Network Monitoring Techniques

Questions and Answers

What is the purpose of the command used to set an extended attribute on a file in Linux?

• To get the attributes of a file
• To revoke ACL-based write access for groups and named users on a file
• To set ACL-based permissions on a file
• To set an extended attribute on a file (correct)

What type of key is used for both encryption and decryption that is generated in a pair?

• Public key
• Private key
• Symmetric key
• Asymmetric key (correct)

What is an example of a behavioral-based HID technique?

• Signature-based detection
• Heuristic-based detection
• Anomaly-based detection (correct)
• Rule-based detection

Which command is used to revoke ACL-based write access for groups and named users on a file?

setfacl ~m mask: : rx afile (A)

What is the purpose of monitoring remote hosts by periodically sending echo requests to them?

To monitor the availability of remote hosts (A)

Which of the following is NOT a database name that can be used within a Name Service Switch (NSS) configuration file?

network (A)

What is the correct option in an Apache HTTPD configuration file to enable OCSP stapling?

SSLUseStapling (C)

What is the purpose of the setfacl command in Linux?

To set ACL-based permissions on a file (B)

What is the command used to determine whether the given solution is correct?

ausearch (B)

Which package management tools can be used to verify the integrity of installed files on a Linux system?

RPM and DPKG (A)

What is a honeypot?

A network security tool designed to lure attackers into a trap (C)

Which of the following is used to perform DNSSEC validation on behalf of clients?

Recursive name server (B)

Which command establishes a trust between a FreeIPA domain and an Active Directory domain?

ipa trust-add --type ad addom --admin Administrator --password (B)

What is the command used to set the administrator password for ntop to testing 123?

ntop --set-admin-password=testing123 (C)

What is a symmetric key?

A key used for both encryption and decryption that is the same (D)

What is privilege escalation?

A type of attack that allows an attacker to gain elevated access (B)

What is the primary purpose of Linux Malware Detect?

To detect malware on a Linux system (A)

What is a rogue access point?

An unauthorized access point that is set up to look like a legitimate one (C)

What is the command, included in BIND, that generates DNSSEC keys?

dnssec-keygen (D)

What is a Trojan?

A type of malware that disguises itself as legitimate software (D)

Which of the following is a valid client configuration for FreeRADIUS?

client private-network-1 { ip = 192.0.2.0/24 secret = testing123-1 } (D)

Which DNS record types can the command dnssec-signzone add to a zone?

NSEC, NSEC3, RRSIG (B)

What is the purpose of file ownership in Linux systems?

To restrict access to files only to their owner (D)

Which of the following is NOT a purpose of managing system log files?

To automate host scans (A)

What does the SSLStrictSNIVHostCheck configuration option do in an Apache HTTPD virtual host?

Serves the virtual host only to clients that support SNI (C)

Which of the following statements is true about a Root CA's certificate?

It is a self-signed certificate (A)

What is a best practice for implementing HID?

Configuring HID to alert security personnel of potential security incidents (C)

What is the purpose of the SSLVerifyClient directive in Apache HTTPD?

To require a client certificate for authentication (A)

What is a characteristic of a Root CA's certificate?

It is a self-signed certificate (A), It includes the private key of the CA (B), It is issued by a lower-level CA (C)

What is NOT a recommended approach for implementing HID?

Disabling HID when not actively monitoring for security incidents (B)

Which parameter to openssl s_client specifies the host name to use for TLS Server Name Indication?

-servername (B)

Which of the following lines in an OpenSSL configuration adds an X.509v3 Subject Alternative Name extension for the host names example.org and www.example.org to a certificate?

subjectAltName = DNS: www.example.org, DNS:example.org (D)

What is a buffer overflow?

A type of software vulnerability (B)

Which tool can be used to manage the Linux Audit system?

auditd (D)

What is the difference between a SetUID and SetGID bit?

SetUID allows a file to be executed with the permissions of the file owner, while SetGID allows a file to be executed with the permissions of the group owner (D)

Which of the following expressions are valid AIDE rules?

