Self Test


The following questions will help you measure your understanding of the material presented in this chapter. As no multiple choice questions appear on the Red Hat exams, no multiple choice questions appear in this book. These questions exclusively test your understanding of the chapter. It is okay if you have another way of performing a task. Getting results, not memorizing trivia, is what counts on the Red Hat exams. There may be more than one answer to many of these questions.

Using tcp_wrappers to Secure Services

1. 

What happens to a service if you allow the service in /etc/hosts.allow and prohibit it in /etc/hosts.deny?

_____________________________________________________________________


2. 

You are using the xinetd program to start services. How could you limit Telnet access to clients on the 192.168.170.0 network? Hint: The telnet daemon, when installed, is in /usr/kerberos/sbin/telnetd.

_____________________________________________________________________


Answers

1. 

If you allow a service in /etc/hosts.allow and prohibit it in /etc/hosts.deny, the service is allowed.

2. 

You are using the xinetd program to start services. To limit Telnet access to clients on the 192.168.170.0 network, you'd allow access to the network in /etc/hosts.allow and deny it to all others in /etc/hosts.deny. As /usr/kerberos/sbin is in the root user path, you can cite telnetd directly and add the following directive to /etc/hosts.allow (remember, CIDR notation doesn't work in these files):

 telnetd : 192.168.170.0/255.255.255.0 

Then add the following to /etc/hosts.deny:

 telnetd : ALL 
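
The allow-then-deny evaluation behind answers 1 and 2, as an added example that is not from the book: a small Python model of the tcp_wrappers lookup order. The function names and sample file contents are constructed for illustration, and the model assumes IPv4 clients and only the ALL, net/mask, address-prefix and exact-address patterns.

```python
import ipaddress

# Constructed sample files for question 2 (192.168.170.0 network, dotted netmask).
HOSTS_ALLOW = "telnetd : 192.168.170.0/255.255.255.0\n"
HOSTS_DENY = "telnetd : ALL\n"

def parse_rules(text):
    """Return [(daemon_list, client_list)] from 'daemons : clients' lines."""
    rules = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("#", 1)[0].split(":")]
        if len(parts) >= 2 and parts[0]:
            rules.append((parts[0].replace(",", " ").split(),
                          parts[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    """Match an IPv4 client against ALL, net/mask, a 'n.n.n.' prefix, or an exact IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if "." not in mask:      # prefix length such as /24: treated as no match here
            return False
        masked = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
        # A net field with host bits set can never equal the masked address.
        return masked == int(ipaddress.IPv4Address(net))
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip

def decide(daemon, ip, allow_text, deny_text):
    """hosts.allow is searched first and a match grants access; otherwise a
    match in hosts.deny denies; no match in either file grants access."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if (daemon in daemons or "ALL" in daemons) and \
                    any(client_matches(c, ip) for c in clients):
                return verdict
    return "allow"

if __name__ == "__main__":
    for ip in ("192.168.170.25", "192.168.171.25"):
        print(ip, decide("telnetd", ip, HOSTS_ALLOW, HOSTS_DENY))
```

A service with no entry in either file falls through to the default and is allowed, which is why the ALL line in /etc/hosts.deny is needed.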

Firewalls and Packet Filtering Using netfilter

3. 

You have recently connected your organization's network to the Internet, and you are a little worried because nothing other than your router is standing between your network and the Internet. You have a spare 400 MHz PC with 256MB of RAM that just happens to have two Ethernet cards. You also have a mixture of systems on your network that includes Macintosh, Windows 2000, and Linux. You also want your system to reject unwanted packets. What might you do to alleviate your concerns?

_____________________________________________________________________

_____________________________________________________________________


4. 

Consider the following command:

 # iptables -A INPUT -s 192.168.77.77 -j REJECT 

Once saved to your firewall, what effect will this have when the client with an IP of 192.168.77.77 tries to connect to your system?

_____________________________________________________________________


5. 

What command saves iptables rules?

_____________________________________________________________________


6. 

Where are iptables rules stored?

_____________________________________________________________________


Answers

3. 

It's best to create a firewall using the iptables command. The standard Red Hat Security Level Configuration tool creates iptables commands that REJECT unwanted packets by default. You can even support access to Samba, the network service that communicates natively with Microsoft and modern Macintosh systems. All you need to do is allow access using the tool.

4. 

Based on the given command, any connection attempt (including pings) from the 192.168.77.77 system is rejected.

5. 

The command that saves iptables rules is iptables-save.

6. 

Rules associated with iptables are stored in /etc/sysconfig/iptables.

Network Address Translation

7. 

You are setting up a small office and would like to provide Internet access to a small number of users, but you don't want to pay for a dedicated IP address for each system on the network. What can you do?

_____________________________________________________________________

_____________________________________________________________________


8. 

What iptables command switch sets up masquerading?

_____________________________________________________________________


Answers

7. 

To set up a small office while providing Internet access to a small number of users, all you need is one dedicated IP address. The other addresses can be on a private network. Masquerading makes this possible.

8. 

The iptables command switch that sets up masquerading is -t nat.

Security Enhanced Linux

9. 

What directive activates Security Enhanced Linux in /etc/sysconfig/selinux?

_____________________________________________________________________


10. 

If you want to let SELinux allow vsFTP service for user home directories, what would you do?

_____________________________________________________________________


11. 

Where are standard SELinux boolean directives stored?

_____________________________________________________________________


12. 

If you want to disable SELinux, what would you do?

_____________________________________________________________________

_____________________________________________________________________


Answers

9. 

The directive in /etc/sysconfig/selinux that activates Security Enhanced Linux is SELINUX=enabled.

10. 

If you want SELinux to allow reading of home directories via an FTP server, activate the Allow Ftp To Read/Write Files In The User Home Directories option. Alternatively, run the setsebool -P ftp_home_dir 1 command. Additional configuration is required in the vsFTP configuration file, as defined in Chapter 10.

11. 

Standard SELinux boolean directives are stored in the /selinux/booleans directory.

12. 

You can disable SELinux in a number of ways. You can do so directly in /etc/sysconfig/selinux by setting SELINUX=disabled. You can use the Security Level Configuration tool or even the SELinux Management Tool. You can even add the selinux=0 directive to the kernel configuration line in your GRUB bootloader. I can even visualize a situation where all these options are used, which would make it more difficult for an RHCE candidate to enable SELinux during an exam.



RHCE Red Hat Certified Engineer Linux Study Guide (Exam RH302)
Linux Patch Management: Keeping Linux Systems Up To Date
ISBN: 0132366754
EAN: 2147483647
Year: 2004
Pages: 227
Authors: Michael Jang
