Security and File Systems

Questions and Answers

What option of mount.cifs specifies the user that appears as the local owner of the files of a mounted CIFS share when the server does not provide ownership information?

uid=arg

Where should private keys be created?

On a system where they will be used

What is the purpose of NSEC3 in DNSSEC?

To prevent zone enumeration

What command is used to run a new shell for a user changing the SELinux context?

newrole

Which file is used to configure AIDE?

./etc/aide/aide.conf

What is the purpose of ndpmon?

It monitors the network for neighbor discovery messages from new IPv6 hosts and routers.

Why should private keys be included in X509 certificates?

Never, private keys should not be shared

How should private keys be stored?

In encrypted files with a strong password

What is the purpose of a trust anchor?

A root certificate that is trusted by a particular CA

What is the primary goal of a DoS attack?

To make a network or server unavailable

Which of the following commands is used to set the permissions of a file in Linux?

chmod

What is the purpose of a TLSA record in DANE?

To sign a TLS server's public key

Which of the following DNS records is used to publish X.509 certificate and certificate authority information?

CAA

Which of the following types of rules can be specified within the Linux Audit system?

Control rules

Which of the following keywords are built-in chains for the iptables nat table?

OUTPUT

What type of resource can be controlled by the Bash built-in command ulimit?

File descriptors

What is the primary function of ICMP echo requests?

To monitor remote hosts for availability

What is an asymmetric key used for?

Only for encryption

What type of detection is based on identifying abnormal behavior?

Anomaly-based detection

Which command revokes ACL-based write access for groups and named users on a file?

setfacl ~m mask: : rx

Which command is used to set an extended attribute on a file in Linux?

setfattr

Which option in an Apache HTTPD configuration file enables OCSP stapling?

SSLUseStapling

Which database name can be used within a Name Service Switch (NSS) configuration file?

host

What is the purpose of ICMP in a network?

To monitor remote hosts for availability

What is the purpose of the SSLStrictSNIVHostCheck configuration?

To serve virtual hosts only to clients that support SNI

What is the effect of configuring SSLVerifyClient require in Apache HTTPD?

Clients are required to provide a client certificate for authentication

What is a characteristic of a Root CA certificate?

It is a self-signed certificate

What is a best practice for implementing HID?

Configuring HID to alert security personnel of potential security incidents

How do SELinux permissions relate to standard Linux permissions?

They are related but distinct

What is the purpose of the limit on the maximum size of written files?

To limit system resource usage

What is the purpose of the SSLRequestClientCert directive?

To require client certificates for authentication

What is the purpose of the Require valid-x509 directive?

To require client certificates for authentication

What is the method used by TSIG to authenticate name servers for secured zone transfers?

Shared secret key between servers

Which of the following is NOT a component of FreeIPA?

Intrusion Detection System

What is the utility used to generate keys for DNSSEC?

dnssec-keygen

Which command makes the contents of the eCryptfs encrypted directory ~/Private available to the user?

ecryptfs-mount-private

What is an example of an HID tool?

Security information and event management (SIEM) system

What can be concluded about an X509 certificate with the Basic Constraints extension?

It belongs to a certification authority

What is the purpose of the TSIG protocol?

To authenticate name servers for zone transfers

What is a characteristic of FreeIPA?

It is an open-source identity management system

Study Notes

Mounting CIFS Shares

• The uid option in mount.cifs specifies the user that appears as the local owner of the files of a mounted CIFS share when the server does not provide ownership information.

Private Key Security

• Private keys should not be created on systems where they will be used and should never leave them.
• Private keys should have a sufficient length for the algorithm used for key generation.
• Private keys should not be uploaded to public key servers.
• Private keys should not be included in X509 certificates.
• Private keys should not be stored as plain text files without any encryption.

DNSSEC

• NSEC3 is used to prevent zone enumeration in DNSSEC.
• The purpose of a TLSA record in DANE is to sign a TLS server's public key.
• TSIG authenticates name servers in order to perform secured zone transfers by using a secret key that is shared between the servers.

SELinux

• The newrole command is used to run a new shell for a user changing the SELinux context.
• SELinux permissions are related to standard Linux permissions.

AIDE

• The /etc/aide/aide.conf file is used to configure AIDE.

Behavioral-Based HID

• Anomaly-based detection is an example of a behavioral-based HID technique.

Asymmetric Keys

• An asymmetric key is a key used for both encryption and decryption that is generated in a pair.

Apache HTTPD

• The setfattr command is used to set an extended attribute on a file in Linux.
• The SSLVerifyClient require option makes Apache HTTPD require a client certificate for authentication.
• The SSLStrictSNIVHostCheck option makes the clients connecting to the virtual host provide a client certificate that was issued by the same CA that issued the server’s certificate.

DNS Records

• The CAA record is used to publish X.509 certificate and certificate authority information in DNS.

ulimit

• The ulimit command can be used to control the maximum size of written files, the maximum number of open file descriptors, and the maximum number of user processes.

Root CA

• The certificate of a Root CA is a self-signed certificate.
• The certificate of a Root CA does not include the private key of the CA.
• The certificate of a Root CA must contain an X509v3 Authority extension.

FreeIPA

• FreeIPA includes Kerberos KDC, Public Key Infrastructure, and Directory Server components.

DNSSEC Utilities

• The dnssec-keygen command is used to generate keys for DNSSEC.

eCryptfs

• The ecryptfs-mount-private command makes the contents of the eCryptfs encrypted directory ~/Private available to the user.

HID Tools

• A Security Information and Event Management (SIEM) system is an example of a HID tool.

X509 Certificates

• An X509 certificate contains information such as the X509v3 Basic Constraints, which specifies whether the certificate belongs to a certification authority and whether it may be used to sign certificates of subordinate certification authorities.