Linux 15
Which ssh option should you enter at the command prompt to set up an SSH tunnel for X server traffic?
-X
Which chage option keeps a user from changing password every two weeks? -M 33 -a 33 -m 33 -W 33
-m 33
Which of the following is the associated device file for that terminal? /dev/tty5 /dev/null /dev/port /dev/lp0
/dev/tty5
AppArmor has been installed on your computer. Which of the following directories contain your AppArmor profiles? /etc/ /home/apparmor/ /home/apparmor/apparmor.d/ /etc/apparmor.d/ /etc/apparmor/apparmor.d/
/etc/apparmor.d/
You are modifying the tcpd control files of the xinetd super daemon. Of the two tcpd control files, what is the full path and filename of the file that is applied first?
/etc/hosts.allow
What is the full path and filename of the file you should create to disable user login on a Linux system?
/etc/nologin
Which configuration file should you edit to enable Pluggable Authentication Modules (PAM) to check for a file named /etc/nologin? /etc/nologin /etc/pam.d/nologin /etc/login /etc/pam.d/login
/etc/pam.d/login
A number of remote users call to say that they cannot connect via SSH today. When you look at the processes, you see that the daemon is not running. Which command would you use to solve this problem? inetd ssh /etc/rc.d/init.d/sshd start ssh start /etc/inetd/ssh start
/etc/rc.d/init.d/sshd start
The root user attempted to log in to the system using tty and was denied access. The pam_securetty module uses a configuration file to determine which virtual terminals (tty#) root is allowed to log in from. Which of the following files would the root user check to see which terminals are permitted? /etc/pam.d/password-auth pam_securetty /etc/securetty pam_ldap.conf
/etc/securetty
What is the full path and filename of the file you should edit to limit the number of concurrent logins for a specific user?
/etc/security/limits.conf
Where does the client store SSH keys that are used to establish an SSH session? (Select TWO). /etc/ssh/sshd_config ~/.ssh/known_hosts ~/.ssh/config /etc/ssh/ssh_known_hosts
/etc/ssh/ssh_known_hosts ~/.ssh/known_hosts
What is the full path and filename of the file you should edit to configure the SSH daemon on the server system?
/etc/ssh/sshd_config
You need to configure which commands are allowed to be used with the sudo command. What is the full path and filename of the file you should edit?
/etc/sudoers
Sam, a system administrator, is implementing measures to harden the Linux systems on the network. Sam wants to modify kernel parameters at runtime to protect the system from syn flood attacks using the sysctl command. Which file would Sam modify to implement the following changes? # TCP SYN Flood Protection net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 3 a. /etc/sysctl.conf b. /etc/sysconfig/kernel c. /proc/sys d. /etc/sysconfig/iptables
/etc/sysctl.conf
Management wants a compilation of specific data to occur every night. The only way to accomplish this task is to copy files throughout all network hosts to one server via TFTP. Which of the following files MUST be edited to enable xinetd to manage TFTP on the Linux server? /etc/tftpd /etc/services /etc/xinetd.d/tftp /etc/tftpd.conf
/etc/xinetd.d/tftp
The gshant user is attempting to connect to a remote SSH server; however, you need to override the default SSH configurations for the client system when he establishes an SSH session. Which of the following files should you edit? /etc/ssh/ssh_known_hosts /etc/ssh/sshd_config /home/gshant/.ssh/config /etc/ssh/ssh_config
/home/gshant/.ssh/config
As the network administrator, one of your responsibilities is to analyze and troubleshoot SELinux context violations. In which directory are the SELinux violations recorded? /var/log /var/log/audit /var/log/secure /var/log/firewalld
/var/log/audit
You want to allow any host from westsim.com to have access to your system. Which of the following line items would you add to the /etc/hosts.allow file to accomplish this task? ALLOW: .westsim.com ALL: .westsim.com ANY: .westsim.com ALLOW: .westsim.com = YES
ALL: .westsim.com
You want to allow any host from westsim.com to have access to your system except a system called testsvr.westsim.com. Which of the following line items would you add to the /etc/hosts.allow file to accomplish this task? ANY: .westsim.com EXCEPT testsvr.westsim.com ALLOW: .westsim.com, testsvr.westsim.com = NO ALLOW: .westsim.com ALL EXCEPT testsvr.westsim.com ALL: .westsim.com EXCEPT testsvr.westsim.com
ALL: .westsim.com EXCEPT testsvr.westsim.com
What does the netstat -a command show? All listening sockets All connected hosts All network users All listening and non-listening sockets
All listening and non-listening sockets
You would like to use SSH port tunneling to work on a remote system. You also need to ensure that all data that you send to the remote system is encrypted. Which SSH configuration option, in the /etc/ssh/sshd_config file, needs to be set to yes? AllowSSHForwarding AllowSSHTunneling AllowTCPForwarding AllowTCPTunneling
AllowTCPForwarding
What is the purpose of the find / -type f -perm -o=x -ls command? Audit files in the root directory that have execute permissions for the owner. Audit files in the root directory that have execute permissions for group owners. Audit files in the root directory that have execute permissions for others.
