Linux+ Chapter 15
During key authentication, what is run after the system decrypts the random number?
MD5 checksum
What is used to verify that the public/private key pair is valid?
MD5 checksum
Command to display only the SELinux errors from the audit.log?
cat /var/log/audit/audit.log | grep type=AVC
Command to append the public.key file to authorized_keys file on server?
cat public.key >> ~/.ssh/authorized_keys
Command to change the maximum number of days between password changes to 30 for user nsills?
chage -M 30 nsills
Command to change the number of warning days before a password change is required to 30 for user nsills?
chage -W 30 nsills
Command to change minimum number of days that are allowed between password changes to 30 for user nsills?
chage -m 30 nsills
Command to change the security context of an object?
chcon
Command to view installed services on init system
chkconfig
You would like to make it harder for malicious users to gain access to sensitive information. Which of the following techniques can be used to remap the root directory to include only certain directories and files?
chroot jail SSH
What command can you use to view the wtmp log file?
last
Command to display a list of all the users on the system and when they last logged in
lastlog
Command to list the available booleans for SELinux?
getsebool -a
What is the full path and filename of the file you should edit to limit the amount of concurrent logins for a specific user?
/etc/security/limits.conf
What aa-unconfined option displays all of the processes from the /proc filesystem with TCP or UDP ports that are not protected by AppArmor profiles?
--paranoid
netstat option for displaying just listening sockets
-l
AppArmor profiles are stored in what directory?
/etc/apparmor.d/
What file must you edit to change the SELinux mode permanently?
/etc/selinux/config
Location of sshd configuration file
/etc/ssh/sshd_config
Each word of an SELinux security context is separated by what?
:
Which parameter allows TCP traffic to be sent from the SSH daemon when set to yes?
AllowTcpForwarding
Which PAM module verifies the user's identity by requesting and checking a password or other secret? It may also pass authentication information on to other systems, like a keyring.
Authentication module
What section in the /etc/sudoers file specifies a set of commands that users can execute using the sudo command?
Cmnd_Alias
Which system is maintained by the US government and is a reference for publicly known security vulnerabilities?
Common Vulnerabilities and Exposures (CVE)
In which AppArmor mode are the loaded profiles NOT enforced, but policy violation attempts are stored in a log file?
Complain
What are the two modes of AppArmor?
Enforce Complain
What section in the /etc/sudoers file specifies a list of computers on which sudo users can perform commands?
Host_Alias
Which protocol is based on tickets that allow nodes communicating over a non-secure network to prove their identity?
Kerberos
In which protocol does the user authenticate to an LDAP server to access directory information about users, computers, and services in a network?
LDAP
You work for a growing small business where the executives are traveling and working remotely. Which of the following would offer the BEST protection for sensitive data on their laptops?
LUKS disk encryption
What is an open-source disk encryption software that requires a user to enter a password to access data on a disk?
Linux Unified Key Setup (LUKS)
What separates the tasks of authentication into four independent management groups: account management, authentication management, password management, and session management?
PAM
What does PAM stand for?
Pluggable Authentication Modules
Name for the remote authentication dial-in user service, that provides centralized authentication?
RADIUS
SSH1 only supports what encryption standard?
RSA
What are the two VPN protocols?
SSL TLS
What is the standard technology used for keeping an internet connection secure?
Secure Sockets Layer (SSL)
What is the name of the method that SELinux uses to classify resources?
Security Context
T/F - DTLS has built-in recovery functions and requires additional memory.
True
T/F xinetd uses separate configuration files for each managed service while inetd does not
True
What is the default IPsec mode?
Tunnel
Which type of ports does the DTLS protocol use?
UDP
When configuring the SSH daemon using the /etc/ssh/sshd_config file, which options can be set to either prevent or allow unrestricted access to all GUI features on the client?
X11Forwarding ForwardX11Trusted
Must you reboot your system after editing the /etc/selinux/config file?
