LPI Level 3 Exam (LPI 303: Security) : Exam Objectives Version: Version 2.0 Exam Code: 303-200

The document is about the LPI Level 3 Security exam (LPI 303). It provides the exam objectives and exam code for the LPI 303 exam. The exam objectives cover security topics such as access control configuration in Apache, GPG key management, Linux extended attributes, network scanning techniques with Nmap, secure configuration of services like sendmail, Nagios, OpenSSH, and more.

Uploaded by

dimasetbdf

LPI Level 3 Exam (LPI 303: Security)

LPIC-3 Exam 303: Security

Exam Objectives Version: Version 2.0

Exam Code: 303-200


Exam A

QUESTION 1
In the Apache configuration, which directives are used to restrict access based on host/domain name
and IP address?

A. Restrict and allow
B. Order, allow from and deny from
C. Deny and accept
D. Allow IP, deny IP, allow DOMAIN and deny DOMAIN
E. Order, deny and accept

QUESTION 2
Someone who wishes to receive an encrypted file has provided a key UID and a key fingerprint for
verification to the data sender.

Assuming that this key is on a public keyserver, what command will fetch the public key from the
server?

A. gpg findkeys UID
B. gpg recvkeys UID
C. gpg getkeys UID
D. gpg refreshkeys UID

QUESTION 3
Linux extended attributes include attribute classes.

Which of the following are included in the defined attribute classes?

Select 3 correct answers.

A. default
B. system
C. owner
D. trusted
E. user

QUESTION 4
Which of the following is NOT a valid scan technique with nmap?

A. Window
B. SYN
C. ACK
D. Connect()
E. RST

QUESTION 5
Which of the following are common techniques for securing a sendmail server?

Select 3 correct answers

A. Maintain user accounts in an LDAP directory
B. Enable TLS
C. Disable VRFY
D. Run sendmail in a chroot'd environment
E. Disable USRLKUP

QUESTION 6
What does the following iptables rule accomplish:

iptables -A INPUT -s !127.0.0.0/8 -p tcp --dport 111 -j DROP

A. Drops all packets from the LAN destined for port 111.
B. Drops all packets originating from the local machine unless they are destined for port 111.
C. Drops all packets destined for port 111 which originate from the local machine.
D. Drops all packets destined for port 111 unless they are from the local machine.

QUESTION 7
What is the purpose of tripwire?

A. To act as a honeypot and attract attackers.
B. To enforce mandatory access control policies to confine users to the minimum amount of privilege
required.
C. To monitor a server for break-in attempts and, if desired, ban the IP address.
D. To identify changes to critical system files and directories.

QUESTION 8
You wish to revoke write access for all groups and named users on a file.

Which command will make the correct ACL changes?

A. setfacl -x group:*:rx,user:*:rx afile
B. setfacl -x mask::rx afile
C. setfacl -m mask::rx afile
D. setfacl -m group:*:rx,user:*:rx afile

QUESTION 9
Which of the following are common techniques for securing Nagios?

Select 3 correct answers.

A. Require authentication for access to the CGI scripts
B. Run Nagios in a chroot jail
C. Compile Nagios with the enabletls option
D. Do not run as the root user
E. Disable external commands

QUESTION 10
Which GPG command is used to create a revocation certificate in case a GPG key ever needs to be
cancelled?

A. gpg genrevoke name
B. gpg editkey name followed with the revoke command
C. gpg revoke name
D. gpg createrevoke name

QUESTION 11
An administrator can prevent dictionary-based attacks against an OpenSSH server by forcing
key-based authentication with which 2 parameters in sshd_config?

A. PasswordAuthentication
B. HostKey
C. PrivatekeyAuthentication
D. Serverkey

QUESTION 12
Which statements are true of the following Wireshark capture filter:

(tcp[2:2] > 1500 and tcp[2:2] < 1550) or (tcp[4:2] > 1500 and tcp[4:2] < 1550)

Select 2 correct answers.

A. Every packet being checked has a 2 byte offset.
B. Traffic on ports 1500-1550 is being captured.
C. Traffic on ports 1501-1549 is being captured.
D. Only two bytes are being checked in each packet.
E. Up to four bytes are being checked in each packet.

QUESTION 13
Which of the following statements are advantages that Mandatory Access Control has over
Discretionary Access Control models?

Select 2 correct answers.

A. MAC policies are easier to configure than use of DAC.
B. MAC adds the concept of privileged remote users which is not available with simple DAC.
C. MAC policies increase the ability of the root user to correct errors.
D. MAC lets the kernel help decide if an object, such as a device or process, can access another object.
E. Trust is placed in the administrators and not in individual users.

QUESTION 14
Which of the following are valid OpenVPN authentication modes?

Choose 2 correct answers.

A. S/Key
B. Kerberos
C. Static Key
D. Password
E. TLS

QUESTION 15
Which of the following is NOT included in a Snort rule header?

A. Protocol
B. Action
C. Source IP address
D. Packet byte offset
E. Source port

QUESTION 16
Which of the following export options, when specified in /etc/exports, will tell the server to use the
NFSv4 Pseudofilesystem?

