Unit 5 - Practice Quiz

CSC202 60 Questions

1 What is the primary function of a network firewall?

Configuring Network Security: Configure the firewall Easy
A. To store user passwords securely
B. To monitor CPU usage
C. To manage software packages
D. To filter network traffic based on a set of rules

2 Which of the following commands is commonly used to manage the firewalld service on a Linux system?

Configuring Network Security: Configure the firewall Easy
A. firewall-cmd
B. ufw-tool
C. iptables-config
D. net-config

3 What is the main purpose of a network analysis tool like tcpdump?

Configuring Network Security: Monitor network traffic Easy
A. To capture and display network packets in real-time
B. To check the available disk space
C. To edit text files
D. To install new software applications

4 Which command is commonly used to display active network connections, open ports, and routing tables on a Linux system?

Configuring Network Security: Monitor network traffic Easy
A. top
B. ss
C. df
D. ls

5 Which of the following is a fundamental step in hardening a Linux system?

Managing Linux Security: Harden a Linux system Easy
A. Granting all users root privileges
B. Using 'password' as the root password
C. Never updating system software
D. Disabling unused services and ports

6 Why is it critical to regularly apply software updates to a server?

Managing Linux Security: Harden a Linux system Easy
A. To free up hard drive space
B. To make the system run slower
C. To patch known security vulnerabilities
D. To get the newest desktop wallpaper

7 What is the primary purpose of an SSL/TLS certificate on a web server?

Managing Linux Security: Manage certificates Easy
A. To manage user accounts
B. To store website content
C. To increase the server's processing speed
D. To encrypt the communication between a web server and a browser

8 What is the role of a Certificate Authority (CA)?

Managing Linux Security: Manage certificates Easy
A. To issue and digitally sign trusted SSL/TLS certificates
B. To host websites for free
C. To develop web browsers
D. To provide internet connectivity

9 Authentication is the process of:

Managing Linux Security: Understand authentication Easy
A. Granting permissions to a user
B. Encrypting a hard drive
C. Recording user activity in a log file
D. Verifying the identity of a user or process

10 In a modern Linux system, where are the hashed user passwords stored?

Managing Linux Security: Understand authentication Easy
A. /etc/group
B. /etc/shadow
C. /etc/hosts
D. /etc/passwd

11 What is the main goal of Mandatory Access Control (MAC) systems like SELinux?

Managing Linux Security: Configure SELinux or AppArmor Easy
A. To confine programs to a limited set of actions and resources
B. To manage software package installations
C. To automatically set strong user passwords
D. To make the command line look better

12 If SELinux is in permissive mode, what will it do when a policy violation occurs?

Managing Linux Security: Configure SELinux or AppArmor Easy
A. Allow the action but log the violation
B. Completely ignore the action and not log anything
C. Block the action and log the violation
D. Shut down the system

13 What is the purpose of the #!/bin/bash line at the beginning of a script?

Implementing Simple Scripts: Understand bash scripting basics Easy
A. It declares a variable named 'bash'
B. It sets the script's background color
C. It is a 'shebang' that specifies the interpreter to run the script
D. It is a comment that describes the script's author

14 Which command makes a script file named backup.sh executable by its owner?

Implementing Simple Scripts: Understand bash scripting basics Easy
A. exec backup.sh
B. run +x backup.sh
C. make backup.sh executable
D. chmod u+x backup.sh

15 In a bash script, which character indicates the start of a comment?

Implementing Simple Scripts: Understand bash scripting basics Easy
A. #
B. %
C. //
D. /*

16 Which of the following lines correctly declares a variable named my_var and assigns it the value 10 in bash?

Implementing Simple Scripts: Use shell script elements Easy
A. my_var := 10
B. my_var=10
C. set my_var = 10
D. let my_var = 10

17 How would you print the value of a variable named USERNAME to the terminal?

Implementing Simple Scripts: Use shell script elements Easy
A. print USERNAME
B. echo $USERNAME
C. echo USERNAME
D. cat $USERNAME

