Self Test




The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, as there may be more than one correct answer. Choose all correct answers for each question. Don't focus exclusively on these questions. There are no longer any multiple choice questions on the Red Hat exams. These questions test your understanding of the chapter. Getting results, not memorizing trivia, is what counts on the Red Hat exams.

Configuring NIS Clients

1. 

You have a network with 50 Linux workstations and five Linux servers. Most of the workstations are in public areas, and your users need to be able to log in from any workstation on the network. What is the most efficient way to satisfy this requirement?

  1. Keep a master copy of /etc/passwd on one of the servers, and do a backup and restore of that copy to all the workstations every evening.

  2. Set one of the servers up to be an NIS server. Arrange another server to be an NIS slave server. Make the workstations NIS clients.

  3. Set the workstations up to be NIS clients.

  4. Create a common account on every workstation and give each person the password to this account.


2. 

How would you set up the workstations to be NIS clients?

  1. Edit /etc/passwd and add the USE_NIS command at the end of the file.

  2. Start the ypbind daemon, and configure it to start the next time you boot Linux.

  3. Add a command to /etc/xinetd.conf to start the ypbind daemon.

  4. Run the Red Hat Authentication Configuration Utility and enable NIS.


Answers

1. 

☑ B. This is an ideal situation for NIS, where you can set up a single database of usernames and passwords.
☒ A is incorrect because it is labor intensive and would lead to many password and database inconsistencies. C is incorrect because you need at least one NIS server. D is incorrect because this is obviously an insecure way to run a network.

2. 

☑ D. Although you can configure NIS clients manually, the easier way is to use the Red Hat Authentication Configuration utility.
☒ A is incorrect because this is invalid syntax. B is incorrect because you need to do more than start ypbind; you also need to configure the NIS domain. C is incorrect because ypbind is an independent service that you need to start from the /etc/rc.d/init.d directory.

Basic Host Security

3. 

Which of the following measures is the most effective way to prevent attacks through various network services?

  1. Disable a service in the appropriate /etc/xinetd.d configuration file.

  2. Block service requests with the appropriate commands in /etc/hosts.deny.

  3. Use a firewall to drop all requests to unneeded services.

  4. Uninstall unneeded network services.


Answers

3. 

☑ D. The most effective way to prevent an attack through a network service is to make sure that it is not installed.
☒ A, B, and C are all incorrect. Since the service is still installed on the system, it is still at least theoretically possible to attack through that service.

The Pluggable Authentication Module (PAM) System

4. 

What are the four areas associated with Pluggable Authentication Modules?

  1. Authentication management, account management, session management, and password management

  2. Authentication management, account management, network management, and password management

  3. Authentication management, account logging, session management, and password management

  4. Authentication management, account management, session management, and firewall management


5. 

You are editing the PAM configuration file by adding a module. How would you indicate the authentication process should immediately terminate and succeed if the module succeeds?

  1. Make sure the module is either an auth module or a password module, since these must always succeed.

  2. Use the required control flag.

  3. Use the sufficient control flag.

  4. It doesn't matter; the authentication process always stops as soon as a module fails.


Answers

4. 

☑ A. PAM breaks the authentication process into these four areas.
☒ B, C, and D are not the four areas associated with PAM.

5. 

☑ C. The sufficient flag is used to indicate the authentication process should end immediately if the module succeeds.
☒ A is incorrect because any PAM module can fail and the authorization process can continue. B is incorrect because failure would be delayed until any other modules of the same type have been checked. D is incorrect because the control flag determines when the authorization process terminates.

System Logging Configuration

6. 

Assume you normally work from a user account called sysadm. How might you configure your Red Hat Enterprise Linux 3 system to notify you whenever there is a serious problem with the kernel?

  1. Edit /etc/syslog.conf and add an entry such as this:

    kern.err        root,sysadm

  2. Recompile the kernel to include error notification and specify sysadm as the user to be notified.

  3. Write a C program to monitor the /proc/err directory and send any messages that appear there to sysadm.

  4. Edit /etc/syslog.conf and add an entry such as this:

    *.*        root,sysadm


Answers

6. 