A. fsid=2
B. fsid=0
C. fsid=3
D. fsid=1

QUESTION 17
In the Puppet centralized configuration management tool, a manifest is:

A. A list of all target configuration
B. A configuration document that describes the target configuration and the steps required to achieve it.
C. A list of all files related to a configuration target.
D. A list of the important services on a target configuration.

QUESTION 18
Which syslog configuration line will send out logged messages to a remote syslog server?

A. *.* host:remotehost
B. *.* remote remotehost
C. *.* @remotehost
D. *.* host=remotehost

QUESTION 19
Which of the following are valid NFSv4 security types?

A. RSA
B. SSL
C. SPKM
D. Kerberos
E. LIPKEY

QUESTION 20
An administrator has created a mapping with the following command:

cryptsetup luksOpen /dev/sda1 cryptvol

He has set 3 different keys. Which command below will delete the first key?

A. cryptsetup luksDelKey /dev/sda1 0
B. cryptsetup luksDelKey /dev/sda1 1
C. cryptsetup luksDelKey /dev/mapper/cryptvol 1
D. cryptsetup luksDelKey /dev/mapper/cryptvol 0

QUESTION 21
What is the purpose of snort inline?

A. To run the snort daemon without forking child processes.
B. To have iptables use snort rules to filter packets.
C. To have snort log suspicious activity only, without performing any actions.
D. To run the snort daemon as a non-root user.

QUESTION 22
Which LUKS action, when supplied to the cryptsetup command, will initialize a LUKS partition and
set the initial key?

Provide only the action name.

A. luksFormat
B. luksUnformat
C. FormatLuks
D. UnformatLuks

QUESTION 23
What command is used to create and maintain a Basic Authentication password file for Apache?

Specify only the command, with no path or arguments.

A. htpasswd
B. htpassworld
C. htpsw
D. passwdht

QUESTION 24
You are certain that your kernel has been compiled with ACL support, however, when you try to set
an ACL on a file, you get the following output:

% setfacl -m user:hugh:r afile.txt
setfacl: afile.txt: Operation not supported

What is the most likely reason for this problem?

A. There is an error in the command line parameters.
B. There is no user on the system named hugh.
C. The partition has not been mounted with the acl option.
D. The file afile.txt doesn't exist.

QUESTION 25
SELinux has just been installed on a Linux system and the administrator wants to use SELinux in
permissive mode in order to audit the various services on the system.

What command will switch SELinux into permissive mode?

A. setenforce 0
B. /etc/init.d/selinux stop
C. selinux passive
D. /etc/init.d/selinux startpassive

QUESTION 26
How does AppArmor configure its access control settings?

A. AppArmor does not require any configuration.
B. AppArmor inspects the Linux system to determine which applications are installed and configures itself.
This configuration can then be modified manually.
C. AppArmor relies on precompiled policies. These policies are updated with new releases or can be
downloaded periodically.
D. A profile is assigned per application that specifies the system resources available to the application.

QUESTION 27
The system administrator wishes to use John the Ripper to confirm that the passwords in a file
called passwords are not weak.

John has finished but the terminal window running the program has closed.

What command can be used to list any cracked passwords for this file?

A. john list passwords
B. john list
C. john show
D. john show passwords

QUESTION 28
What OpenSSL command will generate a self-signed test certificate?

A. openssl req -x509 -key privkey.pem -out cacert.pem -days 365.
B. openssl sign -key privkey.pem -out cacert.pem -days 365.
C. openssl req -key privkey.pem -out cacert.pem -days 365.
D. openssl sign -new -x509 -key privkey.pem -out cacert.pem -days 365.

QUESTION 29
What is the default UDP port for OpenVPN traffic?

A. 1194
B. 8080
C. 21
D. 1564

QUESTION 30
DNS servers are vulnerable to which of the following attacks?

Select 3 correct answers.

A. Cache Poisoning
B. Fork Bomb Attack
C. Password-Based Attack
D. Man-in-the-Middle
E. Smurf Attack

QUESTION 31
What does ntop use for data collection?

A. Network packets
B. Log files
C. Frame relay
D. SNMP

QUESTION 32
Postfix daemons can be chroot'd by setting the chroot flag in _________________.

Supply only the filename, without a path.

A. master.cf
B. master.fc
C. master.tw
D. master.gz

QUESTION 33
In Nessus, what does the acronym NASL stand for?

A. Nessus Attack Scripting Language
B. Nessus Attack Hosting Language
C. Nessus Scripting Language Attack
D. Nessus Attack Level Language

QUESTION 34
What does the following iptables rule accomplish:

iptables -A INPUT -d 10.142.232.1 -p tcp --dport 20:21 -j ACCEPT

A. Forwards all traffic not on port 20 or 21 to the host 10.142.232.1
B. Drops all traffic coming from the host 10.142.232.1 destined for port 20 or 21
C. Accepts all traffic from the host 10.142.232.1 destined for port 20 or 21
D. Forwards all traffic on port 20 or 21 to the host 10.142.232.1

QUESTION 35
Which of the following methods can be used to deactivate a rule in Snort?

Select 2 correct answers.

A. Place a # in front of the rule and restart snort.
B. Write a pass rule in local.rule and restart snort with the -o option.
C. Delete the rule and snort will automatically reread its rules files within five minutes.
D. Add the rule to /etc/snort/rules.deactivated and it will take effect immediately.