18 In a bash script, what does the special variable $1 represent?

Implementing Simple Scripts: Use shell script elements Easy
A. The first argument passed to the script from the command line
B. The total number of arguments
C. The process ID of the script
D. The name of the script

19 Which set of keywords is used to define a conditional if-then-else block in bash?

Implementing Simple Scripts: Implement scripts with logical controls Easy
A. if, then, otherwise, close
B. if, then, else, endif
C. if, then, else, fi
D. if, do, otherwise, end

20 What is the primary purpose of a for loop in a script?

Implementing Simple Scripts: Implement scripts with logical controls Easy
A. To check if a condition is true or false one time
B. To end the script immediately
C. To define a new command
D. To iterate over a list of items and execute commands for each item

21 A system administrator needs to configure firewalld on a RHEL server to allow incoming HTTPS traffic, but only from the 10.10.20.0/24 subnet. Which command correctly and permanently implements this policy?

Configuring Network Security: Configure the firewall Medium
A. iptables -A INPUT -p tcp -s 10.10.20.0/24 --dport 443 -j ACCEPT
B. firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.20.0/24" service name="https" accept'
C. firewall-cmd --permanent --add-port=443/tcp --source-net=10.10.20.0/24
D. firewall-cmd --zone=public --add-service=https --add-source=10.10.20.0/24

22 Using iptables, you need to block all outgoing TCP traffic from your server to the IP address 203.0.113.50 on port 8080. Which command will accomplish this?

Configuring Network Security: Configure the firewall Medium
A. iptables -A FORWARD -p tcp -d 203.0.113.50 --dport 8080 -j DROP
B. iptables -A INPUT -p tcp -d 203.0.113.50 --dport 8080 -j DROP
C. iptables -A OUTPUT -p tcp -d 203.0.113.50 --dport 8080 -j DROP
D. iptables -A OUTPUT -p tcp -s 203.0.113.50 --sport 8080 -j REJECT

23 You want to capture all DNS query traffic (both TCP and UDP) leaving your server's eth0 interface and save it to a file named dns_traffic.pcap for later analysis with Wireshark. Which tcpdump command is most appropriate?

Configuring Network Security: Monitor network traffic Medium
A. tcpdump -i eth0 -o dns_traffic.pcap 'udp port 53'
B. tcpdump --interface eth0 --write dns_traffic.pcap 'protocol 53'
C. tcpdump -i eth0 -w dns_traffic.pcap 'port 53'
D. tcpdump -i eth0 > dns_traffic.pcap 'host dns.google'

24 While investigating active network connections using the ss command, you see the following line of output:
tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=1234,fd=3))

What does this line indicate?

Configuring Network Security: Monitor network traffic Medium
A. The SSH daemon (sshd) has established an outbound connection from this server.
B. There are 128 active SSH connections to the server.
C. A user is actively connected via SSH from any IP address.
D. The SSH service, with process ID 1234, is listening for incoming connections on all network interfaces.

25 What is the primary security benefit of setting PermitRootLogin no in the /etc/ssh/sshd_config file?

Managing Linux Security: Harden a Linux system Medium
A. It encrypts the root user's password in the /etc/shadow file.
B. It forces attackers to guess both a valid username and a password, increasing brute-force difficulty.
C. It completely disables the root account on the system.
D. It prevents all users from using the sudo command.

26 A system administrator wants to find all files on the system that have either the SUID or SGID permission bit set, as these can sometimes represent a security risk. Which find command is the correct way to search for these files?

Managing Linux Security: Harden a Linux system Medium
A. find / -type f \( -perm -4000 -o -perm -2000 \)
B. find / -perm /u=s,g=s
C. find / -perm 6000
D. find / -exec chmod -s {} \;

27 You are hardening a public-facing web server. Which of the following actions is a crucial step to limit the system's attack surface?

Managing Linux Security: Harden a Linux system Medium
A. Uninstalling all unnecessary services and packages (e.g., compilers, X11, printing services).
B. Configuring daily backups to a remote location.
C. Increasing the size of the swap partition.
D. Setting a complex root password.

