
Appendix B: Final Test

The following questions will help you measure your understanding of the material presented in this book. Read all the choices carefully, because there might be more than one correct answer. Choose, and in some cases explain, all correct answers for each question. It's in your best interest to retake this test until you can answer all questions correctly before taking Sun's exam. The answers are provided in Appendix C.

1.

In the Solaris cryptographic framework, which of the following best explains providers?

  A. Applications, end users, or kernel operations

  B. User-level plug-ins, kernel-level plug-ins, and hardware plug-ins

  C. Cryptographic plug-ins that consumers use

  D. All of the above

    B and C. Providers are cryptographic plug-ins that consumers use. According to Sun, the framework allows only three types of plug-ins: user-level plug-ins that are shared objects that provide services by using PKCS #11 libraries, kernel-level plug-ins that provide for implementations of algorithms in software, and hardware plug-ins that are device drivers and their associated hardware accelerators.

    A is wrong because consumers, not providers, can be applications, end users, or kernel operations.

2.

Which of these databases contains role information?

  A. prof_attr

  B. exec_attr

  C. user_attr

  D. passwd

  E. shadow

  F. All of the above

    C, D, and E. Role information can be found in the passwd, shadow, and user_attr databases. The user_attr database contains user and role information that supplements the passwd and shadow databases. This database also contains extended user attributes such as authorizations, rights profiles, and assigned roles.

    A and B are wrong because the rights profile name and authorizations can be found in the prof_attr database, while the rights profile name and commands with specific security attributes are stored in the exec_attr database.

3.

How would you set the minimum free disk space for an audit file before a warning is sent?

   To set the minimum free disk space for an audit file before a warning is sent, you need to modify the /etc/security/audit_control file by adding the minfree argument followed by a percentage.

4.

Which of these techniques is used to actively detect and display superuser access attempts on the console?

  A. By commenting out the CONSOLE=/dev/console entry in the /etc/default/login file

  B. By uncommenting the CONSOLE=/dev/console entry in the /etc/default/su file

  C. By uncommenting the CONSOLE=/dev/console entry in the /etc/default/login file

  D. By commenting out the CONSOLE=/dev/console entry in the /etc/default/su file

  E. All of the above

    B. To actively detect and display superuser access attempts on the console in real time, uncomment the CONSOLE=/dev/console entry in the /etc/default/su file.

    A is wrong because you will enable remote superuser login access. C is wrong because by uncommenting the CONSOLE=/dev/console entry in the /etc/default/login file you will disable remote superuser login access. D is wrong because that will simply turn off the detection and display of superuser access attempts directly on the console.
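The settings behind questions 3 and 4 (the minfree entry in /etc/security/audit_control, and the CONSOLE entry in /etc/default/su and /etc/default/login) can be verified without editing anything. The following Python script is an added example and is not code from the book: it parses file contents passed in as strings, so the constructed samples at the bottom (SAMPLE_SU, SAMPLE_LOGIN, SAMPLE_AUDIT_CONTROL) are invented for illustration, and every function name is the example's own; check_host() reads the real files when run on a Solaris host.

```python
"""Added example (not from the book): read-only checks for the audit_control
minfree setting (question 3) and the CONSOLE entries in /etc/default/su and
/etc/default/login (question 4). The parsing functions take file contents as a
string so they can be run on constructed samples; check_host() reads the real
files. All function names and sample contents are this example's own."""
import re

# An active (uncommented) KEY=VALUE assignment in an /etc/default-style file.
_ASSIGN = re.compile(r"^\s*([A-Za-z_]+)=(\S*)\s*$")


def default_values(text):
    """Return {KEY: VALUE} for uncommented assignments; a line whose first
    non-blank character is '#' is a comment, so '#CONSOLE=/dev/console'
    counts as unset. The first assignment of a key wins."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if match and match.group(1) not in values:
            values[match.group(1)] = match.group(2)
    return values


def su_console_detection_enabled(su_text):
    """True when CONSOLE=/dev/console is uncommented in /etc/default/su,
    i.e. superuser access attempts are displayed on the console (choice B)."""
    return default_values(su_text).get("CONSOLE") == "/dev/console"


def remote_root_login_blocked(login_text):
    """True when CONSOLE=/dev/console is uncommented in /etc/default/login,
    i.e. remote superuser logins are disabled (the effect described for choice C)."""
    return default_values(login_text).get("CONSOLE") == "/dev/console"


def audit_minfree(audit_control_text):
    """Return the minfree percentage from audit_control text as an int, or
    None when no minfree line is present. Entries are 'keyword:value' lines;
    lines starting with '#' are comments."""
    for line in audit_control_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            continue
        key, value = (part.strip() for part in stripped.split(":", 1))
        if key == "minfree":
            return int(value)
    return None


def summarize(su_text, login_text, audit_control_text):
    """Combine the three checks into one report dictionary."""
    return {
        "su_console_detection": su_console_detection_enabled(su_text),
        "remote_root_login_blocked": remote_root_login_blocked(login_text),
        "audit_minfree_percent": audit_minfree(audit_control_text),
    }


def check_host(su_path="/etc/default/su", login_path="/etc/default/login",
               audit_path="/etc/security/audit_control"):
    """Run the checks against real files; a missing or unreadable file reads as empty."""
    def read(path):
        try:
            with open(path, encoding="ascii", errors="replace") as fh:
                return fh.read()
        except OSError:
            return ""
    return summarize(read(su_path), read(login_path), read(audit_path))


# Constructed sample contents (invented for this example, not from any host).
SAMPLE_SU = "# SULOG=/var/adm/sulog\nCONSOLE=/dev/console\nPATH=/usr/bin:\n"
SAMPLE_LOGIN = "#CONSOLE=/dev/console\nPASSREQ=YES\n"
SAMPLE_AUDIT_CONTROL = "dir:/var/audit\nflags:lo\nminfree:20\nnaflags:lo\n"

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_SU, SAMPLE_LOGIN, SAMPLE_AUDIT_CONTROL).items():
        print(f"{name}: {value}")
```

With the samples, the report shows su detection on, remote root login not blocked (the login file's CONSOLE line is commented out), and minfree at 20 percent. Treating a commented-out line as "unset" is the point of the parser: a warning on a review checklist is only as good as the distinction between the line being present and the line being active.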

5.

Why is a process life cycle–based approach to information security management appropriate?

  A. Because it is the only existing approach

  B. Because it is a good practice

  C. Because it takes into account changing environment

  D. Because it is business-oriented

  E. All of the above

    B, C, and D. A process life cycle-based approach to information security management is appropriate because it takes into account changing information systems environments, it is business-oriented, and it is considered a good practice.

    A is incorrect because the process life cycle-based approach is not the only existing approach to information security management.

6.

What is the rationale behind nondisclosure of software version numbers and other details of systems used?

  A. Making attackers spend more time and effort

  B. To avoid easy identification of bugs and vulnerabilities of deployed software

  C. To avoid or minimize script kiddie attacks

  D. To comply with principles of minimization and least privilege

  E. All of the above

    E. All of the answers are correct. It is important to protect software version numbers and other details of your systems in order to make attackers spend more time and effort on an attack, to avoid easy identification of bugs and vulnerabilities of deployed software, to avoid or minimize script kiddie attacks, and to comply with principles of minimization and least privilege.

7.

When executable stacks with permissions set to read/write/execute are allowed, programs by default will be vulnerable to buffer overflow attacks.

  A. True

  B. False

    B. False. When default executable stacks with permissions set to read, write, and execute are allowed, programs may be inherently vulnerable to buffer overflow attacks.

    A is incorrect because by default programs are not inherently vulnerable to stack smashing. This is especially true when the latest patches have been applied.

8.

Which of the following is a form of denial of service acting as a system process that replicates itself until it exceeds the maximum number of allowable processes?

  A. Trojan horse

  B. Worm

  C. Logic bomb

  D. Fork bomb

  E. Rootkit

  F. All of the above

    D. A fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes.

    A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. B is incorrect because a worm is a self-replicating program that will copy itself from system to system. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system.

9.

Which of the following are benefits of Role-Based Access Control (RBAC)?

  A. Privilege commands can execute with administrative capabilities usually reserved for administrators.

  B. System administrators can delegate privileged commands to non-root users without giving them full superuser access.

  C. Rights profiles, privileges, and authorizations can be assigned directly to users.

  D. Users can be assigned only the exact privileges and permissions necessary for performing a job.

  E. All of the above

    B and D. RBAC allows system administrators to delegate privileged commands to non-root users without giving them full superuser access to the system. Similarly, users can be assigned only the exact privileges and permissions necessary for performing a job.

    A is wrong because, although it's true that privilege commands execute with administrative capabilities usually reserved for administrators, that statement does not describe a benefit of RBAC. C is wrong because Sun's best practices dictate that you do not assign rights profiles, privileges, and authorizations directly to users, or privileges and authorizations directly to roles. It's best to assign authorizations to rights profiles, rights profiles to roles, and roles to users.

10.

What is the purpose of audit trail and logs?

  A. They record events as they happen.

  B. Audit trail can be used in court proceedings but logs cannot.

  C. They serve to establish accountability.

  D. They may be used in place of deterrent controls.

  E. All of the above

    C. The purpose of audit trails and logs is to provide accountability in information systems.

    A is correct but is not the best answer; choices B and D are wrong. The issue of whether audit trails and logs can be used in court proceedings would depend on the particular jurisdiction and is outside the scope of this book; audit trails and logs are detective controls but may function as deterrent controls as well when their existence is known to potential attackers.

11.

Security life cycle includes which of the following?

  A. Preventive controls

  B. Detection

  C. Controls that deter potential attackers

  D. Incident response

  E. All of the above

    E. All answers are correct. The security life cycle process consists of prevention, detection, response, and deterrence.

12.

Which of these tools can be used to check the integrity of system files?

  A. MD5

  B. The Solaris Fingerprint Database

  C. sfpDB

  D. SHA1

  E. System files checks

  F. All of the above

    F. All answers are correct. A message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. The MD5 (for shorter message digests) and the Secure Hashing Algorithm (SHA1, for larger message digests) are among the most popular message digest algorithms. The Solaris Fingerprint Database (sfpDB) is a free tool from Sun that allows you to check the integrity of system files online through cryptographic checksums stored in the database. System files checks is an ASET task used as a file comparison check from a master file that is created when the task is first executed.

13.

Explain the meaning of a "right" as it pertains to Role-Based Access Control (RBAC).

   A right is a named collection, consisting of commands, authorizations to use specific applications (or to perform specific functions within an application), and other, previously created, rights, whose use can be granted or denied to an administrator.

14.

List and explain the providers supported by the Solaris cryptographic framework.

   Providers are cryptographic plug-ins that applications, end users, or kernel operations (all termed "consumers") use. The Solaris cryptographic framework allows only three types of plug-ins: user-level plug-ins that are shared objects that provide services by using PKCS #11 libraries, kernel-level plug-ins that provide for implementations of algorithms in software, and hardware plug-ins that are device drivers and their associated hardware accelerators.

15.

Fingerprints can be used for:

  A. What you have authentication

  B. What you are authentication

  C. Biological identification

  D. Keeping things simple

  E. All of the above

    B. Fingerprints can be used for what you are, or biometric, authentication.

    A is wrong because what you have authentication refers to token-based authentication mechanisms. C is wrong because there is no such term as biological identification in information security. D is wrong because the use of fingerprints does not simplify authentication or identification since it requires additional configuration and tuning.

16.

Which of the following can be used to check the integrity of the system's files?

  A. Access control lists (ACLs)

  B. Device policy

  C. Device allocation

  D. Basic Audit Reporting Tool (BART)

  E. All of the above

    D. The Basic Audit Reporting Tool (BART) is used to check the integrity of files.

    A is wrong because access control lists (ACLs) are used to control access to files. B and C are wrong because device policy and device allocation are used to control access to devices.
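Questions 12 and 16 both rest on the same idea: a cryptographic digest of each file is recorded while the system is known to be good, then recomputed later and compared, so that any added, removed, or altered file stands out. The following Python script is an added example of that baseline-and-compare approach; it is not BART, not the Solaris Fingerprint Database, and not code from the book. The sample file contents are constructed for the example, and the function names are the example's own.

```python
"""Added example (not from the book, and not BART or sfpDB): a minimal
baseline-and-compare file integrity check of the kind questions 12 and 16
describe. A manifest maps each file to (size, digest); comparing a later
manifest against the baseline reports added, removed, and changed files."""
import hashlib
import os


def fingerprint(data, algorithm="sha1"):
    """Hex digest of a byte string. 'md5' and 'sha1' are the algorithms the
    book names; hashlib also accepts stronger ones such as 'sha256'."""
    return hashlib.new(algorithm, data).hexdigest()


def build_manifest(files, algorithm="sha1"):
    """files: {relative_path: bytes}. Returns {relative_path: (size, digest)}.
    The size is recorded alongside the digest as a cheap first check."""
    return {path: (len(data), fingerprint(data, algorithm))
            for path, data in files.items()}


def manifest_from_directory(root, algorithm="sha1"):
    """Walk a real directory tree and build its manifest (regular files only;
    symbolic links are skipped so a link cannot stand in for a file)."""
    files = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return build_manifest(files, algorithm)


def compare_manifests(baseline, current):
    """Return sorted lists of paths that were added, removed, or changed
    (same path, different size or digest) relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    changed = [p for p in base_paths & cur_paths if baseline[p] != current[p]]
    return {"added": sorted(cur_paths - base_paths),
            "removed": sorted(base_paths - cur_paths),
            "changed": sorted(changed)}


# Constructed sample "system files" (contents invented for this example).
BASELINE_FILES = {
    "etc/passwd": b"root:x:0:0:Super-User:/:/sbin/sh\n",
    "usr/bin/ls": b"\x7fELF-sample-binary-v1",
    "etc/inetd.conf": b"#ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n",
}
CURRENT_FILES = {
    "etc/passwd": b"root:x:0:0:Super-User:/:/sbin/sh\n",   # unchanged
    "usr/bin/ls": b"\x7fELF-sample-binary-v2",            # contents replaced
    "usr/bin/.hidden": b"extra",                          # new file; inetd.conf is gone
}


def demo():
    """Compare the constructed baseline with the constructed current state."""
    return compare_manifests(build_manifest(BASELINE_FILES),
                             build_manifest(CURRENT_FILES))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or '(none)'}")
```

The comparison is only as trustworthy as the baseline: the manifest must be produced on a clean system and stored somewhere the monitored host cannot silently rewrite, which is the same reason the book's sfpDB keeps its checksums off the host being checked.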

17.

Half-open connections are commonly initiated by an attacker in which of these types of attacks?

  A. Program buffer overflow

  B. Ping of Death

  C. Executable stacks

  D. SYN flooding

  E. Smurf attacks

  F. All of the above

    D. During a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. This is referred to as a half-open connection, because during a normal connection between a client and a server, the connection is considered to be "open" after the handshake process. When the server has not received an ACK from the client, the connection is considered to be half-open.

    A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed. B is incorrect because Ping of Death is a malformed ICMP packet attack in which an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

18.

Which of the following is a self-replicating program that will copy itself from system-to-system?

  A. Trojan horse

  B. Worm

  C. Logic bomb

  D. Fork bomb

  E. Rootkit

  F. All of the above

    B. A worm is a self-replicating program that will copy itself from system to system, sometimes using up all available resources on a target or installing a backdoor on the system.

    A is incorrect because a Trojan horse program is a malicious program that is disguised as some useful software. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. D is incorrect because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

19.

Which command can be used to create roles and associate a role with an authorization or a profile from the command line?

  A. ppriv

  B. smc &

  C. usermod

  D. roleadd

  E. All of the above

    D. The roleadd command can be used to create roles and associate a role with an authorization or a profile from the command line.

    A is wrong because to check the privileges available to your current shell's process, you would use the ppriv -v pid command (where pid is the process ID, for example $$). B is wrong because in order to start the management console you would issue the /usr/sbin/smc & command. C is wrong because the usermod command associates a user's login with a role, profile, and authorization in the /etc/user_attr database, which can also be used to grant a user access to a role.

20.

In the Solaris cryptographic framework, which of the following best explains consumers?

  A. Applications, end users, or kernel operations

  B. User-level plug-ins, kernel-level plug-ins, and hardware plug-ins

  C. Cryptographic plug-ins that consumers use

  D. All of the above

    A. Consumers can be applications, end users, or kernel operations.

    B and C are wrong because providers are cryptographic plug-ins that consumers use. According to Sun, the framework allows only three types of plug-ins: user-level plug-ins that are shared objects that provide services by using PKCS #11 libraries, kernel-level plug-ins that provide for implementations of algorithms in software, and hardware plug-ins that are device drivers and their associated hardware accelerators.

21.

Which of the following can be assigned to a role or user as a collection of administrative functions and can contain authorizations and privilege commands or rights profiles?

  A. Authorization

  B. Privilege

  C. Privileged application

  D. Rights profile

  E. Role

  F. All of the above

    D. A rights profile can be assigned to a role or user as a collection of administrative functions. Rights profiles can contain authorizations, privilege commands, or other rights profiles.

    A is wrong because an authorization can be assigned to a role or user but is typically included in a rights profile. B is wrong because a privilege can be granted to a command, user, role, or system. Privilege gives a process the ability to perform an operation and therefore enforces security policy in the kernel. C is wrong because a privileged application can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command. E is wrong because a role is a predefined identity that can run privileged applications.

22.

Which of these is code that is inserted into programming code and is designed to execute under specific circumstances?

  A. Trojan horse

  B. Worm

  C. Logic bomb

  D. Fork bomb

  E. Rootkit

  F. All of the above

    C. A logic bomb is code that is inserted into programming code designed to execute under specific circumstances.

    A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. B is incorrect because a worm is a self-replicating program that will copy itself from system to system. D is wrong because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system.

23.

Which of these is an ASET task that is used to verify the integrity of user accounts, their passwords, and their groups?

  A. System files permissions tuning

  B. System files checks

  C. User and group checks

  D. System configuration files check

  E. Environment variables check

  F. EEPROM check

  G. Firewall setup

  H. All of the above

    C. The user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. The primary check is made from the passwd and group files, and the passwords in local, NIS, and NIS+ files.

    A is wrong because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. For each security level a list of directories that contains files to check is automatically defined; however, this list can be modified. D is incorrect because during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and then reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

24.

Assuming the syslog kern facility is set to notice level, when you disallow executable stacks, programs that attempt to execute code on their stack will likely do which of these?

  A. Execute the program with privileges.

  B. Display a warning message with the name of the program, its process ID, and the UID of the user who ran the program.

  C. Monitor executable stacks.

  D. Log a message by syslog.

  E. All of the above

    B and D. When you disallow executable stacks, programs that attempt to execute code on their stack will abort with a core dump. At that time, a warning message will be displayed with the name of the program, its process ID, and the UID of the user who ran the program. In addition, the message can be logged by syslog when the syslog kern facility is set to notice level.

    A is incorrect because when a program attempts to execute code on its stack when you disallow executable stacks, the program will abort. C is incorrect because whether or not you are monitoring executable stacks has nothing to do with the results of a program that attempts to execute code on its stack.

25.

Which type of attack occurs when a broadcasted ping request is sent to every system on the target's network?

  A. Program buffer overflow

  B. Ping of Death

  C. Executable stacks

  D. SYN flooding

  E. Smurf attacks

  F. All of the above

    E. A Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

    A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed. B is incorrect because Ping of Death is a malformed ICMP packet attack by which an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack the attacker sends a flood of connection requests but does not respond to any of the replies.

26.

A backdoor can be a legitimate remote access portal to perform debugging and troubleshooting tasks.

  A. True

  B. False

    A. True. A popular form of permissible backdoor that can potentially be exploitable is a program set up by a programmer to provide remote access to the system to perform debugging and troubleshooting tasks.

27.

Which of the following can be used to restrict and prevent access to peripheral devices?

  A. AUE_MODDEVPLCY event

  B. Device policy

  C. Running the bsmconv script

  D. Device allocation

  E. Issuing the update_drv -a -p policy device-driver command

  F. All of the above

    C and D. The bsmconv script is used to enable the auditing service, which also enables device allocation, which is enforced during user allocation to require user authorization to access a peripheral device such as a CD-ROM or printer.

    A is wrong because the AUE_MODDEVPLCY audit event is part of the as audit class by default, and is used to audit changes in device policy. B is incorrect because device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system. E is wrong because to modify or update a device policy for a specific device to restrict or prevent access, you would use the update_drv -a -p policy device-driver command.

28.

Which of the following can be used to restrict and prevent access to devices integral to the system?

  A. AUE_MODDEVPLCY event

  B. Device policy

  C. Running the bsmconv script

  D. Device allocation

  E. Issuing the update_drv -a -p policy device-driver command

  F. All of the above

    B and E. Device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system by mandating that processes that open such a device require certain privileges such as reading and writing. To modify or update a device policy for a specific device to restrict or prevent access, you would use the update_drv -a -p policy device-driver command.

    A is wrong because the AUE_MODDEVPLCY audit event is part of the as audit class by default, which is used to audit changes in device policy. C is incorrect because the bsmconv script is used to enable the auditing service, which also enables device allocation. D is wrong because device allocation is enforced during user allocation to require user authorization to access a peripheral device such as a CD-ROM or printer.

29.

Which of the following can be used to merge audit files into a single output source to create an audit trail?

  A. audit -s

  B. auditconfig -conf

  C. bsmconv

  D. bsmrecord

  E. auditreduce

  F. All of the above

    E. The auditreduce command can be used to merge audit files into a single output source to create an audit trail.

    A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. C is wrong because you would run the bsmconv script to enable and disable the auditing service. D is wrong because the bsmrecord command can be used to display record formats.

30.

To perform system maintenance, you must bring system resources down to minimum levels. Which of these techniques can be used to disable user logins?

  A. Bring the system down to single-user mode.

  B. Issue the shutdown -g 120 -y command.

  C. Issue the init S command.

  D. Create a /etc/nologin file.

  E. Disable user accounts individually with the Solaris Management Console.

  F. All of the above

    F. All answers are correct. Disabling user logins can be accomplished by creating a /etc/nologin file, bringing the system down to single-user mode (by issuing the init S or shutdown command with the default init state), and disabling user accounts individually with the Solaris Management Console (SMC) interface.

31.

Which of the following statements are true?

  A. Certification is the technical evaluation of systems.

  B. Certification is done by an organization's management.

  C. Accreditation is the formal acceptance of the system and its risks.

  D. Certification requires accreditation.

  E. All of the above

    A and C. Certification is the technical evaluation of systems, and it is granted by independent and qualified third parties. Certification does not require accreditation. Certification is a basis for accreditation, but the responsibility for the accredited system lies mainly with the management of the organization that accredits the system.

    B is incorrect because certification is not done by an organization's management. D is incorrect because certification does not require accreditation.

32.

How can you protect systems against brute-force attacks?

  A. Use strong authentication.

  B. Make the amount of time and computations required unaffordable.

  C. Use longer passwords and keys.

  D. Use Role-Based Access Control.

  E. All of the above

    B and C. The defense against brute-force attacks is to make the amount of time and computations required to conduct an exhaustive search impossible to afford by using a sufficiently large set, that is, longer passwords and keys.

    A and D are incorrect. The use of strong authentication alone would not guarantee protection against brute-force attacks, and Role-Based Access Control does not address the risk of brute-force attacks.

33.

What is the benefit of cost-benefit analysis?

  A. Cost-benefit analysis is necessary because organizations cannot reduce all risks to zero.

  B. Cost-benefit analysis increases an organization's return on investment.

  C. Cost-benefit analysis prevents denial of service attacks.

  D. Cost-benefit analysis is a good governance practice.

  E. All of the above

    A, B, and D. Cost-benefit analysis is necessary because organizations cannot reduce all risks to zero, it increases an organization's return on investment, and it is a good governance practice.

    C is wrong because cost-benefit analysis is not related to, and does not prevent, denial of service attacks.

34.

What is a trusted system?

  A. A trusted system is another name for a high-security system.

  B. A trusted system is a system that can break a security policy if compromised.

  C. Trusted system refers to operating systems like Trusted Solaris.

  D. Trusted systems are more rigorously designed and tested.

  E. All of the above

    B and D. A trusted system or component has the power to break a security policy. This may seem like an oxymoron: how do you trust a component that can break your security policy? Although it is a good engineering practice to have as few trusted components as possible (remember the principles of least privilege and minimization), it is impossible to eliminate them altogether. Because of this, trusted systems are subject to more testing and verification than non-trusted systems.

    A and C are incorrect because a high security system is not necessarily a trusted system, and trusted systems do not refer to operating systems only.

35.

Continuous authentication protects against:

  A. Hacking

  B. Script kiddies

  C. Hijacking attacks

  D. Sniffing

  E. All of the above

    C. Continuous authentication protects against hijacking attacks but does not protect against sniffing unless all traffic is encrypted.

    Answers A and B are too general. D is incorrect because continuous authentication does not protect against sniffing unless all traffic is encrypted.

36.

By commenting out extraneous inetd services, the operating system will disable the service from being available and potentially vulnerable to an attack.

  A. True

  B. False

    A. True. To disable a service that is defined in inetd, you simply comment it out in the /etc/inetd.conf file by inserting a hash character in the very first character position before the service. To activate the change, simply restart the process or reboot the operating system.

    B is incorrect because unless the service is enabled in inetd, the port and service will not be listening for connection attempts.

37.

Which of these can be used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system?

  A. Trojan horse

  B. Loadable Kernel Module

  C. Logic bomb

  D. Fork bomb

  E. Rootkit

  F. All of the above

    B and E. A rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

    A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. D is wrong because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes.

38.

Explain the meaning of a "role" as it pertains to Role-Based Access Control (RBAC).

   A role is a special user account used to grant rights. Users can assume only those roles they have been granted permission to assume. Once a user takes on a role, the user relinquishes his or her own user identity and takes on the properties, including the rights, of that role. With RBAC each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.

39.

In the Solaris cryptographic framework, which of the following commands can be used to generate random keys?

  A. dd

  B. digest

  C. encrypt

  D. mac

  E. All of the above

    C and D. Random keys can be generated using the encrypt and mac commands.

    A is wrong because you can generate the symmetric key with the dd command. B is wrong because you can issue the digest command to compute a message digest for one or more files.

40.

What command displays the mechanism policy for the installed providers?

   The cryptoadm list -p command displays the mechanism policy for the installed providers. It also displays the provider feature policy. If a provider is specified, the command will display the name of the provider with the mechanism policy enforced on it only.

41.

Which of the following can be used to display audit record formats?

  A. audit -s

  B. auditconfig -conf

  C. bsmconv

  D. bsmrecord

  E. auditreduce

  F. All of the above

    D. The bsmrecord command can be used to display record formats.

    A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. C is wrong because you would run the bsmconv script to enable and disable the auditing service. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

42.

Which of the following commands would you issue to view device policies for all devices or just for specific devices?

  1. list_devices

  2. getdevpolicy

  3. allocate device-name

  4. All of the above

    B. To view device policies for all devices or specific ones, you would use the getdevpolicy command.     A is wrong because list_devices is used to display information about allocatable devices. C is wrong because a user with the appropriate rights and authorization can allocate a device by issuing the allocate device-name command.

43.

What type of control is intended to offset deficiencies of other controls?

  1. Preventive

  2. Defensive

  3. Compensating

  4. Recovery

  5. All of the above

    C. Compensating controls offset deficiencies of other controls.     There is no such term as defensive controls in information security, so that rules out B. Choices A and D are incorrect because preventive controls aim to prevent security violations and recovery controls are not intended to offset deficiencies of other controls.

44.

If A trusts B, and B trusts C, then:

  1. A trusts C.

  2. A does not automatically trust C.

  3. C trusts A.

  4. The trust relationship is symmetric and bidirectional.

  5. All of the above

    B. This answer is correct because even if A trusts B, and B trusts C, it does not mean that A automatically trusts C.     A and C are wrong because trust is not transitive: if A trusts B, and B trusts C, it does not mean that A automatically trusts C, or vice versa. D is wrong because trust is not symmetric: if A trusts B, it doesn't mean that B trusts A.

45.

Why is detection an important part of the security process?

  1. Because it shows which preventive controls work and which don't.

  2. Because it serves as a quality/reliability control.

  3. Because no usable preventive control is perfect.

  4. Detection is not necessary in low-security environments.

  5. All of the above

    A, B, and C. Detection is important because it shows whether or not preventive controls work, because it serves as a quality and reliability control, and because no usable preventive control is perfect.     D is incorrect because the security level of the environment has no bearing on the need for detective controls.

46.

The switch user (su) program usage (by default) is monitored.

  1. True

  2. False

    A. True. The su program usage, by default, is already monitored through the /etc/default/su file as SULOG=/var/adm/sulog, and the syslog logging facility will determine whether or not to log all su attempts with the SYSLOG=YES entry.

47.

Which configuration file specifies the primary and secondary audit directories?

  1. Audit_control

  2. Audit_startup

  3. Audit_warn

  4. Audit_user

  5. All of the above

    A. The primary and secondary audit directories are specified in the audit_control file.     B is wrong because the audit policy is established by the auditconfig command, which is automatically started in the audit_startup script. C is incorrect because the audit_warn script generates mail to an e-mail alias called audit_warn. D is wrong because the audit_user file defines specific users and classes of events that should always or never be audited for each user.

48.

Which of the following can be executed to disable the auditing service?

  1. audit -s

  2. auditconfig -conf

  3. The bsmconv script

  4. bsmrecord

  5. auditreduce

  6. All of the above

    C. Run the bsmconv script to enable and disable the auditing service.     A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. D is wrong because the bsmrecord command can be used to display record formats. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

49.

Which of the following can be used to report file-level changes that have occurred on the system?

  1. Access control lists (ACLs)

  2. Device policy

  3. Device allocation

  4. Basic Audit Reporting Tool (BART)

  5. All of the above

    D. The Basic Audit Reporting Tool (BART) is used to check the integrity of files by reporting file-level changes that have occurred on the system.     A is wrong because access control lists (ACLs) are used to control access to files. B and C are wrong because device policy and device allocation are used to control access to devices.

50.

To prevent and defend against DoS attacks, Sun recommends which of the following mechanisms?

  1. Using egress filtering

  2. Installing recommended patches from SunSolve

  3. Disabling unnecessary service ports

  4. Using TCP wrappers

  5. Network monitoring and deploying a firewall

  6. All of the above

    F. All of the answers are correct. To prevent DoS attacks against the Solaris operating system, Sun advocates disabling executable stacks, disabling extraneous IP ports, using egress filtering, monitoring the network, using firewalls, and implementing a patch update program.

51.

Which of these is an ASET task that automatically sets system file permissions according to the security level you choose?

  1. System files permissions tuning

  2. System files checks

  3. User and group checks

  4. System configuration files checks

  5. Environment variables checks

  6. EEPROM check

  7. Firewall setup

  8. All of the above

    A. The system files permissions tuning task automatically sets system file permissions according to the security level you choose. At the high level setting, permissions are assigned to restrict access; at the medium level, permissions are tightened just enough for most normal operating environments; and at the low level setting, permissions are set for open sharing.     B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. For each security level a list of directories that contains files to check is automatically defined; however, this list can be modified. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

52.

What is the principle of least privilege?

   The principle of least privilege asserts that a user should not be granted any more privileges or permissions than those necessary for performing a specific job.

53.

Which of the following are shared objects that provide services by using PKCS #11 libraries?

  1. Hardware plug-ins

  2. Kernel-level plug-ins

  3. User-level plug-ins

  4. All of the above

    C. User-level plug-ins are shared objects that provide services by using PKCS #11 libraries.     A is wrong because hardware plug-ins are device drivers and their associated hardware accelerators. B is wrong because kernel-level plug-ins provide for implementations of algorithms in software.

54.

What commands would you issue to disable temporarily and then later restore the use of a kernel software provider?

   To disable a kernel software provider, issue the cryptoadm disable provider command; to restore an inactive software provider, issue the cryptoadm refresh command.

55.

What is strong authentication?

  1. Strong authentication uses long passwords.

  2. Strong authentication requires smart cards.

  3. Strong authentication requires the use of at least two different authentication methods.

  4. Biometrics provides strong authentication.

  5. All of the above

    C. At least two different authentication methods are necessary for strong authentication.     Long passwords do not provide strong authentication on their own, so answer A is not correct. Strong authentication does not necessarily require the use of smart cards, as stated in B. And D is wrong because biometrics does not necessarily provide strong authentication on its own.

56.

What is the purpose of authentication?

  1. To obtain proof of claimed identity

  2. To implement access control

  3. To establish accountability

  4. To allow use of different authorizations

  5. All of the above

    E. All of the answers are correct. Authentication is needed to obtain proof of claimed identity, to implement access control, to establish accountability, and to allow for different users with different authorizations.

57.

User trust is

  1. Guaranteed by trusted systems

  2. Defined in security policy

  3. Gained and maintained by definition and enforcement of good security policies and their professional implementation

  4. Transitive and bidirectional

  5. All of the above

    C. User trust refers to users' expectations of reasonable security of systems, which in practical terms is the responsibility of security administrators who enforce security policy set by the management. User trust may also refer to expectations of reasonable operation of systems (hardware and software), which is closely linked to the issue of assurance. User trust is gained and maintained by definition of sound security policies and their professional implementation and enforcement.     A, B, and D are incorrect because user trust is not guaranteed by trusted systems, it is not defined in security policy, and it is not transitive and bi-directional.

58.

What is the purpose of deterrent controls?

  1. To back up detective controls

  2. To prevent attacks from happening

  3. To discourage attackers

  4. To compensate for preventive controls

  5. All of the above

    C. Deterrent controls are created to discourage potential attackers. Deterrent controls may potentially be confused with preventive controls, and although both types of controls aim to preclude security violations from happening, they try to do so at different times.     A and B are incorrect because deterrent controls are not a backup for detective controls and they do not necessarily prevent attacks from happening. D is incorrect because, while preventive security controls try to prevent a breach of security after the adversary has decided to attack but before the attack has succeeded, deterrent controls try to discourage the attacker from attacking in the first place by demonstrating that the attack is not going to succeed and even if it does, it will be detected and dealt with.

59.

Which of the following techniques is used to identify user login status with regard to logins without assigned passwords?

  1. Issue the command logins

  2. Issue the command logins -x

  3. Issue the command logins -p

  4. Access the /var/adm/loginlog file with superuser privileges

  5. All of the above

    C. The logins command with the -p option is used to display which users do not have assigned passwords.     A is wrong because the logins command will display general information concerning all login accounts organized in ascending order by user ID. B is incorrect because the -x argument will display extended information regarding all login accounts. D is wrong because Solaris keeps track of each user login and records login attempts in the var/adm/loginlog file.

60.

When auditing is enabled, the contents of the etc/security/audit_startup file determine the _______________.

   Audit policy determines the characteristics of the audit records. When auditing is enabled, the contents of the etc/security/audit_startup file determine the audit policy .

61.

Which of the following can be executed to refresh the auditing service?

  1. audit -s

  2. auditconfig -conf

  3. bsmconv

  4. bsmrecord

  5. auditreduce

  6. All of the above

    B. After you start the auditing service in a production environment, there may be times when you'll need to tweak the configuration to audit more classes or perhaps audit specific users more closely. After making changes, you'll need to update the auditing service. This restarts the auditd daemon, which in effect will apply the new configuration changes to the service. To refresh the auditing service, issue the command auditconfig -conf .     A is wrong because that command is used to refresh the kernel. C is wrong because you would run the bsmconv script to enable and disable the auditing service. D is wrong because the bsmrecord command can be used to display record formats. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

62.

You can create a manifest of more than one file by separating the files with a comma.

  1. True

  2. False

    B. False. You can create a manifest of more than one file by separating the files with a space, not a comma.

63.

From within a terminal session, which command would you execute to view the system's current installed patches?

  1. grep filename

  2. showpatch -p

  3. showrev -p

  4. vi system

  5. All of the above

    C. To verify that a patch was successfully installed, issue the showrev command as showrev -p, or to verify a specific individual patch, use showrev -p | grep filename, where filename is the name of the patch.     A is incorrect because grep filename is an option to the showrev command when verifying that a specific patch was successfully installed. B is incorrect because the command showpatch -p does not exist. D is incorrect because vi is the system's visual editor, which is used to create and modify text within files. Depending on where you executed the command vi system, the editor would either create a new file entitled system or open the current system file for editing.

64.

Which type of attack occurs when an attacker sends an oversized ICMP packet in an attempt to overflow the target system's buffer?

  1. Program buffer overflow

  2. Ping of Death

  3. Executable stacks

  4. SYN flooding

  5. Smurf attacks

  6. All of the above

    B. Ping of Death is a malformed ICMP packet attack in which an attacker sends an oversized ping packet in an attempt to overflow the system's buffer.     A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

65.

To harden your system and help protect against Trojan horse programs, Sun recommends that path variables do not contain which of these?

  1. A parameter indicated with a dot (.)

  2. A search path for root that contains the current directory

  3. A parameter indicated with a forward slash (/)

  4. A search path for superuser that contains the current directory

  5. All of the above

    A, B, and D. To harden your system and help protect against Trojan horse programs, Sun recommends that path variables do not contain a parameter indicated with a dot (.) that could cause the system to search for executables or libraries within that path, as well as a search path for root or superuser that contains the current directory.     C is wrong because a forward slash is legitimately used in the search path to indicate root and subdirectories.

66.

Which of these is used to produce a cyclical-redundancy-check (CRC) and block count for files that can help prevent backdoor attacks?

  1. ASET

  2. Message digest

  3. Checksum

  4. EEPROM check

  5. All of the above

    C. Checksum uses the sum command to produce a cyclical-redundancy-check (CRC) and block count for files that can help prevent backdoor attacks.     A is incorrect because ASET enables you to monitor and restrict access to system files and directories with automated administration governed by a preset security level (low, medium, or high). B is wrong because a message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. D is incorrect because the EEPROM check is an ASET task that inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with.

67.

Which of these are privileges in common with every process?

  1. E

  2. I

  3. D

  4. P

  5. G

  6. All of the above

    A, B, and D. Every process has four sets of privileges: the effective privilege set (E), which holds the privileges currently in use (note that a process can add permitted privileges to this set); the inheritable privilege set (I), which holds the privileges a process can pass on to child processes; the permitted privilege set (P), which holds the privileges available for use now; and the limit privilege set (L), which is the outer bound on the privileges a process can ever hold and which a process can shrink but never extend.     C and E are wrong because they do not represent any known existing privilege sets.

68.

Which of the following is inherently provided for by using cryptography?

  1. Authenticity

  2. Confidentiality

  3. Integrity

  4. RBAC

  5. Checksum

  6. All of the above

    A, B, and C. Cryptography provides for the integrity, confidentiality, and authenticity of information.     D is wrong because RBAC is a system of controlling which users have access to resources based on the role of the user. E is wrong because checksum is a simple error-detection scheme.

69.

What command displays the list of installed providers?

   The cryptoadm list command displays the list of installed providers.

70.

In which of the following are two cryptographic keys used: one to encrypt a message and another to decrypt it?

  1. Asymmetric algorithm

  2. Public key

  3. Secret key

  4. Symmetric algorithm

  5. All of the above

    A and B. With asymmetric (public key) algorithms, two keys are used: one to encrypt a message and another to decrypt it.     C and D are wrong because in symmetric (secret key) algorithms, the same key is used for both encryption and decryption; anyone knowing the key can both encrypt and decrypt messages.

71.

Which command can be used to check the privileges available to your current shell's process?

  1. ppriv

  2. smc &

  3. usermod

  4. roleadd

  5. All of the above

    A. To check the privileges available to your current shell's process, you would use the ppriv -v pid command, where pid is the process ID (for example, ppriv -v $$ for the current shell).     B is wrong because to start the management console, you would issue the /usr/sbin/smc & command. C is wrong because the usermod command associates a user's login with a role, profile, and authorization in the /etc/user_attr database, which can also be used to grant a user access to a role. D is wrong because the roleadd command can be used to create roles and associate a role with an authorization or a profile from the command line.

72.

Which of these is an ASET task that performs a file comparison check from a master file that is created when the task is first executed?

  1. System files permissions tuning

  2. System files checks

  3. User and group checks

  4. System configuration files checks

  5. Environment variables checks

  6. EEPROM check

  7. Firewall setup

  8. All of the above

    B. A system files check is a file comparison check from a master file that is created when the task is first executed. For each security level, a list of directories that contains files to check is automatically defined; however, this list can be modified.     A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because during the system configuration files check ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

73.

The principle of least privilege applies only to user accounts.

  1. True

  2. False

    B. False. The principle of least privilege does not only apply to user accounts but is a universally applicable principle.

74.

What is a threat?

  1. A threat is the absence of security mechanisms.

  2. A threat is the opposite of assurance.

  3. A threat is anything that can exploit vulnerabilities.

  4. Threats may be natural, physical, and logical.

  5. All of the above

    C and D. A threat is anyone or anything that can exploit a vulnerability. Threats to information systems may be grouped into natural, physical, and logical threats.     A and B are incorrect because the absence of security mechanisms is not a threat, and threat is not the opposite of assurance.

75.

Which of the following may protect against spoofing attacks?

  1. Encryption

  2. Cryptographic initiation

  3. Cryptographic authentication

  4. Secret addresses

  5. All of the above

    C. The most effective defense against spoofing is the use of cryptographic authentication and digital signatures.     A is incorrect because encryption does not necessarily protect against spoofing. There is no such term as cryptographic initiation (B), and secret addresses don't make sense (D).

76.

Why is incident response capability necessary?

  1. Because any organization may have a security incident.

  2. Because detection is useless without response.

  3. Because it is required by law.

  4. Because correct reaction to a security incident is important.

  5. All of the above

    A, B, and D. Depending on the jurisdiction and industry, incident response capability may be required, but it is not required in all cases.     C is wrong because incident response capability is not required by law.

77.

Which of the following are part of Sun's required password policy?

  1. The password should be at least 8 characters long.

  2. The password must consist of between 6 and 15 letters, numbers, and special characters.

  3. The password must have at least 2 alphabetic characters and at least one numeric or special character within the first 6 characters.

  4. The first 8 characters of the password should not be the same as the previous password.

  5. All of the above

    B and C. Sun's policy mandates that passwords must be composed of between 6 and 15 letters, numbers, and special characters, and must have at least 2 alphabetic characters and at least 1 numeric or special character within the first 6 characters.     A and D are wrong because they are part of industry-recognized security recommendations for creating passwords and are not mandated by Sun's password policy.

78.

Which of these is a common run level used to go into single-user state for administrative functions?

  1. S

  2. 0

  3. 2

  4. 5

  5. 6

  6. All of the above

    A. By issuing init S you will go into single-user mode.     B is wrong because init 0 is used to go into firmware maintenance mode. C is wrong because init 2 is used to go into multi-user state where NFS is not running. D is wrong because init 5 is used to shut down the operating system altogether. E is incorrect because by issuing init 6 you will stop the operating system and reboot.

79.

How would you manually set the minimum free disk space for an audit file before a warning is sent?

   To set the minimum free disk space for an audit file before a warning is sent, you need to modify the /etc/security/audit_control file by adding the minfree argument followed by a percentage. It's important to first save a backup of the original file before making changes. For example, to set the minimum free-space level for all audit file systems so that a warning is sent when 15 percent of the file system is available, edit the audit_control file and set the line item to minfree:15. In general the line takes the form minfree:xx, where xx is a percentage less than 100.

80.

Syslog audit files should be placed in the same locations as binary data?

  1. True

  2. False

    B. False. The syslog text logs can generate massive log files so be sure to monitor and archive them regularly. In addition, you should never store syslog audit files in the same location as binary data.

81.

What command would you execute to verify that you have the appropriate rights to forcibly deallocate a device?

   To verify that you have the appropriate rights to forcibly deallocate a device (for example, solaris.device.revoke), you can issue the auths command.

82.

In which of these files would you find the list that specifies the ports used by the server processes as contact ports (also known as well-known ports)?

  1. /usr/sbin/in.telnetd

  2. /tmp/patch

  3. /etc/services

  4. /etc/inetd.conf

  5. All of the above

    C. The /etc/services file specifies the ports used by the server processes as contact ports, which are also known as well-known ports.     A is incorrect because that file is used with the telnet service. B is incorrect because the file does not typically exist. D is incorrect because the inetd.conf file defines how the inetd daemon handles common Internet service requests.

83.

Which of the following does Sun recommend for hardening your system and helping to protect against Trojan horse programs?

  1. Removing unnecessary compilers

  2. Securing file and directory permissions

  3. Anti-virus software

  4. Monitoring path variables

  5. User awareness education

  6. All of the above

    F. All of the answers are correct. To harden your system and help protect against Trojan horse programs, Sun recommends user awareness education, installing and updating anti-virus software, removing unnecessary compilers, securing file and directory permissions, and monitoring path variables.

84.

Which of these is an ASET task that checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory?

  1. System files permissions tuning

  2. System files checks

  3. User and group checks

  4. System configuration files check

  5. Environment variables check

  6. EEPROM check

  7. Firewall setup

  8. All of the above

    D. During the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file.     A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

85.

To audit a role, which event(s) should be added to the flags line in the audit_control file?

   To audit a role, you should add the ua or the as event to the flags line in the audit_control file, and then start the auditing service.

86.

Explain the usage of a Message Authentication Code (MAC).

   To protect a digest without altering the original file, you can compute a message authentication code (MAC) of the file.

87.

The principle of isolating process spaces from each other is known as

  1. Virtualization

  2. Separation

  3. Defense in depth

  4. Compartmentalization

  5. All of the above

    D. Compartmentalization is the isolation of process spaces from each other in order to minimize the effect of a security violation in one compartment on another.    Answer A, virtualization, is a related concept but is not the correct answer. B is wrong because compartmentalization is the correct term. C is wrong because defense in depth is about using several types and/or layers of defense.

88.

What is the purpose of choke points?

  1. Choke points are used to isolate firewalls.

  2. Choke points protect confidentiality of information.

  3. Choke points may be used only on TCP/IP networks.

  4. Choke points are for control and monitoring of dataflows.

  5. All of the above

    D. Choke points are logical "narrow channels" that can be easily monitored and controlled.     A is wrong because choke points are not used to isolate firewalls. Choke points do not affect confidentiality of information, so B is wrong. And C is not the answer because choke points are not protocol-dependent.

89.

Vulnerabilities are weaknesses which can be exploited by

  1. Risks

  2. Threats

  3. Hackers

  4. Software bugs

  5. All of the above

    B and C. Vulnerabilities can be exploited by threats, and malicious hackers can pose a threat.     A and D are incorrect because risks and software bugs do not exploit vulnerabilities: risk is the possibility of an exploit, and software bugs are vulnerabilities.

90.

Why is risk management important?

  1. Because it is impossible to eliminate all risks

  2. Because it is not cost effective to eliminate all risks

  3. Because it is a good governance practice

  4. Because it improves business performance

  5. All of the above

    F. All of the answers are correct. Risk is the likelihood and cost of a threat exploiting a vulnerability. Information security management is about risk management because in the absolute majority of cases it is either impossible or cost-ineffective to eliminate all risks. In these cases, risk management comes to the rescue and helps us to understand risks and decide what risks to minimize, what risks to transfer (insure against), and what risks to accept.

91.

Why should security awareness training be an ongoing concern?

  1. Because security risks and vulnerabilities change and evolve

  2. Because people need to refresh their knowledge periodically

  3. Because an organization's information systems change over time

  4. Because people may become complacent with time

  5. All of the above

    E. All of the answers are correct. To address all of these concerns, security awareness training should be held regularly.

92.

Which of the following security domains are covered by ISO 17799?

  1. Security policy

  2. Access control

  3. Physical security

  4. Solaris security

  5. All of the above

    A, B, and C. ISO 17799 is a Code of Practice for Information Security Management and does not cover any specific products or systems such as Solaris.     D is incorrect because ISO 17799 does not cover the Solaris operating environment specifically but is an information security management standard.

93.

Failed login attempts from terminal sessions are stored in which file?

  1. /etc/default/login

  2. /etc/nologin

  3. /etc/shadow

  4. /var/adm/loginlog

  5. All of the above

    D. Solaris records failed terminal-session login attempts in the /var/adm/loginlog file (the file must exist for anything to be recorded).     A is wrong because /etc/default/login holds the login defaults, including the SYSLOG and SYSLOG_FAILED_LOGINS entries that control syslog reporting of unsuccessful logins; it is not where the attempts are stored. B is wrong because /etc/nologin is used to disable user logins. C is incorrect because the /etc/shadow file is consulted to determine which accounts are locked or disabled and which do not currently have assigned passwords.

94.

Surveys show that most organizations are at which level of the information security maturity model?

  1. Nonexistent

  2. Defined

  3. Detective

  4. Repeatable

  5. All of the above

    D. Most organizations are at the repeatable level of the information security maturity model.     C is inappropriate because it refers to a type of control. Other choices are wrong because surveys show that most organizations are at the repeatable level.

95.

Risk is a product of

  1. Threats – Vulnerabilities + Asset value

  2. Threats × Vulnerabilities + Asset value

  3. Threats × Vulnerabilities × Asset value

  4. Threats + Vulnerabilities × Asset value

  5. All of the above

    C. This simple formula conveniently shows the relationship between threats, vulnerabilities, asset value, and risk: if any factor is zero (no threat, no vulnerability, or nothing of value at stake), there is no risk.     A, B, and D are incorrect because the correct formula is Threats × Vulnerabilities × Asset value = Risk.

96.

Documents that set high-level goals, requirements, and priorities are called:

  1. Guidelines

  2. Procedures

  3. Standards

  4. Policies

  5. All of the above

    D. Security policies are set by management and are high-level in nature. They specify what should and should not happen, without going into detail on how to reach these goals. Security policies should be sufficiently specific to convey their meaning and objectives unambiguously but at the same time be general enough not to require modification every month or after introduction of a new system or application in the organization.     A, B, and C are incorrect because guidelines are recommendations for consideration, procedures are detailed step-by-step instructions, and standards are general in nature.

97.

Which of the following techniques can be used to identify current user login status?

  1. Access the /etc/shadow file with superuser privileges

  2. Issue the command logins

  3. Issue the command init S

  4. Access the /var/adm/loginlog file with superuser privileges

  5. All of the above

    A and B. Identifying user login status, by issuing the logins command and viewing the /etc/shadow file, is important for determining which accounts are locked or disabled and which do not currently have assigned passwords.     C is wrong because the init S command brings the system down to run level S (single-user mode). D is wrong because the /var/adm/loginlog file is used to log failed terminal-session login attempts, not current login status.

98.

Which of these techniques can be used to capture unsuccessful login attempts?

  1. Edit the /etc/default/login file and uncomment the RETRIES entry

  2. Create a /var/adm/loginlog file

  3. Edit the /etc/default/login file and uncomment the SYSLOG=YES and SYSLOG_FAILED_LOGINS=0 entries

  4. All of the above

    B and C. Capturing unsuccessful terminal-session login attempts is accomplished by creating the /var/adm/loginlog file; it must be owned by root, belong to group sys, and have mode 600 so that only root can read it, and login writes to it once a session reaches the retry limit (five attempts by default). To have all failed login attempts reported to syslog, edit the /etc/default/login file and make sure that the SYSLOG=YES and SYSLOG_FAILED_LOGINS=0 entries are uncommented (the value 0 means every failure is logged, not only those beyond a threshold).     A is incorrect because uncommenting the RETRIES entry in /etc/default/login, together with setting SYSLOG_FAILED_LOGINS=<some number>, makes the system close the login connection after the predefined number of unsuccessful attempts; it limits retries rather than capturing them.

99.

You can specify events that should be audited by using the bsmrecord command.

  1. True

  2. False

    A. True. In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events (the na preceding the second flags argument denotes nonattributable events) should be audited for the entire system, that is, for all users on the system. The bsmrecord command displays the audit record format for each event, which lets you look up the events and the classes they belong to when deciding what to name in those flags.

100.

With regard to classes of events, the audit_event file is the event database that can be read to find out which events are part of classes you can audit. Which event numbers are reserved for the Solaris Kernel events?

  1. 1–2047

  2. 2048–32767

  3. 6144–32767

  4. 32768–65535

  5. All of the above

    A. The event numbers (with the exception of 0, which is reserved as an invalid event number) reserved for the Solaris Kernel events are 1–2047.     B is incorrect because 2048–32767 are reserved for the Solaris TCB programs. C is incorrect because 6144–32767 are used for SunOS 5.X user-level audit events. D is wrong because 32768–65535 are available for third-party TCB applications.

101.

Which of the following can be used to control access to devices on a Solaris system?

  1. Access control lists (ACLs)

  2. Device policy

  3. Device allocation

  4. Basic Audit Reporting Tool (BART)

  5. All of the above

    B and C. Controlling access to devices on a Solaris operating system is accomplished by two mechanisms: device policy and device allocation. Device policy is a default kernel-level mechanism that restricts access to devices integral to the system by requiring a process to hold specific privileges in order to open a device for reading or writing. Device allocation, which is not enabled by default, requires a user to be authorized to allocate a peripheral device (such as a tape drive or CD-ROM drive) before it can be used, and the device is released again when it is deallocated.     A is wrong because access control lists (ACLs) are mechanisms used to control access to files. D is incorrect because the Basic Audit Reporting Tool (BART) is used to check the integrity of files.

102.

When viewing your system's current patches from a terminal session, the output will display which of the following useful information?

  1. A list of current installed patches

  2. Whether a patch obsoletes a previous patch

  3. Whether a patch is incompatible with other patches

  4. What packages are directly affected by a patch

  5. If there are any prerequisite patches for a current patch

  6. All of the above

    F. All of the answers are correct. Viewing your system's current patches using the showrev -p command will display all installed patches, patch numbers, whether a patch obsoletes a previous patch, if any prerequisite patches exist for a current patch, whether a patch is incompatible with other patches, and what packages are directly affected by a patch.

103.

Which of the following directories are the most common targets for attackers to attempt to gain access to the operating system, especially for creating backdoors to the system?

  1. /etc

  2. /usr/aset

  3. /usr/local

  4. /devices

  5. All of the above

    A and D. Device-specific files in the /etc and /devices directories are common targets for attackers attempting to gain access to the operating system, especially for creating backdoors to the system.     B is incorrect because /usr/aset is the working directory for ASET. C is incorrect because /usr/local is simply an example of a typical download directory used to store files and programs by the current user.

104.

Which of the following is an example of the principle of least privilege?

  1. Programs—using privileges—that do not require making calls to setuid.

  2. System administrators can delegate privileged commands to non-root users without giving them full superuser access.

  3. A user should be given only the privileges or permissions necessary for performing a job.

  4. Privilege commands execute with administrative capabilities usually reserved for administrators.

  5. All of the above

    A, B, and C. Examples of the principle of least privilege include programs that use privileges so that they do not need to make calls to setuid, system administrators delegating privileged commands to non-root users without giving them full superuser access, and users being given only the privileges or permissions necessary for performing their jobs.     D is incorrect because it is simply a factual statement about privileged commands and not an example of the principle of least privilege.

105.

Which command associates a user's login with a role, profile, and authorization in the /etc/user_attr database, and can also be used to grant a user access to a role?

  1. ppriv

  2. smc &

  3. usermod

  4. roleadd

  5. All of the above

    C. The usermod command associates a user's login with a role, profile, and authorization in the /etc/user_attr database and can also be used to grant a user access to a role (for example, usermod -R rolename username).     A is wrong because ppriv reports or modifies process privileges; to check the privileges available to your current shell's process, you would use ppriv -v $$. B is wrong because to start the management console you would issue the /usr/sbin/smc & command. D is wrong because the roleadd command creates roles and associates a role with an authorization or a profile from the command line.

106.

To monitor and help prevent unauthorized changes from being made to system files, which of the following does Sun recommend using?

  1. Automated Security Enhancement Tool (ASET)

  2. Basic Security Module (BSM)

  3. Solaris cryptographic framework

  4. Tripwire

  5. All of the above

    E. All of the answers are correct. Protecting files is a core component of Sun's Solaris security strategy. Message digests such as MD5 and SHA1, which the Solaris cryptographic framework provides (for example, through the digest command), can detect corrupt or maliciously altered files when compared against known-good checksums, but Sun also recommends a more comprehensive package, Tripwire. In addition to Tripwire, to help prevent unauthorized changes from being made to system files, Sun recommends using ASET (discussed in Chapter 8) and the Basic Security Module (BSM), which is discussed in Chapter 5.

107.

What command is used to display a list of mechanisms that can be used with the installed providers?

   The cryptoadm list -m command displays a list of mechanisms that can be used with the installed providers. If a provider is specified (cryptoadm list -m provider=provider-name), the command displays the name of that provider and only the mechanism list that can be used with it.

108.

Which rights profile database contains the profile name and commands with specific security attributes?

  1. prof_attr

  2. exec_attr

  3. user_attr

  4. passwd

  5. shadow

  6. All of the above

    B. The rights profile name and commands with specific security attributes are stored in the exec_attr database.     A is incorrect because the rights profile name and authorizations can be found in the prof_attr database. C, D, and E are incorrect because the user_attr database contains user and role information that supplements the passwd and shadow databases. This database also contains extended user attributes such as authorizations, rights profiles, and assigned roles.

109.

Which of these can be deployed to monitor and help prevent unauthorized changes from being made to system files?

  1. Tripwire

  2. BSM

  3. Solaris cryptographic framework

  4. ASET

  5. All of the above

    E. All of the answers are correct. To monitor and help prevent unauthorized changes from being made to system files, Sun recommends using the Automated Security Enhancement Tool (ASET), the Basic Security Module (BSM), Tripwire, and the Solaris cryptographic framework.

110.

Which command would display the following output in a terminal session that could indicate that the system is being attacked?

10.16.3.11.22   10.16.3.100.21834    0    0  9112    0 SYN_RECEIVED 
10.16.3.11.22   10.16.3.100.22090    0    0  9112    0 SYN_RECEIVED 
10.16.3.11.22   10.16.3.100.22346    0    0  9112    0 SYN_RECEIVED 
10.16.3.11.22   10.16.3.100.22602    0    0  9112    0 SYN_RECEIVED 
10.16.3.11.22   10.16.3.100.22858    0    0  9112    0 SYN_RECEIVED
  1. find directory -user root

  2. netstat -a -f inet

  3. showrev -p

  4. grep inetd.conf

  5. All of the above

    B. The netstat command with the -a and -f inet switches shows the state of all sockets (and all routing table entries) for the AF_INET address family, that is, IPv4 information only. Many connections sitting in SYN_RECEIVED on the same local port (here, 22) from a single remote host is the signature of a SYN flood: the remote side keeps sending connection requests and never completes the three-way handshake, so half-open connections accumulate in the listen queue.     A is incorrect because find directory -user root walks the mounted file systems starting at the specified directory and displays files owned by root. C is incorrect because showrev -p is used for viewing the system's currently installed patches. D is incorrect because grep inetd.conf as written supplies only a pattern and no file operand, so it would simply read standard input rather than display anything useful.
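As an added example that is not part of the book, here is a POSIX shell filter that turns the check above into something repeatable: it reads netstat -a -f inet output, counts half-open (SYN_RECEIVED) connections per remote host and local port, and prints the pairs at or above a threshold. The input is a constructed sample in the same column layout as the output shown in the question; the 10.16.3.x addresses, the extra connections, and the threshold values are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): flag possible SYN floods in the output
# of "netstat -a -f inet" on Solaris. Columns are:
#   Local Address  Remote Address  Swind Send-Q Rwind Recv-Q State
# where addresses are printed as host.port (e.g. 10.16.3.11.22).

# Constructed sample: the five lines from the question plus a header, one
# established session, one stray half-open connection and a listener.
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
10.16.3.11.22   10.16.3.100.21834    0    0  9112    0 SYN_RECEIVED
10.16.3.11.22   10.16.3.100.22090    0    0  9112    0 SYN_RECEIVED
10.16.3.11.22   10.16.3.100.22346    0    0  9112    0 SYN_RECEIVED
10.16.3.11.22   10.16.3.100.22602    0    0  9112    0 SYN_RECEIVED
10.16.3.11.22   10.16.3.100.22858    0    0  9112    0 SYN_RECEIVED
10.16.3.11.22   10.16.3.50.40112   49640    0 49640    0 ESTABLISHED
10.16.3.11.80   10.16.3.77.33001     0    0  9112    0 SYN_RECEIVED
      *.22            *.*              0    0 49152    0 LISTEN'

# syn_suspects THRESHOLD  < netstat-output
# Prints "remote_host local_port count" for every (remote host, local port)
# pair with at least THRESHOLD connections in SYN_RECEIVED, sorted.
syn_suspects() {
    awk -v thr="$1" '
        $NF == "SYN_RECEIVED" {
            # local side: the last dotted field is the port
            n = split($1, l, "."); lport = l[n]
            # remote side: first four dotted fields are the IPv4 host
            split($2, r, "."); rhost = r[1] "." r[2] "." r[3] "." r[4]
            count[rhost " " lport]++
        }
        END { for (k in count) if (count[k] >= thr) print k, count[k] }
    ' | sort
}

# Run against the constructed sample: only 10.16.3.100 -> port 22 (5 half-open
# connections) crosses a threshold of 3.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_suspects 3
```

On a live host the same function is fed directly from netstat (netstat -a -f inet | syn_suspects 20); the threshold should be set well above the number of half-open connections the service normally carries, since a busy server on a lossy link legitimately shows a few.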

111.

Who must be ultimately responsible for information security within organizations?

  1. Information security professionals

  2. Information systems auditors

  3. Top management

  4. Stockholders

  5. All of the above

    C. Top management is ultimately responsible for information security.     A is incorrect because information security professionals advise management and implement management's decisions, but they do not make the decisions. B is incorrect because information systems auditors report on an organization's security to the board of directors and/or the stockholders, but they do not make decisions. D is incorrect because while stockholders appoint management, they are not responsible for making security decisions.

112.

Do insiders pose a threat to information security, and if so why?

  1. No, because they are bound by employment and confidentiality agreements.

  2. Yes, because they are not subject to access control.

  3. No, because they already have access to information.

  4. Yes, because they have more authorizations and knowledge.

  5. All of the above

    D. Employees, managers, contractors, consultants, and other insiders constitute a higher threat than a person on the street because they have more authorized network access and more sensitive knowledge than outsiders. In fact, risks posed by insider attacks are more substantial, require fewer means to mount, and may result in larger losses than risks posed by outside attackers; they may also be more difficult to detect and recover from.     A, B, and C are incorrect because although insiders are usually bound by employment and confidentiality agreements, that alone doesn't remove the threat. Insiders are subject to access controls, and access to information is not a threat in itself.

113.

Documents that are usually technical, detailed, and implement security policies are called

  1. Guidelines

  2. Normative acts

  3. Procedures

  4. Standards

  5. All of the above

    C. Security procedures are developed by subject-matter specialists within the organization with the assistance of security professionals and/or information systems auditors. Because security procedures are usually highly specific and technical in nature, they should be developed by those who appreciate these considerations.     A, B, and D are incorrect because guidelines, normative acts, and standards only influence procedures.

114.

Nonbinding recommendations on how to develop, define, and enforce security policies and procedures are known as

  1. Standards

  2. Auditing regulations

  3. Guidelines

  4. Control objectives

  5. All of the above

    C. Security guidelines are nonbinding recommendations that deal with how to develop, define, and enforce security policies and procedures. Although guidelines are nonbinding, it is customary to require explanation from those who choose not to follow them.     A, B, and D are incorrect because standards, auditing regulations, and control objectives are not non-binding recommendations.

115.

The syslog daemon is located in which directory?

  1. /etc

  2. /etc/init.d

  3. /usr/local

  4. /usr/aset

  5. /devices

  6. All of the above

    B. The script that starts and stops the syslog daemon, which controls the logging facilities, is located in the /etc/init.d directory as syslog; the daemon binary itself is /usr/sbin/syslogd.     A and E are wrong because device-specific files are located in the /etc and /devices directories, which are common targets for attackers attempting to gain access to the operating system, especially for creating backdoors. C is wrong because /usr/local is an example of a typical download directory used to store files and programs by the current user. D is wrong because /usr/aset is the working directory for ASET.

116.

In the audit_control file, which arguments define which attributable and nonattributable events should be audited for the entire system?

  1. flags

  2. minfree

  3. dir:

  4. naflags

  5. All of the above

    A and D. In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events (the na preceding the second flags argument denotes nonattributable events) should be audited for the entire system, that is, for all users on the system.     B is wrong because the minfree argument is used to set the free-space warning threshold. C is incorrect because the dir: attribute is used to specify the primary and secondary audit directories.

117.

Which of these techniques can be used to set up a warning alias, which is the e-mail account that will receive warnings generated from the audit_warn script, such as when the minimum free-space level is reached?

  1. Redirect the audit_warn e-mail alias to the appropriate account

  2. Edit the /etc/security/audit_warn file by changing the e-mail alias in the script at entry: ADDRESS=audit_warn

  3. Edit the audit_control file in your text editor and modify the minfree entry by specifying the audit_warn e-mail alias

  4. All of the above

    A and B. Setting up a warning alias can be accomplished in two ways. The easiest method is to edit the /etc/security/audit_warn file and change the e-mail alias at the ADDRESS=audit_warn entry inside the send_msg function:

    #-------------------------------------------------------------------------
    send_msg() {
        MAILER=/usr/bin/mailx
        SED=/usr/bin/sed
        LOGCMD="$LOGGER -p daemon.alert"
        ADDRESS=audit_warn  # standard alias for audit alerts

    The second way is a little more involved but leaves the script untouched: redirect the audit_warn e-mail alias to the appropriate account by adding an entry such as audit_warn: alertadmin to /etc/mail/aliases (or to the mail_aliases database in the name service) and then running newaliases so that sendmail picks up the change.     C is wrong because the minfree entry in audit_control sets the free-space warning threshold; it does not name who receives the warning.

118.

Which of the following is a type of information commonly found in a BART manifest?

  1. Group ID

  2. Content

  3. User ID

  4. Permissions

  5. Size

  6. All of the above

    F. All of the answers are correct. Each line in a BART manifest contains the following types of file information: size, content, user ID, group ID, and permissions.

119.

By comparing BART manifests over time, which of the following can you accomplish?

  1. Detect corrupt files.

  2. Verify the integrity of files.

  3. Detect security breaches.

  4. Troubleshoot the system.

  5. All of the above

    E. All of the answers are correct. The most useful feature of BART is to compare manifests over time to monitor file-level changes. By doing so, you can verify the integrity of files, and detect corrupt files and security breaches, all of which help troubleshoot the system.

120.

Which of the following should be added to the /etc/system file manually to disable programs from using executable stacks?

  1. set noexec_user_stack=1

  2. set noexec_user_stack_log=1

  3. set noexec_program_stack=0

  4. set noexec_user_stack_log=0

  5. All of the above

    A. If the noexec_user_stack variable is set to a non-zero value, the operating system marks every process stack readable and writable but not executable, so code that an overflow places on the stack cannot be run from there. The setting is read from /etc/system at boot, so a reboot is required for it to take effect.     B and D are incorrect because those settings only enable or disable the logging of attempts to execute code on the stack. C is incorrect because that option does not exist.
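As an added example that is not from the book or from Sun's own tooling, the following POSIX shell script applies the checks from question 98 (/etc/default/login) and question 120 (/etc/system) to constructed copies of those files, so it runs without root on any system. The sample file contents, the RETRIES value and the "OK/WARN" wording are assumptions; the helper understands both the KEY=value form of /etc/default/login and the "set KEY=value" form of /etc/system and, like the kernel and login, ignores commented-out lines.

```shell
#!/bin/sh
# Added example (not from the book): audit copies of /etc/default/login and
# /etc/system for the hardening settings discussed in questions 98 and 120.
# The live files are never touched; the four sample files are constructed.

# cfg_value FILE KEY
# Prints the effective value of KEY: the last uncommented "KEY=value" or
# "set KEY=value" line wins. Comment lines ("#" in /etc/default/login, "*"
# in /etc/system) are skipped. Prints nothing when KEY is not set.
cfg_value() {
    awk -v key="$2" '
        /^[ \t]*[#*]/ { next }
        {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)     # /etc/system "set" prefix
            sub(/^[ \t]+/, "", line)
            if (index(line, key "=") == 1) {
                val = substr(line, length(key) + 2)
                sub(/[ \t].*$/, "", val)         # drop trailing comment
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_login_defaults FILE
# Reports the /etc/default/login entries that control failed-login logging;
# returns 0 only when all of them are set as the answer to question 98 says.
check_login_defaults() {
    bad=0
    if [ "$(cfg_value "$1" SYSLOG)" = "YES" ]; then
        echo "OK    SYSLOG=YES"
    else
        echo "WARN  SYSLOG is not YES: login events are not sent to syslog"; bad=1
    fi
    v=$(cfg_value "$1" SYSLOG_FAILED_LOGINS)
    if [ "$v" = "0" ]; then
        echo "OK    SYSLOG_FAILED_LOGINS=0 (every failed attempt is logged)"
    else
        echo "WARN  SYSLOG_FAILED_LOGINS=${v:-unset}: failures below the threshold are not logged"; bad=1
    fi
    v=$(cfg_value "$1" RETRIES)
    if [ -n "$v" ]; then
        echo "OK    RETRIES=$v (login exits after $v failed attempts)"
    else
        echo "WARN  RETRIES commented out: the built-in default applies, not an explicit limit"; bad=1
    fi
    return $bad
}

# check_exec_stack FILE
# Reports the two /etc/system tunables from question 120; returns 0 only when
# user stacks are non-executable and logging has not been switched off
# (noexec_user_stack_log is on by default, so only an explicit 0 is flagged).
check_exec_stack() {
    bad=0
    if [ "$(cfg_value "$1" noexec_user_stack)" = "1" ]; then
        echo "OK    noexec_user_stack=1 (stacks readable/writable, not executable)"
    else
        echo "WARN  noexec_user_stack is not 1: code an overflow puts on the stack can run"; bad=1
    fi
    if [ "$(cfg_value "$1" noexec_user_stack_log)" = "0" ]; then
        echo "WARN  noexec_user_stack_log=0: execution attempts on the stack are not logged"; bad=1
    else
        echo "OK    noexec_user_stack_log not disabled"
    fi
    return $bad
}

# --- constructed sample files standing in for the real /etc files ---
WEAK_LOGIN=$(mktemp); GOOD_LOGIN=$(mktemp)
WEAK_SYSTEM=$(mktemp); GOOD_SYSTEM=$(mktemp)
trap 'rm -f "$WEAK_LOGIN" "$GOOD_LOGIN" "$WEAK_SYSTEM" "$GOOD_SYSTEM"' EXIT

cat > "$WEAK_LOGIN" <<'EOF'
# constructed /etc/default/login: logging entries still commented out
CONSOLE=/dev/console
#SYSLOG=YES
#SYSLOG_FAILED_LOGINS=5
#RETRIES=5
EOF
cat > "$GOOD_LOGIN" <<'EOF'
# constructed /etc/default/login: hardened as in question 98
CONSOLE=/dev/console
SYSLOG=YES
SYSLOG_FAILED_LOGINS=0
RETRIES=3
EOF
cat > "$WEAK_SYSTEM" <<'EOF'
* constructed /etc/system: stack protection commented out, logging disabled
* set noexec_user_stack=1
set noexec_user_stack_log=0
EOF
cat > "$GOOD_SYSTEM" <<'EOF'
* constructed /etc/system: hardened as in question 120 (reboot to apply)
set noexec_user_stack=1
set noexec_user_stack_log=1
EOF

for f in "$WEAK_LOGIN" "$GOOD_LOGIN"; do
    echo "== login defaults: $f"; check_login_defaults "$f" || echo "   -> fix needed"
done
for f in "$WEAK_SYSTEM" "$GOOD_SYSTEM"; do
    echo "== /etc/system: $f"; check_exec_stack "$f" || echo "   -> fix needed"
done
```

On a Solaris host the same functions can be pointed at the live files (check_login_defaults /etc/default/login; check_exec_stack /etc/system); they only read. Remember that an edit to /etc/system is not in force until the next reboot, so a passing check on the file does not by itself prove the running kernel has non-executable stacks.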

121.

Which type of attack occurs when a program process or task receives extraneous data that is not properly programmed?

  1. Program buffer overflow

  2. Ping of Death

  3. Executable stacks

  4. SYN flooding

  5. Smurf attacks

  6. All of the above

    A. A program buffer overflow occurs when a program, process, or task receives more data than the buffer it was programmed to hold, so the excess overwrites adjacent memory.     B is incorrect because Ping of Death is a malformed ICMP packet attack in which an attacker sends an oversized ping packet in an attempt to overflow the target's reassembly buffer. C is incorrect because an executable stack is a condition that lets a buffer overflow be turned into code execution, not an attack in itself. D is incorrect because during a SYN attack the attacker sends a flood of connection requests but never completes the handshakes. E is incorrect because a Smurf attack is a broadcast ping request sent to every system on a network with the spoofed return address of the target.

122.

It is advisable not to assign rights profiles, privileges, and authorizations directly to users.

  1. True

  2. False

    A. True. Sun's best practices dictate that you do not assign rights profiles, privileges, and authorizations directly to users, or privileges and authorizations directly to roles. It's best to assign authorizations to rights profiles, rights profiles to roles, and roles to users.

123.

Which of the following types of applications comply with RBAC and therefore can check a user's authorizations before giving the user access?

  1. Audit administration commands

  2. The Solaris Management Console tool suite

  3. Printer administration commands

  4. Batch job commands

  5. Device commands

  6. All of the above

    F. All of the answers are correct. Applications that comply with RBAC can check a user's authorizations before giving the user access. These applications include the following: audit administration commands (that is, auditconfig and auditreduce ), batch job commands (that is, at , atq , batch , and crontab ), device commands (that is, allocate , deallocate , list_devices , and cdrw ), printer administration commands (that is, lpadmin and lpfilter ), and the Solaris Management Console (includes all tools).

124.

Explain the usage of message digest with regard to file integrity.

   A message digest is the fixed-length output of a one-way hash function applied to a stream of binary data; recomputing it later and comparing the result verifies that the data has not been altered since the digest was first generated, for example when a file was compiled or last legitimately modified. With regard to checking the integrity of files, you can use the Solaris Fingerprint Database (sfpDB), a free service from Sun that lets you check the integrity of system files through online cryptographic checksums. By comparing a file's digest against the large database of known-good values stored at Sun, you can determine whether system binaries and patches are genuine and unmodified.

125.

What command would you issue to remove a kernel software provider permanently?

   To remove a provider permanently, issue the cryptoadm uninstall command with the provider name (for example, cryptoadm uninstall provider=des).

126.

Which rights profile database contains user and role information that supplements the passwd and shadow databases?

  1. prof_attr

  2. exec_attr

  3. user_attr

  4. passwd

  5. shadow

  6. All of the above

    C. The user_attr database contains user and role information that supplements the passwd and shadow databases. This database also contains extended user attributes such as authorizations, rights profiles, and assigned roles.     A is incorrect because the rights profile name and authorizations can be found in the prof_attr database. B is wrong because the rights profile name and commands with specific security attributes are stored in the exec_attr database. D and E are incorrect because the passwd and shadow databases do not contain user and role information that supplement themselves.

127.

Which of the following are common forms of DoS attacks against Solaris operating systems?

  1. Program buffer overflow

  2. Extraneous IP ports

  3. Teardrop

  4. Executable stacks

  5. SYN flooding

  6. All of the above

    A, C, and E. A buffer overflow occurs when a program, process, or task receives more data than it was programmed to hold. As a result, the program typically behaves in a way that an intruder can abuse or misuse. In a Teardrop attack, the attacker manipulates the length and fragmentation offset fields of IP fragments so that they overlap, which causes the target to crash on reassembly. Finally, during a SYN attack the attacker sends a flood of connection requests but does not respond to any of the replies, leaving the connections half-open. The SYN messages usually flood the server, and the target system fills up with pending requests until it is unable to accept any new ones; in some cases the system may exhaust available memory, crash, or be rendered inoperative.     B is incorrect because although extraneous IP ports and services can be targets for denial of service attacks, they are not forms of attack in and of themselves. D is incorrect because although programs may be targets for buffer overflow attacks when default executable stacks with read/write/execute permissions are allowed, executable stacks alone are not an attack. It is also important to note that some software may require executable stacks; if you disable them, programs that need an executable stack will fail.

128.

Users with the appropriate rights and authorization can allocate and deallocate devices. Which of these authorizations is required to forcibly allocate a device?

  1. solaris.device.allocate

  2. solaris.device.revoke

  3. Both solaris.device.allocate and solaris.device.revoke

  4. All of the above

    B. The authorization required to allocate or deallocate a device forcibly is solaris.device.revoke.      A is wrong because solaris.device.allocate is the authorization required to allocate a device.

129.

With regard to classes of events, the audit_event file is the event database that can be read to find out which events are part of classes you can audit. Which event numbers are available for third-party TCB applications?

  1. 1–2047

  2. 2048–32767

  3. 6144–32767

  4. 32768–65535

  5. All of the above

    D. The event numbers 32768–65535 are available for third-party TCB applications.     A is incorrect because 1–2047 are reserved for the Solaris Kernel events. B is incorrect because 2048–32767 are reserved for the Solaris TCB programs. C is incorrect because 6144–32767 are used for SunOS 5.X user-level audit events.

130.

Which configuration file specifies classes of events that should always or never be audited for each user?

  1. audit_control

  2. audit_startup

  3. audit_warn

  4. audit_user

  5. All of the above

    D. The audit_user file defines specific users and classes of events that should always or never be audited for each user.     A is wrong because general configuration specifications such as the primary and secondary audit directories are specified in the audit_control file. B is wrong because the audit policy is established by the auditconfig command, which is automatically started in the audit_startup script. C is incorrect because the audit_warn script generates mail to an e-mail alias called audit_warn .

131.

Which of these is a common run level used to stop the operating system and then reboot?

  1. S

  2. 0

  3. 2

  4. 5

  5. 6

  6. All of the above

    E. By issuing the init 6 command, you stop the operating system and reboot it.     A is incorrect because init S brings the system to the single-user state for administrative functions. B is wrong because init 0 brings the system down to the firmware (PROM monitor) prompt. C is wrong because init 2 enters a multi-user state in which NFS resources are not shared. D is wrong because init 5 shuts down the operating system and powers the machine off where the hardware supports it.

132.

Which of the following commands can be executed to switch between run levels and to perform functions such as halting and rebooting the Solaris operating system?

  1. shutdown -y

  2. init (Run Level #)

  3. shutdown -i init-level -g grace-period -y

  4. All of the above

    D. All of the answers are correct. By issuing the init run-level command (for example, init 6), you can switch between run levels and perform functions such as halting and rebooting the Solaris operating system. Additionally, you can shut down the system with the command shutdown -i init-level -g grace-period -y, where init-level is 0, 1, 2, 5, 6, or S (the default) and grace-period is the time in seconds before the system is shut down (the default is 60 seconds). For example, to shut down the system to run level S, and therefore disable all logins, use the command shutdown -y.

133.

Which of the following are events that are capable of creating audit logs?

  1. Privileged rights usage

  2. Object creation and destruction

  3. Permission changes

  4. Process creation and destruction

  5. Thread creation and destruction

  6. All of the above

    F. All of the answers are correct. Events that are capable of creating audit logs include system startup and shutdown, login and logout, identification and authentication, privileged rights usage, permission changes, process and thread creation and destruction, object creation and manipulation, application installation, and system administration.

134.

Which of the following can be used to control access to files on a Solaris system?

  1. Access control lists (ACLs)

  2. Device policy

  3. Device allocation

  4. Basic Audit Reporting Tool (BART)

  5. All of the above

    A. Access control lists (ACLs) are mechanisms used to control access to files.     B and C are wrong because device policy and device allocation are used to control access to devices. D is incorrect because the Basic Audit Reporting Tool (BART) is used to check the integrity of files.

135.

To disable an extraneous service and associated IP port, which file would you edit?

  1. /usr/sbin/in.telnetd

  2. /tmp/patch

  3. /etc/services

  4. /etc/inetd.conf

  5. All of the above

    D. The /etc/inetd.conf file defines how the inetd daemon handles common Internet service requests; commenting out a service's line and restarting inetd disables that service and closes its port. Note that on Solaris 10 the inetd.conf entries are converted into SMF services (with inetconv), and an inetd service is disabled with inetadm -d or svcadm disable rather than by editing the file.     A is incorrect because that file is the telnet server binary itself. B is incorrect because the file does not typically exist. C is incorrect because the /etc/services file maps service names to the contact ports (well-known ports) used by server processes; it does not enable or disable anything.

136.

It is advisable to assign privileges and authorizations directly to roles.

  1. True

  2. False

    B. False. Sun's best practices dictate that you do not assign rights profiles, privileges, and authorizations directly to users, or privileges and authorizations directly to roles. It's best to assign authorizations to rights profiles, rights profiles to roles, and roles to users.

137.

What command displays the provider feature policy? If a provider is specified, this command will display the name of the provider with the mechanism policy enforced on it only.

   The cryptoadm list -p command displays the mechanism policy for the installed providers. It also displays the provider feature policy. If a provider is specified, the command will display the name of the provider with the mechanism policy enforced on it only.

138.

Which of the following can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command?

  1. Authorization

  2. Privilege

  3. Privileged application

  4. Rights profile

  5. Role

  6. All of the above

    C. A privileged application can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command.     A is wrong because authorization can be assigned to a role or user but is typically included in a rights profile. B is wrong because a privilege can be granted to a command, user, role, or system. Privilege gives a process the ability to perform an operation and therefore enforces security policy in the kernel. D is wrong because a rights profile can be assigned to a role or user as a collection of administrative functions. E is wrong because a role is a predefined identity that can run privileged applications.

139.

Which of these techniques can be implemented for the most efficient auditing while still adhering to security prioritizations?

  1. Auditing only a small percentage of users at any one time

  2. Compressing files

  3. Archiving older audit logs

  4. Monitoring in real time

  5. Automatically increasing unusual event auditing

  6. All of the above

    F. All of the answers are correct. Sun recommends the following techniques for the most efficient auditing while still adhering to security prioritizations: For large networks with limited storage capacity, try randomly auditing a percentage of users at any one time. Perform routine audit file maintenance by reducing the disk-storage requirements by combining, removing, and compressing older log files. It's good practice to develop procedures for archiving the files, for transferring the files to removable media, and for storing the files offline. Monitor the audit data for unusual events in real time. Set up procedures to monitor the audit trail for certain potentially malicious activities. Adhere to company policy and immediately execute mitigations with regard to substantiated malicious findings. Deploy a script to trigger an automatic increase in the auditing of certain users or certain systems in response to the detection of unusual or potentially malicious events.

140.

Which of these commands can be executed to display only the extended user login status for Becky Blake, whose login name is b_blake?

  1. logins

  2. logins b_blake

  3. logins -p

  4. logins -x -l b_blake

  5. All of the above

    D. To display the extended user login status for a particular user, issue the logins -x -l user command.

    A is incorrect because the logins command will display general information concerning all login accounts organized in ascending order by user ID. B is incorrect because the logins user command will only display general information about a particular user account. C is wrong because the logins -p command will display user accounts that currently do not have assigned passwords.

141.

With regard to the Solaris auditing subsystem, what is the directory of last resort?

   A directory of last resort is a local audit directory that is used if the primary and all secondary audit directories become unavailable.

142.

What is the highest evaluation assurance level under Common Criteria that may be reached using commonly accepted best practices in systems/software development?

  1. EAL7

  2. EAL5

  3. EAL4

  4. EAL3

  5. All of the above

    C. EAL4 is the highest practical level of assurance that may be gained using good commercial development practices.

    A and B are wrong because higher levels (EAL5 through EAL7) require special development methodologies and procedures, which are expensive and not commonplace. D is incorrect, of course, because it is a lower level of assurance than EAL4.

143.

Information security policies and procedures are a(n):

  1. Technical control

  2. Administrative control

  3. Form of access control

  4. Operational control

  5. All of the above

    B. Information security policies and procedures are an administrative control.

    A is wrong because policies and procedures are not a technical control. C is wrong because policies and procedures are not a form of access control. D is wrong because, although policies and procedures address operational controls, B is a better answer.

144.

Which of the following are applications or commands that check for privileges?

  1. prof_attr

  2. Commands that control processes

  3. File commands

  4. ndd

  5. ifconfig

  6. user_attr

  7. All of the above

    B, C, and D. Applications and commands that check for privileges include commands that control processes (such as kill, pcred, rcapadm), file and file system commands (such as chmod, chgrp, mount), Kerberos commands (such as kadmin, kprop, kdb5_util), and network commands (such as ifconfig, route, snoop).

    A and E are wrong because they represent databases.

145.

Which of the following provide for implementations of algorithms in software?

  1. Hardware plug-ins

  2. Kernel-level plug-ins

  3. User-level plug-ins

  4. All of the above

    B. Kernel-level plug-ins provide for implementations of algorithms in software.

    A is wrong because hardware plug-ins are device drivers and their associated hardware accelerators. C is wrong because user-level plug-ins are shared objects that provide services by using PKCS #11 libraries.

146.

What command is used to prevent the use of a user-level mechanism?

    To prevent the use of a user-level mechanism, issue the cryptoadm disable provider mechanism(s) command.

147.

Which of the following can be granted to a command, user, role, or system, and gives a process the ability to perform an operation and therefore enforces security policy in the kernel?

  1. Authorization

  2. Privilege

  3. Privileged application

  4. Rights profile

  5. Role

  6. All of the above

    B. A privilege can be granted to a command, user, role, or system. Privilege gives a process the ability to perform an operation and therefore enforces security policy in the kernel.

    A is wrong because authorization can be assigned to a role or user but is typically included in a rights profile. C is wrong because a privileged application can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command. D is wrong because a rights profile can be assigned to a role or user as a collection of administrative functions. E is wrong because a role is a predefined identity that can run privileged applications.

148.

In which of the following is the same cryptographic key used for both encryption and decryption?

  1. Asymmetric algorithm

  2. Public key

  3. Secret key

  4. Symmetric algorithm

  5. All of the above

    C and D. In symmetric (secret key) algorithms, the same key is used for both encryption and decryption; anyone knowing the key can both encrypt and decrypt messages.

    A and B are wrong because with asymmetric (public key) algorithms, two keys are used: one to encrypt a message and another to decrypt it.

149.

For an attack to take place and succeed, which of the following should be present?

  1. Opportunity

  2. Means

  3. Motives

  4. All of the above

    D. All answers are correct. For an attack of any type to take place and to succeed, three factors must be present: the attacker must have a motive, an opportunity, and the means to carry out the attack.

150.

If a provider is specified, what command will display the name of the specified provider and the mechanism list that can be used with that provider?

    The cryptoadm list -m command displays a list of mechanisms that can be used with the installed providers. If a provider is specified, the command will display the name of the specified provider and the mechanism list that can be used with that provider.

Answers

1.

B and C. Providers are cryptographic plug-ins that consumers use. According to Sun, the framework allows only three types of plug-ins: user-level plug-ins that are shared objects that provide services by using PKCS #11 libraries, kernel-level plug-ins that provide for implementations of algorithms in software, and hardware plug-ins that are device drivers and their associated hardware accelerators.

A is wrong because consumers, not providers, can be applications, end users, or kernel operations.

2.

C, D, and E. Role information can be found in the passwd, shadow, and user_attr databases. The user_attr database contains user and role information that supplements the passwd and shadow databases. This database also contains extended user attributes such as authorizations, rights profiles, and assigned roles.

A and B are wrong because the rights profile name and authorizations can be found in the prof_attr database, while the rights profile name and commands with specific security attributes are stored in the exec_attr database.

3.

To set the minimum free disk space for an audit file before a warning is sent, you need to modify the /etc/security/audit_control file by adding the minfree argument followed by a percentage.

4.

B. To actively detect and display superuser access attempts on the console in real time, uncomment the CONSOLE=/dev/console entry in the /etc/default/su file.

A is wrong because you will enable remote superuser login access. C is wrong because by uncommenting the CONSOLE=/dev/console entry in the /etc/default/login file you will disable remote superuser login access. D is wrong because that will simply turn off the detection and display of superuser access attempts directly on the console.

5.

B, C, and D. A process life cycle–based approach to information security management is appropriate because it takes into account changing information systems environments, it is business-oriented, and is considered a good practice.

A is incorrect because the process life cycle-based approach is not the only existing approach to information security management.

6.

E. All of the answers are correct. It is important to protect software version numbers and other details of your systems in order to make attackers spend more time and effort on an attack, to avoid easy identification of bugs and vulnerabilities of deployed software, to avoid or minimize script kiddie attacks, and to comply with principles of minimization and least privilege.

7.

B. False. When default executable stacks with permissions set to read, write, and execute are allowed, programs may be inherently vulnerable to buffer overflow attacks.

A is incorrect because by default programs are not inherently vulnerable to stack smashing. This is especially true when the latest patches have been applied.

8.

D. A fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes.

A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. B is incorrect because a worm is a self-replicating program that will copy itself from system to system. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system.

9.

B and D. RBAC allows system administrators to delegate privileged commands to non-root users without giving them full superuser access to the system. Similarly, users can be assigned only the exact privileges and permissions necessary for performing a job.

A is wrong because, although it's true that privilege commands execute with administrative capabilities usually reserved for administrators, that statement does not describe a benefit to RBAC. C is wrong because Sun's best practices dictate that you do not assign rights profiles, privileges, and authorizations directly to users, or privileges and authorizations directly to roles. It's best to assign authorizations to rights profiles, rights profiles to roles, and roles to users.

10.

C. The purpose of audit trails and logs is to provide accountability in information systems.

A is correct but is not the best answer; choices B and D are wrong. The issue of whether audit trails and logs can be used in court proceedings would depend on the particular jurisdiction and is outside the scope of this book; audit trails and logs are detective controls but may function as deterrent controls as well when their existence is known to potential attackers.

11.

E. All answers are correct. The security life cycle process consists of prevention, detection, response, and deterrence.

12.

F. All answers are correct. A message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. The MD5 (for shorter message digests) and the Secure Hashing Algorithm (SHA1, for larger message digests) are among the most popular message digest algorithms. The Solaris Fingerprint Database (sfpDB) is a free tool from Sun that allows you to check the integrity of system files online through cryptographic checksums stored in the database. System files checks is an ASET task used as a file comparison check from a master file that is created when the task is first executed.

13.

A right is a named collection, consisting of commands, authorizations to use specific applications (or to perform specific functions within an application), and other, previously created, rights, whose use can be granted or denied to an administrator.

14.

Providers are cryptographic plug-ins that applications, end users, or kernel operations—which are all termed "consumers"—use. The Solaris cryptographic framework allows only three types of plug-ins: user-level plug-ins that are shared objects that provide services by using PKCS #11 libraries, kernel-level plug-ins that provide for implementations of algorithms in software, and hardware plug-ins that are device drivers and their associated hardware accelerators.

15.

B. Fingerprints can be used for what you are, or biometric, authentication.

A is wrong because what you have authentication refers to token-based authentication mechanisms. C is wrong because there is no such term as biological identification in information security. D is wrong because the use of fingerprints does not simplify authentication or identification since it requires additional configuration and tuning.

16.

D. The Basic Audit Reporting Tool (BART) is used to check the integrity of files.

A is wrong because access control lists (ACLs) are used to control access to files. B and C are wrong because device policy and device allocation are used to control access to devices.

17.

D. During a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. This is referred to as a half-open connection, because during a normal connection between a client and a server, the connection is considered to be "open" after the handshake process. When the server has not received an ACK from the client, the connection is considered to be half-open.

A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed. B is incorrect because Ping of Death is a malformed ICMP packet attack in which an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

18.

B. A worm is a self-replicating program that will copy itself from system to system, sometimes using up all available resources on a target or installing a backdoor on the system.

A is incorrect because a Trojan horse program is a malicious program that is disguised as some useful software. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. D is incorrect because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

19.

D. The roleadd command can be used to create roles and to associate a role with an authorization or a profile from the command line.

A is wrong because to check the privileges available to your current shell's process, you would use the ppriv -v pid $$ command. B is wrong because in order to start the management console you would issue the /usr/sbin/smc & command. C is wrong because the usermod command associates a user's login with a role, profile, and authorization in the /etc/user_attr database, which can also be used to grant a user access to a role.

20.

A. Consumers can be applications, end users, or kernel operations.

B and C are wrong because providers are cryptographic plug-ins that consumers use. According to Sun, the framework allows only three types of plug-ins: user-level plug-ins that are shared objects that provide services by using PKCS #11 libraries, kernel-level plug-ins that provide for implementations of algorithms in software, and hardware plug-ins that are device drivers and their associated hardware accelerators.

21.

D. A rights profile can be assigned to a role or user as a collection of administrative functions. Rights profiles can contain authorizations, privilege commands, or other rights profiles.

A is wrong because authorization can be assigned to a role or user but is typically included in a rights profile. B is wrong because a privilege can be granted to a command, user, role, or system. Privilege gives a process the ability to perform an operation and therefore enforces security policy in the kernel. C is wrong because a privileged application can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command. E is wrong because a role is a predefined identity that can run privileged applications.

22.

C. A logic bomb is code that is inserted into programming code designed to execute under specific circumstances.

A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. B is incorrect because a worm is a self-replicating program that will copy itself from system-to-system. D is wrong because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system.

23.

C. The user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. The primary check is made from the passwd and group files, and the passwords in local, NIS, and NIS+ files.

A is wrong because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. For each security level a list of directories that contains files to check is automatically defined; however, this list can be modified. D is incorrect because during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and then reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

24.

B and D. When you disallow executable stacks, programs that attempt to execute code on their stack will abort with a core dump. At that time, a warning message will be displayed with the name of the program, its process ID, and the UID of the user who ran the program. In addition, the message can be logged by syslog when the syslog kern facility is set to notice level.

A is incorrect because when a program attempts to execute code on its stack when you disallow executable stacks, the program will abort. C is incorrect because whether or not you are monitoring executable stacks has nothing to do with the results of a program that attempts to execute code on its stack.

25.

E. A Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed. B is incorrect because Ping of Death is a malformed ICMP packet attack by which an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack the attacker sends a flood of connection requests but does not respond to any of the replies.

26.

A. True. A popular form of permissible backdoor that can potentially be exploitable is a program set up by a programmer to provide remote access to the system to perform debugging and troubleshooting tasks.

27.

C and D. The bsmconv script is used to enable the auditing service, which also enables device allocation, which is enforced during user allocation to require user authorization to access a peripheral device such as a CD-ROM or printer.

A is wrong because the AUE_MODDEVPLCY audit event is part of the as audit class by default, and is used to audit changes in device policy. B is incorrect because device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system. E is wrong because to modify or update a device policy for a specific device to restrict or prevent access, you would use the update_drv -a -p policy device-driver command.

28.

B and E. Device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system by mandating that processes that open such a device require certain privileges such as reading and writing. To modify or update a device policy for a specific device to restrict or prevent access, you would use the update_drv -a -p policy device-driver command.

A is wrong because the AUE_MODDEVPLCY audit event is part of the as audit class by default, which is used to audit changes in device policy. C is incorrect because the bsmconv script is used to enable the auditing service, which also enables device allocation. D is wrong because device allocation is enforced during user allocation to require user authorization to access a peripheral device such as a CD-ROM or printer.

29.

E. The auditreduce command can be used to merge audit files into a single output source to create an audit trail.

A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. C is wrong because you would run the bsmconv script to enable and disable the auditing service. D is wrong because the bsmrecord command can be used to display record formats.

30.

F. All answers are correct. Disabling user logins can be accomplished by creating a /etc/nologin file, bringing the system down to single-user mode (by issuing the init S or shutdown command with the default init state), and disabling user accounts individually with the Solaris Management Console (SMC) interface.

31.

A and C. Certification is the technical evaluation of systems, and it is granted by independent and qualified third parties. Certification does not require accreditation. Certification is a basis for accreditation, but the responsibility for the accredited system lies mainly with the management of the organization which accredits the system.

B is incorrect because certification is not done by an organization's management. D is incorrect because certification does not require accreditation.

32.

B and C. The defense against brute-force attacks is to make the amount of time and computations required to conduct an exhaustive search impossible to afford by using a sufficiently large set—that is, longer passwords and keys.

A and D are incorrect. The use of strong authentication alone would not guarantee protection against brute-force attacks, and Role-Based Access Control does not address the risk of brute-force attacks.

33.

A, B, and D. Cost-benefit analysis is necessary because organizations cannot reduce all risks to zero, it increases an organization's return on investment, and it is a good governance practice.

C is wrong because cost-benefit analysis is not related to, and does not prevent, denial of service attacks.

34.

B and D. A trusted system or component has the power to break a security policy. This may seem like an oxymoron—how do you trust a component that can break your security policy? Although it is a good engineering practice to have as few trusted components as possible (remember the principles of least privilege and minimization), it is impossible to eliminate them altogether. Because of this, trusted systems are subject to more testing and verification than non-trusted systems.

A and C are incorrect because a high security system is not necessarily a trusted system, and trusted systems do not refer to operating systems only.

35.

C. Continuous authentication protects against hijacking attacks but does not protect against sniffing unless all traffic is encrypted.

Answers A and B are too general. D is incorrect because continuous authentication does not protect against sniffing unless all traffic is encrypted.

36.

A. True. To disable a service that is defined in inetd, you simply comment it out in the /etc/inetd.conf file by inserting a hash character in the very first character position before the service. To activate the change, simply restart the process or reboot the operating system.

B is incorrect because unless the service is enabled in inetd, the port and service will not be listening for connection attempts.

37.

B and E. A rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. D is wrong because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes.

38.

A role is a special user account used to grant rights. Users can assume only those roles they have been granted permission to assume. Once a user takes on a role, the user relinquishes his or her own user identity and takes on the properties, including the rights, of that role. With RBAC each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.

39.

C and D. Random keys can be generated using the encrypt and mac commands.

A is wrong because you can generate the symmetric key with the dd command. B is wrong because you can issue the digest command to compute a message digest for one or more files.

40.

The cryptoadm list -p command displays the mechanism policy for the installed providers. It also displays the provider feature policy. If a provider is specified, the command will display the name of the provider with the mechanism policy enforced on it only.

41.

D. The bsmrecord command can be used to display record formats.

A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. C is wrong because you would run the bsmconv script to enable and disable the auditing service. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

42.

B. To view device policies for all devices or specific ones, you would use the getdevpolicy command.

A is wrong because list_devices is used to display information about allocatable devices. C is wrong because a user with the appropriate rights and authorization can allocate a device by issuing the allocate device-name command.

43.

C. Compensating controls offset deficiencies of other controls.

There is no such term as defensive controls in information security, so that rules out B. Choices A and D are incorrect because preventive controls aim to prevent security violations and recovery controls are not intended to offset deficiencies of other controls.

44.

B. This answer is correct because even if A trusts B, and B trusts C, it does not mean that A automatically trusts C.

A and C are wrong because trust is not transitive: if A trusts B, and B trusts C, it does not mean that A automatically trusts C, or vice versa. D is wrong because trust is not symmetric: if A trusts B, it doesn't mean that B trusts A.

45.

A, B, and C. Detection is important because it shows whether or not preventive controls work, because it serves as a quality and reliability control, and because no usable preventive control is perfect.

D is incorrect because the security level of the environment has no bearing on the need for detective controls.

46.

A. True. The su program usage, by default, is already monitored through the /etc/default/su file as SULOG=/var/adm/sulog, and the syslog logging facility will determine whether or not to log all su attempts with the SYSLOG=YES entry.

47.

A. The primary and secondary audit directories are specified in the audit_control file.

B is wrong because the audit policy is established by the auditconfig command, which is automatically started in the audit_startup script. C is incorrect because the audit_warn script generates mail to an e-mail alias called audit_warn. D is wrong because the audit_user file defines specific users and classes of events that should always or never be audited for each user.
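The real-time monitoring and automatic escalation that answer 139 recommends, combined with the su logging from answer 46 and the audit_user file from answer 47, as an added Python example that is not part of the book: it scans constructed /var/adm/sulog lines for repeated failed su attempts to root and renders audit_user entries that raise auditing for those users. The sulog line layout, the audit class names lo and ex, the threshold, and all login names are assumptions made for this illustration.

```python
"""Scan su log lines for repeated failed su-to-root attempts and render
audit_user entries that raise auditing for the offending login names."""
import re
from collections import Counter

# Constructed sample of /var/adm/sulog lines. Assumed layout:
#   SU MM/DD HH:MM <+|-> tty fromuser-touser   ('+' success, '-' failure)
SAMPLE_SULOG = """\
SU 05/10 14:02 + pts/3 b_blake-root
SU 05/10 14:10 - pts/5 jdoe-root
SU 05/10 14:11 - pts/5 jdoe-root
SU 05/10 14:12 - pts/5 jdoe-root
SU 05/10 14:15 + console root-b_blake
SU 05/10 14:20 - pts/7 mwong-root
this line is deliberately malformed and must be skipped
SU 05/10 14:40 + pts/7 mwong-root
"""

# Constructed existing /etc/security/audit_user content (username:always:never).
SAMPLE_AUDIT_USER = """\
# User Level Audit User File
root:lo:no
jdoe:lo:no
"""

SULOG_RE = re.compile(
    r"^SU\s+(\d\d/\d\d)\s+(\d\d:\d\d)\s+([+-])\s+(\S+)\s+(\S+)$"
)


def parse_sulog(text):
    """Return a list of dicts, one per well-formed sulog line.
    Lines that do not match the assumed layout are ignored rather than
    allowed to abort the scan."""
    records = []
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if not m:
            continue
        date, time, status, tty, pair = m.groups()
        # su records "from-to"; split on the LAST hyphen so that login
        # names containing hyphens in the source position still parse.
        src, _, dst = pair.rpartition("-")
        if not src or not dst:
            continue
        records.append({"date": date, "time": time, "ok": status == "+",
                        "tty": tty, "src": src, "dst": dst})
    return records


def failed_su_to_root(records):
    """Count failed su attempts to root per originating login name."""
    counts = Counter()
    for r in records:
        if r["dst"] == "root" and not r["ok"]:
            counts[r["src"]] += 1
    return counts


def users_to_escalate(sulog_text, threshold=3):
    """Login names whose failed su-to-root count reaches the threshold."""
    counts = failed_su_to_root(parse_sulog(sulog_text))
    return sorted(u for u, n in counts.items() if n >= threshold)


def merge_audit_user(existing_text, users, always="lo,ex", never="no"):
    """Return new audit_user content with the flagged users set to the given
    always-audit / never-audit classes. Comment lines and entries for other
    users are kept; an existing entry for a flagged user is replaced rather
    than duplicated. The class names 'lo' and 'ex' are assumed."""
    flagged = set(users)
    out = []
    for line in existing_text.splitlines():
        name = line.split(":", 1)[0]
        if line.startswith("#") or not line.strip() or name not in flagged:
            out.append(line)
    for u in sorted(flagged):
        out.append(f"{u}:{always}:{never}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    flagged = users_to_escalate(SAMPLE_SULOG)
    print("escalate auditing for:", flagged)
    print(merge_audit_user(SAMPLE_AUDIT_USER, flagged), end="")
```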

48.

C. Run the bsmconv script to enable and disable the auditing service.

A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. D is wrong because the bsmrecord command can be used to display record formats. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

49.

D. The Basic Audit Reporting Tool (BART) is used to check the integrity of files by reporting file-level changes that have occurred on the system.

A is wrong because access control lists (ACLs) are used to control access to files. B and C are wrong because device policy and device allocation are used to control access to devices.

50.

F. All of the answers are correct. To prevent DoS attacks against the Solaris operating system, Sun advocates disabling executable stacks, disabling extraneous IP ports, using egress filtering, monitoring the network, using firewalls, and implementing a patch update program.

51.

A. The system files permissions tuning task automatically sets system file permissions according to the security level you choose. At the high level setting, permissions are assigned to restrict access; at the medium level, permissions are tightened just enough for most normal operating environments; and at the low level setting, permissions are set for open sharing.

B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. For each security level a list of directories that contains files to check is automatically defined; however, this list can be modified. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

52.

The principle of least privilege asserts that a user should not be granted any more privileges or permissions than those necessary for performing a specific job.

53.

C. User-level plug-ins are shared objects that provide services by using PKCS #11 libraries.

A is wrong because hardware plug-ins are device drivers and their associated hardware accelerators. B is wrong because kernel-level plug-ins provide for implementations of algorithms in software.

54.

To disable a kernel software provider, issue the cryptoadm disable provider command; to restore an inactive software provider, issue the cryptoadm refresh command.

55.

C. At least two different authentication methods are necessary for strong authentication.

Long passwords do not provide strong authentication on their own, so answer A is not correct. Strong authentication does not necessarily require the use of smart cards, as stated in B. And D is wrong because biometrics does not necessarily provide strong authentication on its own.

56.

E. All of the answers are correct. Authentication is needed to obtain proof of claimed identity, to implement access control, to establish accountability, and to allow for different users with different authorizations.

57.

C. User trust refers to users' expectations of reasonable security of systems, which in practical terms is the responsibility of security administrators who enforce security policy set by the management. User trust may also refer to expectations of reasonable operation of systems (hardware and software), which is closely linked to the issue of assurance. User trust is gained and maintained by definition of sound security policies and their professional implementation and enforcement.

A, B, and D are incorrect because user trust is not guaranteed by trusted systems, it is not defined in security policy, and it is not transitive and bi-directional.

58.

C. Deterrent controls are created to discourage potential attackers. Deterrent controls may potentially be confused with preventive controls, and although both types of controls aim to preclude security violations from happening, they try to do so at different times.

A and B are incorrect because deterrent controls are not a backup for detective controls and they do not necessarily prevent attacks from happening. D is incorrect because, while preventive security controls try to prevent a breach of security after the adversary has decided to attack but before the attack has succeeded, deterrent controls try to discourage the attacker from attacking in the first place by demonstrating that the attack is not going to succeed and even if it does, it will be detected and dealt with.

59.

C. The logins command with the -p option is used to display which users do not have assigned passwords.

A is wrong because the logins command will display general information concerning all login accounts organized in ascending order by user ID. B is incorrect because the -x argument will display extended information regarding all login accounts. D is wrong because Solaris keeps track of each user login and records login attempts in the /var/adm/loginlog file.

60.

Audit policy determines the characteristics of the audit records. When auditing is enabled, the contents of the /etc/security/audit_startup file determine the audit policy.

61.

B. After you start the auditing service in a production environment, there may be times when you'll need to tweak the configuration to audit more classes or perhaps audit specific users more closely. After making changes, you'll need to update the auditing service. This restarts the auditd daemon, which in effect will apply the new configuration changes to the service. To refresh the auditing service, issue the command auditconfig -conf.

A is wrong because that command is used to refresh the kernel. C is wrong because you would run the bsmconv script to enable and disable the auditing service. D is wrong because the bsmrecord command can be used to display record formats. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

62.

B. False. You can create a manifest of more than one file by separating the files with a space, not a comma.

63.

C. To verify that a patch was successfully installed, issue the showrev command showrev -p, or to verify a specific individual patch, use showrev -p | grep filename, where filename is the name of the patch.

A is incorrect because grep filename is an option to the showrev command when verifying that a specific patch was successfully installed. B is incorrect because the command showpatch -p does not exist. D is incorrect because vi is the system's visual editor, which is used to create and modify text within files. Depending on where you executed the command vi system, the editor would either create a new file entitled system or open the current system file for editing.

64.

B. Ping of Death is a malformed ICMP packet attack in which an attacker sends an oversized ping packet in an attempt to overflow the system's buffer.

A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

65.

A, B, and D. To harden your system and help protect against Trojan horse programs, Sun recommends that path variables not contain an entry indicated with a dot (.), which would cause the system to search the current directory for executables or libraries, and that the search path for root or the superuser not contain the current directory.

C is wrong because a forward slash is legitimately used in the search path to indicate root and subdirectories.

66.

C. Checksum uses the sum command to produce a cyclical-redundancy-check (CRC) and block count for files that can help prevent backdoor attacks.

A is incorrect because ASET enables you to monitor and restrict access to system files and directories with automated administration governed by a preset security level (low, medium, or high). B is wrong because a message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. D is incorrect because the EEPROM check is an ASET task that inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with.

67.

A, B, and D. Every process has four sets of privileges: the effective privilege set (E), which holds the privileges currently in use (note that a process can add permitted privileges to this set); the inheritable privilege set (I), which holds the privileges a process can pass on to a child process; the permitted privilege set (P), which holds the privileges available for use now; and the limit privilege set (L), which is the outer bound on a process's privileges and which a process can shrink but never extend.

C and E are wrong because they do not represent any known existing privileges.

68.

A, B, and C. Cryptography provides for the integrity, confidentiality, and authenticity of information.

D is wrong because RBAC is a system of controlling which users have access to resources based on the role of the user. E is wrong because checksum is a simple error-detection scheme.

69.

The cryptoadm list command displays the list of installed providers.

70.

A and B. With asymmetric (public key) algorithms, two keys are used: one to encrypt a message and another to decrypt it.

C and D are wrong because in symmetric (secret key) algorithms, the same key is used for both encryption and decryption—anyone knowing the key can both encrypt and decrypt messages.

71.

A. To check the privileges available to your current shell's process, you would use the ppriv -v pid $$ command.

B is wrong because to start the management console, you would issue the /usr/sbin/smc & command. C is wrong because the usermod command associates a user's login with a role, profile, and authorization in the /etc/user_attr database, which can also be used to grant a user access to a role. D is wrong because the roleadd command can be used to create roles and associates a role with an authorization or a profile from the command line.

72.

B. A system files check is a file comparison check from a master file that is created when the task is first executed. For each security level, a list of directories that contains files to check is automatically defined; however, this list can be modified.

A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because during the system configuration files check ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

73.

B. False. The principle of least privilege does not only apply to user accounts but is a universally applicable principle.

74.

C and D. A threat is anyone or anything that can exploit a vulnerability. Threats to information systems may be grouped into natural, physical, and logical threats.

A and B are incorrect because the absence of security mechanisms is not a threat, and threat is not the opposite of assurance.

75.

C. The most effective defense against spoofing is the use of cryptographic authentication and digital signatures.

A is incorrect because encryption does not necessarily protect against spoofing. There is no such term as cryptographic initiation (B), and secret addresses don't make sense (D).

76.

A, B, and D. Depending on the jurisdiction and industry, incident response capability may be required but it is not required in all cases.

C is wrong because incident response capability is not required by law.

77.

B and C. Sun's policy mandates that passwords must be composed of between 6 and 15 letters, numbers, and special characters, and must have at least 2 alphabetic characters and at least 1 numeric or special character within the first 6 characters.

A and D are wrong because they are part of industry-recognized security recommendations for creating passwords and are not mandated by Sun's password policy.

78.

A. By issuing init S you will go into single-user mode.

B is wrong because init 0 is used to go into firmware maintenance mode. C is wrong because init 2 is used to go into multi-user state where NFS is not running. D is wrong because init 5 is used to shut down the operating system altogether. E is incorrect because by issuing init 6 you will stop the operating system and reboot.

79.

To set the minimum free disk space for an audit file before a warning is sent, you need to modify the /etc/security/audit_control file by adding the minfree argument followed by a percentage. It's important to first save a backup of the original file before making changes. For example, to set the minimum free-space level for all audit file systems so that a warning is sent when 15 percent of the file system is available, edit the audit_control file and modify the following line item: minfree:xx, where xx is a percentage less than 100.

80.

B. False. The syslog text logs can generate massive log files, so be sure to monitor and archive them regularly. In addition, you should never store syslog audit files in the same location as binary data.

81.

To verify that you have the appropriate rights to forcibly deallocate a device (for example, solaris.device.revoke), you can issue the auths command.

82.

C. The /etc/services file specifies the ports used by the server processes as contact ports, which are also known as well-known ports.

A is incorrect because that file is used with the telnet service. B is incorrect because the file does not typically exist. D is incorrect because the inetd.conf file defines how the inetd daemon handles common Internet service requests.

83.

F. All of the answers are correct. To harden your system and help protect against Trojan horse programs, Sun recommends user awareness education, installing and updating antivirus software, removing unnecessary compilers, securing file and directory permissions, and monitoring path variables.

84.

D. During the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file.

A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because the system files check is a file comparison check against a master file that is created when the task is first executed. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

85.

To audit a role, you should add the ua or the as event to the flags line in the audit_control file, and then start the auditing service.

86.

To protect a digest without altering the original file, you can compute a message authentication code (MAC) of the file.

87.

D. Compartmentalization is the isolation of process spaces from each other in order to minimize the effect of a security violation in one compartment on another.

Answer A, virtualization, is a related concept but is not the correct answer. B is wrong because compartmentalization is the correct term. C is wrong because defense in depth is about using several types and/or layers of defense.

88.

D. Choke points are logical "narrow channels" that can be easily monitored and controlled.

A is wrong because choke points are not used to isolate firewalls. Choke points do not affect confidentiality of information, so B is wrong. And C is not the answer because choke points are not protocol-dependent.

89.

B and C. Vulnerabilities can be exploited by threats, and malicious hackers can pose a threat.

A and D are incorrect because risks and software bugs do not exploit vulnerabilities—risk is the possibility of an exploit and software bugs are vulnerabilities.

90.

F. All of the answers are correct. Risk is the likelihood and cost of a threat exploiting a vulnerability. Information security management is about risk management because in the absolute majority of cases it is either impossible or cost-ineffective to eliminate all risks. In these cases, risk management comes to the rescue and helps us to understand risks and decide what risks to minimize, what risks to transfer (insure against), and what risks to accept.

91.

E. All of the answers are correct. To address all of these concerns, security awareness training should be held regularly.

92.

A, B, and C. ISO 17799 is a Code of Practice for Information Security Management and does not cover any specific products or systems such as Solaris.

D is incorrect because ISO 17799 does not cover the Solaris operating environment specifically but is an information security management standard.

93.

D. Solaris keeps track of each terminal session login attempt in the /var/adm/loginlog file.

A is wrong because /etc/default/login involves syslog and monitoring all unsuccessful login attempts. B is wrong because /etc/nologin is used to disable user logins. C is incorrect because the /etc/shadow file can be accessed to determine which accounts are locked or disabled and which do not currently have assigned passwords.

94.

D. Most organizations are at the repeatable level of the information security maturity model.

C is inappropriate because it refers to a type of control. Other choices are wrong because surveys show that most organizations are at the repeatable level.

95.

C. This simple formula conveniently shows the relationship between threats, vulnerabilities, and risk.

A, B, and D are incorrect because the correct formula is Threats × Vulnerabilities × Asset value = Risk.

96.

D. Security policies are set by management and are high-level in nature. They specify what should and should not happen, without going into detail on how to reach these goals. Security policies should be sufficiently specific to convey their meaning and objectives unambiguously but at the same time be general enough not to require modification every month or after introduction of a new system or application in the organization.

A, B, and C are incorrect because guidelines are recommendations for consideration, procedures are detailed step-by-step instructions, and standards are general in nature.

97.

A and B. Identifying user login status—by issuing the logins command and viewing the /etc/shadow file—is important to determine which accounts are locked or disabled and which do not currently have assigned passwords.

C is wrong because the init S command is used to bring down the system to run level S (single-user mode). D is wrong because the /var/adm/loginlog file is used to log failed terminal session user login attempts.

98.

B and C. Capturing unsuccessful terminal session login attempts is accomplished by creating a /var/adm/loginlog file. To monitor all failed login attempts, edit the /etc/default/login file and make sure that the SYSLOG=YES and SYSLOG_FAILED_LOGINS=0 entries are uncommented.

A is incorrect because by uncommenting the RETRIES entry in the /etc/default/login file and setting SYSLOG_FAILED_LOGINS to some number, you'll force the system to close the login connection after that predefined number of unsuccessful login attempts.

99.

A. True. In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events (the na preceding the second flags argument specifies nonattributable events) should be audited for the entire system—that is, all users on the system. Incidentally, you can specify events by using the bsmrecord command.

100.

A. The event numbers (with the exception of 0, which is reserved as an invalid event number) reserved for the Solaris Kernel events are 1–2047.

B is incorrect because 2048–32767 are reserved for the Solaris TCB programs. C is incorrect because 6144–32767 is used for SunOS 5.X user-level audit events. D is wrong because 32768–65535 are available for third-party TCB applications.

101.

B and C. Controlling access to devices on a Solaris operating system is accomplished by two mechanisms: device policy and device allocation. Device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system by mandating that processes that open such a device require certain privileges such as reading and writing. Device allocation, which is not enabled by default, is enforced during user allocation to require user authorization to access a peripheral device.

A is wrong because access control lists (ACLs) are mechanisms used to control access to files. D is incorrect because the Basic Audit Reporting Tool (BART) is used to check the integrity of files.

102.

F. All of the answers are correct. Viewing your system's current patches using the showrev -p command will display all installed patches, patch numbers, whether a patch obsoletes a previous patch, if any prerequisite patches exist for a current patch, whether a patch is incompatible with other patches, and what packages are directly affected by a patch.

103.

A and D. Device-specific files in the /etc and /devices directories are common targets for attackers to attempt to gain access to the operating system, especially for creating backdoors to the system.

B is incorrect because /usr/asset is the working directory for ASET. C is incorrect because /usr/local is simply an example of a typical download directory used to store files and programs by the current user.

104.

A, B, and C. Examples of the principle of least privilege include programs—using privileges— that do not require making calls to setuid, when system administrators delegate privileged commands to non-root users without giving them full superuser access, and users that are only given privilege or permission necessary for performing their jobs.

D is incorrect because it is simply a factual statement regarding privileged commands and not an example of the principle of least privilege.

105.

C. The usermod command associates a user's login with a role, profile, and authorization in the /etc/user_attr database, which can also be used to grant a user access to a role.

A is wrong because to check the privileges available to your current shell's process, you would use the ppriv -v pid $$ command. B is wrong because to start the management console you would issue the /usr/sbin/smc & command. D is wrong because the roleadd command can be used to create roles and associates a role with an authorization or a profile from the command line.

106.

E. All of the answers are correct. Protecting files is a core component in Sun's Solaris security strategy. Although MD5 and SHA1, part of the Solaris cryptographic framework, were developed to help detect corrupt or maliciously altered files, Sun also recommends using a more comprehensive package as well called Tripwire. In addition to Tripwire, to help prevent unauthorized changes from being made to system files, Sun also recommends using ASET (discussed in Chapter 8) and the Basic Security Module (BSM), which is discussed in Chapter 5.

107.

The cryptoadm -m command displays a list of mechanisms that can be used with the installed providers. If a provider is specified, the command will display the name of the specified provider and the mechanism list that can be used with that provider.

108.

B. The rights profile name and commands with specific security attributes are stored in the exec_attr database.

A is incorrect because the rights profile name and authorizations can be found in the prof_attr database. C, D, and E are incorrect because the user_attr database contains user and role information that supplements the passwd and shadow databases. This database also contains extended user attributes such as authorizations, rights profiles, and assigned roles.

109.

E. All of the answers are correct. To monitor and help prevent unauthorized changes from being made to system files, Sun recommends using the Automated Security Enhancement Tool (ASET), the Basic Security Module (BSM), Tripwire, and the Solaris cryptographic framework.

110.

B. The netstat command with -a and -f inet switches can be used to show the state of all sockets and all routing table entries for the AF_INET address family showing IPv4 information only.

A is incorrect because find directory -user root is used to check all mounted paths starting at the specified directory and to display files owned by root. C is incorrect because the command showrev -p is used for viewing the system's current installed patches. D is incorrect because grep inetd.conf as it stands will produce nothing.

111.

C. Top management is ultimately responsible for information security.

A is incorrect because information security professionals advise management and implement management's decisions, but they do not make the decisions. B is incorrect because information systems auditors report on an organization's security to the board of directors and/or the stockholders, but they do not make decisions. D is incorrect because while stockholders appoint management, they are not responsible for making security decisions.

112.

D. Employees, managers, contractors, consultants, and other insiders constitute a higher threat than a person on the street because they have more authorized network access and sensitive knowledge than outsiders. In fact, risks posed by insider attacks are more substantial, require less means to mount, and may result in larger losses than risks posed by outside attackers—they may also be more difficult to detect and recover from.

A, B, and C are incorrect because although insiders are usually bound by employment and confidentiality agreements, that alone doesn't remove the threat. Insiders are subject to access controls, and access to information is not a threat in itself.

113.

C. Security procedures are developed by subject-matter specialists within the organization with the assistance of security professionals and/or information systems auditors. Because security procedures are usually highly specific and technical in nature, they should be developed by those who appreciate these considerations.

A, B, and D are incorrect because guidelines, normative acts, and standards only influence procedures.

114.

C. Security guidelines are nonbinding recommendations that deal with how to develop, define, and enforce security policies and procedures. Although guidelines are nonbinding, it is customary to require explanation from those who choose not to follow them.

A, B, and D are incorrect because standards, auditing regulations, and control objectives are not non-binding recommendations.

115.

B. The syslog daemon that controls the logging facilities is located in the /etc/init.d directory as syslog.

A and E are wrong because device-specific files are located in the /etc and /devices directories, which are common targets for attackers to attempt to gain access to the operating system, especially for creating backdoors to the system. C is wrong because /usr/local is an example of a typical download directory used to store files and programs by the current user. D is wrong because /usr/asset is the working directory for ASET.

116.

A and D. In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events (the na preceding the second flags argument specifies nonattributable events) should be audited for the entire system—that is, all users on the system.

B is wrong because the minfree argument is used to set the free-space warning threshold. C is incorrect because the dir: attribute is used to specify primary and secondary audit directories.

117.

A and B. Setting up a warning alias can be accomplished in two ways. The easiest method is to edit the /etc/security/audit_warn file by changing the e-mail alias in the script at the entry ADDRESS=audit_warn:

#-------------------------------------------------------------------------
send_msg() {
        MAILER=/usr/bin/mailx
        SED=/usr/bin/sed
        LOGCMD="$LOGGER -p daemon.alert"
        ADDRESS=audit_warn               # standard alias for audit alerts

The second way is a little more complicated and requires redirecting the audit_warn e-mail alias to the appropriate account. To do so, add the audit_warn e-mail alias to the new alias file—in /etc/mail/aliases or the mail_aliases database in the namespace—such as audit_warn: alertadmin.

C is wrong because that procedure is used to set the free-space warning threshold manually.

118.

F. All of the answers are correct. Each line in a BART manifest contains the following types of file information: size, content, user ID, group ID, and permissions.

119.

E. All of the answers are correct. The most useful feature of BART is to compare manifests over time to monitor file-level changes. By doing so, you can verify the integrity of files, and detect corrupt files and security breaches, all of which help troubleshoot the system.

120.

A. If the noexec_user_stack variable is set to non-zero, the operating system will apply non-executable but readable and writable attributes to every process stack.

B and D are incorrect because these settings are used to disable or enable executable stack message logging. C is incorrect because that option does not exist.

121.

A. A program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed.

B is incorrect because Ping of Death is a malformed ICMP packet attack where an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack the attacker sends a flood of connection requests but does not respond to any of the replies. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

122.

A. True. Sun's best practices dictate that you do not assign rights profiles, privileges, and authorizations directly to users, or privileges and authorizations directly to roles. It's best to assign authorizations to rights profiles, rights profiles to roles, and roles to users.

123.

F. All of the answers are correct. Applications that comply with RBAC can check a user's authorizations before giving the user access. These applications include the following: audit administration commands (that is, auditconfig and auditreduce), batch job commands (that is, at, atq, batch, and crontab), device commands (that is, allocate, deallocate, list_devices, and cdrw), printer administration commands (that is, lpadmin and lpfilter), and the Solaris Management Console (includes all tools).

124.

A message digest is a one-way function computed over a stream of binary data that serves as verification that the data was not altered since the message digest was first generated, such as when a file was compiled or modified. With regard to checking the integrity of files, you can use the Solaris Fingerprint Database (sfpDB), a free tool from Sun that allows you to check the integrity of system files through online cryptographic checksums. By doing so, you can determine whether system binaries and patches are safe by comparing them with their original checksums in a large database maintained by Sun.

125.

To remove a provider permanently, issue the cryptoadm uninstall command (for example: cryptoadm uninstall des).

126.

C. The user_attr database contains user and role information that supplements the passwd and shadow databases. This database also contains extended user attributes such as authorizations, rights profiles, and assigned roles.

A is incorrect because the rights profile name and authorizations can be found in the prof_attr database. B is wrong because the rights profile name and commands with specific security attributes are stored in the exec_attr database. D and E are incorrect because the passwd and shadow databases do not contain user and role information that supplement themselves.

127.

A, C, and E. A buffer overflow occurs when a program process or task receives extraneous data that is not properly programmed. As a result, the program typically operates in such a way that an intruder can abuse or misuse it. In a Teardrop attack, the attacker modifies the length and fragmentation offset fields in IP packets, which causes the target to crash. Finally, during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies thus leaving the connection half-open. The SYN messages will usually flood the server and as a result the target system will fill up with requests until it is unable to accommodate any new requests. In some cases, the system could consume available memory, crash, or be rendered inoperative.

B is incorrect because although extraneous IP ports and services could be potential targets for denial of service attacks, they are not forms of attack in and of themselves. D is incorrect because although programs may become targets for buffer overflow attacks when default executable stacks with permissions set to read/write/execute are allowed, executable stacks alone are not an attack. It's also important to note that some software may require executable stacks; therefore, if you disable executable stacks, programs that require them will abort.

128.

B. The authorization required to allocate or deallocate a device forcibly is solaris.device.revoke.

A is wrong because solaris.device.allocate is the authorization required to allocate a device.

129.

D. The event numbers 32768–65535 are available for third-party TCB applications.

A is incorrect because 1–2047 are reserved for the Solaris Kernel events. B is incorrect because 2048–32767 are reserved for the Solaris TCB programs. C is incorrect because 6144–32767 are used for SunOS 5.X user-level audit events.

130.

D. The audit_user file defines specific users and classes of events that should always or never be audited for each user.

A is wrong because general configuration specifications such as the primary and secondary audit directories are specified in the audit_control file. B is wrong because the audit policy is established by the auditconfig command, which is automatically started in the audit_startup script. C is incorrect because the audit_warn script generates mail to an e-mail alias called audit_warn.

131.

E. By issuing the init 6 command, you will stop the operating system and reboot.

A is incorrect because init S is used to go into single-user state for administrative functions. B is wrong because init 0 is used to go into firmware maintenance mode. C is wrong because init 2 is used to go into a multi-user state where NFS is not running. D is wrong because init 5 is used to shut down the operating system altogether.

132.

D. All of the answers are correct. By issuing the init (Run Level #) command, you can switch between run levels and perform functions such as halting and rebooting the Solaris operating system. Additionally, you can shut down the system with the command shutdown -i init-level -g grace-period -y; where init-level is 0, 1, 2, 5, 6, or S (which is the default), and grace-period is the time (in seconds) before the system is shut down (default is 60 seconds). For example, to shut down the system to run level S and therefore disable all logins, use the command shutdown -y.

133.

F. All of the answers are correct. Events that are capable of creating audit logs include system startup and shutdown, login and logout, identification and authentication, privileged rights usage, permission changes, process and thread creation and destruction, object creation and manipulation, application installation, and system administration.

134.

A. Access control lists (ACLs) are mechanisms used to control access to files.

B and C are wrong because device policy and device allocation are used to control access to devices. D is incorrect because the Basic Audit Reporting Tool (BART) is used to check the integrity of files.

135.

D. The /etc/inetd.conf defines how the inetd daemon handles common Internet service requests.

A is incorrect because that file is used with the telnet service. B is incorrect because the file does not typically exist. C is incorrect because the /etc/services file specifies the ports used by the server processes as contact ports, which are also known as well-known ports.

136.

B. False. Sun's best practices dictate that you do not assign rights profiles, privileges, and authorizations directly to users, or privileges and authorizations directly to roles. It's best to assign authorizations to rights profiles, rights profiles to roles, and roles to users.

137.

The cryptoadm list -p command displays the mechanism policy for the installed providers. It also displays the provider feature policy. If a provider is specified, the command will display the name of the provider with the mechanism policy enforced on it only.

138.

C. A privileged application can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command.

A is wrong because authorization can be assigned to a role or user but is typically included in a rights profile. B is wrong because a privilege can be granted to a command, user, role, or system. Privilege gives a process the ability to perform an operation and therefore enforces security policy in the kernel. D is wrong because a rights profile can be assigned to a role or user as a collection of administrative functions. E is wrong because a role is a predefined identity that can run privileged applications.

139.

F. All of the answers are correct. Sun recommends the following techniques for the most efficient auditing while still adhering to security prioritizations: For large networks with limited storage capacity, try randomly auditing a percentage of users at any one time. Perform routine audit file maintenance by reducing the disk-storage requirements by combining, removing, and compressing older log files. It's good practice to develop procedures for archiving the files, for transferring the files to removable media, and for storing the files offline. Monitor the audit data for unusual events in real time. Set up procedures to monitor the audit trail for certain potentially malicious activities. Adhere to company policy and immediately execute mitigations with regard to substantiated malicious findings. Deploy a script to trigger an automatic increase in the auditing of certain users or certain systems in response to the detection of unusual or potentially malicious events.

140.

D. To display the extended user login status for a particular user, issue the logins -x -l user command.

A is incorrect because the logins command will display general information concerning all login accounts organized in ascending order by user ID. B is incorrect because the logins user command will only display general information about a particular user account. C is wrong because the logins -p command will display user accounts that currently do not have assigned passwords.

141.

A directory of last resort is a local audit directory that is used if the primary and all secondary audit directories become unavailable.

142.

C. EAL4 is the highest practical level of assurance that may be gained using good commercial development practices.

A and B are wrong because higher levels (EAL5–7) require special development methodologies and procedures which are expensive and not commonplace. D is incorrect, of course, because it is a lower level of assurance than EAL4.

143.

B. Information security policies and procedures are an administrative control.

A is wrong because policies and procedures are not a technical control. C is wrong because policies and procedures are not a form of access control. D is wrong because, although policies and procedures address operational controls, B is a better answer.

144.

B, C, and D. Applications and commands that check for privileges include commands that control processes (such as kill, pcred, rcapadm), file and file system commands (such as chmod, chgrp, mount), Kerberos commands (such as kadmin, kprop, kdb5_util), and network commands (such as ifconfig, route, snoop).

A and E are wrong because they represent databases.

145.

B. Kernel-level plug-ins provide for implementations of algorithms in software.

A is wrong because hardware plug-ins are device drivers and their associated hardware accelerators. C is wrong because user-level plug-ins are shared objects that provide services by using PKCS #11 libraries.

146.

To prevent the use of a user-level mechanism, issue the cryptoadm disable provider=provider-name mechanism=mechanism-list command.

147.

B. A privilege can be granted to a command, user, role, or system. Privilege gives a process the ability to perform an operation and therefore enforces security policy in the kernel.

A is wrong because authorization can be assigned to a role or user but is typically included in a rights profile. C is wrong because a privileged application can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command. D is wrong because a rights profile can be assigned to a role or user as a collection of administrative functions. E is wrong because a role is a predefined identity that can run privileged applications.

148.

C and D. In symmetric (secret key) algorithms, the same key is used for both encryption and decryption—anyone knowing the key can both encrypt and decrypt messages.

A and B are wrong because with asymmetric (public key) algorithms, two keys are used: one to encrypt a message and another to decrypt it.

149.

D. All answers are correct. For an attack of any type to take place and to succeed, three factors must be present: the attacker must have a motive, an opportunity, and the means to carry out the attack.

150.

The cryptoadm list -m command displays a list of mechanisms that can be used with the installed providers. If a provider is specified, the command will display the name of the specified provider and the mechanism list that can be used with that provider.