QUESTION 36
Which of the following lines in the OpenVPN server.conf file will supply a DNS server for DHCP
clients to use?

A. push "dhcpoption DNS 10.142.232.4"
B. push "dhcp DNS 10.142.232.4"
C. push "option DNS 10.142.232.4"
D. push "dhcpoption DNS 10.142.232.4"

QUESTION 37
What is an SO rule in the context of Snort?

A. A loadable snort module
B. A rule which can be written in the Perl programming language
C. A simple object
D. A snort overflow

QUESTION 38
Which of the following are valid Nagios objects?

Select 3 correct answers.

A. Contacts
B. Commands
C. Host Groups
D. Notification Groups
E. Programs

QUESTION 39
The command 'nmap -sS -O 10.142.232.10' produces the following output:

PORT STATE SERVICE
631/tcp open ipp
3306/tcp open mysql

Which of the following statements are true?

Select 2 correct answers.

A. A simple scan was launched.
B. The scan was executed by the root user.
C. Output will be sent to a file instead of stdout.
D. A stealth SYN scan was launched.
E. There are no other services running on the machine.

QUESTION 40
Which OpenSSL command is used to inspect the information stored in a certificate?

A. x509
B. show
C. info
D. req

QUESTION 41
Which of the following commands will create a new, signed tw.pol file?

A. twadmin createpolfile e S mykey.key /etc/tripwire/twpol.txt
B. twadmin createcfgfile S mykey.key /etc/tripwire/twpol.txt
C. twadmin createpolfile S mykey.key /etc/tripwire/twpol.txt
D. twadmin createcfgfile e S mykey.key /etc/tripwire/twpol.txt

QUESTION 42
By default, when verifying a signed file or a file with a detached signature, which keyring is used to
search for public keys?

A. ~/.gnupg/trustdb.gpg
B. ~/.gnupg/secring.gpg
C. ~/.gnupg/trustedkeys.gpg
D. ~/.gnupg/pubring.gpg

QUESTION 43
What does the following iptables rule accomplish:

iptables -A INPUT -s 208.77.188.166 -d 10.142.232.1 -p tcp --dport 22 -j ACCEPT

A. Accepts traffic on port 22 only from the host 208.77.188.166 and 10.142.232.1
B. Forwards all requests from the host 10.142.232.1 on port 22 to the internal host 208.77.188.166
C. Forwards all requests from the host 208.77.188.166 on port 22 to the internal host 10.142.232.1
D. Drops traffic on port 22 only from the host 208.77.188.166 and 10.142.232.1

QUESTION 44
Which utility is used for retrieving, setting, and removing NFSv4 ACLs?

A. nfs4acl or /usr/sbin/nfs4acl

Exam B

QUESTION 1
Which PAM module checks new passwords against dictionary words and enforces complexity?

Specify the module name only without any path.

A. pam_cracklib

QUESTION 2
Which command installs and configures a new FreeIPA server, including all sub-components, and
creates a new FreeIPA domain?

Specify ONLY the command without any path or parameters.

A. ipa-server-install

QUESTION 3
Which of the following sections are allowed within the Kerberos configuration file krb5.conf?

Choose THREE correct answers.

A. [plugins]
B. [crypto]
C. [domain]
D. [capaths]
E. [realms]

QUESTION 4
Which of the following components are part of FreeIPA?

Choose THREE correct answers.

A. DHCP Server
B. Kerberos KDC
C. Intrusion Detection System
D. Public Key Infrastructure
E. Directory Server

QUESTION 5
Which of the following commands disables the automatic password expiry for the user usera?

A. chage --maxdays none usera
B. chage --maxdays 99 usera
C. chage --maxdays -1 usera
D. chage --lastday none usera
E. chage --lastday 0 usera

QUESTION 6
Given a proper network and name resolution setup, which of the following commands establishes a
trust between a FreeIPA domain and an Active Directory domain?

A. ipa trust-add --type ad addom --admin Administrator --password
B. ipa-ad add-trust --account ADDOM\Administrator --query-password
C. net ad ipajoin addom -U Administrator -p
D. trustmanager add -domain ad://addom --user Administrator -w
E. ipa ad join addom -U Administrator -w

QUESTION 7
In which path is the data, which can be altered by the sysctl command, accessible?

A. /dev/sys/
B. /sys/
C. /proc/sys/
D. /sysctl/

QUESTION 8
Which of the following statements is true about chroot environments?

A. Symbolic links to data outside the chroot path are followed, making files and directories accessible.
B. Hard links to files outside the chroot path are not followed, to increase security.
C. The chroot path needs to contain all data required by the programs running in the chroot environment.
D. Programs are not able to set a chroot path by using a function call, they have to use the command
chroot.
E. When using the command chroot, the started command is running in its own namespace and cannot
communicate with other processes.

QUESTION 9
Which of the following commands adds a new user usera to FreeIPA?

A. useradd usera --directory ipa --gecos "User A"
B. ldap-useradd -H ldaps://ipa-server CN=UserA --attribs
"Firstname: User: Lastname: A"
C. ipa-admin create user --account usera -fname User --iname A
D. ipa user-add usera --first User --last A
E. ipa-user-add usera --name "User A"

QUESTION 10
Which command included in the Linux Audit system provides searching and filtering of the audit
log?