!/var/run/.* (C)

Which command included in the Linux Audit system provides searching and filtering of the audit log?

ausearch (C)

What is the purpose of the command included in the Linux Audit system that provides searching and filtering of the audit log?

To search and filter the audit log (D)

What is the purpose of monitoring remote hosts by periodically sending echo requests to them?

To monitor remote hosts for availability (A)

What type of key is used for encryption and decryption that is generated in a pair?

Asymmetric key (B)

Which of the following is an example of a behavioral-based HID technique?

Anomaly-based detection (C)

Which command is used to set an extended attribute on a file in Linux?

setfattr (C)

Which option in an Apache HTTPD configuration file enables OCSP stapling?

SSLStapling (D)

Which of the following database names can be used within a Name Service Switch (NSS) configuration file?

host (A), service (C), shadow (D)

What is the purpose of the setfacl command in Linux?

To set ACL-based permissions on files (C)

Which of the following commands revokes ACL-based write access for groups and named users on a file?

setfacl ~m mask: : rx (B)

What is the purpose of the command iptables -t mangle -A POSTROUTING -o eth0 -j SNAT –to-source 192.0.2.11?

To set up source Network Address Translation (NAT) (B)

Which of the following statements is used in a parameter file for setkey to create a new SPD entry?

spdadd (C)

Which DNS record type is used in DNSSEC?

RRSIG (C)

What is the purpose of a Certificate Authority (CA)?

To issue and sign X.509 certificates (C)

Which directive is used in an OpenVPN server configuration to send network configuration information to the client?

push (A)

Which sections are allowed within the Kerberos configuration file krb5.conf?

[plugins], [capaths], [realms] (D)

What is the purpose of the Linux Audit system?

To track and record system events (A)

Which command adds users using SSSD's local service?

sss_useradd (A)

Which tool can be used to check for rootkits on a Linux system?

chkrootkit (C)

What happens when the command getfattr afile is run while the file afile has no extended attributes set?

No output is produced and getfattr exits with a value of 0 (A)

Given a LUKS device mapped using the command cryptsetup luksOpen /dev/sda1 crypt-vol, which of the following commands deletes only the first key?

cryptsetup luksDelKey /dev/sda 1 1 (A)

Which of the following statements is true regarding eCryptfs?

eCryptfs cannot be used to encrypt only directories that are the home directory of a regular Linux user. (A)

Which of the following commands disables the automatic password expiry for the user usera?

chage --maxdays -1 usera (A)

What is the role of the cryptsetup luksOpen command?

To map a LUKS device to a file system (A)

What is the purpose of the getfattr command?

To get an extended attribute from a file (D)

Which command is used to delete a key from a LUKS device?

cryptsetup luksDelKey (C)

Which command defines an audit rule that monitors read and write operations to the file /etc/firewall/rules and associates the rule with the name firewall?

auditctl –w /etc/firewall/rules –p rw –k firewall (A)

A rootkit is a type of virus.

False (B)

What is plaintext?

The original message before encryption

The protocol commonly used to transmit X.509 certificates is ___________________.

LDAP

Match the following commands with their purposes:

auditctl = defines an audit rule snort-stat = displays statistics from the running Snort process ebtables = displays all ebtable rules contained in the table filter including their packet and byte counters

The ebtables command displays all ebtable rules contained in the table filter including their packet and byte counters.

True (A)

What is the purpose of the program snort-stat?

It displays statistics from the running Snort process (A)

The ___________________ protocol is commonly used to transmit X.509 certificates.

LDAP

What is the purpose of NSEC3 in DNSSEC?

To prevent zone enumeration (A)

The command newrole is used to run a new shell for a user changing the SELinux context.

True (A)

What is the purpose of ndpmon?

To monitor the network for neighbor discovery messages from new IPv6 hosts and routers.

The file ______________ is used to configure AIDE.

