Unix Security Essentials

Questions and Answers

What is the purpose of the /etc/nologin file?

• To prevent login of the user root (correct)
• To store password security settings
• To disable unnecessary network services
• To display daemons that access network ports

What is the command used to change the age of a user's password?

• chage (correct)
• passwd
• nologin
• chkconfig

What is the purpose of the xinetd superdaemon?

• To run SSH services on demand (correct)
• To store passwords and password security settings
• To handle daytime services
• To disable network services

What is the command used to set whether a service would start at boot time or not?

chkconfig (C)

What can be used in place of a user's shell to prevent them from logging in?

nologin command (B)

What is the purpose of the TCP wrappers?

To act as a simple firewall (D)

What is the command used to display daemons that access network ports?

netstat (B)

What file stores passwords and password security settings?

/etc/passwd (A)

What is the file extension of the revocation certificate file?

.asc (D)

What is the command used to display the contents of the revocation_file.asc file?

cat revocation_file.asc (C)

What is the purpose of the revocation certificate?

To revoke a public key (D)

What is the format of the revocation certificate file?

ASCII (B)

What is the command used to control various aspects of services and sockets on a computer using systemd?

systemctl (B)

What is the name of the directory where the revocation_file.asc file is located?

~/.gnupg (A)

What is the command used to display more information about various sockets in use on the system?

ss (B)

What is the message at the beginning of the revocation certificate?

This is a revocation certificate (C)

What is the command used to enable or disable a system to start at boot time on Debian-based distributions?

update-rc.d (A)

What is the command used to set the expiration date of an account to never?

chage -E -1 emma (D)

What is the license under which the content is provided?

CC BY-NC-ND 4.0 (A)

What is the command used to disable the CUPS printing service permanently?

systemctl disable cups.service --now (D)

What is the command used to check if the appropriate port is not active anymore after disabling the CUPS printing service?

ss -l | grep ':ipp ' (A), netstat -l | grep ':ipp ' (D)

What is the command used to check if nginx supports TCP wrappers?

ldd /usr/sbin/nginx | grep 'libwrap' (A)

What is the superdaemon that can control access to a network service on demand?

xinetd (B)

What is the purpose of importing the revocation certificate file to your keyring?

To revoke a private key (A)

What command is used to list the keys in the keyring?

gpg --list-keys (C)

What is the result of running gpg --import revocation_file.asc?

A private key is revoked (D)

What must be done with the revoked key?

It must be made available to any party that has public keys associated with it (B)

What is the purpose of importing a public key into a keyring?

To encrypt a file using the public key (A)

What is the output of the gpg --list-keys command?

A list of public keys in the keyring (B)

What is the result of running gpg --import carol.pub.key?

A public key is imported into the keyring (A)

What is the purpose of using GPG to encrypt a file?

To securely transmit the file to another party (A)

What is the primary function of gpg-agent?

To manage private keys for GPG (B)

What is the option to run gpg-agent in daemon mode?

--daemon (B)

What type of cryptography is used by GnuPG?

Public key cryptography (A)

What is the purpose of the trust database in GPG?

To manage key trust relationships (B)

What is the command to display the help options for gpg-agent?

gpg-agent --help (A), gpg-agent -h (B)

What is the purpose of the directory for revocation certificates in GPG?

To store revoked certificates (B)

What is the main component of public key cryptography used in GnuPG?

Public key and private key (B)

What is the license under which GnuPG is distributed?

GPLv3+ (D)

Flashcards are hidden until you start studying

Study Notes

Setting Up Host Security

• The file /etc/nologin prevents the login of the user root.
• The existence of the /etc/nologin file does not prevent passwordless logins with SSH keys.
• If the file /etc/nologin contains the line "login currently is not possible only", it does not affect the login of ordinary users.

User Management

• Passwords are stored in the file /etc/passwd, along with some password security settings, such as expiration time.
• The command chage is used to change the age of a user's password.
• The command passwd is used to create or change a user's password.

Network Services

• The superdaemon xinetd can control access to a network service on demand, leaving the service inactive until it is actually called upon to perform some task.
• The command netstat is a classic utility that displays daemons that access network ports on a system and their usage.
• The command ss is the modern equivalent to netstat, but also displays more information about various sockets in use on the system.

Security Measures

• TCP wrappers can be used as a simple firewall.
• The command chkconfig is used to set whether a service would start at boot time or not.
• The command update-rc.d is a classic command that enables or disables a system to start at boot time on Debian-based distributions.

Data Encryption

• GPG (GNU Privacy Guard) is used to encrypt, decrypt, sign, and verify files.
• To effectively revoke a private key, a revocation certificate needs to be merged with the key, which is done by importing the revocation certificate file to the keyring using gpg --import revocation_file.asc.
• The command gpg-agent is the daemon that manages private keys for GPG.

gpg-agent

• gpg-agent is started on demand by GPG.
• gpg-agent can be run in daemon mode (background) or server mode (foreground) using the options --daemon and --server, respectively.