The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.
1. Consider the following entry in the auth_attr database:
solaria.admin.:::Solaris Adminstration::help=SolarisAdmin.html
Which of the following statements is true about this entry?
2. Which RBAC database assigns roles to the users?
3. Which RBAC database assigns privileged operations, such as commands with security attributes, to the rights profiles?
4. Which of the following files (databases) does RBAC use?
5. Which of the following commands can be used to assign a role to a user?
6. Which of the following are the valid keys to specify security attributes in the exec_attr database of RBAC?
7. Which of the following commands can be used to manage syslog?
8. What does the following line mean in the syslog.conf file?
*.alert *
9. Which of the following lines would you add to the syslog.conf file so that the user.alert and user.emerg messages are sent to both the root and the operator?
10. Which of the following statements are true about the RBAC model?
Answers
1. ☑ D. When the authname field in an entry ends with a period, it means it is just a header, not an authorization. ☒ A and B are incorrect because an entry in the auth_attr database does not specify who is going to have this authorization. C is incorrect because a user (who has this authorization) will have the grant rights only if the authname field ends with the word grant.
2. ☑ D. The user_attr database assigns roles to users and profiles to roles. ☒ A is incorrect because the auth_attr database defines authorizations, and B is incorrect because exec_attr assigns privileged operations such as commands with security attributes to rights profiles. C is incorrect because prof_attr defines profiles by assigning authorizations to them, and E is incorrect because there is no RBAC database called user_role.
3. ☑ B. That is because exec_attr assigns privileged operations such as commands with security attributes to rights profiles. ☒ A is incorrect because the auth_attr database defines authorizations, and C is incorrect because prof_attr defines profiles by assigning authorizations to them. D is incorrect because the user_attr database assigns roles to users and profiles to roles, and E is incorrect because there is no RBAC database called prof_priv.
4. ☑ D. The databases that support RBAC are: /etc/security/auth_attr, /etc/security/exec_attr, /etc/security/prof_attr, and /etc/user. ☒ A, B, and C are incorrect because these database files should be in the /etc/security directory, not in the /etc directory.
5. ☑ C and D. A role can be assigned to a user by using the -R option, either at the time of user creation with the useradd command or later with the usermod command. ☒ A and B are incorrect because you cannot use the -R option with roleadd or rolemod given that you are not allowed to assign a role to a role. In other words, the -R option is not available for the roleadd or rolemod command.
6. ☑ A, C, D, and E. The value for the keys uid and euid can be a single user name or a numeric user ID, and the value for the keys gid and egid can be a group name or a numeric group ID. ☒ B is incorrect because setuid is not part of RBAC.
7. ☑ A and B. You can use both the syslogd command and the SMF command svcadm to manage syslog. ☒ C and D are incorrect because there are no such commands as syslogconfig or syslog.
8. ☑ A. A * in the second column of an entry in the syslog.conf file means that destinations of the messages are the individual users, not any other destination. ☒ B, C, and D are incorrect because a * in the second column of an entry in the syslog.conf file means that the destinations of the messages are the individual users, not any other destination.
9. ☑ B. The list of facility sources and the list of destinations have to be comma delimited. ☒ A, C, and D are incorrect because the lists should be comma delimited and not semicolon delimited.
10. ☑ B. You can assign more than one role to a user, but the user cannot assume more than one role at a time. ☒ A is incorrect because you can assign more than one role to a user, but the user cannot assume more than one role at a time. C is incorrect because a role may contain more than one role. D is incorrect because you cannot assign a role to another role; you can only assign a role to a user.