/etc/aide/aide.conf

What is the option of mount.cifs that specifies the user that appears as the local owner of the files of a mounted CIFS share when the server does not provide ownership information?

uid=arg (D)

Match the following practices with their importance for the security of private keys:

Private keys should be created on the systems where they will be used and should never leave them = Important Private keys should be uploaded to public key servers = Not important Private keys should have a sufficient length for the algorithm used for key generation = Important Private keys should always be stored as plain text files without any encryption = Not important

What is the purpose of a Certificate Authority (CA)?

To issue and manage digital certificates (C)

The command ipa-server-install installs and configures a new FreeIPA server, including all sub-components, and creates a new FreeIPA domain.

True (A)

What is the correct openssl command to generate a certificate signing request (CSR) using an existing private key?

openssl req –new -key private/keypair.pem –out req/csr.pem

Cryptography is the art of sending ______________ messages.

secret

What type of activity does HID monitor for?

Unauthorized access attempts (D)

Match the following terms with their definitions:

Ciphertext = The encrypted message HID = Host-based Intrusion Detection CSR = Certificate Signing Request CA = Certificate Authority

HID provides automatic removal of detected threats.

False (B)

What is the purpose of a Certificate Revocation List (CRL)?

A mechanism that allows a server to provide proof of the revocation status of all certificates issued by a particular Certificate Authority

What is an attack that floods a network or server with traffic to make it unavailable?

Denial of Service (DoS) attack (B)

When OpenVPN sends a control packet to its peer, it expects an acknowledgement in 5 seconds by default.

False (B)

What is the purpose of rkhunter?

To detect rootkits and other security threats

The _______ permission bit allows a user to delete a file.

Write

Which of the following commands changes the source IP address to 192.0.2.11 for all IPv4 packets which go through the network interface eth0?

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.11 (D)

Match the following security threats with their descriptions:

Rootkit = A malicious software that hides itself in a system Certificate chain = A sequence of certificates used to verify the authenticity of a digital certificate Rogue access point = A wireless access point that is set up by an attacker to eavesdrop on wireless communications

A _______ is a chain of digital signatures used to verify the authenticity of a certificate.

Certificate chain

Rkhunter is used to manage system log files.

False (B)

What is the purpose of an extended attribute in Linux?

To store additional metadata about a file (B)

The pam_cracklib module checks new passwords against dictionary words and enforces complexity.

True (A)

What is the purpose of TSIG in DNS?

To sign DNS messages for secure communication

The purpose of IP sets is to group together IP addresses that can be referenced by ____________________.

netfilter rules

Which of the following is an attack that targets a specific user or organization?

None of the above (D)

Match the following file with its configuration purpose:

rkhunter = configuration file /etc/rkhunter.conf = used to configure rkhunter /etc/audit/auditd.conf = used to configure auditd /etc/aide/aide.conf = used to configure aide

The command iptables -A INPUT -d 10.142.232.1 -p tcp --dport 20:21 -j ACCEPT forwards all TCP traffic not on port 20 or 21 to the IP address 10.142.232.1.

False (B)

What is the purpose of the pam_cracklib module?

To check new passwords against dictionary words and enforce complexity.

Flashcards are hidden until you start studying

Study Notes

Network Monitoring and Security

• A monitoring tool can be used to monitor remote hosts by periodically sending echo requests to them.
• It can also monitor the availability of a network link by querying network interfaces.

Cryptography and Keys

• An asymmetric key is a key used for both encryption and decryption that is generated in a pair.
• A symmetric key is a key used for encryption and decryption that is the same.

Host-Based Intrusion Detection (HID)

• A behavioral-based HID technique is an example of anomaly-based detection.
• HID can be used to monitor log files for failed login attempts in order to block traffic from offending network nodes.

Linux and File Management

• The setfacl command is used to set or modify ACL (Access Control List) permissions on a file.
• The setfattr command is used to set an extended attribute on a file in Linux.

Apache HTTPD and SSL

• The httpd-ssl.conf file is not the correct solution for enabling OCSP stapling in an Apache HTTPD configuration file.
• The SSLStrictSNIVHostCheck configuration option makes Apache HTTPD require a client certificate for authentication.

Database and NSS

• The shadow, passwd, and group databases can be used within a Name Service Switch (NSS) configuration file.

