Unit 5 - Practice Quiz

A firewall acts as a security barrier, filtering incoming and outgoing network traffic according to predefined security rules to protect a network from unauthorized access.

firewall-cmd is the primary command-line tool used to interact with and configure the firewalld daemon, which manages the system's firewall rules.

tcpdump is a command-line packet analyzer that allows a system administrator to capture and inspect the data packets being transmitted or received over a network.

The ss (socket statistics) command is a utility used to investigate network sockets and is the modern replacement for the older netstat command.

Hardening involves reducing the system's attack surface. Disabling services that are not needed means there are fewer potential entry points for an attacker to exploit.

Software updates frequently contain patches for security flaws that have been discovered. Applying them is a crucial proactive measure to protect the system from known exploits.

An SSL/TLS certificate enables HTTPS, which encrypts data in transit, ensuring that information like login credentials and credit card numbers are transmitted securely.

A Certificate Authority is a trusted entity that verifies the identity of organizations and domains, then issues digital certificates that browsers can trust to establish secure connections.

Authentication is the security step where a system confirms that a user is who they claim to be, typically by checking credentials like a username and password.

For security reasons, the encrypted (hashed) passwords are not stored in the world-readable /etc/passwd file but in the /etc/shadow file, which can only be read by the root user.

SELinux and AppArmor enforce a strict security policy that limits what processes can do, thereby containing the potential damage if a service is compromised.

In permissive mode, SELinux does not enforce the security policy (it doesn't block actions), but it still logs warnings. This is useful for testing policies before enforcing them.

The shebang line tells the operating system which program (in this case, /bin/bash) should be used to execute the commands within the script file.

The chmod command is used to change file permissions. u+x specifically grants (+) the execute (x) permission to the user (u) who owns the file.

The hash or pound symbol (#) is used for single-line comments in bash scripting. The interpreter ignores any text on the line following this character.

In bash, variable assignment is done with the VARIABLE_NAME=value syntax. It is important that there are no spaces around the equals (=) sign.

The echo command is used to display text. To access the value stored in a variable, you must prefix its name with a dollar sign ($).

Positional parameters are special variables that hold the arguments passed to a script. 2 the second, and so on.

A bash conditional block starts with if, executes code after then, provides an alternative with else, and is terminated by fi (if spelled backwards).

A for loop is a control flow statement that allows a block of code to be repeatedly executed for each element in a sequence or list.

To create a rule that combines a source address with a specific service in firewalld, a 'rich rule' is required. The --add-rich-rule flag allows for complex rule creation. The --permanent flag ensures the rule persists after a reboot. The other options are either syntactically incorrect for firewalld or use a different tool (iptables).

The OUTPUT chain is used for packets originating from the local server. -d 203.0.113.50 specifies the destination IP, --dport 8080 specifies the destination port, and -j DROP silently discards the matching packets. The INPUT chain is for incoming traffic, and FORWARD is for traffic being routed through the server.

The -i eth0 flag specifies the interface. The -w dns_traffic.pcap flag writes the raw packet data to a file in pcap format. The filter expression 'port 53' correctly captures traffic where either the source or destination port is 53, which is used for DNS over both UDP and TCP.

LISTEN state means the socket is waiting for an incoming connection. *:ssh indicates it is listening on the standard SSH port (22) on all available network interfaces (*). The users:(("sshd",pid=1234,...)) part explicitly identifies the process name and its PID that owns this listening socket.

By disabling direct root login via SSH, an attacker can no longer target the universally known 'root' username. They must first discover a valid non-privileged username and then guess its password. This increases the complexity of a brute-force attack. It also promotes better administrative practice by forcing admins to log in as a regular user and elevate privileges using sudo or su, which provides a clearer audit trail.

The find command's -perm argument can be used with a leading slash (in some versions) or hyphen to match 'any' of the bits. -perm -4000 finds files with the SUID bit set, and -perm -2000 finds files with the SGID bit set. The -o operator acts as a logical OR. The command searches for any file (-type f) where either the SUID bit OR the SGID bit is set.

Limiting the attack surface means reducing the number of potential entry points for an attacker. Every installed package and running service is a potential source of vulnerabilities. By removing software that is not absolutely essential for the server's function (like compilers, graphical interfaces, or other services), you reduce the number of potential vulnerabilities that could be exploited.

The openssl req command is used for managing CSRs. The -new flag indicates a new request. The -newkey rsa:2048 option instructs OpenSSL to generate a new 2048-bit RSA private key on the fly. -nodes means 'no DES', so the private key will not be encrypted with a passphrase. -keyout and -out specify the output files for the key and CSR, respectively.