28 You need to generate a new 2048-bit RSA private key and an associated Certificate Signing Request (CSR) for www.example.com. Which openssl command accomplishes both tasks in a single step?

Managing Linux Security: Manage certificates Medium
A. openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
B. openssl genrsa -out server.key 2048 && openssl csr -in server.key -out server.csr
C. openssl ca -new -key server.key -out server.csr
D. openssl x509 -req -in server.csr -signkey server.key -out server.crt

29 A Certificate Authority (CA) has issued you a signed server certificate (server.crt) and an intermediate certificate (intermediate.crt). To avoid browser trust warnings, how should you configure these in a web server like Nginx or Apache?

Managing Linux Security: Manage certificates Medium
A. Configure the server to only use server.crt, as the intermediate is handled by the client.
B. Concatenate the intermediate certificate and the server certificate into a single file, and point the web server's certificate directive to this combined file.
C. Place both files in the same directory and the web server will automatically find and serve the intermediate.
D. Configure the server with server.crt and use a separate directive to specify the path to intermediate.crt.

30 In a PAM (Pluggable Authentication Modules) configuration file, what is the behavior of the required control flag?

Managing Linux Security: Understand authentication Medium
A. If the module succeeds, authentication is immediately successful and no other modules are checked.
B. The module's success is optional; failure does not cause the overall authentication to fail.
C. The module must succeed for the overall authentication to succeed, but all other modules in the stack are still executed regardless of the result.
D. If the module fails, authentication immediately fails and an error is returned to the application without processing other modules.

31 A user has correctly placed their SSH public key in ~/.ssh/authorized_keys on a server. However, they are still being prompted for a password when they try to connect. The SSH server logs show no specific errors. What is the most likely cause of this issue?

Managing Linux Security: Understand authentication Medium
A. The server's clock is out of sync with the client's clock.
B. The user's home directory (~) or their ~/.ssh directory has incorrect, overly permissive file permissions.
C. The server's /etc/ssh/sshd_config has PasswordAuthentication no set.
D. The client-side SSH agent is not running.

32 An Apache web server (httpd) running on a system with SELinux in enforcing mode cannot access content located in /srv/www. Audit logs show AVC denial errors related to httpd_t trying to access files labeled default_t. What are the correct commands to permanently relabel the directory and its contents for web server access?

Managing Linux Security: Configure SELinux or AppArmor Medium
A. chcon -R -t httpd_sys_content_t /srv/www
B. semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?" && restorecon -Rv /srv/www
C. audit2allow -a -M httpd_custom && semodule -i httpd_custom.pp
D. setenforce 0

33 A newly installed application is being blocked by AppArmor. You want to temporarily allow the application to run while logging all policy violations so you can build a correct profile. Which command should you use to place the application's profile into complain/learning mode?

Managing Linux Security: Configure SELinux or AppArmor Medium
A. aa-disable /etc/apparmor.d/usr.bin.newapp
B. aa-enforce /etc/apparmor.d/usr.bin.newapp
C. aa-complain /etc/apparmor.d/usr.bin.newapp
D. aa-logprof /usr/bin/newapp

34 After reviewing /var/log/audit/audit.log, you find SELinux AVC denial messages. You want to understand these denials in a human-readable format and see a suggestion for a local policy module to allow the action. Which command pipeline is best suited for this initial analysis?

Managing Linux Security: Configure SELinux or AppArmor Medium
A. grep AVC /var/log/audit/audit.log | audit2allow
B. cat /var/log/audit/audit.log | audit2why
C. semanage permissive -a httpd_t
D. restorecon -Rv /

35 What is the primary function of the #!/bin/bash line (shebang) at the very beginning of a shell script?

Implementing Simple Scripts: Understand bash scripting basics Medium
A. It is a comment that tells the user which shell the script was written for.
B. It is an instruction to the kernel's program loader, specifying the interpreter that should be used to execute the script's contents.
C. It loads the user's .bashrc profile before executing the rest of the script.
D. It sets the BASH_VERSION environment variable for the script's execution environment.

36 Which of the following lines in a bash script will correctly count the number of files (excluding directories) in the current directory and store the result in a variable named file_count?