OpenSSL and Certificates

• The openssl s_client command can be used to specify the host name to use for TLS Server Name Indication (SNI).
• The subjectAltName parameter is used to add an X509v3 Subject Alternative Name extension to a certificate.

Security Threats and Vulnerabilities

• A buffer overflow is a type of software vulnerability.
• A Trojan is a type of malware that disguises itself as legitimate software.
• A rogue access point is an unauthorized access point that is set up to look like a legitimate one.

Linux Audit and AIDE

• The auditd command is used to manage the Linux Audit system.
• AIDE (Advanced Intrusion Detection Environment) is a tool used to detect malware on a Linux system.
• The ausearch command is used to provide searching and filtering of the audit log.

Package Management and Verification

• The RPM and DPKG package management tools can be used to verify the integrity of installed files on a Linux system.

Honeypot and DNS

• A honeypot is a network security tool designed to lure attackers into a trap.
• Recursive name servers are used to perform DNSSEC validation on behalf of clients.

FreeIPA and Active Directory

• The ipa trust-add command is used to establish a trust between a FreeIPA domain and an Active Directory domain.

ntop and Malware Detection

• The ntop command is used to set the administrator password for ntop.
• Linux Malware Detect is a tool used to detect malware on a Linux system.

Privilege Escalation and File Ownership

• Privilege escalation is the act of exploiting a bug or vulnerability to gain elevated access to a system or network.
• File ownership in Linux systems is used to restrict access to files, enable multiple users to access files simultaneously, and to ensure that files are backed up regularly.

Apache HTTPD and SSL/TLS

• The SSLVerifyClient configuration option is used to make Apache HTTPD require a client certificate for authentication.
• The dnssec-keygen command is used to generate DNSSEC keys.

DNS and DNSSEC

• The dnssec-signzone command is used to add DNSSEC records to a zone.
• The NSEC, NSEC3, and RRSIG DNS record types can be added to a zone using the dnssec-signzone command.

FreeRADIUS and Client Configuration

• The client configuration stanza is used to specify a client configuration for FreeRADIUS.
• The ipaddr and secret parameters are used to specify the IP address and password for a client configuration.

CA and Certificate Management

• A Root CA certificate is a self-signed certificate that does not include the private key of the CA.
• The Require valid-x509 configuration option is used to make Apache HTTPD require a client certificate for authentication.

HID and Security Best Practices

• A best practice for implementing HID is to configure it to alert security personnel of potential security incidents.
• HID should not be installed on every computer in the network, and should not be disabled when not actively monitoring for security incidents.

SELinux and Permissions

• SELinux permissions are related to standard Linux permissions in that they provide additional access controls for files and system resources.
• SELinux permissions can be used to restrict access to files and system resources, and to provide additional security features.

Network Monitoring

• ICMP echo requests are sent periodically to remote hosts to monitor their availability.
• Network links are monitored by querying network interfaces.

Cryptography

• Asymmetric keys are used for encryption and decryption, where one key is used for encryption and another key is used for decryption.
• These keys are generated in a pair.

Access Control

• SetUID allows a file to be executed with the permissions of the file owner.
• SetGID allows a file to be executed with the permissions of the group owner.

Database Configuration

• NSS (Name Service Switch) configuration files can contain database names such as shadow, passwd, and group.

OpenSSL

• The -servername parameter specifies the host name to use for TLS Server Name Indication.

Certificate Management

• A Certificate Authority (CA) issues and signs X.509 certificates.

Linux File System

• setfattr is used to set extended attributes on a file.
• getfattr is used to view the extended attributes of a file.

Linux Security

• Linux Audit system is used to monitor and track system events.
• auditd is the tool used to manage the Linux Audit system.

Denial of Service Attacks

• A buffer overflow is a type of software vulnerability.

System Hardening

• SELinux (Security-Enhanced Linux) is an access control model that enforces mandatory access control.

Network Scanning

• Nmap is used for network scanning, and techniques include Xmas Scan, Zero Scan, and FIN Scan.

Identity and Access Management

• FreeIPA is an identity management system.
• ipa user-add is the command used to add a new user to FreeIPA.

