1. Examine the following sequence of executed commands and system responses:

   $ whoami
   user1
   $ su passmgr
   Password:
   Roles can only be assumed by authorized users
   su: Sorry
   $

   Which of the following statements best describes the results of the command sequence?

2. You are the Solaris administrator for a small group of workstations. Because of your current workload, you decide to allow all users to have administrative rights on their workstations. However, you still want them logging in under their own user accounts. Which of the following solutions meets your needs without directly granting users access to the superuser account? (Choose all that apply.)

3. You have just created a junior administrator role on your Solaris computer. You are going to assign the role, named jradmin, to a user named abradley. Which of the following commands do you use to perform this task?

4. Here is an excerpt from the user_attr database:

   root::::auths=solaris.*,solaris.grant;profiles=All
   lp::::profiles=Printer Management
   adm::::profiles=Log Management
   jradmin::::type=role;auths=solaris.admin.*,solaris.profmgr.*;profiles=All
   cmalcolm::::type=normal;roles=jradmin

   Based on this information, which of the following statements are true? (Choose all that apply.)

5. Which of the following RBAC-related files contain information about both authorizations and profiles? (Choose all that apply.)

6. Examine the following command sequence:

   # ls -l
   -rw-rw-r--   1 qdocter  author       880 Nov 29 13:46 doc1
   -rwxr-----   1 qdocter  author       880 Nov 29 14:04 file1
   # setfacl -s u::rwx,g::r--,o:---,m:r--,u:3486:rw- doc1

   Which of the following statements are true regarding the results of the command sequence? (Choose all that apply.)

7. You are configuring RBAC for your Solaris server. Instead of using the command line, you want to manually edit the RBAC database files. Which of the following files is not located in the /etc/security directory?

8. You are the Solaris security administrator for your network. You are going to configure an Access Control List on a file that several users need access to. Which of the following statements are true regarding setting the ACL? (Choose all that apply.)

9. Examine the following information:

   # getfacl doc1

   # file: doc1
   # owner: qdocter
   # group: author
   user::rwx
   user:3856:rw-           #effective:rw-
   group::r--              #effective:r--
   mask:r--
   other:---

   One of these lines has been modified from the real getfacl output. Which piece of information from this simulated getfacl output must be incorrect, based on the rules for ACLs?

10. You have created an Access Control List on a file named abcfile. Now you want to delete the Access Control List. Which command do you execute to perform this task?

11. You are the Solaris administrator for your network. You want to grant one rights policy to all users on the network. Which file can you edit to accomplish this in one step?

12. Here is an excerpt from the user_attr database:

   root::::auths=solaris.*,solaris.grant;profiles=All
   lp::::profiles=Printer Management
   adm::::profiles=Log Management
   jradmin::::type=role;auths=solaris.admin.*,solaris.profmgr.*;profiles=All
   jgebelt::::type=normal;roles=admin2,jradmin;auths=solaris.jobs.*
   admin2::::type=role;auths=solaris.*

   Based on this information, which of the following statements are true? (Choose all that apply.)

13. You are the security administrator for your network. A file named app1 has an existing Access Control List. You want to change the ACL to include additional users while keeping the existing settings. Which of the following commands would you execute to perform this task?

14. Here is an excerpt from one of the RBAC databases:

   Software Installation:suser:cmd:::/usr/bin/pkginfo:uid=0
   File System Management:suser:cmd:::/usr/lib/fs/autofs/automount:euid=0
   Object Access Management:suser:cmd:::/usr/bin/getfacl:euid=0

   Which one of the databases is this data from?

15. Examine the following information, which is the complete output from an executed command (the command itself is blacked out for obvious reasons):

   Based on this information, which of the following statements must be true? (Choose all that apply.)

16. Examine the following information:

   # getfacl doc1

   # file: doc1
   # owner: jgebelt
   # group: cpuguru
   user::rwx
   user:3856:rw-           #effective:rw-
   group::r--              #effective:r--
   mask:rw-
   other:---

   Which of the following commands did you execute to configure this ACL?

17. You are the senior Solaris administrator for your company. One of the junior administrators has been assigned the task of granting 10 users access to a project file. Each of the users will need read and write access to the file. The users are from several departments, and for logistical reasons (potential security difficulties) you have instructed the junior administrator not to create a group for the individuals involved in the project. Now he is confused as to how best to apply security on the file. What do you instruct him to do?

18. You are the Solaris security administrator for your company. You have just set up an ACL on a file named phonelist, and you want to configure the exact same ACL on a file named addresses. What is the easiest way to accomplish this task using the Bourne shell (sh)?

19. Examine the following command sequence:

   # ls -l
   -rw-rw-r--   1 qdocter  author       880 Nov 29 13:46 doc1
   -rwxr-----   1 qdocter  author       880 Nov 29 14:04 file1
   # setfacl -s u::rwx,g::rw-,o:---,m:rw-,u:3486:rw- doc1

   Which of the following statements are true regarding the results of the command sequence? (Choose all that apply.)

20. Here is an excerpt from one of the RBAC databases:

   Media Restore:::Restore files and file systems from backups: \
       help=RtMediaRestore.html
   User Management:::Manage users, groups, home directory: \
       auths=solaris.profmgr.read,solaris.admin.usermgr.write, \
       solaris.admin.usermgr.read;help=RtUserMngmnt.html

   Which one of the databases is this data from?
Answers

1. B. If you try to use a role that you do not have access to, you will receive this error message. If the role did not exist, you would receive a message that the ID was unknown. Supplying an incorrect password results only in su: Sorry. You must use su to assume a role.

2. B, E. By giving all users the root username and password, you are giving them direct access to the root user account. Instead, either add an authorization for all users in policy.conf for solaris.*, or grant a profile of Primary Administrator. Neither the user_attr nor the prof_attr database uses the keyword=value pairing used in the answers.

3. A. Users are associated with roles through the usermod command, not the rolemod command. The proper syntax is usermod -R rolename username.

4. B, D. The jradmin account is a role, not a user account, as identified by the type=role key pair. The cmalcolm account is a user account (type=normal) and has been authorized to use the jradmin role. Therefore, anyone who logs in as cmalcolm (and has the password for jradmin) can assume the jradmin role.

5. A, E. The user_attr file contains user and role accounts and can contain associations for both authorizations and profiles. The auth_attr file contains only authorizations, the prof_attr file contains only profiles, and exec_attr contains execution attributes. Authorizations and profiles can be assigned to all users in the policy.conf file.

6. C, E. The setfacl command set an Access Control List on the file doc1. When you use setfacl -s, the existing permissions on the file are replaced by the new permissions set by the ACL. Therefore, the user (owner) will have rwx, as specified by u::rwx. The author group will be granted read-only access (g::r--), and everyone else will have no access (o:---). The 3486 user will have only read permission, because the mask is set to r--, limiting the user to read-only even though they were explicitly granted read and write.

7. A. The full path for the user database is /etc/user_attr. All of the other files listed are in /etc/security.

8. A, C, D. When you enable an ACL, it overrides any existing permissions on the file. ACLs are set with the setfacl -s command and enable you to set separate permissions for each user or group that needs access to the file. The ls -l command will still display the permissions set for the owner and group (which are set in the ACL), so you don't need to run getfacl for those. However, to see the permissions for the additional users, you will need to use getfacl.

9. B. Because the mask is set to r--, other users can have no more than read access. Therefore, the effective rights for user 3856 cannot be rw-.

10. C. ACLs are deleted with the setfacl -d command. The -s switch sets a new ACL (and requires parameters to configure the ACL), the -r switch recalculates the mask, and -m modifies the ACL; none of these is the correct choice.

11. D. Authorizations or profiles assigned in the policy.conf file affect all users who use the computer.

12. A, B, C. The admin2 account has been granted the solaris.* authorization, meaning that the role has access to all administrative functions of Solaris. It is also more powerful than the jradmin role, which has many, but not all, administrative powers. The jgebelt user can assume either admin role, but the admin2 account does not have authorization to assume jradmin. When someone uses su to assume the role of another user or role, all of their security settings become those of the new user or role.

13. B. The setfacl -m command is used to modify an existing ACL. The -s switch replaces any current settings. The -r switch recalculates the mask, and -d deletes the ACL.

14. D. The information presented is a list of three execution attributes; they are the only database entries that contain uid or euid entries. These are stored in the /etc/security/exec_attr database.

15. A, B. This output is from a getfacl -d command run on a directory. Directories have default settings, but files do not. Also, the mask limits the maximum permissions for users other than the owner (and the owner's group), not the minimum permissions. After an ACL is created, it is enabled by default.

16. C. To set an ACL, you must use the setfacl -s command. The third answer uses the correct syntax for setting the ACL for the doc1 file.

17. B. You can create only one ACL per file, but you can list as many individual users in an ACL as you want to. This is by far the best (and only plausible) solution presented.

18. C. You can copy an ACL by piping the output from getfacl to the setfacl command for the new file. However, you must use setfacl -f - filename for the piped destination. Using setfacl again to create another ACL would be more work than is necessary. Creating a copy of the phonelist file would copy the ACL, but it is unlikely that you want to overwrite your address list with a phone list.

19. B, D, E. The setfacl command set an Access Control List on the file doc1. When you use setfacl -s, the existing permissions on the file are replaced by the new permissions set by the ACL, and the new permissions are reflected by the ls -l command. Based on the command, the user (owner) will have rwx, as specified by u::rwx. The author group will be granted read and write access (g::rw-), and everyone else will have no access (o:---). The 3486 user will have read and write permission, because they were granted rw- and the mask (m:rw-) allows other users to have read and write access.

20. C. The information presented is two profiles: the Media Restore profile and the User Management profile. Profiles are stored in the /etc/security/prof_attr database.
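The mask rule behind questions 6, 9, 16 and 19 (and answers 6, 9, 15 and 19) is easy to check mechanically. The following Python is an added example, not part of the quiz or of Solaris: it parses getfacl-style output, computes the rights the mask actually allows (the mask caps named users, the owning group and named groups; the owner entry user:: and other are not capped), flags any #effective: annotation that contradicts the mask, and rebuilds the argument a setfacl -s command would need to recreate the ACL. The two sample outputs are constructed from questions 9 and 19; nothing here talks to a real filesystem.

```python
"""Added example, not part of the quiz: parse getfacl-style output, compute the
effective rights that the mask actually allows, flag '#effective:' annotations
that contradict the mask (question 9), and rebuild the setfacl -s argument that
would recreate the ACL (questions 16 and 18)."""

# Constructed input modelled on question 9. The '#effective:rw-' on the named
# user line is the deliberately wrong value the question asks about.
SAMPLE_Q9 = """\
# file: doc1
# owner: qdocter
# group: author
user::rwx
user:3856:rw-           #effective:rw-
group::r--              #effective:r--
mask:r--
other:---
"""

# Constructed input modelled on question 19: with mask rw- the named user
# keeps rw-, so every annotation is consistent.
SAMPLE_Q19 = """\
# file: doc1
# owner: qdocter
# group: author
user::rwx
user:3486:rw-           #effective:rw-
group::rw-              #effective:rw-
mask:rw-
other:---
"""

PERM_ORDER = "rwx"


def perm_bits(perms):
    """'rw-' -> {'r', 'w'}."""
    return {c for c in perms if c in PERM_ORDER}


def bits_to_perm(bits):
    """{'r', 'w'} -> 'rw-'."""
    return "".join(c if c in bits else "-" for c in PERM_ORDER)


def parse_getfacl(text):
    """Return (header, entries). header maps file/owner/group; each entry is
    (tag, qualifier, perms, claimed_effective_or_None)."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # '# owner: qdocter'
            key, _, val = line[1:].strip().partition(":")
            header[key.strip()] = val.strip()
            continue
        spec, _, annot = line.partition("#")           # split off '#effective:...'
        parts = spec.strip().split(":")
        tag, perms = parts[0], parts[-1]
        qual = parts[1] if len(parts) == 3 else ""     # 'mask:r--' has no qualifier
        claimed = annot.partition(":")[2].strip() or None
        entries.append((tag, qual, perms, claimed))
    return header, entries


def effective_rights(entries):
    """Apply the mask rule: the mask caps named users, the owning group and named
    groups; the owner (user::) and other are not capped."""
    mask = next((p for t, _, p, _ in entries if t == "mask"), "rwx")
    capped = perm_bits(mask)
    result = {}
    for tag, qual, perms, _ in entries:
        bits = perm_bits(perms)
        if (tag == "user" and qual) or tag == "group":
            bits &= capped
        result[f"{tag}:{qual}"] = bits_to_perm(bits)
    return result


def inconsistent_entries(entries):
    """Entries whose '#effective:' annotation claims more than the mask allows."""
    eff = effective_rights(entries)
    return [f"{t}:{q}" for t, q, _, claimed in entries
            if claimed is not None and claimed != eff[f"{t}:{q}"]]


def setfacl_spec(entries):
    """Comma-separated argument for 'setfacl -s' that recreates the ACL."""
    short = {"user": "u", "group": "g", "mask": "m", "other": "o"}
    parts = []
    for tag, qual, perms, _ in entries:
        if tag in ("mask", "other"):
            parts.append(f"{short[tag]}:{perms}")
        else:
            parts.append(f"{short[tag]}:{qual}:{perms}")
    return ",".join(parts)


if __name__ == "__main__":
    for label, sample in (("question 9", SAMPLE_Q9), ("question 19", SAMPLE_Q19)):
        header, entries = parse_getfacl(sample)
        print(f"{label}: {header['file']} effective rights:", effective_rights(entries))
        print("  contradicts mask:", inconsistent_entries(entries) or "none")
        print("  setfacl -s", setfacl_spec(entries), header["file"])
```

Run against the question 9 sample, inconsistent_entries reports only user:3856, which is the line answer 9 identifies; the question 19 sample reports nothing. The rebuilt specification is the same information that the getfacl-to-setfacl -f - pipe in answer 18 carries between files, just in -s form.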
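The role logic in questions 1, 4 and 12 (and answers 1, 4 and 12) can also be worked through in code. The following Python is an added example, not part of the quiz or of Solaris: it parses user_attr lines of the form shown in question 12, reproduces the three outcomes answer 1 describes for su (unknown ID, not authorized, or success subject to the password), refuses to let a role assume another role as answer 12 states, and checks what a wildcard authorization such as solaris.admin.* actually grants. The input is the constructed excerpt from question 12; the specific authorization names looked up are illustrative.

```python
"""Added example, not part of the quiz: parse user_attr entries, decide whether
'su rolename' should succeed for a given account (questions 1, 4 and 12), and
check what a wildcard authorization such as solaris.admin.* actually grants."""

# Constructed input: the user_attr excerpt from question 12.
SAMPLE_USER_ATTR = """\
root::::auths=solaris.*,solaris.grant;profiles=All
lp::::profiles=Printer Management
adm::::profiles=Log Management
jradmin::::type=role;auths=solaris.admin.*,solaris.profmgr.*;profiles=All
jgebelt::::type=normal;roles=admin2,jradmin;auths=solaris.jobs.*
admin2::::type=role;auths=solaris.*
"""

LIST_KEYS = ("auths", "roles", "profiles")


def parse_user_attr(text):
    """user_attr has five colon-separated fields: name:qualifier:res1:res2:attr,
    where attr is 'key=value;key=value'. Returns {name: {key: value}}."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        name = fields[0]
        attr = fields[4] if len(fields) == 5 else ""
        kv = {}
        for pair in attr.split(";"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            kv[key] = value.split(",") if key in LIST_KEYS else value
        db[name] = kv
    return db


def account_type(db, name):
    """An entry without type= is an ordinary user (type=normal)."""
    return db.get(name, {}).get("type", "normal")


def su_check(db, caller, target):
    """Mirror the outcomes in answer 1 for 'su target' run by caller:
    'unknown id' if target does not exist, 'not authorized' if target is a role
    the caller may not assume, 'ok' otherwise (the password check is separate)."""
    if target not in db:
        return "unknown id"
    if account_type(db, target) != "role":
        return "ok"                       # su to an ordinary user: only the password matters
    if account_type(db, caller) == "role":
        return "not authorized"           # a role cannot itself assume another role (answer 12)
    if target in db.get(caller, {}).get("roles", []):
        return "ok"
    return "not authorized"


def auth_granted(auths, wanted):
    """'solaris.admin.*' covers every auth below solaris.admin.; anything else
    must match exactly."""
    for auth in auths:
        if auth.endswith(".*"):
            if wanted.startswith(auth[:-1]):      # keep the trailing '.' of the prefix
                return True
        elif auth == wanted:
            return True
    return False


def auths_in_effect(db, user, role=None):
    """Authorizations that apply: the user's own, or after su to a role the
    role's, since the caller's settings are replaced by the role's (answer 12)."""
    if role is None:
        return db.get(user, {}).get("auths", [])
    if su_check(db, user, role) != "ok":
        raise PermissionError("Roles can only be assumed by authorized users")
    return db[role].get("auths", [])


if __name__ == "__main__":
    db = parse_user_attr(SAMPLE_USER_ATTR)
    for caller, target in (("jgebelt", "admin2"), ("jgebelt", "jradmin"),
                           ("admin2", "jradmin"), ("lp", "jradmin"), ("lp", "passmgr")):
        print(f"{caller} -> su {target}: {su_check(db, caller, target)}")
    # Illustrative lookups: one auth from the question 20 excerpt, one outside jradmin's scope.
    for role in ("jradmin", "admin2"):
        auths = auths_in_effect(db, "jgebelt", role)
        print(f"jgebelt as {role}: "
              f"usermgr.write={auth_granted(auths, 'solaris.admin.usermgr.write')}, "
              f"jobs.admin={auth_granted(auths, 'solaris.jobs.admin')}")
```

Note that the passmgr role from question 1 is not in the question 12 excerpt, so su_check reports it as an unknown ID rather than as not authorized; with it present as a role that jgebelt's roles= list omits, the result would be the "not authorized" outcome the question 1 transcript shows.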