Audit files in the root directory that have execute permissions for others.
What is the purpose of the find / -type f -perm -u=s -ls command? Audit files in the root directory that have execute permissions for group owners. Audit files in the root directory that have execute permissions for the owner. Audit files in the root directory that have execute permissions for others. Audit files in the root directory that have the SUID bit set.
Audit files in the root directory that have the SUID bit set.
Which of the following would enable the rsync service to be managed by the xinetd super daemon? Create a link to the rsync init script in the /etc/xinetd.d directory. Create the rsync file in /etc/xinetd.d Add XINETD = true to the rsync init script. Type xinetd rsync on.
Create the rsync file in /etc/xinetd.d
Which of the following provides security for datagram-based applications by allowing them a communication method designed to prevent eavesdropping, tampering, and message forgery? DTLS IPSec Transport mode NAT
DTLS
You manage a Linux server that occasionally needs to provide ftp services at irregular intervals. To save on resources, you want to have the ftp server service running only when it is needed, and stopped the rest of the time. Which of the following solutions would satisfy these requirements and require the LEAST amount of effort? Manually start and stop the ftp service at regular intervals. Create a link to the ftp services init script in the /etc/rc3.d directory. Write a shell script that starts the ftp server at random times. Enable the ftp service to be managed by the xinetd service.
Enable the ftp service to be managed by the xinetd service.
You want to limit Telnet access to three specific users. Which of the following strategies will BEST accomplish this goal? Set a limit for Telnet in the /etc/inetd.conf file. Create invalid remote shells for all but the three users allowed access. Enter the three users' IP addresses in the /etc/usertty file. Enter IP address entries for the three users in the /etc/hosts.allow file.
Enter IP address entries for the three users in the /etc/hosts.allow file.
Which of the following are multifactor authentication methods supported by Linux? (Select THREE.) a. Mantrap b. Kerberos c. TACACS+ d. Fingerprint e. LDAP f. One-time password (OTP) g. Iris pattern
Fingerprint Iris pattern One-time password (OTP)
Carlos, a system administrator, needs to set up a VPN tunnel from a branch office to the main office. Data security is a high priority. Which of the following will allow the IP packets to be encrypted and encapsulated in a new IP header that is sent through the VPN tunnel? NAT VNC IPSec DTLS
IPSec
You work for a growing small business where the executives are traveling and working remotely. Which of the following would offer the BEST protection for sensitive data on their laptops? Enable bootloader passwords Bitlocker encryption Multifactor authentication LUKS disk encryption
LUKS disk encryption
What effect does the ulimit -t 600 command have on a Linux system? Limits CPU time for a process to 10 minutes. Limits the concurrent processes a user can run to 10. Limits CPU time for a process to 600 minutes. Limits the maximum number of processes to 600.