A. ausearch

QUESTION 11
Which of the following commands adds users using SSSD's local service?

A. sss_adduser
B. sss_useradd
C. sss_add
D. sss-addlocaluser
E. sss_local_adduser

QUESTION 12
Which of the following DNS record types can the command dnssec-signzone add to a zone?

Choose THREE correct answers.

A. ASIG
B. NSEC
C. NSEC3
D. NSSIG
E. RRSIG

QUESTION 13
What effect does the configuration SSLStrictSNIVHostCheck on have on an Apache HTTPD virtual
host?

A. The clients connecting to the virtual host must provide a client certificate that was issued by the same
CA that issued the server's certificate.
B. The virtual host is served only to clients that support SNI.
C. All of the names of the virtual host must be within the same DNS zone.
D. The virtual host is used as a fallback default for all clients that do not support SNI.
E. Despite its configuration, the virtual host is served only on the common name and Subject Alternative
Names of the server certificates.

QUESTION 14
How does TSIG authenticate name servers in order to perform secured zone transfers?

A. Both servers mutually verify their X509 certificates.
B. Both servers use a secret key that is shared between the servers.
C. Both servers verify appropriate DANE records for the labels of the NS records used to delegate the
transferred zone.
D. Both servers use DNSSEC to mutually verify that they are authoritative for the transferred zone.

QUESTION 15
Which of the following statements are true regarding the certificate of a Root CA?

Choose THREE correct answers.

A. It is a self-signed certificate.
B. It does not include the private key of the CA.
C. It must contain a host name as the common name.
D. It has an infinite lifetime and never expires.
E. It must contain an X509v3 Authority extension.

QUESTION 16
Which of the following parameters to openssl s_client specifies the host name to use for TLS
Server Name Indication?

A. -tlsname
B. -servername
C. -sniname
D. -vhost
E. -host

QUESTION 17
An X509 certificate contains the following information:

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0

Which of the following statements are true regarding the certificate?

Choose THREE correct answers.

A. This certificate belongs to a certification authority.
B. This certificate may be used to sign certificates of subordinate certification authorities.
C. This certificate may never be used to sign any other certificates.
D. This certificate may be used to sign certificates that are not also a certification authority.
E. This certificate will not be accepted by programs that do not understand the listed extension.

QUESTION 18
A LUKS device was mapped using the command:

cryptsetup luksOpen /dev/sda1 crypt-vol

Given that this device has three different keys, which of the following commands deletes only the
first key?

A. cryptsetup luksDelKey /dev/sda1 0
B. cryptsetup luksDelKey /dev/sda1 1
C. cryptsetup luksDelKey /dev/mapper/crypt-vol 1
D. cryptsetup luksDelKey /dev/mapper/crypt-vol 0

QUESTION 19
Which of the following lines in an OpenSSL configuration adds an X509v3 Subject Alternative
Name extension for the host names example.org and www.example.org to a certificate?

A. subjectAltName = DNS: www.example.org, DNS:example.org
B. extension= SAN: www.example.org, SAN:example.org
C. subjectAltName: www.example.org, subjectAltName: example.org
D. commonName = subjectAltName= www.example.org,
subjectAltName = example.org
E. subject= CN= www.example.org, CN=example.org

QUESTION 20
Which option in an Apache HTTPD configuration file enables OCSP stapling?

Specify ONLY the option name without any values or parameters.

A. httpd-ssl.conf

QUESTION 21
Which of the following statements is true regarding eCryptfs?

A. For every file in an eCryptfs directory there exists a corresponding file that contains the encrypted
content.
B. The content of all files in an eCryptfs directory is stored in an archive file similar to a tar file with an
additional index to improve performance.
C. After unmounting an eCryptfs directory, the directory hierarchy and the original file names are still
visible, although, it is not possible to view the contents of the files.
D. When a user changes his login password, the contents of his eCryptfs home directory has to be
re-encrypted using his new login password.
E. eCryptfs cannot be used to encrypt only directories that are the home directory of a regular Linux user.

QUESTION 22
Which of the following keywords are built-in chains for the iptables nat table? (Choose THREE
correct answers.)

A. OUTPUT
B. MASQUERADE
C. PROCESSING
D. POSTROUTING
E. PREROUTING

QUESTION 23
Which of the following methods can be used to deactivate a rule in Snort?

Choose TWO correct answers.

A. By placing a # in front of the rule and restarting Snort.
B. By placing a pass rule in local.rules and restarting Snort.
C. By deleting the rule and waiting for Snort to reload its rules files automatically.
D. By adding a pass rule to /etc/snort/rules.deactivated and waiting for Snort to reload its rules files
automatically.

QUESTION 24
What is the purpose of IP sets?

A. They group together IP addresses that are assigned to the same network interfaces.
B. They group together IP addresses and networks that can be referenced by the network routing table.
C. They group together IP addresses that can be referenced by netfilter rules.
D. They group together IP and MAC addresses used by the neighbors on the local network.
E. They group together IP addresses and user names that can be referenced from /etc/hosts.allow and
/etc/hosts.deny

QUESTION 25
Which of the following statements describes the purpose of ndpmon?