Yes
What is the best command for troubleshooting an AppArmor profile?
aa-complain
What should you enter at the command prompt to display both listening and non-listening sockets on your Linux system?
netstat -a
Two commands to view list of open IP ports
nmap netstat
What should you enter at the command prompt to scan for open TCP ports on your Linux system?
nmap -sT
Command to view open TCP ports on 1.1.1.1
nmap -sT 1.1.1.1
What is a pair of virtual character devices that provide a bidirectional communication channel? (One end of the channel is called the master; the other end is called the slave.)
pseudo-terminal (pty)
What command restores SELinux security contexts back to their default values?
restorecon
Command to see if SELinux is installed
sestatus
Unnecessary network services might provide attackers with an entry point for an attack. To view a list of services, or units, installed or running on a systemd-based system, what could you enter at the command prompt?
systemctl list-units
What daemon provides a way for services to be loaded when they're requested by a network host, but then be unloaded when they're not needed anymore?
xinetd
Command to install semanage on a CentOS 7 machine?
yum install -y setroubleshoot-server
You are limiting the total amount of memory a user can take up when they use the X Windows System. What limit keyword should you use?
rss
Command to securely copy the rtracy user's public RSA key to the server 10.0.0.228 using the ksanders user?
scp /home/rtracy/.ssh/id_rsa.pub ksanders@10.0.0.228:
What is the troubleshooting command to view SELinux errors?
sealert
Name for the SELinux GUI troubleshooting tool?
semanage
What do you enter in a service's configuration file in /etc/xinetd.d to enable TCP wrapper?
server = /usr/sbin/tcpd
Command to switch SELinux to permissive mode temporarily?
setenforce 0
Command to switch SELinux to enforced mode temporarily?
setenforce 1
Command to turn SELinux boolean on or off
setsebool
Command to permanently turn the boolean "boolean2" to off
setsebool -P boolean2 off
Command to temporarily turn the boolean "boolean2" to off
setsebool boolean2 off
Allows access to a shell on a remote computer. It is identical to the ssh command. This is supported only for backwards compatibility
slogin
Command to login to computer "hs1" using username bjones
ssh -l bjones hs1
You are configuring public key authentication on your client system. Which command enables the passphrase agent?
ssh-agent bash
Commands to eliminate the need to enter the SSH passphrase every time you establish an RSA SSH connection with the remote server
ssh-agent bash ssh-add ~/.ssh/id_rsa
Command to generate RSA client key pair?
ssh-keygen -t rsa
Which version of SSH supports the Rivest, Shamir Adleman (RSA), and Digital Signature Algorithm (DSA) encryption standards?
ssh2
Which public key is sent from the SSH server to the SSH client when they are in the process of establishing a session with the SSH2 DSA protocol?
ssh_host_dsa_key.pub
Which public key is sent from the SSH server to the SSH client when they are in the process of establishing a session with the SSH1 protocol?
ssh_host_key.pub
Which public key is sent from the SSH server to the SSH client when they are in the process of establishing a session with the SSH2 RSA protocol?
ssh_host_rsa_key.pub
You are currently logged in using the badams account. You want to view the contents of the /etc/inittab file, but you are not allowed to with the badams account. Which command could you use to view the file?
su -c "cat /etc/inittab" -l
What command switches to the root user and executes the ls command on the user rgurate's home directory?
su -c "ls /home/rgurate"
This command is equivalent to running sudo -e
sudoedit
Which command first creates a temporary copy of the desired file. Changes are then made to that file. When done, the changes made to the temporary files are copied back to their original location, and the temporary versions are removed?
sudoedit
What type of encryption uses only one key to encrypt and decrypt data?
symmetric
What command is used to modify kernel parameters at runtime?
sysctl
Command to list services on systemd
systemctl -a
Command to view installed services using systemd
systemctl list-unit-files
What should you enter at the command prompt to check the TCP wrapper configuration on your system?
tcpdchk
Command to show all currently logged in users
w
Command to find the daemon's executable path for tcpd?
which tcpd
What two commands let you see who is currently logged in to the system?
who finger
Which log file contains a list of all the users who have ever authenticated to the system?
wtmp
What is the YUM/apt-get equivalent for OpenSUSE?
zypper
On the SSH server, what file must be appended with the client's public key?
~/.ssh/authorized_keys
When setting up an RSA or DSA key-pair, where must you copy the client public key to on the server side?
~/.ssh/authorized_keys
When creating an RSA key pair, where is the private key stored?
~/.ssh/id_rsa
When creating an RSA key pair, where is the public key stored?
~/.ssh/id_rsa.pub
The ssh client is configured using what two files?
~/.ssh/ssh_config /etc/ssh/ssh_config
Which file do you edit to enable SSH tunneling on the client?
/etc/ssh/ssh_config
What has all the hardware, software, and people necessary to support the creation and distribution of digital certificates?
Public Key Infrastructure (PKI)
What encryption standard is based on factoring large numbers into their prime values?
RSA
What uses a remote SSH connection to create an encrypted tunnel from a remote machine to your SSH client?