Implementing Simple Scripts: Understand bash scripting basics Medium
A. file_count='ls -l | grep "^-" | wc -l'
B. set file_count = $(ls | wc -l)
C. let file_count = ls -f
D. file_count=$(find . -maxdepth 1 -type f | wc -l)

37 What will be the output of the following shell script when executed as ./script.sh alpha beta gamma?

```bash
#!/bin/bash
echo "Total arguments: $#"
echo "The third argument is: $3"
shift 2
echo "The first argument now is: $1"
```

Implementing Simple Scripts: Use shell script elements Medium
A. Total arguments: 3
The third argument is: gamma
The first argument now is: gamma
B. Total arguments: 3
The third argument is: $3
The first argument now is: $1
C. Total arguments: 3
The third argument is: gamma
The first argument now is: alpha
D. Total arguments: 4
The third argument is: gamma
The first argument now is: beta

38 You are writing a script that needs to prompt the user for a password and store it in a variable named PASSWD without echoing the typed characters to the terminal. Which command achieves this?

Implementing Simple Scripts: Use shell script elements Medium
A. read -s -p "Enter Password: " PASSWD
B. read -p "Enter Password: " PASSWD
C. echo "Enter Password: " > PASSWD
D. input -h "Enter Password: " PASSWD

39 Consider the following script, which is intended to check the status of a service and restart it if it is not running. What logical control is missing for the script to function correctly?

```bash
#!/bin/bash
SERVICE_NAME="httpd"

# Missing logic here
if [ $STATUS -ne 0 ]; then
    echo "Service $SERVICE_NAME is not running. Restarting..."
    systemctl restart $SERVICE_NAME
fi
```

Implementing Simple Scripts: Implement scripts with logical controls Medium
A. A for loop to iterate through all services.
B. A case statement to handle different service names.
C. A command to capture the exit status of the service check into the STATUS variable, such as systemctl is-active --quiet ?
D. An echo $STATUS command to display the status to the user.

40 You need to write a script that processes every file with a .log extension in the /var/log/app directory. Which for loop syntax is the most appropriate and common way to achieve this in bash?

Implementing Simple Scripts: Implement scripts with logical controls Medium
A. for i in $(ls /var/log/app/*.log); do
# commands
done
B. for (i in /var/log/app/*.log); do
# commands
done
C. for i in /var/log/app/*.log; do
# commands
done
D. ls /var/log/app/*.log | while read i; do
# commands
done

41 A system administrator needs to configure iptables on a Linux router (forwarding enabled) to allow established web traffic from an internal network (192.168.1.0/24) to the internet, while also redirecting incoming traffic on port 80 of the router's external interface (eth0) to an internal web server at 192.168.1.50. Which combination of rules most accurately and securely accomplishes this?

1. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.50
2. iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -d 192.168.1.50 -j ACCEPT
3. iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
4. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Which of the following represents the minimal and correct set of rules required?

Configuring Network Security: Configure the firewall Hard
A. Only rules 1, 3, and 4 are required; rule 2 is insecure as it doesn't check connection state.
B. Only rules 1 and 4 are required; forwarding rules are not needed with NAT.
C. Rules 1, 2, 3, and 4 are all required.
D. Only rules 1, 2, and 4 are required; rule 3 is redundant if the default FORWARD policy is ACCEPT.

42 An administrator sees the following AVC denial in /var/log/audit/audit.log:

type=AVC msg=audit(1678886400.123:456): avc: denied { write } for pid=7890 comm="httpd" name="cache" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0

They want to create a local SELinux policy module to allow this specific action permanently and in a targeted way. What is the most appropriate sequence of commands to achieve this?