A. It monitors the network for neighbor discovery messages from new IPv6 hosts and routers.
B. It monitors remote hosts by periodically sending echo requests to them.
C. It monitors the availability of a network link by querying network interfaces.
D. It monitors the network for IPv4 nodes that have not yet migrated to IPv6.
E. It monitors log files for failed login attempts in order to block traffic from offending network nodes.

QUESTION 26
Which of the following terms refer to existing scan techniques with nmap?

Choose TWO correct answers.

A. Xmas Scan
B. Zero Scan
C. FIN Scan
D. IP Scan
E. UDP SYN Scan

QUESTION 27
Which directive is used in an OpenVPN server configuration in order to send network configuration
information to the client?

A. push

QUESTION 28
Which of the following statements are valid wireshark capture filters?

Choose TWO correct answers.

A. port range 10000:tcp-15000:tcp
B. port-range tcp 10000-15000
C. tcp portrange 10000-15000
D. portrange 10000/tcp-15000/tcp
E. portrange 10000-15000 and tcp

QUESTION 29
Which option of the openvpn command should be used to ensure that ephemeral keys are not
written to the swap space?

A. --mlock
B. --no-swap
C. --root-swap
D. --keys-no-swap

QUESTION 30
When a user logs into a system using SSH, what is the format of SELinux security context which
will assign the user_r role and the user_t domain to their login session?

A. user_r:user_t system_r:sshd_t
B. sshd_t:system_r user_t:user_r
C. system_r:sshd_t user_r:user_t
D. user_t:user_r sshd_t:system_r

QUESTION 31
A user that is allowed to use the su command under SELinux is also allowed to switch from the
user role to the sysadmin role.

What command will run a new shell for the user in the new context?

Specify the command only, with no path, option or arguments.

A. newrole
B. badrole
C. oldrole
D. arole

QUESTION 32
What does the following iptables rule accomplish:

iptables -A INPUT -s 208.77.188.166 -j DROP

A. Forwards all incoming traffic to the host 208.77.188.166
B. Accepts all traffic from 208.77.188.166
C. Nothing, there is a syntax error
D. Drops all traffic from 208.77.188.166

QUESTION 33
How are SELinux permissions related to standard Linux permissions?

A. SELinux permissions override standard Linux permissions.
B. Standard Linux permissions override SELinux permissions.
C. SELinux permissions are verified before standard permissions.
D. SELinux permissions are verified after standard Linux permissions.

QUESTION 34
A user is attempting to connect to a remote host via SSH and the following message is displayed:

Host key verification failed.

Which of the following options could resolve the problem?

Select 2 correct answers.

A. Add the -o StrictHostKeyChecking=no option to the command.
B. Enable the PasswordAuthentication parameter to the remote host.
C. Generate new SSH host keys on the remote host.
D. Generate new private key which is compatible with the server's host key.
E. Update the remote host's SSH host key in the list of known hosts.

QUESTION 35
SELinux is a Linux feature that:

A. monitors system file access by unprivileged users and warns them they are trying to gain access to files
beyond their permission levels set in the Mandatory Access Control policies.
B. provides only Mandatory Access Control policies. Additional access control models such as Role-based
access control require additional tools to implement.
C. enforces Mandatory Access Control policies that can restrict user space programs and system servers
to the minimum amount of privileges required to operate correctly.
D. ensures that system files referenced in the Mandatory Access Control policies are not modified and alerts
administrators when changes occur.

QUESTION 36
Which of the following rule directives will email [email protected] and [email protected] when
the Mail Configuration rule is violated?

A. (
rulename = "Mail Configuration",
severity = $(SIG_HI),
emailto = [email protected],
emailto = [email protected]
)
B. (
rulename = "Mail Configuration",
severity = $(SIG_HI),
emailto = [email protected],[email protected]
)
C. (
rulename = "Mail Configuration",
severity = $(SIG_HI),
emailto = [email protected];[email protected]
)
D. (
rulename = "Mail Configuration",
severity = $(SIG_HI),
emailto = [email protected],
emailcc = [email protected]
)

QUESTION 37
Specifying the _____________ parameter in sshd_config will allow the administrator to
systematically provide access to certain user accounts by name.

A. AllowUsers
B. AddUsers
C. DenyUsers
D. BlockUsers

QUESTION 38
Which command will list all of the extended attributes on the file afile.txt with the values?

A. getfattr all afile.txt
B. getfattr afile.txt
C. getfattr list afile.txt
D. getfattr dump afile.txt

QUESTION 39
A user is attempting to connect to a remote server via SSH and receives the following message:

The authenticity of host 'mail.example.com (208.77.188.166)' can't be established.
RSA key fingerprint is 92:32:55:e9:c4:20:ae:1b:2c:d7:91:40:90:89:1c:ad.
Are you sure you want to continue connecting (yes/no)?

What does this indicate?

A. The RSA key fingerprint was found in the SpamCop database, indicating that the remote host is a
known spammer.
B. The user's SSH client was unable to connect to the remote host's authentication agent for verification.
C. The user's SSH client is incompatible with the server's RSA key.
D. The server's SSH host key cannot be found in the list of known hosts.

QUESTION 40
Which command is used to add an additional name, email address and comment to an existing
private key?

A. gpg editkey name followed with the adduid command
B. gpg addsubkey
C. gpg addalias name
D. gpg genalias name

QUESTION 41
An administrator has just configured vsftp and notices that she cannot follow symbolic links when
connected to the FTP server.