Remote Port Forwarding
Command to view SELinux security context for the file /etc/file2
ls -Z /etc/file2
Name for when a packet datagram is too large to fit within the maximum transmission unit (MTU)
message fragmentation
In the audit logs, what indicates an SELinux error?
type=AVC
Command to limit user access to system resources at the shell prompt
ulimit
What do you enter at the command prompt to prevent the shell from using too much of the system's resources?
ulimit
Command to update packages on Debian system
apt-get dist-upgrade
What type of encryption uses two keys that are mathematically related? Both keys together form a key pair.
asymmetric
What can you enable to monitor log files and audit access to system files, directories, and resources?
auditd
What line needs to be in the /etc/pam.d/login file to configure PAM to check and see if a file named /etc/nologin exists?
auth requisite pam_nologin.so
Items that can be tuned (configured without adjusting profiles) using AppArmor are stored in what directory?
/etc/apparmor.d/tunables
What file do you create to block all logins?
/etc/nologin
Functionality of the nologin file is configured in which directory?
/etc/pam.d/login
Configuration file for pam_limits
/etc/security/limits.conf
File that specifies where the server will look for authorized SSH keys
/etc/ssh/sshd_config
What is the text file containing sysctl values to be read in and set by sysctl at boot time?
/etc/sysctl.conf
Command to see what mode SELinux is using?
getenforce
You want to allow any host from westsim.com to have access to your system. Which of the following line items would you add to the /etc/hosts.allow file to accomplish this task?
ALL: .westsim.com
What uses a local SSH connection to create an encrypted tunnel to a remote machine?
Local Port Forwarding
Command to change the AppArmor mode for firefox to Complain mode
aa-complain firefox
Command to disable AppArmor monitoring of a program
aa-disable
Command to run after editing AppArmor modes for the program firefox
aa-enforce firefox
What command lists the loaded AppArmor modules and tells you which ones are running in Enforce mode and which ones are running in Complain mode?
aa-status
What command displays a list of processes with TCP or UDP ports that don't have AppArmor profiles loaded?
aa-unconfined
Ubuntu command to install AppArmor utilities
apt install apparmor-utils
What limit keyword limits the size of core dump files? The value uses kilobytes.
core
What limit keyword limits the amount of ram an application can use? The value uses kilobytes.
data
Removing unnecessary software increases the security of your Linux system. If your system uses RPM for package management, what can you enter at the command prompt to look for unnecessary software that might be installed on your system?
dnf list installed
ulimit option that sets a limit on the maximum number of open file descriptors, so it effectively sets the limit on the number of files the user can have open
-n
chcon command option to change just the role of an object's SELinux security context?
-r
netstat option for listing routing table
-r
netstat option for displaying summary information for each protocol enabled on the system
-s
chcon command option to change just the type of an object's SELinux security context?
-t
ulimit option that sets a limit on the maximum amount of CPU time, in seconds, that a process can use.
-t
chcon command option to change just the user of an object's SELinux security context?
-u
ulimit option that sets a limit on the maximum number of processes that are available to a particular user.
-u
What ssh option is used to set up an ssh tunnel?
-x
ulimit option that is used to set a soft resource limit
-S
ls command option to view SELinux Security Context for a file?
-Z
netstat option for listing all listening and non-listening sockets
-a
ulimit option that displays all the current resource limits that have been set
-a
ulimit option that sets a limit on the maximum size of core files, and this is done in blocks
-c
Which ssh option runs SSH in the background after the password prompt?
-f
ulimit option that sets a limit on the maximum size in blocks of files that are created by the shell
-f
Which ssh option overrides configuration file settings and creates a tunnel (if needed)?
-g
netstat option for displaying statistics for your network interfaces
-i
ssh command option to specify username
-l
ulimit option that sets a limit on the maximum resident size of a process in RAM, and it's also specified in KB
-m
aa-unconfined option to run with netstat instead of ss
--with-netstat
What is the default option for the aa-unconfined command?
--with-ss
ulimit option that is used to set a hard resource limit
-H
Which ssh option specifies the port numbers and server address?
-L
Which ssh option ensures that SSH does not execute a remote command?
-N
xinetd configuration file location
/etc/xinetd.conf
Location of individual services' configuration files used by xinetd
/etc/xinetd.d/
The gshant user is attempting to connect to a remote SSH server; however, you need to override the default SSH configurations for the client system when he establishes an SSH session. Which file should you edit?
/home/gshant/.ssh/config
The parameters available for sysctl are listed where?
/proc/sys
Directory for SELinux audit log files
/var/log/audit/
What is a very secure mode of the DES algorithm encryption method that encrypts data three times using a 168-bit key?