Limits CPU time for a process to 10 minutes.
Within the /etc/security/limits.conf file, you notice the following entry: @guests hard maxlogins 3 What effect does this line have on the Linux system? Limits the total amount of memory used by the guest group to 3 MB Limits concurrent logins from the same user to three. Limits the number of maximum logins from the guest group to three. Limits the maximum file size that the guest group can create to 3GB.
Limits the number of maximum logins from the guest group to three.
You are the only Linux administrator for a very small company. You are constantly asked to fix one problem or another as they occur. Which of the following is the BEST way to log into the system each morning? Log in as the user who has the most problems each day so you can more quickly fix the problems. Log in as a superuser in order to be able to troubleshoot problems. Log in as the root user so you can solve problems as they occur. Log in as a regular user and then use su as needed to solve problems.
Log in as a regular user and then use su as needed to solve problems.
What is the name of the hash function used to verify the public key for an SSH connection?
MD5
You want to enable public key authentication on the server. Which option in the /etc/ssh/sshd_config file needs to be set? RSAAuthentication yes #PubkeyAuthentication yes #RSAAuthentication yes PubkeyAuthentication yes
PubkeyAuthentication yes
Which of the following technologies can be used to set up passwordless SSH logins by distributing a server SSH certificate? Public key infrastructure (PKI) Kerberos LDAP chroot jail SSH
Public key infrastructure (PKI)
Which of the following is a key difference between VPN tunnel and transport modes? Tunnel mode provides lower overhead. Only tunnel mode is provided by IPSec. With transport mode, only the payload of the IP packet is encrypted, and the original IP headers are left intact. Transport mode only provides unencrypted data because the connection is secure.
With transport mode, only the payload of the IP packet is encrypted, and the original IP headers are left intact.
When configuring the SSH daemon using the /etc/ssh/sshd_config file, which options can be set to either prevent or allow unrestricted access to all GUI features on the client? (Select TWO). ForwardX11Trusted AllowXServerForwarding X11Forwarding XServerForwarding TrustX11
X11Forwarding ForwardX11Trusted
You are running AppArmor on your system. Which of the following commands will show all of the processes from the /proc filesystem with TCP or UDP ports that are not protected by AppArmor profiles? aa-unconfined --with-ss aa-unconfined --paranoid aa-unconfined aa-unconfined --with-netstat
aa-unconfined --paranoid
Login blocking is enabled using the Pluggable Authentication Modules (PAM) module. What line needs to be in the /etc/pam.d/login file to configure PAM to check and see if a file named /etc/nologin exists?
auth requisite pam_nologin.so
Which is the most correct description for 3DES? 3DES is a third-generation version of DES, the Data Encryption Standard cipher. 3DES means running the DES algorithm three times for maximum encryption. 3DES is derived from Microsoft's Windows Encrypted File System (EFS). 3DES is a very secure mode of the DES algorithm encryption method that encrypts data three times using a 168-bit key.
3DES is a very secure mode of the DES algorithm encryption method that encrypts data three times using a 168-bit key.
Which of the following virtual private networks (VPNs) utilizes digital certificates to ensure that only the intended recipients can view and use the data sent? SSL/TLS IPSec Transport IPSec Tunnel DTLS
SSL/TLS
For Linux systems where physical access could be compromised, which of the following best practices should be implemented to prevent a user from booting into single user mode with root access? Separate sensitive data from the operating system. Set a bootloader password. Disable Ctrl+Alt+Delete. Set a UEFI/BIOS password.
Set a bootloader password.
What is the effect of the following command? chage -M 60 -W 10 jsmith Sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires. Forces jsmith to keep the password 60 days before changing it and gives a warning 10 days before changing it. Sets the password for jsmith to expire after 6 days and gives a warning 10 days before it expires. Deletes the jsmith user account after 60 days and gives a warning 10 days before it expires.
Sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires.