Managing Linux Security: Configure SELinux or AppArmor Hard
A. setsebool -P httpd_can_network_connect on
B. chcon -t httpd_sys_rw_content_t /var/www/cache
C. grep httpd /var/log/audit/audit.log | audit2allow -M myhttpd; semodule -i myhttpd.pp
D. ausearch -c 'httpd' --raw | audit2why; restorecon -Rv /var/www/cache

43 Analyze the following Bash script snippet:

```bash
#!/bin/bash

check_service() {
    echo "Checking service..."
    return 1 # Simulate failure
}

notify_admin() {
    echo "Notifying admin..."
    return 0
}

restart_service() {
    echo "Restarting service..."
    return 0
}

check_service && restart_service || notify_admin
```


What will be the output of this script when executed?

Implementing Simple Scripts: Implement scripts with logical controls Hard
A. Checking service...
Restarting service...
B. Checking service...
C. Checking service...
Restarting service...
Notifying admin...
D. Checking service...
Notifying admin...

44 A security analyst needs to use tcpdump to capture packets on interface eth0 that match a very specific and complex profile for identifying a potential slow-scan attack. The criteria are: packets must be TCP, must have only the SYN flag set (no other flags like ACK), must originate from the 10.0.0.0/8 network, and must be destined for port 443. Which tcpdump filter expression is the most precise and correct way to capture only these specific packets?

Configuring Network Security: Monitor network traffic Hard
A. tcpdump -i eth0 'tcp and src net 10.0.0.0/8 and dst port 443 and tcp-syn'
B. tcpdump -i eth0 'ip proto \tcp and src net 10.0.0.0/8 and port 443'
C. tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0 and src net 10.0.0.0/8 and dst port 443'
D. tcpdump -i eth0 'src net 10.0.0.0/8 and dst port 443 and tcp[13] == 2'

45 A system is configured with the following /etc/pam.d/sshd stack for authentication:


auth requisite pam_sss.so
auth required pam_deny.so


A user, testuser, exists in SSSD (LDAP) but provides the wrong password during an SSH attempt. What is the immediate outcome of this authentication attempt from PAM's perspective?

Managing Linux Security: Understand authentication Hard
A. The pam_sss.so module returns an 'ignore' status, and control passes to pam_deny.so which causes the failure.
B. The pam_sss.so module fails, and then pam_deny.so is processed, which also fails, and sshd denies access.
C. The authentication immediately fails and control is returned to the application (sshd) without processing pam_deny.so.
D. The authentication is marked as failed by pam_sss.so, but PAM continues to pam_deny.so, after which failure is reported.

46 An administrator is debugging a TLS connection to https://secure.example.com using openssl s_client -connect secure.example.com:443. The command output includes the following line at the end of the certificate chain verification section:

verify return code: 21 (unable to verify the first certificate)

Assuming the server's own certificate and the root CA certificate are correct and trusted, what is the most likely cause of this specific error?

Managing Linux Security: Manage certificates Hard
A. The client's system clock is skewed, causing the certificate to appear not yet valid or expired.
B. The server is not presenting the necessary intermediate CA certificate in the TLS handshake.
C. The server's private key does not match its public certificate.
D. The server certificate's Common Name (CN) does not match secure.example.com.

47 Consider the following two Bash script snippets intending to process a file line by line:

Snippet A:
```bash
count=0
cat file.txt | while read line; do
    ((count++))
done
echo "A: $count"
```


Snippet B:
```bash
count=0
while read line; do
    ((count++))
done < file.txt
echo "B: $count"
```


If file.txt contains 10 lines, what will be the output?

Implementing Simple Scripts: Use shell script elements Hard
A. A: 10
B: 10
B. A: 0
B: 10
C. A: 10
B: 0
D. A: 0
B: 0

48 To mitigate TCP SYN flood attacks, a sysadmin modifies /etc/sysctl.conf. Which set of parameters provides the most robust defense by enabling a non-state-based cookie mechanism and optimizing the handling of incoming SYN packets?

# /etc/sysctl.conf

net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syncookies = 1

Managing Linux Security: Harden a Linux system Hard
A. All three parameters (tcp_max_syn_backlog, tcp_synack_retries, tcp_syncookies) are essential and work together.
B. Only net.ipv4.tcp_max_syn_backlog is necessary to increase the queue size for legitimate connections.
C. Only net.ipv4.tcp_syncookies = 1 is necessary; the others are for performance tuning, not security.
D. Setting net.ipv4.tcp_synack_retries = 0 would be more effective as it stops retransmissions.