What is the most likely reason for this?

A. The follow_symlinks=no option has been set in vsftpd.conf
B. vsftpd is running in a chroot environment
C. This installation of vsftp was not compiled with support for symbolic links
D. The user account she is connecting is not listed in /etc/security/ftpusers

QUESTION 42
What can proxymap be used for in a Postfix installation?

Select 2 correct answers.

A. Consolidating the number of open lookup tables.
B. Creating and querying Postfix alias databases.
C. Mapping mail user IDs to system accounts.
D. Overcoming chroot restrictions.
E. Creating and querying Postfix lookup tables.

QUESTION 43
Which directive must be set to 0 in a host or service definition to prevent Nagios from sending more
than one alert for a particular event?

Specify only the directive without any options or parameters.

A. notification_interval
B. notification_alternal
C. interval_notification
D. alterval_notification

QUESTION 44
Which of the following are built-in chains for the iptables nat table?

Select 3 correct answers.

A. OUTPUT
B. INPUT
C. PROCESSING
D. POSTROUTING
E. PREROUTING

Exam C

QUESTION 1
Which GPG command is used to sign a public key?

Select 2 correct answers.

A. gpg signpublickey UID.
B. gpg signkey UID.
C. gpg sign UID.
D. gpg editkey UID followed with the sign command.
E. gpg editkey UID followed with the confirm command.

QUESTION 2
Which command will set the user.author attribute on the file afile.txt?

A. setfacl user.author:"A.Author" afile.txt
B. setfacl -n user.author -v "A.Author" afile.txt
C. setfacl user.author="A.Author" afile.txt
D. setfacl -a user.author="A.Author" afile.txt

QUESTION 3
There is a configuration file being managed by RCS.

Based on timestamps, it appears that someone has modified the file without checking it into RCS.

What command can be used to compare the configuration file with the latest committed version?

Specify the command only, no path or arguments information.

A. rcsdiff

QUESTION 4
An administrator is capturing traffic with Wireshark and is only seeing ARP traffic.

What is the most likely cause of this?

A. The network interface on which the scan is running is not in promiscuous mode.
B. The machine is on a switched network and is therefore only seeing local and broadcast/multicast
packets.
C. The administrator did not enable the TCP and UDP option when starting the scan.
D. The network interface on which the scan is running has the ARP_ONLY flag set.

QUESTION 5
An SELinux security context is required to ensure that all files in /opt have the default context of
system_u:object_r:usr_t.

How should the corresponding configuration entry be formatted?

A. system_u:object_r:usr_t /opt/*
B. /opt/.* system_u:object_r:usr_t
C. /opt/* system_u:object_r:usr_t
D. system_u:object_r:usr_t: /opt/.*
E. system_u:object_r:usr_t /opt/.*

QUESTION 6
On a new Linux system, the root user is being asked to provide the root user password before
being able to use the su command.

What line in the /etc/pam.d/su file will allow root to use su without supplying passwords?

A. auth required pam_norootpw.so
B. auth sufficient pam_norootpw.so
C. auth required pam_rootok.so
D. auth sufficient pam_rootok.so

QUESTION 7
What OpenSSL command will generate a certificate signing request (CSR) using the private key file
privkey.pem?

A. openssl req -key privkey.pem -out cert.csr
B. openssl req -new -key privkey.pem -out cert.csr
C. openssl gencsr -key privkey.pem -out cert.csr
D. openssl gencsr -new -key privkey.pem -out cert.csr

QUESTION 8
Which of the following can be done to secure a BIND server?

Select 3 correct answers.

A. Run the BIND daemon as a non-root user.
B. Configure ACLs.
C. Require clients to authenticate a password before querying the server.
D. Run the BIND daemon in a chroot jail.
E. Encrypt DNS traffic using SSL/TLS.

QUESTION 9
The Apache administrator has added the following lines to the configuration files:

<Directory />
AllowOverride None
</Directory>

What is the purpose of this directive?

A. It stops users from serving HTML files from their home directories.
B. It prevents HTML files from being served out of the / directory.
C. It stops users from setting up .htaccess files unless specifically allowed in additional configuration.
D. It prevents CGI scripts from modifying Apache features dynamically.

QUESTION 10
Where is the global list of known SSH host keys located?

Supply the full path and filename.

A. /etc/ssh/sshd_known_hosts

QUESTION 11
What command will list basic information about all targets available to cryptmount?

Provide the command with any options or parameters.

A. cryptmount --list or /usr/bin/cryptmount -l or /usr/bin/cryptmount --list or cryptmount -l

QUESTION 12
What are the steps which must be followed to enable server-wide zone transfers between two BIND
9 servers securely using TSIG?

A. Generate a key, specify the public key in the named configuration on both servers, create a server
statement in the named configuration on both servers.
B. Generate a key, specify the private key in the named configuration on both servers, create a server
statement in the named configuration on both servers.
C. Generate a key, specify the private key in the named configuration on one server and the public key in
the named configuration on the other, create a remote statement in the named configuration on both
servers.
D. Generate a key, specify the private key in the named configuration on one server and the public key in
the named configuration on the other, create a server statement in the named configuration in both
servers.