While concatenating files works for many servers (and was the older method), modern web servers like Apache (SSLCertificateChainFile or inside the main cert file) and Nginx (ssl_certificate) are designed to handle certificate chains correctly. The standard practice is to configure the server certificate and the intermediate/chain certificate(s) so the server can present the full chain of trust to the client. The most common modern approach is to have one file for the server certificate and another for the rest of the chain (intermediate + root), or to concatenate them in order: server cert first, then intermediate(s).

The required flag indicates that the module's success is necessary for the final outcome. However, even if a required module fails, PAM continues to process the rest of the modules in the stack. This prevents an attacker from discovering which specific module failed, as the final failure is only reported after all modules have run. This contrasts with requisite, which fails immediately.

For security reasons, the SSH daemon (sshd) is very strict about permissions. It will ignore the authorized_keys file if the user's home directory, the .ssh directory, or the authorized_keys file itself is writable by other users. The typical required permissions are 700 or 755 for the home directory, 700 for ~/.ssh, and 600 for ~/.ssh/authorized_keys.

The correct and permanent way to fix this is to update the SELinux file context policy. semanage fcontext adds a new rule defining that /srv/www and all files/directories under it ((/.*)?) should have the httpd_sys_content_t type. Then, restorecon -Rv applies this new policy rule to the existing filesystem, changing the labels on the files and directories.

The aa-complain command is used to switch an AppArmor profile from the default 'enforce' mode to 'complain' mode. In complain mode, policy violations are logged in the system audit logs, but the actions are not blocked. This is a crucial step for generating or debugging a security profile without disrupting service.

grep AVC filters the audit log to show only the SELinux denial messages. Piping this output to audit2allow (without the -M flag) will analyze the denials and print a human-readable explanation along with a sample allow rule that could be added to a custom policy module. This is the standard first step in troubleshooting SELinux denials.

When you try to execute a file directly (e.g., ./myscript.sh), the kernel examines the first few bytes. If it sees the #! characters (the shebang), it treats the rest of the line as the absolute path to an interpreter program. The kernel then invokes that interpreter (/bin/bash in this case) and passes the script file as an argument to it. It is not just a comment; it is a critical directive for direct execution.

This is the most robust method. find . -maxdepth 1 -type f reliably lists only files (-type f) in the current directory (.) without recursing (-maxdepth 1). The output is then piped to wc -l to count the lines. The entire command is enclosed in $() (command substitution) to capture its output and assign it to the file_count variable. The ls based options are prone to errors with filenames containing spaces or special characters.

Initially, 3 is gamma. The shift 2 command discards the first two positional parameters (alpha and beta). After the shift, the list of positional parameters becomes just gamma. Therefore, the new # would now be 1.

The read command is used for user input. The -p option displays a prompt string without a trailing newline. The -s option stands for 'silent' mode, which prevents the user's input from being displayed on the screen. The final argument, PASSWD, is the name of the variable where the input will be stored.

The script checks the value of the STATUS variable but never assigns a value to it. To make the logic work, you must first execute a command that checks the service and then capture its exit code. systemctl is-active --quiet ? then captures this exit code into the STATUS variable for the if statement to evaluate.

Using globbing (*.log) directly in the for loop is the standard, safest, and most efficient way to iterate over filenames in bash. The shell expands /var/log/app/*.log into a list of matching file paths, and the for loop assigns each path to the variable i in turn. Using ls inside command substitution ($(ls ...)), is problematic as it will fail if filenames contain spaces or special characters.

This is a complex firewalling scenario. Rule 1 (DNAT) is needed for port forwarding. Rule 4 (MASQUERADE/SNAT) is needed for internal clients to access the internet. Critically, traffic for both scenarios must be allowed through the FORWARD chain. Rule 2 allows the new forwarded traffic from the internet to the web server. Rule 3 allows the return traffic from the internal network's internet browsing. Without all four rules (assuming a default DROP policy on the FORWARD chain, which is best practice), the configuration will fail in one of the two requirements. Rule 2 is not insecure because it's highly specific to the destination IP and port; combining it with state matching (-m state --state NEW) would be even better, but it's necessary to allow the initial packet of the DNAT'd connection.

The correct procedure for creating a custom policy module from an audit log denial is to pipe the relevant log entry into audit2allow. The -M flag creates a Type Enforcement (.te) file and compiles it into a policy package (.pp). The semodule -i command then installs this package. setsebool is for toggling existing booleans, not fixing this specific context issue. chcon would set the context, but the denial shows var_t, implying the directory is not in a standard web content location, and the change would not survive a filesystem relabel. restorecon is used to restore default contexts, which wouldn't help if the application genuinely needs to write to a location with a non-standard context.

This question tests the precedence and short-circuiting behavior of && (AND) and || (OR) operators in bash. && has higher precedence than ||. The expression is evaluated as (check_service && restart_service) || notify_admin.

