptsetup luksDelKey is used to delete a key from a LUKS device
• cryptsetup luksOpen is used to open a LUKS device

eCryptfs

• eCryptfs is a stacked cryptographic filesystem for Linux
• eCryptfs does not store the contents of all files in an archive file similar to a tar file with an additional index to improve performance

Password Expiry

• chage is used to change the password expiry information for a user
• chage --maxdays none disables password expiry for a user

TSIG

• TSIG authenticates name servers in order to perform secured zone transfers using a secret key that is shared between the servers

FreeIPA Components

• FreeIPA components include Kerberos KDC, Directory Server, and Public Key Infrastructure
• DHCP Server is not a component of FreeIPA

DNSSEC

• dnssec-keygen is used to generate keys for DNSSEC
• DNSSEC is used to provide authentication and integrity of DNS data
• TSIG authenticates name servers in order to perform secured zone transfers using a shared secret key

X.509 Certificates

• An X.509 certificate contains information about the identity of a website
• A Certificate Revocation List (CRL) is a list of X.509 certificates that have been revoked by a particular CA

HID Tools

• HID tools include security information and event management (SIEM) systems
• Antivirus software is not a type of HID tool

AppArmor and SELinux

• AppArmor and SELinux are both Linux security modules
• SELinux is a Linux kernel module, whereas AppArmor is implemented in user space only
• SELinux stores information in extended file attributes, whereas AppArmor does not maintain file-specific information and states