QUESTION 13
An administrator has successfully configured a cryptographic volume for dm-crypt, and added the
following line to /etc/fstab:

/dev/mapper/cryptvol /media/crypt auto defaults 0 0

Upon booting the system, the error message "mount: special device /dev/mapper/cryptvol does not
exist" is displayed.

What configuration file has the administrator forgotten to edit?

Provide the full path and filename.

A. /etc/crypttab

QUESTION 14
Which of the following are valid deployment scenarios?

Select 3 correct answers.

A. Public Site
B. Switched Gateway
C. Simple Host
D. Border Gateway
E. Mirror Line

QUESTION 15
What is one of the primary claimed benefits of Smack over SELinux?

A. Smack implements Rule Set Based Access Control. SELinux doesn't support this model.
B. SELinux has export restrictions placed on it by the NSA.
C. Configuration of Smack is much more simple.
D. Smack allows users to share files without administrator intervention.

QUESTION 16
What OpenSSL command will generate a private RSA key of 2048 bits and no passphrase?

A. openssl genrsa -des3 -out privkey.pem 2048
B. openssl genrsa -out privkey.pem 2048
C. openssl genrsa -nopass -out privkey.pem 2048
D. openssl genrsa -npass -des3 -out privkey.pem 2048

QUESTION 17
An administrator has just configured an OpenVPN client. Upon starting the service, the following
message is displayed:

TLS Error: TLS key negotiation failed to occur within 60 seconds

Which of the following statements is true?

A. The client was unable to establish a network connection with the server.
B. The client was able to establish a network connection with the server, however TLS key negotiation
failed, resulting in a fallback to SSL.
C. The client was able to establish a network connection with the server, however TLS and SSL security
are not enabled.
D. The client was able to establish a network connection with the server, however TLS key negotiation took
longer than 60 seconds, indicating that there may be a problem with network performance.

QUESTION 18
Under which path is the SELinux pseudo-filesystem found?

A. /dev/selinux
B. /sys/delinux
C. /selinux
D. /var/selinux
E. /proc/selinux

QUESTION 19
Which option is required to syslogd in order for it to accept remote log messages?

A. s
B. r
C. remote
D. l

QUESTION 20
Which of the following statements are true about Linux Extended Attributes on files?

Select 2 correct answers.

A. An attribute value may be empty.
B. Attribute storage counts towards disk quota use.
C. Attribute use is enabled by mounting a partition with the attr option.
D. An attribute is file, not inode, specific. Thus, a hard linked file in two locations could have different
attributes.
E. Attributes are not used by SELinux and other kernel security modules.

QUESTION 21
Which of the following parameters should be set in main.cf to enable TLS in Postfix?

A. smtpd_tls_cert_file, smtpd_tls_key_file, smtpd_tls_CAfile, smtpd_use_tls
B. smtpd_tls_key_file, smtpd_tls_CAfile, smtpd_use_tls, smtpd_pem_file
C. smtpd_tls_CAfile, smtpd_use_tls, smtpd_tls_pem_file, smtpd_tls_cert_file
D. smtpd_use_tls, emtpd_tls_pem_file, smtpd_tls_cert_file, smtpd_tls_key_file

QUESTION 22
An unprivileged user issued a command which produced the following log message:

avc: denied { getattr } for pid=984 exe=/usr/bin/vim path=/etc/shadow dev=03:01 ino=134343 scontext=hugh:user_r:user_t tcontext=system_u:object:shadow_t tclass=file

What does the message mean?

A. User hugh was not running in a security context that permitted reading the file.
B. User hugh only needs to switch to the object_r role in order to edit /etc/shadow.
C. The security context for hugh is misconfigured and needs access to read any system file.
D. User hugh was not running in a security context that permitted writing to the file.

QUESTION 23
The local system administrator has created a configuration entry for Apache version 2 that isn't
working.

What is wrong with the following configuration?

<Location /members>
AuthName Members
AuthType Basic
AuthUserFile /www/passwd
</Location>

A. The directive require valid-user is missing.
B. Basic Authentication has been removed from Apache 2.x.
C. The format of the password file is not specified.
D. The AuthUserFile must be in the apache configuration directory.

QUESTION 24
When adding additional users to a file's extended ACLs, what is true about the default behaviour
of the ACL mask for the file?

A. The mask is modified to be the union of all permissions of the file owner, owning group and all named
users and groups.
B. The mask is left unchanged.
C. If required, a warning is printed indicating that the mask is too restrictive for the permission being
granted.
D. The mask is modified to be the union of all permissions of the owning group and all named users and
groups.

QUESTION 25
The system administrator is keeping local configuration file changes in RCS.
What command will commit the file to RCS revision control AND keep a local, unlocked copy of the
latest version of the file?

A. ci file
B. rcs commit file
C. rcs -o file
D. ci -u file

QUESTION 26
What is the syntax error in the following simple Puppet configuration file?

class test_class {
file { "/tmp/test.txt":
mode => 600,
owner => root,
group => root
}
}
# Define the node
node testclient {
isa test_class
}

A. Comments begin with // character and not a #.
B. The colon (:) after /tmp/test.txt should be a semicolon (;).
C. Class, node and file section require a semicolon (;) at the end of their definitions.
D. ISA should be include.

QUESTION 27
Which of the following statements is true when querying the extended attributes of a file that has no
extended attributes set?