49 A sysadmin wants to use firewalld to allow inbound SSH traffic from the 192.168.100.0/24 subnet but log and drop SSH traffic from all other sources, with log messages prefixed with "SSH-REJECT". Which single firewalld rich rule, when added to the public zone, accomplishes this entire objective most efficiently?

Configuring Network Security: Configure the firewall Hard
A. rule family="ipv4" source address="!192.168.100.0/24" service name="ssh" log prefix="SSH-REJECT" level="info" reject
B. rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept; rule family="ipv4" service name="ssh" log prefix="SSH-REJECT" level="info"; rule family="ipv4" service name="ssh" reject
C. rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept
D. rule family="ipv4" not source address="192.168.100.0/24" service name="ssh" drop

50 A script process.sh is written as follows:

```bash
#!/bin/bash
for arg in "$@"
do
    echo "Processing: $arg"
done
```


It is executed with the command: ./process.sh "first arg" "second" "third arg with spaces"

What is the exact output?

Implementing Simple Scripts: Understand bash scripting basics Hard
A. Processing: first arg second third arg with spaces
B. Processing: first
Processing: arg
Processing: second
Processing: third
Processing: arg
Processing: with
Processing: spaces
C. Processing: "first arg"
Processing: "second"
Processing: "third arg with spaces"
D. Processing: first arg
Processing: second
Processing: third arg with spaces

51 An administrator is creating an AppArmor profile for a custom application located at /usr/local/bin/myapp. The application needs to read its configuration from /etc/myapp/config.conf and write logs to /var/log/myapp.log. According to the principle of least privilege, which of the following profile snippets is both correct and most secure?

Managing Linux Security: Configure SELinux or AppArmor Hard
A.
#include <tunables/global>

profile myapp /usr/local/bin/myapp {
#include <abstractions/base>

owner /etc/myapp/config.conf r,
owner /var/log/myapp.log a,
}
B.
#include <tunables/global>

/usr/local/bin/myapp {
/etc/myapp/config.conf r,
/var/log/myapp.log w,
}
C.
#include <tunables/global>

profile myapp /usr/local/bin/myapp {
capability dac_override,

/etc/myapp/* r,
/var/log/
w,
}
D.
#include <tunables/global>

/usr/local/bin/myapp ux,

52 What is the primary security advantage that OCSP Stapling (TLS Certificate Status Request extension) offers over a client performing its own OCSP validation, and what is a critical operational dependency for it to work?

Managing Linux Security: Manage certificates Hard
A. Advantage: It works even if the CA's OCSP responder is offline. Dependency: The client must explicitly trust the web server's stapled response.
B. Advantage: It uses a stronger cryptographic algorithm than standard OCSP. Dependency: The client's browser must support the OCSP Stapling extension.
C. Advantage: It prevents the Certificate Authority (CA) from seeing which clients are visiting which sites. Dependency: The web server must be able to periodically connect to the CA's OCSP responder.
D. Advantage: It reduces latency for the client. Dependency: The web server must have a direct connection to the client.

53 You are debugging a bash script and find this line:

[[ -f "(stat -c %s "file"

The script author claims this is a safe way to process files larger than 1KB. Under which edge-case condition would this line of code produce an error and potentially terminate the script (if set -e is active)?

Implementing Simple Scripts: Implement scripts with logical controls Hard
A. When the variable $file is an empty string.
B. When the file $file does not exist.
C. When the file $file is exactly 1024 bytes.
D. When the file $file contains a space in its name.

54 What is the key difference in behavior and variable scope when using process substitution (<(command)) versus a traditional pipe (|) to feed a while read loop in Bash?

```bash
# Method 1: Pipe
command | while read var; do ...; done

# Method 2: Process Substitution
while read var; do ...; done < <(command)
```

Implementing Simple Scripts: Use shell script elements Hard
A. The pipe method is faster, but the process substitution method allows variables set inside the loop to be accessible after the loop finishes.
B. The pipe method executes the while loop in a subshell, isolating its variables, while the process substitution method executes the loop in the current shell, preserving variable scope.
C. There is no functional difference; both execute the loop in a subshell.
D. The process substitution method executes the command in a subshell, while the pipe method executes both the command and the while loop in separate subshells.