A system was installed by an employee that is no longer with the company, and that employee used a non-standard root password that was not documented. Which mode must you boot the system into to reset the lost root password? Single user mode tty1 tty7 Multiuser graphical mode
Single user mode
What is the purpose of the -N option in the following command? ssh -f -N -L 2345:mail.mydomain.com:110 [email protected] To run SSH in the background after the password prompt. To ensure that SSH does not execute a remote command. To specify the default port for non-secure protocol. To specify the port numbers and server name.
To ensure that SSH does not execute a remote command.
Which of the following is the main purpose of the xinetd service? To listen for internet traffic on the external network interface. To listen for http requests. To act as a firewall for your Linux system. To receive client requests for network services and start and stop them on demand.
To receive client requests for network services and start and stop them on demand.
Maria, a user, is working remotely from a hotel while traveling for business. Maria needs to access some sales resources on the company's network. Which of the following would allow Maria to securely access the resources she needs? VPN IP Header NAT Telnet
VPN
Your computer is using AppArmor. Which of the following commands is BEST to use for troubleshooting an AppArmor profile? aa-unconfined aa-disable aa-complain aa-enforce
aa-complain
You have just started protecting your computer while running Firefox using AppArmor. After a short time, employees start to complain that some of the features they use frequently are no longer functioning. After a quick check, you discover that these features should be working and decide not to protect Firefox anymore. Which of the following is the BEST command to quickly stop protecting Firefox? aa-unconfined aa-disable /etc/apparmor.d/usr.bin.firefox systemctl stop apparmor aa-complain /etc/apparmor.d/usr.bin.firefox
aa-disable /etc/apparmor.d/usr.bin.firefox
What chage command should you enter at the command prompt to set the password for jsmith to expire after 60 days and give a warning 10 days before it expires?
chage -M 60 -W 10 jsmith
You would like to make it harder for malicious users to gain access to sensitive information. Which of the following techniques can be used to remap the root directory to include only certain directories and files? PKI One-time password SSH certificate chroot jail SSH
chroot jail SSH
Removing unnecessary software increases the security of your Linux system. If your system uses RPM for package management, what can you enter at the command prompt to look for unnecessary software that might be installed on your system?
dnf list installed
You are limiting the total amount of memory a user can take up when they use the X Windows System. Which of the following limit keywords should you use? rss cpu nproc data
rss
You have used su to switch to the root user account to do system administration tasks. Now you want to revert back to your regular user account. Which command should you use? exit break logoff off
exit
Your site is dependent upon the use of the rlogin utility for remote access. For security reasons, you want to prevent the hosts in the marketing department from accessing the payroll server, but allow all others to do so. Which of the following files should you use to create this restriction? hostname hosts.deny hosts.allow hosts
hosts.deny
Which keys are generated when you execute the ssh-keygen command with no options? (Select TWO.) id_rsa.pub id_dsa id_rsa id_dsa.pub
id_rsa.pub id_rsa
What should you enter at the command prompt to display both listening and non-listening sockets on your Linux system?
netstat -a
You need to increase the security of your Linux system by finding and closing open ports. Which of the following commands should you use to locate open ports? netstat nmap traceroute nslookup
nmap
What should you enter at the command prompt to scan for open TCP ports on your Linux system?
nmap -sT
You want to change the port that SSH listens on. You are going to edit the /etc/ssh/sshd_config file. Which line, when added to the file, will change the listening port to 1066? listen_port 1066 port 1066 listen 1066 ssh_port 1066
port 1066
Which of the following is a pair of virtual character devices that provide a bidirectional communication channel? (One end of the channel is called the master; the other end is called the slave.) /dev/console pseudo-terminal (pty) /dev/null virtual terminal (tty)
pseudo-terminal (pty)
Which of the following is the BEST command for viewing SELinux errors? semanage getenforce getsebool sealert
sealert
You are a network administrator for your company. A user calls to complain that his Firefox browser is not working as it did the day before. Knowing that you recently updated the SELinux profile for Firefox, you suspect the change you made is causing the issue. You want to troubleshoot the issue by switching the profile to permissive mode. Which of the following is the BEST command to use in this situation? getenforce setsebool setenforce sestatus
setenforce
You were recently asked to manage the SELinux implementation at your company. Since you are still coming up to speed on this technology, you have not yet mastered the process of creating or making major changes to SELinux policies. However, an employee has just called you complaining that they don't seem to be able to accomplish a task with a particular application. After scanning through the SELinux policy for that application, you notice that there is a method that can be used to enable the desired function. Which of the following is the BEST command for enabling that feature without editing the policy? setenforce sestatus getenforce setsebool ls -Z application_name
setsebool
Which daemon, or service, provides port tunneling to encrypt non-secure protocols such as email and X server traffic?