Man-in-the-Middle Attacks

• A man-in-the-middle attack intercepts communications between two parties to steal information.

OpenVPN

• openvpn is used to establish VPN connections.
• --mlock is an option used to ensure that ephemeral keys are not written to the swap space.

DNS Security

• DNSSEC uses RRSIG records to provide authentication and integrity.

Kerberos

• Kerberos is an authentication protocol used for secure authentication.

Linux Extended File Attributes

• Linux Extended File Attributes are organized in namespaces such as trusted, user, and security.

Snort Rules

• Snort is an intrusion detection system.
• Rules can be deactivated by placing a # in front of the rule and restarting Snort.

Certificate Management

• A Certificate Authority (CA) issues and signs X.509 certificates.

Linux System Security

• chkrootkit is a tool used to check for rootkits on a Linux system.

LUKS

• cryptsetup is used to manage LUKS devices.
• cryptsetup luksDelKey is used to delete a key from a LUKS device.

eCryptfs

• eCryptfs is a stacked cryptographic filesystem.
• eCryptfs can be used to encrypt directories that are the home directory of a regular Linux user.

LPIC-3 Security

• mount.cifs option uid=arg specifies the user that appears as the local owner of the files of a mounted CIFS share when the server does not provide ownership information.

Private Key Security

• Private keys should be created on the systems where they will be used and should never leave them.
• Private keys should have a sufficient length for the algorithm used for key generation.

DNSSEC

• NSEC3 prevents zone enumeration.

SELinux

• The command newrole is used to run a new shell for a user changing the SELinux context.

AIDE Configuration

• The file /etc/aide/aide.conf is used to configure AIDE.

ndpmon

• ndpmon monitors the network for neighbor discovery messages from new IPv6 hosts and routers.

PAM Module

• The PAM module pam_cracklib checks new passwords against dictionary words and enforces complexity.

TSIG

• TSIG signs DNS messages for secure communication.

IP Sets

• IP sets group together IP addresses that can be referenced by netfilter rules.

Extended Attributes

• Extended attributes in Linux store additional metadata about a file.

rkhunter Configuration

• The file /etc/rkhunter.conf is used to configure rkhunter.

TCP Packet Filtering

• The command iptables -A INPUT -d 10.142.232.1 -p tcp --dport 20:21 -j ACCEPT filters TCP packets.

getcifsacl

• The output of getcifsacl may include prefixes ACL, GROUP, and SID.

OpenVPN

• The option --tls-timeout 5 changes the timeout period for OpenVPN control packets.

File Permissions

• The Write permission bit allows a user to delete a file.

rkhunter

• rkhunter detects rootkits and other security threats.

Certificate Chain

• A certificate chain is a sequence of certificates used to verify the authenticity of a digital certificate.

IP Address Masquerading

• The command iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.11 changes the source IP address to 192.0.2.11 for all IPv4 packets that go through the network interface eth0.

FreeIPA Server

• The command ipa-server-install installs and configures a new FreeIPA server, including all sub-components, and creates a new FreeIPA domain.

OpenSSL

• The command openssl req -new -key private/keypair.pem -out req/csr.pem generates a certificate signing request (CSR) using the already existing private key.

Cryptography

• Cryptography is the art of sending secret messages.

HID

• HID monitors for unauthorized access attempts.

Ciphertext

• A ciphertext is the encrypted message.

Audit Rule

• The command auditctl -w /etc/firewall/rules -p rw -k firewall defines an audit rule that monitors read and write operations to the file /etc/firewall/rules and associates the rule with the name firewall.

Rootkit

• A rootkit is a type of malware that disguises itself as legitimate software.

ebtable Rules

• The command ebtables -t filter -L --Lc displays all ebtable rules contained in the table filter, including their packet and byte counters.

Plaintext

• A plaintext is the original message before encryption.

X.509 Certificate Transmission

• The protocol LDAP is commonly used to transmit X.509 certificates.

snort-stat

• The program snort-stat reads syslog files containing Snort information and generates port scan statistics.