Lab 10

Uploaded by Công Thành

LAB 10

1. What is the main objective of an Incident Response Plan (IRP)?
A) To enhance user experience
B) To quickly and efficiently handle and mitigate incidents
C) To improve software development speed
D) To increase sales

2. Which phase of the IRP involves identifying critical assets?
A) Identification
B) Preparation
C) Eradication
D) Recovery

3. What is the role of a Linux System Administrator in an incident response team?
A) To develop marketing strategies
B) To ensure system stability and security
C) To manage HR policies
D) To handle financial transactions

4. Which command is used to check the disk space usage in Linux?
A) df
B) du
C) ls
D) cat

5. What is the importance of defining roles and responsibilities in an Incident Response Plan?
A) To ensure accountability and streamline the response process
B) To confuse the team
C) To increase bureaucracy
D) To delay the response

6. Which command is used to monitor system logs in real-time?
A) ls -l
B) cat /var/log/syslog
C) tail -f /var/log/syslog
D) grep -i error /var/log/syslog

7. What is the first step in the Incident Response lifecycle?
A) Containment
B) Recovery
C) Preparation
D) Identification

8. Why is regular training important for an incident response team?
A) To ensure team members know their roles and can respond effectively
B) To reduce team size
C) To increase costs
D) To complicate processes

9. Which Linux command is used to check the network configuration and status?
A) ifconfig
B) netstat
C) nslookup
D) route

10. What is the purpose of an incident response policy?
A) To provide guidelines for handling incidents
B) To create marketing campaigns
C) To recruit new employees
D) To develop software

11. What was the root cause of the ASF incident on April 9, 2010?
A) Natural disaster
B) Unauthorized access to their infrastructure
C) Hardware failure
D) Software bug

12. How did ASF detect the incident?
A) User complaint
B) Intrusion detection system alert
C) Manual system check
D) External notification

13. Which command can be used to view Apache server logs?
A) tail -f /var/log/apache2/access.log
B) cat /etc/apache2/apache2.conf
C) ps aux | grep apache
D) netstat -tuln

14. What was one key response action taken by ASF after detecting the incident?
A) Changing all passwords and SSH keys
B) Ignoring the incident
C) Upgrading hardware
D) Shutting down the internet

15. Why is it important to conduct post-incident reviews?
A) To learn from the incident and improve future response
B) To punish the responsible employees
C) To decrease budget
D) To ignore the lessons learned

16. What is one advantage of using a Live CD for incident response?
A) It runs a clean operating system independent of the compromised system
B) It requires installation on the compromised system
C) It increases the risk of data corruption
D) It slows down the response process

17. Which Linux Live CD is commonly used for forensic analysis?
A) Kali Linux
B) Ubuntu Desktop
C) CentOS
D) Fedora

18. How does a Live CD help in maintaining the integrity of the compromised system?
A) By ensuring no changes are made to the system during analysis
B) By modifying system files
C) By encrypting all data
D) By deleting logs

19. Which command is used to mount a filesystem read-only?
A) mount -o ro
B) umount
C) ls -l
D) rm -rf

20. Why might an investigator use a Live CD during an incident response?
A) To ensure a clean environment for analysis
B) To increase system load
C) To install new software
D) To defragment the hard drive

21. What is the first step when responding to a suspected system compromise?
A) Disconnect the system from the network
B) Reboot the system
C) Inform the media
D) Delete suspicious files

22. Which command lists all currently running processes in Linux?
A) ps aux
B) top
C) ls
D) cd

23. How can you check for unauthorized user accounts?
A) cat /etc/passwd
B) ls /home
C) df -h
D) free -m

24. Which tool scans for rootkits on a Linux system?
A) chkrootkit
B) top
C) df
D) tar

25. Why is preserving evidence crucial during incident response?
A) To analyze the attack and improve defenses
B) To destroy the evidence
C) To avoid legal consequences
D) To share it on social media