ssh
You need to connect to a remote system whose host name is abc.def.com and execute a shell script called daily-backup.sh that backs up some files. The username that has permissions to execute that script is bubba. Which command should you run to make the connection? netstat abc.def.com bubba ssh -l bubba abc.def.com ping abc.def.com:bubba ssh abc.def.com:bubba
ssh -l bubba abc.def.com
As you configure your client for public key authentication, you decide to generate the DSA key pair. You would like to configure the client to automatically provide the private key passphrase when needed so that you do not need to type the passphrase for every new SSH connection to a server. Which command should you use in conjunction with the ssh-agent bash command? (Enter the command and options as if you are at the command prompt.)
ssh-add ~/.ssh/id_dsa
You are configuring public key authentication on your client system. Which command enables the passphrase agent? ssh-keygen scp ssh-agent bash ssh-add
ssh-agent bash
Which version of SSH supports the Rivest, Shamir, Adleman (RSA) and Digital Signature Algorithm (DSA) encryption standards?
ssh2
When using DSA to establish an SSH session, what is the name of the key that the SSH server will send to the client? (Enter the name of the key only.)
ssh_host_dsa_key.pub
Which of the following public keys is sent from the SSH server to the SSH client when they are in the process of establishing a session with the SSH1 protocol? ssh_key.pub ssh_host_rsa_key.pub ssh_host_dsa_key.pub ssh_host_key.pub
ssh_host_key.pub
You are currently logged in using the badams account. You want to view the contents of the /etc/inittab file, but you are not allowed to with the badams account. Which command could you use to view the file? su cat /etc/inittab sudo -f /etc/inittab cat sudo "cat /etc/inittab" su -c "cat /etc/inittab" -l
su -c "cat /etc/inittab" -l
You have logged in as a regular user when a frantic phone call comes in. The ABCD process must be started on the server now, but can only be run by root. Which command would you use to start this process? exit ABCD sudo ABCD ABCD /root su ABCD
sudo ABCD
Unnecessary network services might provide attackers with an entry point for an attack. To view a list of services, or units, installed or running on a systemd-based system, what could you enter at the command prompt?
systemctl list-unit-files
What should you enter at the command prompt to check the TCP wrapper configuration on your system?
tcpdchk
PAM is configured on your system to look for the presence of the nologin file in the /etc directory. If the nologin file exists, user login is disabled, and only the root user can log in. If your current working directory is root's home directory, which command would you enter to quickly create an empty nologin file in the /etc directory?
touch /etc/nologin
What do you enter at the command prompt to prevent the shell from using too much of the system's resources?
ulimit
What do you enter at the command prompt to edit the /etc/sudoers file?
visudo
You need to block all users from logging in to the Linux system while you resolve a serious issue. You first need to force all active users to logout. Which command should you enter to display a list of all active users?
w
Which of the following is the super daemon that is most commonly found in modern Linux distributions? inetd init xserver xinetd
xinetd
Which of the following is an advantage of xinetd over inetd? xinetd uses separate configuration files for each managed service. xinetd can listen on behalf of more than one service at a time. xinetd does not require an external program, such as tcpd, to restrict access to its services. xinetd is written in Java and is, therefore, more secure.
xinetd uses separate configuration files for each managed service.