Security and File Systems

Questions and Answers

What option of mount.cifs specifies the user that appears as the local owner of the files of a mounted CIFS share when the server does not provide ownership information?

• username=arg
• uid=arg (correct)
• gid=arg
• owner=arg

Where should private keys be created?

• On a shared network drive
• On a public key server
• On an external storage device
• On a system where they will be used (correct)

What is the purpose of NSEC3 in DNSSEC?

• To provide information about DNSSEC key signing keys
• To authenticate a DNS server
• To sign a DNS zone
• To prevent zone enumeration (correct)

What command is used to run a new shell for a user changing the SELinux context?

newrole (C)

Which file is used to configure AIDE?

./etc/aide/aide.conf (B)

What is the purpose of ndpmon?

It monitors the network for neighbor discovery messages from new IPv6 hosts and routers. (C)

Why should private keys be included in X509 certificates?

Never, private keys should not be shared (C)

How should private keys be stored?

In encrypted files with a strong password (A)

What is the purpose of a trust anchor?

A root certificate that is trusted by a particular CA (B)

What is the primary goal of a DoS attack?

To make a network or server unavailable (B)

Which of the following commands is used to set the permissions of a file in Linux?

chmod (D)

What is the purpose of a TLSA record in DANE?

To sign a TLS server's public key (B)

Which of the following DNS records is used to publish X.509 certificate and certificate authority information?

CAA (D)

Which of the following types of rules can be specified within the Linux Audit system?

Control rules (D)

Which of the following keywords are built-in chains for the iptables nat table?

OUTPUT (B)

What type of resource can be controlled by the Bash built-in command ulimit?

File descriptors (D)

What is the primary function of ICMP echo requests?

To monitor remote hosts for availability (B)

What is an asymmetric key used for?

Only for encryption (A)

What type of detection is based on identifying abnormal behavior?

Anomaly-based detection (B)

Which command revokes ACL-based write access for groups and named users on a file?

setfacl ~m mask: : rx (D)

Which command is used to set an extended attribute on a file in Linux?

setfattr (C)

Which option in an Apache HTTPD configuration file enables OCSP stapling?

SSLUseStapling (A)

Which database name can be used within a Name Service Switch (NSS) configuration file?

host (C)

What is the purpose of ICMP in a network?

To monitor remote hosts for availability (C)

What is the purpose of the SSLStrictSNIVHostCheck configuration?

To serve virtual hosts only to clients that support SNI (A)

What is the effect of configuring SSLVerifyClient require in Apache HTTPD?

Clients are required to provide a client certificate for authentication (B)

What is a characteristic of a Root CA certificate?

It is a self-signed certificate (C)

What is a best practice for implementing HID?

Configuring HID to alert security personnel of potential security incidents (A)

How do SELinux permissions relate to standard Linux permissions?

They are related but distinct (C)

What is the purpose of the limit on the maximum size of written files?

To limit system resource usage (D)

What is the purpose of the SSLRequestClientCert directive?

To require client certificates for authentication (B)

What is the purpose of the Require valid-x509 directive?

To require client certificates for authentication (D)

What is the method used by TSIG to authenticate name servers for secured zone transfers?

Shared secret key between servers (D)

Which of the following is NOT a component of FreeIPA?

Intrusion Detection System (C)

What is the utility used to generate keys for DNSSEC?

dnssec-keygen (C)

Which command makes the contents of the eCryptfs encrypted directory ~/Private available to the user?

ecryptfs-mount-private (A)

What is an example of an HID tool?

Security information and event management (SIEM) system (D)

What can be concluded about an X509 certificate with the Basic Constraints extension?

It belongs to a certification authority (C)

What is the purpose of the TSIG protocol?

To authenticate name servers for zone transfers (B)

What is a characteristic of FreeIPA?

It is an open-source identity management system (B)

Flashcards are hidden until you start studying

Study Notes

Mounting CIFS Shares

• The uid option in mount.cifs specifies the user that appears as the local owner of the files of a mounted CIFS share when the server does not provide ownership information.

Private Key Security

• Private keys should not be created on systems where they will be used and should never leave them.
• Private keys should have a sufficient length for the algorithm used for key generation.
• Private keys should not be uploaded to public key servers.
• Private keys should not be included in X509 certificates.
• Private keys should not be stored as plain text files without any encryption.

DNSSEC

• NSEC3 is used to prevent zone enumeration in DNSSEC.
• The purpose of a TLSA record in DANE is to sign a TLS server's public key.
• TSIG authenticates name servers in order to perform secured zone transfers by using a secret key that is shared between the servers.

SELinux

• The newrole command is used to run a new shell for a user changing the SELinux context.
• SELinux permissions are related to standard Linux permissions.

AIDE

• The /etc/aide/aide.conf file is used to configure AIDE.

Behavioral-Based HID

• Anomaly-based detection is an example of a behavioral-based HID technique.

Asymmetric Keys

• An asymmetric key is a key used for both encryption and decryption that is generated in a pair.

Apache HTTPD

• The setfattr command is used to set an extended attribute on a file in Linux.
• The SSLVerifyClient require option makes Apache HTTPD require a client certificate for authentication.
• The SSLStrictSNIVHostCheck option makes the clients connecting to the virtual host provide a client certificate that was issued by the same CA that issued the server’s certificate.

DNS Records

• The CAA record is used to publish X.509 certificate and certificate authority information in DNS.

ulimit

• The ulimit command can be used to control the maximum size of written files, the maximum number of open file descriptors, and the maximum number of user processes.

Root CA

• The certificate of a Root CA is a self-signed certificate.
• The certificate of a Root CA does not include the private key of the CA.
• The certificate of a Root CA must contain an X509v3 Authority extension.

FreeIPA

• FreeIPA includes Kerberos KDC, Public Key Infrastructure, and Directory Server components.

DNSSEC Utilities

• The dnssec-keygen command is used to generate keys for DNSSEC.

eCryptfs

• The ecryptfs-mount-private command makes the contents of the eCryptfs encrypted directory ~/Private available to the user.

HID Tools

• A Security Information and Event Management (SIEM) system is an example of a HID tool.

X509 Certificates

• An X509 certificate contains information such as the X509v3 Basic Constraints, which specifies whether the certificate belongs to a certification authority and whether it may be used to sign certificates of subordinate certification authorities.