1. check_service is executed and returns an exit code of 1 (failure).
2. Because the left side of the && failed, the right side (restart_service) is not executed (short-circuiting).
3. The result of the (check_service && restart_service) group is failure (exit code 1).
4. Because the left side of the || failed, the right side (notify_admin) is executed.
5. notify_admin runs and echoes its message. The final output is from check_service and notify_admin.

This question requires deep knowledge of tcpdump filter syntax, specifically for TCP flags. The TCP flags are in the 13th byte of the TCP header (offset 0). A value of 2 (binary 00000010) means that only the SYN flag is set. The other options are flawed:

• The tcp[tcpflags] & (tcp-syn) != 0 expression is true if the SYN flag is set, but it doesn't exclude packets that also have other flags set (like SYN/ACK).
• The tcp-syn keyword is not a valid primitive in tcpdump filter expressions.
• The last option is too broad; ip proto \tcp is redundant with tcp, and it doesn't filter for the SYN flag at all.

This question tests the understanding of PAM control flags, specifically requisite. The requisite flag means that if the module (in this case pam_sss.so) fails, the entire authentication process for this stack type (auth) fails immediately. Control is returned to the calling application (sshd) without processing any subsequent modules in the stack. In contrast, required would allow subsequent modules to be processed before ultimately returning failure. Therefore, pam_deny.so will not even be evaluated.

The verify return code: 21 is a very specific OpenSSL error. It means that the client could not find an issuer certificate for the first certificate it was presented with (the server's leaf certificate). In a typical chain (Root -> Intermediate -> Server), this happens when the server is configured to send only its own certificate but not the intermediate certificate. The client cannot bridge the gap in the chain of trust from the server certificate to a trusted root CA in its trust store. A clock skew would be code 9 or 10, a hostname mismatch would be a different error (e.g., code 62), and a key mismatch would likely prevent the server from starting or completing the handshake at all.

This question highlights a critical concept of subshells and variable scope in bash. In Snippet A, the while loop is on the right side of a pipe (|). This causes the loop to be executed in a subshell. Any variable modifications made inside that subshell (like incrementing count) are lost when the subshell exits. Therefore, the echo in the parent shell still sees count as 0. In Snippet B, input redirection (< file.txt) is used. This does not create a subshell for the while loop. The loop runs in the current shell's context, so the modifications to the count variable persist, and the final echo correctly prints 10.

A robust defense against SYN floods involves a multi-faceted approach. net.ipv4.tcp_syncookies = 1 is the core of the defense, as it allows the server to handle SYN requests without filling up the SYN backlog (by encoding connection info into the SYN-ACK sequence number). However, it's only activated when the backlog is full. Therefore, net.ipv4.tcp_max_syn_backlog must be increased from its default to handle larger bursts of legitimate traffic before syncookies are needed. net.ipv4.tcp_synack_retries reduces the number of times the server tries to re-send a SYN-ACK, which frees up resources faster when dealing with spoofed source IPs that will never respond. All three work in concert for an effective mitigation strategy.

This question requires understanding the syntax and logic of firewalld rich rules. The goal is to perform multiple actions based on a single condition. The correct option uses an inverted source address match (!192.168.100.0/24) to target all other traffic. Crucially, it combines the log and reject actions into a single rule. This is the most efficient method. The first option uses three separate rules, which is less efficient and harder to manage. The third option only implements the accept part of the requirement. The fourth option drops the packets silently without logging, failing to meet the logging requirement.

This question tests the critical difference between @, and more specifically, the behavior of "@" expands to a separate, properly quoted string for each positional parameter. This means that arguments containing spaces ("first arg" and "third arg with spaces") are treated as single arguments by the for loop. If the script had used *", all arguments would have been expanded into a single string ("first arg second third arg with spaces"), and the loop would have executed only once.

The most secure and correct profile follows several AppArmor best practices. It starts with the profile keyword. It includes <abstractions/base> for common system file access. Most importantly, it uses the owner keyword to ensure the application can only access these files if it has the necessary DAC (user/group) permissions. For the log file, it uses a (append) mode instead of w (write), which is more secure for logging as it prevents truncation or overwriting of the entire file. The other options are less secure: Option A lacks the base abstraction and uses w instead of a. Option B uses overly broad wildcards (** and *) and grants an unnecessary and powerful capability (dac_override). Option D only allows execution (ux) and is incomplete.

This is a nuanced question about modern certificate validation techniques. The primary security advantage of OCSP stapling is privacy. In a standard OCSP check, the client contacts the CA directly, revealing the client's IP and the site they are visiting to the CA. With OCSP stapling, the web server makes this request periodically and 'staples' the signed, timestamped response to the TLS handshake. This means the CA only sees requests from the web server, not from every individual client. The critical dependency for this system is that the web server itself must have network connectivity to the CA's OCSP responder to fetch and cache these responses.