☑ A. Although D might seem like a good choice, this would also show you all messages from every facility. It would be very difficult to pick out just the kernel messages from everything else that would be coming to your screen.
☒ B and C are obviously incorrect because there is too much effort involved. D is also incorrect, as explained earlier.

The Extended Internet Services Daemon (xinetd)

7. 

You are using the xinetd program to start services. How could you limit Telnet access to clients on the 192.168.170.0 network?

  1. Edit /etc/xinetd.d/telnet and add this line:

    DENY EXCEPT 192.168.170.0.

  2. Edit /etc/hosts.allow and add this line:

    telnetd : 192.168.170.0/255.255.255.0

  3. Edit /etc/hosts.deny and add this line:

    telnetd : 192.168.170.0/255.255.255.0

  4. Edit /etc/hosts.deny and add this line:

    telnetd : ALL EXCEPT 192.168.170.0/255.255.255.0


Answers

7. 

☑ D. Although B would allow the requested access, since no other configuration has been done for tcp_wrappers, /etc/hosts.deny will be empty, so other clients will be allowed access by default. The best choice is to restrict all access to the telnet daemon and then make an exception for clients in the requested subnet.
☒ A is incorrect because the syntax is wrong. C is incorrect because it would result in Telnet access being denied to the 192.168.170.0 network.

Firewall Policies

8. 

You have just recently connected your organization's network to the Internet, and you are a little worried because there is nothing other than your router standing between your network and the Internet. You have a spare 400 MHz PC with 256MB of RAM that just happens to have two Ethernet cards. You also have a mixture of systems on your network that includes Macintosh, Windows 98, and Linux. What might you do to alleviate your concerns?

  1. Nothing, you're not advertising the systems on your LAN via DNS, so no one will ever find them.

  2. Install RHEL 3 on the spare PC and use iptables to set it up as a firewall.

  3. Install RHEL 3 on the spare PC and use tcp_wrappers to set it up as a firewall.

  4. Install Linux on all systems on your network.


9. 

Consider the following command:

# iptables -A INPUT -s 192.168.77.77 -j REJECT

What effect will this have when the client with an IP of 192.168.77.77 tries to connect to your system?

  1. No effect at all.

  2. Access will be denied, and the client computer won't get any message on what happened.

  3. Access will be denied, and the client application will get a message that the target destination is unreachable.

  4. You will receive a notification message on the system console.


Answers

8. 

☑ B. Your best choice would be to take the unused PC and turn it into a firewall using Linux and iptables. If you use a router to connect to the Internet, then your firewall system sits between your LAN and the router. This results in a two-node network consisting of the router and one of the network interfaces in your firewall that serves as a DMZ between the Internet and your LAN. You assume that any traffic on this side of the firewall is potentially unsafe.
☒ A is incorrect because this is a poor way to secure a network. C is incorrect because although you might also want to use tcp_wrappers as part of your security strategy, it is designed to secure individual computers, not an entire network. Although D is a good option in principle, it won't necessarily make your network more secure.

9. 

☑ C. Because the target is set to REJECT, the client will receive an error message. If the target was set to DENY, the client would not get any error message.
☒ A, B, and D do not describe what happens with this firewall when the client with an IP address of 192.168.77.77 tries to connect to your system.

Network Address Translation

10. 

You are setting up a small office and would like to provide Internet access to a small number of users, but you don't want to pay for a dedicated IP address for each system on the network. How could Linux help with the problem?

  1. Assign the official IP address to a Linux system and create accounts on that system for all of the office personnel.

  2. Install Linux and configure it for IP forwarding.

  3. Install a Linux router.

  4. Use the Linux system to connect to the Internet; then use iptables to set up IP masquerading.


Answers

10. 

☑ D. If you need to connect several systems to the Internet but have only one official IP address to use, IP masquerading is the perfect solution.
☒ A is incorrect unless your users want to telnet to a single system and use a command line interface. B and C are essentially the same answer and are both incorrect because a router will not help in this situation.






RHCE Red Hat Certified Engineer Linux Study Guide (Exam RH302)
ISBN: 71765654
EAN: N/A
Year: 2003
Pages: 194