A. getfattr will print a warning and exit with a value of 0.
B. getfattr will print a warning and exit with a value of 1.
C. No output will be produced and getfattr will exit with a value of 0.
D. No output will be produced and getfattr will exit with a value of 1.

QUESTION 28
What is true about the permissions for the file afile given the following output from getfacl?

Select 2 correct answers.

% getfacl afile
# file: afile
# owner: matt
# group: support
user::rwx
user:hugh:rw-
group::r--
group:staff:r-x
mask::rwx
other::r--

A. Anyone in the support group will be able to read and execute the file.
B. The user hugh will be able to read the contents of the file.
C. Anyone in the users group will be able to read the file.
D. The user matt will not be able to edit this file.
E. Anyone in the staff group will be able to read and execute the file.

QUESTION 29
You have downloaded a file named file.tgz along with a signature file named file.tgz.asc.

Which command can be used to verify that file.tgz has not been tampered with since the file
creator created the signature?

Assume that you have already retrieved the public key of the file creator.

Select 3 correct answers.

A. gpg --verify file.tgz.asc file.tgz
B. gpg --verify file.tgz
C. gpg --verify file.tgz.asc
D. gpgv --verify file.tgz.asc
E. gpgv file.tgz.asc

QUESTION 30
What command will remove the dm-crypt mapping named cryptvol?

Provide the command with any options and parameters.

A. /sbin/cryptsetup remove crypt-vol or cryptsetup remove crypt-vol

QUESTION 31
In which of the following scenarios MUST an administrator use ethernet bridging instead of routing
when configuring an OpenVPN site?

Select 2 correct answers.

A. Some OpenVPN clients will be installed on laptops and must be able to connect from different locations.
B. NetBIOS traffic must be able to traverse the VPN without implementing a WINS server.
C. The IPv4 protocol is required.
D. It will be necessary to use an MTU setting other than the default.
E. The IPX protocol is required.

QUESTION 32
Which GPG command will publish a public key to a public key server?

A. gpg --export-keys UID
B. gpg --publish-keys UID
C. gpg --send-keys UID
D. gpg --push-keys UID

QUESTION 33
Which of the following are valid dm-crypt modes?

Choose 3 correct answers.

A. XTS
B. ESSIV
C. GMR
D. KWG
E. LRW
Correct Answer: ABE

QUESTION 34
The OpenSSL command can be used to test connections with various secure services.

What command will open a connection with a remote POP3S (POP3 over SSL) server?

A. openssl -connect -host pop.example.com:pop3s
B. openssl -connect pop.example:pop3s
C. openssl s_client -connect pop.example.com:pop3s
D. openssl s_client pop.example.com:pop3s

QUESTION 35
The system administrator wishes to use the pam_listfile.so module to restrict which users are
allowed to login via SSH.

Which line will configure this behaviour?

A. auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed
B. auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.deny onerr=succeed
C. auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.deny onerr=fail
D. auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=fail

QUESTION 36
Which parameter in vsftp.conf will restrict users to their home directory?

Supply only the parameter name, with no option or values.

A. chroot_local_user

QUESTION 37
What is true about the permissions for the file afile given the following output from getfacl?

Select 2 correct answers.

% getfacl afile
# file: afile
# owner: matt
# group: support
user::rwx
user:hugh:rw-
group::r--
group:staff:r-x
mask::rwx
other::r--

A. Anyone in the support group will be able to read and execute the file.
B. The user hugh will be able to read the contents of the file.
C. Anyone in the users group will be able to read the file.
D. The user matt will not be able to edit this file.
E. Anyone in the staff group will be able to read and execute the file.

QUESTION 38
Which of the following is NOT a valid scan technique with nmap?

A. Window
B. SYN
C. ACK
D. Connect()
E. RST

QUESTION 39
You wish to revoke write access for all groups and named users on a file.

Which command will make the correct ACL changes?

A. setfacl -x group:*:rx,user:*:rx afile
B. setfacl -x mask::rx afile
C. setfacl -m mask::rx afile
D. setfacl -m group:*:rx,user:*:rx afile

QUESTION 40
With SELinux, what is the command that is used for changing the context of a file?

Specify the command only, with no path information or arguments.

A. chcon chsid setfattr

QUESTION 41
Postfix daemons can be chroot'd by setting the chroot flag in _________________.

Supply only the filename, without a path.

A. master.cf

QUESTION 42
What is an SO rule in the context of Snort?

A. A loadable snort module.
B. A rule which can be written in the Perl programming language.
C. A simple object.
D. A snort overflow.

QUESTION 43
When adding additional users to a file's extended ACLs, what is true about the default behaviour
of the ACL mask for the file?

A. The mask is modified to be the union of all permissions of the file owner, owning group and all named
users and groups.
B. The mask is left unchanged.
C. If required, a warning is printed indicating that the mask is too restrictive for the permission being
granted.
D. The mask is modified to be the union of all permissions of the owning group and all named users and
groups.

QUESTION 44
What is the difference between an SELinux domain and an SELinux type?

A. A domain is a group of SELinux types.
B. A domain defines the range of access that an object has. A type is used to define an access level.
C. A domain is assigned to processes while a type is assigned to objects such as files and directories.
D. A domain is an alternative keyword for type.