26. Which command shows active network connections?
A) netstat -tuln
B) ping
C) ssh
D) chmod

27. How can system file integrity be verified?
A) Using a file integrity monitoring tool like Tripwire
B) By rebooting the system
C) By deleting all logs
D) By running a full system backup

28. What is the purpose of creating a forensic disk image?
A) To create an exact, bit-by-bit copy of the disk for analysis
B) To create a backup of the disk
C) To clone the disk for future use
D) To defragment the disk

29. Which command creates a disk image in Linux?
A) dd
B) cp
C) mv
D) grep

30. Why is having a response team ready before an incident beneficial?
A) To ensure a prompt and effective response
B) To increase downtime
C) To reduce employee salaries
D) To avoid reporting the incident

31. Which is NOT a best practice for security breach detection?
A) Regularly updating software and systems
B) Ignoring security alerts
C) Implementing intrusion detection systems
D) Conducting regular security training

32. What is the benefit of a centralized logging system?
A) It simplifies monitoring and analysis of logs
B) It slows down the system
C) It increases storage requirements
D) It complicates incident response

33. How can log authenticity be ensured?
A) By using a checksum or hash to verify integrity
B) By deleting old logs
C) By encrypting the log files
D) By storing logs on a remote server

34. What is the role of an Intrusion Detection System (IDS)?
A) To detect and alert on suspicious activity
B) To block all network traffic
C) To delete compromised files
D) To shut down the system

35. Which command checks the integrity of a file using SHA-256 hash?
A) sha256sum
B) md5sum
C) cat
D) grep

36. Why are regular vulnerability assessments important?
A) To identify and fix security weaknesses before they are exploited
B) To increase the number of incidents
C) To reduce system performance
D) To complicate system management

37. Which command is used to install Docker on a Linux system?
A) sudo apt-get install docker.io
B) sudo yum install docker
C) sudo pacman -S docker
D) All of the above

38. How do you start the Snort service in a Docker container?
A) docker run -d snort
B) docker start snort
C) systemctl start snort
D) service snort start

39. Which command is used to list all Docker containers?
A) docker ps -a
B) docker images
C) docker run -a
D) docker list

40. What is the primary function of Snort?
A) Web development
B) Intrusion detection and prevention
C) Database management
D) File compression

41. Which command is used to create an IPFire virtual machine using VirtualBox?
A) vboxmanage createvm --name IPFire
B) virtualbox createvm IPFire
C) vboxcreate --vm IPFire
D) createvm --name IPFire

42. What is IPFire primarily used for?
A) Web hosting
B) Network security and firewall
C) File storage
D) Email services

43. How do you import the IPFire ISO into VirtualBox?
A) Select the virtual machine, go to Settings -> Storage, and add the ISO file
B) Use the command line to import the ISO
C) Drag and drop the ISO into VirtualBox
D) None of the above

44. Which command is used to clone a GitHub repository for installing Nikto?
A) git clone https://github.com/sullo/nikto
B) git fetch https://github.com/sullo/nikto
C) git pull https://github.com/sullo/nikto
D) git copy https://github.com/sullo/nikto

45. What is the primary use of Nikto?
A) Web server vulnerability scanning
B) Network intrusion detection
C) System performance monitoring
D) Data backup

46. How do you run Nikto after installation?
A) nikto -h <hostname>
B) nikto_scan <hostname>
C) run_nikto <hostname>
D) nikto --scan <hostname>

47. Which file needs to be edited to configure Snort rules?
A) /etc/snort/snort.conf
B) /var/log/snort/rules.conf
C) /usr/local/snort/etc/rules.conf
D) /etc/snort/rules.d

48. What is the purpose of running Snort in IDS mode?
A) To monitor and analyze network traffic for suspicious activity
B) To block all incoming network traffic
C) To optimize network performance
D) To manage network devices

49. How do you check the status of a Docker container running Snort?
A) docker ps
B) docker status
C) docker check snort
D) docker run snort --status

50. What is the command to stop a running Docker container?
A) docker stop <container_id>
B) docker halt <container_id>
C) docker end <container_id>
D) docker terminate <container_id>