This question tests understanding of shell command execution and short-circuiting in edge cases. The use of && ensures that the stat command is only run if the file exists (-f "file is an empty string, the first test [[ -f "" ]] evaluates to false. The stat command is not executed due to short-circuiting. But the problem lies in what happens if the logic were different or if a command wasn't inside [[ ]]. The real killer is that stat -c %s "" would be executed if the first check was different (e.g. [[ -n "file is empty. The stat command stat -c %s "" will error out with 'stat: cannot stat '': No such file or directory', causing a non-zero exit code.

This is a classic advanced scripting problem. When you use a pipe (command | while ...), Bash creates a subshell for the command on the right side of the pipe. Any variables created or modified inside that while loop exist only within that subshell and are lost when the loop terminates. In contrast, when using process substitution (while ... < <(command)), the command runs in a subshell, but its output is connected to the while loop via a named pipe or a file descriptor. The while loop itself runs in the current shell context. This means any variables modified inside the loop will retain their values after the loop has finished, which is a common requirement in complex scripts.

This is a highly specific configuration issue that requires knowledge of SSSD's integration with AD for SSH. While id_provider = ad, auth_provider = ad, and ldap_schema = ad are necessary for basic integration and password authentication, they do not tell SSSD where to look for SSH public keys. To enable SSH public key retrieval from Active Directory, you must explicitly tell SSSD which AD attribute stores the keys. The ldap_user_ssh_public_key option is used for this purpose. Since the keys are in altSecurityIdentities, this line must be present and correct in the [domain/...] section of sssd.conf for key-based authentication to function through SSSD.

Passive FTP is tricky for stateful firewalls. The client establishes a control connection on port 21. For data transfer (like a directory listing), the server tells the client to connect to a new, high-numbered port. From the firewall's perspective, this incoming connection on a random high port is NEW and would normally be blocked. The nf_conntrack_ftp kernel module (also known as ip_conntrack_ftp) is a connection tracking helper that inspects the FTP control connection. It identifies the port the server offers for the data connection and dynamically marks the subsequent incoming connection on that port as RELATED to the existing control connection. Therefore, two things are required: 1) the helper module must be loaded, and 2) an iptables rule must exist to explicitly ACCEPT traffic whose state is RELATED.

This combination provides layered security for a world-writable directory like /tmp. noexec prevents any binary files stored there from being executed directly. nosuid prevents any SUID/SGID bits on files from taking effect, which stops a common privilege escalation vector. nodev prevents the creation of character or block special device files, which could be used to access system hardware. ro (read-only) would break /tmp's functionality. defaults is a standard baseline, not a hardening measure. Quotas and ACLs are for resource management and permissions, not for preventing execution-based attacks.

This question tests knowledge of advanced Bash features (extglob) and the order of evaluation in case statements. The case statement evaluates patterns sequentially and stops at the first match.

1. shopt -s extglob enables extended globbing patterns.
2. The first pattern is *.@(log|txt). The @(...) pattern matches exactly one of the given sub-patterns. Since filename is "report.txt", it matches *.txt.
3. Because a match is found, the script executes echo "Text or Log File" and exits the case block.
4. It never evaluates the second pattern !(report.*), which means "match anything except files starting with 'report.'". Even though "report.txt" would not match this second pattern, it's irrelevant because the first pattern already matched.

For common, expected application behaviors like a web server sending mail, the SELinux reference policy provides tunable booleans. The correct boolean is httpd_can_sendmail. The command to set it persistently across reboots is setsebool -P httpd_can_sendmail on. This method is superior to creating a custom policy with audit2allow because it's an intended, built-in feature of the policy. It's maintained by the policy packagers, less likely to break on system updates, and clearly signals the admin's intent. Creating a custom policy for such a common task is overkill and creates a maintenance burden. semanage boolean can also work but setsebool -P is the more common and direct tool for this task.

This question tests a deep understanding of trap, subshells, and the exit command.

1. The main script sets a trap on EXIT.
2. main() is called, printing "Main function started".
3. A subshell is created with (...).
4. Inside the subshell, a new trap on EXIT is set. This trap is local to the subshell.
5. "Inside subshell" is printed.
6. The exit 5 command is executed. Crucially, exit inside a subshell only terminates the subshell, not the parent script.
7. As the subshell exits, its local EXIT trap fires, printing "Subshell trap fired".
8. Control returns to the parent script, right after the subshell block. The set -e option is not triggered because the subshell's exit is just a command completion to the parent.
9. The parent script continues, printing "Main function finished".
10. The main function finishes, and the script reaches its end. As the main script exits, its EXIT trap fires, printing "Cleanup trap fired".