55 A company uses SSSD to integrate their Linux servers with an Active Directory domain. A user reports they can log in via SSH using their password, but SSH key-based authentication fails. The user's public key is correctly placed in the altSecurityIdentities attribute in Active Directory. Which configuration directive in /etc/sssd/sssd.conf is most likely missing or misconfigured, preventing SSSD from retrieving the user's public key?

Managing Linux Security: Understand authentication Hard
A. id_provider = ad
B. ldap_schema = ad
C. ldap_user_ssh_public_key = altSecurityIdentities
D. auth_provider = ad

56 An administrator is setting up a stateful iptables firewall on a server that must act as a passive-mode FTP server. They have a rule iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT. However, clients can connect and authenticate but cannot get directory listings or transfer files. Which of the following is the most likely missing component for a secure and functional configuration?

Configuring Network Security: Configure the firewall Hard
A. Loading the nf_conntrack_ftp kernel module via modprobe.
B. Both loading the nf_conntrack_ftp module and adding a rule to accept RELATED state traffic.
C. A rule to accept RELATED state traffic: iptables -A INPUT -m state --state RELATED -j ACCEPT.
D. A rule to accept traffic on TCP ports 1024-65535: iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT.

57 When hardening /etc/fstab for security, which combination of mount options for a separate /tmp partition provides the most comprehensive protection against common local attacks, such as executing downloaded scripts or using SUID binaries?

Managing Linux Security: Harden a Linux system Hard
A. ro,noatime
B. noexec,nosuid,nodev
C. usrquota,grpquota,acl
D. defaults,rw

58 Given the following script using Bash's extended globbing features:

```bash
#!/bin/bash
shopt -s extglob

filename="report.txt"

case $filename in
    *.@(log|txt)) echo "Text or Log File";;
    !(report.*)) echo "Not a Report File";;
    *.pdf) echo "PDF File";;
    *) echo "Unknown";;
esac
```


What is the output of this script?

Implementing Simple Scripts: Use shell script elements Hard
A. Not a Report File
B. Text or Log File
C. The script will produce a syntax error.
D. Unknown

59 A web application running under the httpd_t SELinux context needs to send email, but SELinux is blocking the connection to the local mail transfer agent (MTA). The administrator knows there is an SELinux boolean for this. What is the correct command to persistently allow this action, and why is this method superior to writing a custom policy module in this specific scenario?

Managing Linux Security: Configure SELinux or AppArmor Hard
A. setsebool httpd_can_sendmail 1 - It's superior because it's simpler and may not survive a reboot.
B. audit2allow -a -M httpd_sendmail; semodule -i httpd_sendmail.pp - It's superior because it is more specific to the exact denial.
C. setsebool -P httpd_can_sendmail on - It's superior because it uses a pre-defined, tested, and supported policy interface, making it less error-prone and more maintainable than a custom module.
D. semanage boolean -m --on httpd_can_sendmail - It's superior because it only affects one service without requiring a policy recompile.

60 A bash script is designed to perform a cleanup operation on exit, even if an error occurs. Consider this script:

```bash
#!/bin/bash
set -e

trap 'echo "Cleanup trap fired"' EXIT

main() {
    echo "Main function started"
    (
        # Start of subshell
        trap 'echo "Subshell trap fired"' EXIT
        echo "Inside subshell"
        exit 5
        echo "This is never printed"
    )
    echo "Main function finished"
}

main
```


What is the final output when this script is executed?

Implementing Simple Scripts: Implement scripts with logical controls Hard
A. Main function started
Inside subshell
Cleanup trap fired
B. Main function started
Inside subshell
Subshell trap fired
Cleanup trap fired
C. Main function started
Inside subshell
Subshell trap fired
Main function finished
Cleanup trap fired
D. Main function started
Inside subshell
Subshell trap fired