3DES
Which PAM module checks that the specified account is a valid authentication target under current conditions? This may include conditions like account expiration, time of day, and that the user has access to the requested service.
Account modules
What is a Mandatory Access Control method used to protect your Linux systems from untrusted or unsecure processes?
AppArmor
After creating a keypair on the client side, what must you do next?
Copy the public key to SSH server
What is a United States Government encryption standard often used for digital signing? It supports SHA-1 and SHA-2.
DSA
Which protocol adds a simple retransmitter timer when dealing with lost packets?
DTLS
What is based on the TLS protocol and provides security for datagram-based applications by allowing them to communicate using a method designed to prevent eavesdropping, tampering, or message forgery?
Datagram Transport Layer Security (DTLS)
If SSH2 is being used, the server and the client use what key exchange system?
Diffie-Hellman
In which AppArmor mode do the settings in the profiles prevent applications from taking restricted actions?
Enforce
Which SELinux mode denies access based on SELinux policy rules?
Enforcing
What are the two modes of SELinux?
Enforcing Permissive
In IPsec Tunnel mode, which part of the IP packet is encrypted?
Everything, new IP header is added after encryption
Which SELinux policy prevents unauthorized users from accessing protected data and applications?
Multi-Level Security (MLS)
Which SELinux policy applies access controls to certain processes?
Targeted
What are the two SELinux policies?
Targeted Multi-Level Security (MLS)
Which PAM module is responsible for updating passwords and is generally coupled to modules employed in the authentication step? It may also be used to enforce strong passwords.
Password module
In what SELinux mode is the SELinux policy not enforced? This means that SELinux does not block or deny anything from happening
Permissive
What section in the /etc/sudoers file specifies a username that is used when running commands with sudo. Usually, this is just root?
Runas_Alias
What allows you to restrict access to variables, such as which users and applications can access which resources?
SELinux
Which PAM module defines actions that are performed at the beginning and end of sessions? A session starts after the user has successfully authenticated.
Session module
What must you change in the /etc/ssh/ssh_config file to allow ssh tunneling on the client?
Set ForwardX11 to yes
For Linux systems where physical access could be compromised, which of the following best practices should be implemented to prevent a user from booting into single user mode with root access?
Set a bootloader password.
What is the default SELinux policy?
Targeted policy
Name for the terminal access controller access-control system plus protocol that is similar to RADIUS?
TACACS+
What protocol compensates for message fragmentation?
TCP
Which protocol resends lost packets?
TCP
Which type of ports does TLS protocol use?
TCP
What section in the /etc/sudoers file specifies a set of users who are allowed to execute a specific set of commands using the sudo command?
User_Alias
For the fuser command, what character indicates that it's in the executable that's being run?
e
For the fuser command, what character would indicate that the file is open and being written to?
f
Command to find all files on system with the SGID bit
find / -type f -perm -g=s -ls
Command to find all files on system with the write permission for others
find / -type f -perm -o=w -ls
Command to find all files on system with the SUID bit
find / -type f -perm -u=s -ls
Command to allow TCP port 80 through firewalld
firewall-cmd --permanent --zone=public --add-port=80/tcp
Command to allow http through firewalld
firewall-cmd --permanent --zone=public --add-service=http
What limit keyword limits maximum file size? The value uses kilobytes.
fsize
What command will find out who is either running a command on your system, or who has a file open on your system?
fuser
Command to view open UDP ports on 1.1.1.1
nmap -sU 1.1.1.1
What limit keyword limits the number of concurrently open data files?
nofile
What limit keyword limits the number of concurrent processes a user can have?
nproc
You can lock a user's account for failed password attempts using the what module?
pam_faillock
You can limit user access to system resources using a pluggable authentication module called what?
pam_limits
Which command puts a limit on the number of login attempts on a user's account?
pam_tally2
In IPsec Transport mode, which part of the IP packet is encrypted?
payload only
Command to force logout the user ksanders
pkill -KILL -u ksanders
You want to change the port that SSH listens on. You are going to edit the /etc/ssh/sshd_config file. Which line, when added to the file, will change the listening port to 1066?
port 1066
What limit keyword sets process priority limits? The value range is from -20 (highest priority) to 19 (lowest priority) with 0 being the default.
priority
Command to view the security context for all of the active processes
ps -eZ
Command to view the SELinux active processes for ibus?
ps -eZ | grep ibus
What command limits CPU time for a process to 10 minutes?
ulimit -t 600