
Appendix C: Final Test Answers

  1. ✓ B and C. Providers are cryptographic plug-ins that consumers use. According to Sun, the framework allows only three types of plug-ins: user-level plug-ins, which are shared objects that provide services by using PKCS #11 libraries; kernel-level plug-ins, which provide implementations of algorithms in software; and hardware plug-ins, which are device drivers and their associated hardware accelerators.

    ✗ A is wrong because consumers, not providers, can be applications, end users, or kernel operations.

  2. ✓ C, D, and E. Role information can be found in the passwd, shadow, and user_attr databases. The user_attr database contains user and role information that supplements the passwd and shadow databases. This database also contains extended user attributes such as authorizations, rights profiles, and assigned roles.

    ✗ A and B are wrong because the rights profile name and authorizations can be found in the prof_attr database, while the rights profile name and commands with specific security attributes are stored in the exec_attr database.

  3. ✓ To set the minimum free disk space for an audit file before a warning is sent, you need to modify the /etc/security/audit_control file by adding the minfree argument followed by a percentage.

  4. ✓ B. To actively detect and display superuser access attempts on the console in real time, uncomment the CONSOLE=/dev/console entry in the /etc/default/su file.

    ✗ A is wrong because that would enable remote superuser login access. C is wrong because uncommenting the CONSOLE=/dev/console entry in the /etc/default/login file disables remote superuser login access. D is wrong because that would simply turn off the detection and display of superuser access attempts directly on the console.

  5. ✓ B, C, and D. A process life cycle–based approach to information security management is appropriate because it takes into account changing information systems environments, it is business-oriented, and it is considered a good practice.

    ✗ A is incorrect because the process life cycle–based approach is not the only existing approach to information security management.

  6. ✓ E. All of the answers are correct. It is important to protect software version numbers and other details of your systems in order to make attackers spend more time and effort on an attack, to avoid easy identification of bugs and vulnerabilities in deployed software, to avoid or minimize script kiddie attacks, and to comply with the principles of minimization and least privilege.

  7. ✓ B. False. When default executable stacks with permissions set to read, write, and execute are allowed, programs may be inherently vulnerable to buffer overflow attacks.

    ✗ A is incorrect because by default programs are not inherently vulnerable to stack smashing. This is especially true when the latest patches have been applied.

  8. ✓ D. A fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes.

    ✗ A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. B is incorrect because a worm is a self-replicating program that will copy itself from system to system. C is wrong because a logic bomb is code that is inserted into programming code and designed to execute under specific circumstances. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system.

  9. ✓ B and D. RBAC allows system administrators to delegate privileged commands to non-root users without giving them full superuser access to the system. Similarly, users can be assigned only the exact privileges and permissions necessary for performing a job.

    ✗ A is wrong because, although it's true that privileged commands execute with administrative capabilities usually reserved for administrators, that statement does not describe a benefit of RBAC. C is wrong because Sun's best practices dictate that you do not assign rights profiles, privileges, and authorizations directly to users, or privileges and authorizations directly to roles. It's best to assign authorizations to rights profiles, rights profiles to roles, and roles to users.

  10. ✓ C. The purpose of audit trails and logs is to provide accountability in information systems.

    ✗ A is correct but is not the best answer; choices B and D are wrong. Whether audit trails and logs can be used in court proceedings depends on the particular jurisdiction and is outside the scope of this book; audit trails and logs are detective controls but may function as deterrent controls as well when their existence is known to potential attackers.

  11. ✓ E. All answers are correct. The security life cycle process consists of prevention, detection, response, and deterrence.

  12. ✓ F. All answers are correct. A message digest is a digital signature for a stream of binary data that serves as verification that the data was not altered since the signature was first generated. MD5 (for shorter message digests) and the Secure Hashing Algorithm (SHA1, for larger message digests) are among the most popular message digest algorithms. The Solaris Fingerprint Database (sfpDB) is a free tool from Sun that allows you to check the integrity of system files online through cryptographic checksums stored in the database. The system files check is an ASET task used as a file comparison check against a master file that is created when the task is first executed.

  13. ✓ A right is a named collection, consisting of commands, authorizations to use specific applications (or to perform specific functions within an application), and other, previously created, rights, whose use can be granted or denied to an administrator.

  14. ✓ Providers are cryptographic plug-ins that applications, end users, or kernel operations (all of which are termed "consumers") use. The Solaris cryptographic framework allows only three types of plug-ins: user-level plug-ins, which are shared objects that provide services by using PKCS #11 libraries; kernel-level plug-ins, which provide implementations of algorithms in software; and hardware plug-ins, which are device drivers and their associated hardware accelerators.

  15. ✓ B. Fingerprints can be used for what-you-are, or biometric, authentication.

    ✗ A is wrong because what-you-have authentication refers to token-based authentication mechanisms. C is wrong because there is no such term as biological identification in information security. D is wrong because the use of fingerprints does not simplify authentication or identification, since it requires additional configuration and tuning.

  16. ✓ D. The Basic Audit Reporting Tool (BART) is used to check the integrity of files.

    ✗ A is wrong because access control lists (ACLs) are used to control access to files. B and C are wrong because device policy and device allocation are used to control access to devices.

  17. ✓ D. During a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. This is referred to as a half-open connection, because during a normal connection between a client and a server, the connection is considered to be "open" after the handshake process. When the server has not received an ACK from the client, the connection is considered to be half-open.

    ✗ A is incorrect because a program buffer overflow occurs when a program process or task receives unexpected data, or more data than it was programmed to handle. B is incorrect because Ping of Death is a malformed ICMP packet attack in which an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. E is incorrect because a Smurf attack involves a broadcast ping request to every system on the target's network with a spoofed return address of the target.

  18. ✓ B. A worm is a self-replicating program that will copy itself from system to system, sometimes using up all available resources on a target or installing a backdoor on the system.

    ✗ A is incorrect because a Trojan horse program is a malicious program that is disguised as some useful software. C is wrong because a logic bomb is code that is inserted into programming code and designed to execute under specific circumstances. D is incorrect because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

  19. ✓ D. The roleadd command creates roles and associates a role with an authorization or a profile from the command line.

    ✗ A is wrong because to check the privileges available to your current shell's process, you would use the ppriv -v pid $$ command. B is wrong because in order to start the management console you would issue the /usr/sbin/smc & command. C is wrong because the usermod command associates a user's login with a role, profile, and authorization in the /etc/user_attr database, which can also be used to grant a user access to a role.

  20. ✓ A. Consumers can be applications, end users, or kernel operations.

    ✗ B and C are wrong because providers are cryptographic plug-ins that consumers use. According to Sun, the framework allows only three types of plug-ins: user-level plug-ins, which are shared objects that provide services by using PKCS #11 libraries; kernel-level plug-ins, which provide implementations of algorithms in software; and hardware plug-ins, which are device drivers and their associated hardware accelerators.

  21. ✓ D. A rights profile can be assigned to a role or user as a collection of administrative functions. Rights profiles can contain authorizations, privileged commands, or other rights profiles.

    ✗ A is wrong because an authorization can be assigned to a role or user but is typically included in a rights profile. B is wrong because a privilege can be granted to a command, user, role, or system. A privilege gives a process the ability to perform an operation and therefore enforces security policy in the kernel. C is wrong because a privileged application can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command. E is wrong because a role is a predefined identity that can run privileged applications.

  22. ✓ C. A logic bomb is code that is inserted into programming code and designed to execute under specific circumstances.

    ✗ A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. B is incorrect because a worm is a self-replicating program that will copy itself from system to system. D is wrong because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system.

  23. ✓ C. The user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. The primary check is made from the passwd and group files, and the passwords in local, NIS, and NIS+ files.

    ✗ A is wrong because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because the system files check is a file comparison check against a master file that is created when the task is first executed. For each security level a list of directories that contains files to check is automatically defined; however, this list can be modified. D is incorrect because during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and then reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

  24. ✓ B and D. When you disallow executable stacks, programs that attempt to execute code on their stack will abort with a core dump. At that time, a warning message will be displayed with the name of the program, its process ID, and the UID of the user who ran the program. In addition, the message can be logged by syslog when the syslog kern facility is set to notice level.

    ✗ A is incorrect because when a program attempts to execute code on its stack while executable stacks are disallowed, the program will abort. C is incorrect because whether or not you are monitoring executable stacks has nothing to do with the result for a program that attempts to execute code on its stack.

  25. ✓ E. A Smurf attack involves a broadcast ping request to every system on the target's network with a spoofed return address of the target.

    ✗ A is incorrect because a program buffer overflow occurs when a program process or task receives unexpected data, or more data than it was programmed to handle. B is incorrect because Ping of Death is a malformed ICMP packet attack in which an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack the attacker sends a flood of connection requests but does not respond to any of the replies.

  26. ✓ A. True. A popular form of permissible backdoor that can potentially be exploitable is a program set up by a programmer to provide remote access to the system to perform debugging and troubleshooting tasks.

  27. ✓ C and D. The bsmconv script is used to enable the auditing service, which also enables device allocation, which is enforced during user allocation to require user authorization to access a peripheral device such as a CD-ROM or printer.

    ✗ A is wrong because the AUE_MODDEVPLCY audit event is part of the as audit class by default, and is used to audit changes in device policy. B is incorrect because device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system. E is wrong because to modify or update a device policy for a specific device to restrict or prevent access, you would use the update_drv -a -p policy device-driver command.

  28. ✓ B and E. Device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system by mandating that processes that open such a device require certain privileges, such as reading and writing. To modify or update a device policy for a specific device to restrict or prevent access, you would use the update_drv -a -p policy device-driver command.

    ✗ A is wrong because the AUE_MODDEVPLCY audit event is part of the as audit class by default, which is used to audit changes in device policy. C is incorrect because the bsmconv script is used to enable the auditing service, which also enables device allocation. D is wrong because device allocation is enforced during user allocation to require user authorization to access a peripheral device such as a CD-ROM or printer.

  29. ✓ E. The auditreduce command can be used to merge audit files into a single output source to create an audit trail.

    ✗ A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. C is wrong because you would run the bsmconv script to enable and disable the auditing service. D is wrong because the bsmrecord command can be used to display record formats.

  30. ✓ F. All answers are correct. Disabling user logins can be accomplished by creating a /etc/nologin file, bringing the system down to single-user mode (by issuing the init S or shutdown command with the default init state), and disabling user accounts individually with the Solaris Management Console (SMC) interface.

  31. ✓ A and C. Certification is the technical evaluation of systems, and it is granted by independent and qualified third parties. Certification does not require accreditation. Certification is a basis for accreditation, but the responsibility for the accredited system lies mainly with the management of the organization that accredits the system.

    ✗ B is incorrect because certification is not done by an organization's management. D is incorrect because certification does not require accreditation.

  32. ✓ B and C. The defense against brute-force attacks is to make the amount of time and computation required to conduct an exhaustive search impossible to afford by using a sufficiently large set, that is, longer passwords and keys.

    ✗ A and D are incorrect. The use of strong authentication alone would not guarantee protection against brute-force attacks, and Role-Based Access Control does not address the risk of brute-force attacks.

  33. ✓ A, B, and D. Cost-benefit analysis is necessary because organizations cannot reduce all risks to zero, it increases an organization's return on investment, and it is a good governance practice.

    ✗ C is wrong because cost-benefit analysis is not related to, and does not prevent, denial of service attacks.

  34. ✓ B and D. A trusted system or component has the power to break a security policy. This may seem like an oxymoron: how do you trust a component that can break your security policy? Although it is a good engineering practice to have as few trusted components as possible (remember the principles of least privilege and minimization), it is impossible to eliminate them altogether. Because of this, trusted systems are subject to more testing and verification than non-trusted systems.

    ✗ A and C are incorrect because a high security system is not necessarily a trusted system, and trusted systems do not refer to operating systems only.

  35. ✓ C. Continuous authentication protects against hijacking attacks but does not protect against sniffing unless all traffic is encrypted.

    ✗ Answers A and B are too general. D is incorrect because continuous authentication does not protect against sniffing unless all traffic is encrypted.

  36. ✓ A. True. To disable a service that is defined in inetd, you simply comment it out in the /etc/inetd.conf file by inserting a hash character in the very first character position before the service. To activate the change, simply restart the process or reboot the operating system.

    ✗ B is incorrect because unless the service is enabled in inetd, the port and service will not be listening for connection attempts.

  37. ✓ B and E. A rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

    ✗ A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. C is wrong because a logic bomb is code that is inserted into programming code and designed to execute under specific circumstances. D is wrong because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes.

  38. ✓ A role is a special user account used to grant rights. Users can assume only those roles they have been granted permission to assume. Once a user takes on a role, the user relinquishes his or her own user identity and takes on the properties, including the rights, of that role. With RBAC each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier.

  39. ✓ C and D. Random keys can be generated using the encrypt and mac commands.

    ✗ A is wrong because you can generate the symmetric key with the dd command. B is wrong because you can issue the digest command to compute a message digest for one or more files.

  40. ✓ The cryptoadm list -p command displays the mechanism policy for the installed providers. It also displays the provider feature policy. If a provider is specified, the command displays only the name of that provider with the mechanism policy enforced on it.

  41. ✓ D. The bsmrecord command can be used to display record formats.

    ✗ A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. C is wrong because you would run the bsmconv script to enable and disable the auditing service. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

  42. ✓ B. To view device policies for all devices or specific ones, you would use the getdevpolicy command.

    ✗ A is wrong because list_devices is used to display information about allocatable devices. C is wrong because a user with the appropriate rights and authorization can allocate a device by issuing the allocate device-name command.

  43. ✓ C. Compensating controls offset deficiencies of other controls.

    ✗ There is no such term as defensive controls in information security, so that rules out B. Choices A and D are incorrect because preventive controls aim to prevent security violations, and recovery controls are not intended to offset deficiencies of other controls.

  44. ✓ B. This answer is correct because even if A trusts B, and B trusts C, it does not mean that A automatically trusts C.

    ✗ A and C are wrong because trust is not transitive: if A trusts B, and B trusts C, it does not mean that A automatically trusts C, or vice versa. D is wrong because trust is not symmetric: if A trusts B, it doesn't mean that B trusts A.

  45. ✓ A, B, and C. Detection is important because it shows whether or not preventive controls work, because it serves as a quality and reliability control, and because no usable preventive control is perfect.

    ✗ D is incorrect because the security level of the environment has no bearing on the need for detective controls.

  46. ✓ A. True. Use of the su program is, by default, already monitored through the /etc/default/su file via the SULOG=/var/adm/sulog entry, and the SYSLOG=YES entry determines whether or not the syslog logging facility logs all su attempts.

  47. ✓ A. The primary and secondary audit directories are specified in the audit_control file.

    ✗ B is wrong because the audit policy is established by the auditconfig command, which is automatically started in the audit_startup script. C is incorrect because the audit_warn script generates mail to an e-mail alias called audit_warn. D is wrong because the audit_user file defines specific users and the classes of events that should always or never be audited for each user.

  48. ✓ C. Run the bsmconv script to enable and disable the auditing service.

    ✗ A is wrong because that command is used to refresh the kernel. B is wrong because that command is used to refresh the auditing service. D is wrong because the bsmrecord command can be used to display record formats. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

  49. ✓ D. The Basic Audit Reporting Tool (BART) is used to check the integrity of files by reporting file-level changes that have occurred on the system.

    ✗ A is wrong because access control lists (ACLs) are used to control access to files. B and C are wrong because device policy and device allocation are used to control access to devices.

  50. ✓ F. All of the answers are correct. To prevent DoS attacks against the Solaris operating system, Sun advocates disabling executable stacks, disabling extraneous IP ports, using egress filtering, monitoring the network, using firewalls, and implementing a patch update program.

  51. ✓ A. The system files permissions tuning task automatically sets system file permissions according to the security level you choose. At the high level setting, permissions are assigned to restrict access; at the medium level, permissions are tightened just enough for most normal operating environments; and at the low level setting, permissions are set for open sharing.

    ✗ B is incorrect because the system files check is a file comparison check against a master file that is created when the task is first executed. For each security level a list of directories that contains files to check is automatically defined; however, this list can be modified. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

  52. ✓ The principle of least privilege asserts that a user should not be granted any more privileges or permissions than those necessary for performing a specific job.

  53. ✓ C. User-level plug-ins are shared objects that provide services by using PKCS #11 libraries.

    ✗ A is wrong because hardware plug-ins are device drivers and their associated hardware accelerators. B is wrong because kernel-level plug-ins provide implementations of algorithms in software.

  54. ✓ To disable a kernel software provider, issue the cryptoadm disable provider command; to restore an inactive software provider, issue the cryptoadm refresh command.

  55. ✓ C. At least two different authentication methods are necessary for strong authentication.

    ✗ Long passwords do not provide strong authentication on their own, so answer A is not correct. Strong authentication does not necessarily require the use of smart cards, as stated in B. And C is wrong because biometrics does not necessarily provide strong authentication on its own.

  56. ✓ E. All of the answers are correct. Authentication is needed to obtain proof of claimed identity, to implement access control, to establish accountability, and to allow for different users with different authorizations.

  57. ✓ C. User trust refers to users' expectations of reasonable security of systems, which in practical terms is the responsibility of the security administrators who enforce the security policy set by management. User trust may also refer to expectations of reasonable operation of systems (hardware and software), which is closely linked to the issue of assurance. User trust is gained and maintained by the definition of sound security policies and their professional implementation and enforcement.

    ý A, B, and D are incorrect because user trust is not guaranteed by trusted systems, it is not defined in security policy, and it is not transitive and bi-directional.

  58. þ C. Deterrent controls are created to discourage potential attackers. Deterrent controls may potentially be confused with preventive controls, and although both types of controls aim to preclude security violations from happening, they try to do so at different times.

    ý A and B are incorrect because deterrent controls are not a backup for detective controls and they do not necessarily prevent attacks from happening. D is incorrect because, while preventive security controls try to prevent a breach of security after the adversary has decided to attack but before the attack has succeeded, deterrent controls try to discourage the attacker from attacking in the first place by demonstrating that the attack is not going to succeed and even if it does, it will be detected and dealt with.

  59. þ C. The logins command with the -p option is used to display which users do not have assigned passwords.

    ý A is wrong because the logins command will display general information concerning all login accounts organized in ascending order by user ID. B is incorrect because the -x argument will display extended information regarding all login accounts. D is wrong because Solaris keeps track of each user login and records login attempts in the var/adm/loginlog file.

  60. þ Audit policy determines the characteristics of the audit records. When auditing is enabled, the contents of the etc/security/audit_startup file determine the audit policy.

  61. þ B. After you start the auditing service in a production environment, there may be times when you'll need to tweak the configuration to audit more classes or perhaps audit specific users more closely. After making changes, you'll need to update the auditing service. This restarts the auditd daemon, which in effect will apply the new configuration changes to the service. To refresh the auditing service, issue the command auditconfig -conf.

    ý A is wrong because that command is used to refresh the kernel. C is wrong because you would run the bsmconv script to enable and disable the auditing service. D is wrong because the bsmrecord command can be used to display record formats. E is wrong because the auditreduce command can be used to merge audit files into a single output source to create an audit trail.

  62. þ B. False. You can create a manifest of more than one file by separating the files with a space, not a comma.

  63. þ C. To verify that a patch was successfully installed, issue the shorev command showrev -p, or to verify a specific individual patch, use showrev -p | grep filename, where filename is the name of the patch.

    ý A is incorrect because grep filename is an option to the showrev command when verifying that a specific patch was successfully installed. B is incorrect because the command showpatch -p does not exist. D is incorrect because vi is the system's visual editor, which is used to create and modify text within files. Depending on where you executed the command vi system, the editor would either create a new file entitled system or open the current system file for editing.

  64. þ B. Ping of Death is a malformed ICMP packet attack in which an attacker sends an oversized ping packet in an attempt to overflow the system's buffer.

    ý A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

  65. þ A, B, and D. To harden your system and help protect against Trojan horse programs, Sun recommends that path variables do not contain a parameter indicated with a dot (.) that could cause the system to search for executables or libraries within that path, as well as a search path for root or superuser that contains the current directory.

    ý C is wrong because a forward slash is legitimately used in the search path to indicate root and subdirectories.

  66. þ C. Checksum uses the sum command to produce a cyclical-redundancy-check (CRC) and block count for files that can help prevent backdoor attacks.

    ý A is incorrect because ASET enables you to monitor and restrict access to system files and directories with automated administration governed by a preset security level (low, medium, or high). B is wrong because a message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. D is incorrect because the EEPROM check is an ASET task that inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with.

  67. þ A, B, and D. Every process has four sets of privileges: the effective privilege set (E), which holds the privileges currently in use (note that a process can add permitted privileges to this set); the inheritable privilege set (I), which holds the privileges a process can inherit; the permitted privilege set (P), which holds the privileges available for use now; and the limit privilege set (L), which is the outer bound on the privileges a process can ever hold and which a process can shrink but never extend.

    ý C and E are wrong because they do not represent any known existing privileges.

  68. þ A, B, and C. Cryptography provides for the integrity, confidentiality, and authenticity of information.

    ý D is wrong because RBAC is a system of controlling which users have access to resources based on the role of the user. E is wrong because checksum is a simple error-detection scheme.

  69. þ The cryptoadm list command displays the list of installed providers.

  70. þ A and B. With asymmetric (public key) algorithms, two keys are used: one to encrypt a message and another to decrypt it.

    ý C and D are wrong because in symmetric (secret key) algorithms, the same key is used for both encryption and decryption—anyone knowing the key can both encrypt and decrypt messages.

  71. þ A. To check the privileges available to your current shell's process, you would use the ppriv -v pid $$ command.

    ý B is wrong because to start the management console, you would issue the /usr/sbin/smc & command. C is wrong because the usermod command associates a user's login with a role, profile, and authorization in the /etc/user_attr database, which can also be used to grant a user access to a role. D is wrong because the roleadd command can be used to create roles and associates a role with an authorization or a profile from the command line.

  72. þ B. A system files check is a file comparison check from a master file that is created when the task is first executed. For each security level, a list of directories that contains files to check is automatically defined; however, this list can be modified.

    ý A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because during the system configuration files check ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

  73. þ B. False. The principle of least privilege does not only apply to user accounts but is a universally applicable principle.

  74. þ C and D. A threat is anyone or anything that can exploit a vulnerability. Threats to information systems may be grouped into natural, physical, and logical threats.

    ý A and B are incorrect because the absence of security mechanisms is not a threat, and threat is not the opposite of assurance.

  75. þ C. The most effective defense against spoofing is the use of cryptographic authentication and digital signatures.

    ý A is incorrect because encryption does not necessarily protect against spoofing. There is no such term as cryptographic initiation (B), and secret addresses don't make sense (D).

  76. þ A, B, and D. Depending on the jurisdiction and industry, incident response capability may be required but it is not required in all cases.

    ý C is wrong because incident response capability is not required by law.

  77. þ B and C. Sun's policy mandates that passwords must be composed of between 6 and 15 letters, numbers, and special characters, and must have at least 2 alphabetic characters and at least 1 numeric or special character within the first 6 characters.

    ý A and D are wrong because they are part of industry-recognized security recommendations for creating passwords and are not mandated by Sun's password policy.
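As an added example (not code from the book or from Sun), the following Python function checks a candidate password against the policy exactly as item 77 states it: 6 to 15 characters, at least 2 alphabetic characters and at least 1 numeric or special character within the first 6.

```python
"""Check a candidate password against the policy quoted in item 77.

Added example for this answer key; not Sun's passwd(1) implementation.
Rules, as the item states them: 6 to 15 characters drawn from letters,
numbers and special characters; at least 2 alphabetic characters and at
least 1 numeric or special character within the first 6 characters.
"""
from typing import List


def policy_violations(password: str) -> List[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    violations: List[str] = []

    if not 6 <= len(password) <= 15:
        violations.append("length must be between 6 and 15 characters")

    # Whitespace and non-printable characters are neither letters, numbers
    # nor special characters in the sense of the policy.
    if any(ch.isspace() or not ch.isprintable() for ch in password):
        violations.append("only letters, numbers and special characters are allowed")

    # The composition rules apply to the first 6 characters only.
    head = password[:6]
    alpha = sum(1 for ch in head if ch.isalpha())
    numeric_or_special = sum(1 for ch in head if not ch.isalpha())
    if alpha < 2:
        violations.append("at least 2 alphabetic characters are required in the first 6")
    if numeric_or_special < 1:
        violations.append("at least 1 numeric or special character is required in the first 6")

    return violations


def complies(password: str) -> bool:
    """True when the password satisfies every rule of the item-77 policy."""
    return not policy_violations(password)


if __name__ == "__main__":
    for candidate in ("Sol4ris!", "abcdef7", "123456ab", "ab1"):
        print(candidate, "->", policy_violations(candidate) or "OK")
```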

  78. þ A. By issuing init S you will go into single-user mode.

    ý B is wrong because init 0 is used to go into firmware maintenance mode. C is wrong because init 2 is used to go into multi-user state where NFS is not running. D is wrong because init 5 is used to shut down the operating system altogether. E is incorrect because by issuing init 6 you will stop the operating system and reboot.

  79. þ To set the minimum free disk space for an audit file before a warning is sent, you need to modify the /etc/security/audit_control file by adding the minfree argument followed by a percentage. It's important to first save a backup of the original file before making changes. For example, to set the minimum free-space level for all audit file systems so that a warning is sent when 15 percent of the file system is available, edit the audit_control file and modify the following line item: minfree:xx; where xx is a percentage less than 100.

  80. þ B. False. The syslog text logs can generate massive log files so be sure to monitor and archive them regularly. In addition, you should never store syslog audit files in the same location as binary data.

  81. þ To verify that you have the appropriate rights to forcibly deallocate a device (for example, solaris.device.revoke), you can issue the auths command.

  82. þ C. The /etc/services file specifies the ports used by the server processes as contact ports, which are also known as well-known ports.

    ý A is incorrect because that file is used with the telnet service. B is incorrect because the file does not typically exist. D is incorrect because the inetd.conf file defines how the inetd daemon handles common Internet service requests.

  83. þ F. All of the answers are correct. To harden your system and help protect against Trojan horse programs, Sun recommends user awareness education, installing and updating anti-virus software, removing unnecessary compilers, securing file and directory permissions, and monitoring path variables.

  84. þ D. During the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file.

    ý A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the eeprom security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

  85. þ To audit a role, you should add the ua or the as event to the flags line in the audit_control file, and then start the auditing service.

  86. þ Without altering the original file and to protect a digest, you can compute a message authentication code (MAC) of a file.

  87. þ D. Compartmentalization is the isolation of process spaces from each other in order to minimize the effect of a security violation in one compartment on another.

    ý Answer A, virtualization, is a related concept but is not the correct answer. B is wrong because compartmentalization is the correct term. C is wrong because defense in depth is about using several types and/or layers of defense.

  88. þ D. Choke points are logical "narrow channels" that can be easily monitored and controlled.

    ý A is wrong because choke points are not used to isolate firewalls. Choke points do not affect confidentiality of information, so B is wrong. And C is not the answer because choke points are not protocol-dependent.

  89. þ B and C. Vulnerabilities can be exploited by threats, and malicious hackers can pose a threat.

    ý A and D are incorrect because risks and software bugs do not exploit vulnerabilities—risk is the possibility of an exploit and software bugs are vulnerabilities.

  90. þ F. All of the answers are correct. Risk is the likelihood and cost of a threat exploiting a vulnerability. Information security management is about risk management because in the absolute majority of cases it is either impossible or cost-ineffective to eliminate all risks. In these cases, risk management comes to the rescue and helps us to understand risks and decide what risks to minimize, what risks to transfer (insure against), and what risks to accept.

  91. þ E. All of the answers are correct. To address all of these concerns, security awareness training should be held regularly.

  92. þ A, B, and C. ISO 17799 is a Code of Practice for Information Security Management and does not cover any specific products or systems such as Solaris.

    ý D is incorrect because ISO 17799 does not cover the Solaris operating environment specifically but is an information security management standard.

  93. þ D. Solaris keeps track of each terminal session login attempts in the /var/adm/loginlog file.

    ý A is wrong because /etc/default/login involves syslog and monitoring all unsuccessful login attempts. B is wrong because /etc/nologin is used to disable user logins. C is incorrect because the /etc/shadow file can be accessed to determine which accounts are locked or disabled and which do not currently have assigned passwords.

  94. þ D. Most organizations are at the repeatable level of the information security maturity model.

    ý C is inappropriate because it refers to a type of control. Other choices are wrong because surveys show that most organizations are at the repeatable level.

  95. þ C. This simple formula conveniently shows the relationship between threats, vulnerabilities, and risk.

    ý A, B, and D are incorrect because the correct formula is Threats × Vulnerabilities × Asset value = Risk.

  96. þ D. Security policies are set by management and are high-level in nature. They specify what should and should not happen, without going into detail on how to reach these goals. Security policies should be sufficiently specific to convey their meaning and objectives unambiguously but at the same time be general enough not to require modification every month or after introduction of a new system or application in the organization.

    ý A, B, and C are incorrect because guidelines are recommendations for consideration, procedures are detailed step-by-step instructions, and standards are general in nature.

  97. þ A and B. Identifying user login status—by issuing the logins command and viewing the /etc/shadow file—is important to determine which accounts are locked or disabled and which do not currently have assigned passwords.

    ý C is wrong because the init S command is used to bring down the system to run level S (single-user mode). D is wrong because the /var/adm/loginlog file is used to log failed terminal session user login attempts.

  98. þ B and C. Capturing unsuccessful terminal session login attempts is accomplished by creating a /var/adm/loginlog file. To monitor all failed login attempts, edit the /etc/default/login file and make sure that the SYSLOG=YES and SYSLOG_FAILED_LOGINS=0 entries are uncommented.

    ý A is incorrect because by uncommenting the RETRIES entry in the /etc/default/login file and editing the SYSLOG_FAILED_LOGINS=some number, you'll force the system to close the login connection after some predefined number of unsuccessful login attempts.
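The login-status review in items 93, 97 and 98 can be scripted. The following is an added example, not code from the book or from Sun, that classifies constructed /etc/shadow lines by the state of their password field and checks that the SYSLOG=YES and SYSLOG_FAILED_LOGINS=0 entries are active (uncommented) in a constructed /etc/default/login.

```python
"""Review login status from /etc/shadow and /etc/default/login (items 93, 97, 98).

Added example for this answer key; not Sun's code. Both file samples are
constructed. Password-field conventions assumed from shadow(4): a '*LK*'
prefix means locked, an empty field means no password is assigned, and
'NP' means "no password" (password login is not possible for the account).
"""
from typing import Dict, List

# Constructed /etc/shadow: name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:$5$xyz$constructedhash:15000::::::
daemon:NP:6445::::::
alice:$5$abc$anotherconstructedhash:15100:7:56:7:::
bob::15100::::::
svc_old:*LK*:15100::::::
"""

# Constructed /etc/default/login: SYSLOG is still commented out and failed
# logins are only reported after 5 attempts, so both item-98 settings are missing.
SAMPLE_DEFAULT_LOGIN = """\
#CONSOLE=/dev/console
PASSREQ=YES
#SYSLOG=YES
SYSLOG_FAILED_LOGINS=5
RETRIES=5
"""


def classify_shadow(text: str) -> Dict[str, List[str]]:
    """Bucket accounts by password-field state, the view a manual read of
    /etc/shadow (item 97) gives you."""
    buckets: Dict[str, List[str]] = {
        "locked": [], "no_password": [], "np": [], "password_set": []
    }
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) < 2:           # not a shadow entry at all
            continue
        name, pw = fields[0], fields[1]
        if pw.startswith("*LK*"):
            buckets["locked"].append(name)
        elif pw == "":
            buckets["no_password"].append(name)   # what `logins -p` reports
        elif pw == "NP":
            buckets["np"].append(name)
        else:
            buckets["password_set"].append(name)
    return buckets


def parse_default_login(text: str) -> Dict[str, str]:
    """Return only the uncommented KEY=VALUE settings; commented ones are inactive."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def failed_login_logging_gaps(settings: Dict[str, str]) -> List[str]:
    """Compare the active settings against item 98: SYSLOG=YES and
    SYSLOG_FAILED_LOGINS=0 must both be in effect to log every failed login."""
    gaps: List[str] = []
    if settings.get("SYSLOG") != "YES":
        gaps.append("SYSLOG=YES is not active; failed logins will not reach syslog")
    if settings.get("SYSLOG_FAILED_LOGINS") != "0":
        gaps.append("SYSLOG_FAILED_LOGINS is not 0; not every failed attempt is logged")
    return gaps


if __name__ == "__main__":
    for state, names in classify_shadow(SAMPLE_SHADOW).items():
        print(f"{state:13s} {', '.join(names) or '-'}")
    for gap in failed_login_logging_gaps(parse_default_login(SAMPLE_DEFAULT_LOGIN)):
        print("WARNING:", gap)
```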

  99. þ A. True. In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events (the na preceding the second flags argument specifies nonattributable events) should be audited for the entire system—that is, all users on the system. Incidentally, you can specify events by using the bsmrecord command.

  100. þ A. The event numbers (with the exception of 0, which is reserved as an invalid event number) reserved for the Solaris Kernel events are 1–2047.

    ý B is incorrect because 2048–32767 are reserved for the Solaris TCB programs. C is incorrect because 6144–32767 is used for SunOS 5.X user-level audit events. D is wrong because 32768–65535 are available for third-party TCB applications.

  101. þ B and C. Controlling access to devices on a Solaris operating system is accomplished by two mechanisms: device policy and device allocation. Device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system by mandating that processes that open such a device require certain privileges such as reading and writing. Device allocation, which is not enabled by default, is enforced during user allocation to require user authorization to access a peripheral device.

    ý A is wrong because access control lists (ACLs) are mechanisms used to control access to files. D is incorrect because the Basic Audit Reporting Tool (BART) is used to check the integrity of files.

  102. þ F. All of the answers are correct. Viewing your system's current patches using the showrev -p command will display all installed patches, patch numbers, whether a patch obsoletes a previous patch, if any prerequisite patches exist for a current patch, whether a patch is incompatible with other patches, and what packages are directly affected by a patch.

  103. þ A and D. Device-specific files in the /etc and /devices directories are common targets for attackers to attempt to gain access to the operating system, especially for creating backdoors to the system.

    ý B is incorrect because /usr/asset is the working directory for ASET. C is incorrect because /usr/local is simply an example of a typical download directory used to store files and programs by the current user.

  104. þ A, B, and C. Examples of the principle of least privilege include programs—using privileges—that do not require making calls to setuid, when system administrators delegate privileged commands to non-root users without giving them full superuser access, and users that are only given privilege or permission necessary for performing their jobs.

    ý D is incorrect because it is simply a factual statement regarding privileged commands and not an example of the principle of least privilege.

  105. þ C. The usermod command associates a user's login with a role, profile, and authorization in the /etc/user_attr database, which can also be used to grant a user access to a role.

    ý A is wrong because to check the privileges available to your current shell's process, you would use the ppriv -v pid $$ command. B is wrong because to start the management console you would issue the /usr/sbin/smc & command. D is wrong because the roleadd command can be used to create roles and associates a role with an authorization or a profile from the command line.

  106. þ E. All of the answers are correct. Protecting files is a core component in Sun's Solaris security strategy. Although MD5 and SHA1, part of the Solaris cryptographic framework, were developed to help detect corrupt or maliciously altered files, Sun also recommends using a more comprehensive package as well called Tripwire. In addition to Tripwire, to help prevent unauthorized changes from being made to system files, Sun also recommends using ASET (discussed in Chapter 8) and the Basic Security Module (BSM), which is discussed in Chapter 5.

  107. þ The cryptoadm -m command displays a list of mechanisms that can be used with the installed providers. If a provider is specified, the command will display the name of the specified provider and the mechanism list that can be used with that provider.

  108. þ B. The rights profile name and commands with specific security attributes are stored in the exec_attr database.

    ý A is incorrect because the rights profile name and authorizations can be found in the prof_attr database. C, D, and E are incorrect because the user_attr database contains user and role information that supplements the passwd and shadow databases. This database also contains extended user attributes such as authorizations, rights profiles, and assigned roles.

  109. þ E. All of the answers are correct. To monitor and help prevent unauthorized changes from being made to system files, Sun recommends using the Automated Security Enhancement Tool (ASET), the Basic Security Module (BSM), Tripwire, and the Solaris cryptographic framework.

  110. þ B. The netstat command with -a and -f inet switches can be used to show the state of all sockets and all routing table entries for the AF_INET address family showing IPv4 information only.

    ý A is incorrect because find directory -user root is used to check all mounted paths starting at the specified directory and to display files owned by root. C is incorrect because the command showrev -p is used for viewing the system's current installed patches. D is incorrect because grep inetd.conf as it stands will produce nothing.

  111. þ C. Top management is ultimately responsible for information security.

    ý A is incorrect because information security professionals advise management and implement management's decisions, but they do not make the decisions. B is incorrect because information systems auditors report on an organization's security to the board of directors and/or the stockholders, but they do not make decisions. D is incorrect because while stockholders appoint management, they are not responsible for making security decisions.

  112. þ D. Employees, managers, contractors, consultants, and other insiders constitute a higher threat than a person on the street because they have more authorized network access and sensitive knowledge than outsiders. In fact, risks posed by insider attacks are more substantial, require less means to mount, and may result in larger losses than risks posed by outside attackers—they may also be more difficult to detect and recover from.

    ý A, B, and C are incorrect because although insiders are usually bound by employment and confidentiality agreements, that alone doesn't remove the threat. Insiders are subject to access controls, and access to information is not a threat in itself.

  113. þ C. Security procedures are developed by subject-matter specialists within the organization with the assistance of security professionals and/or information systems auditors. Because security procedures are usually highly specific and technical in nature, they should be developed by those who appreciate these considerations.

    ý A, B, and D are incorrect because guidelines, normative acts, and standards only influence procedures.

  114. þ C. Security guidelines are nonbinding recommendations that deal with how to develop, define, and enforce security policies and procedures. Although guidelines are nonbinding, it is customary to require explanation from those who choose not to follow them.

    ý A, B, and D are incorrect because standards, auditing regulations, and control objectives are not non-binding recommendations.

  115. þ B. The syslog daemon that controls the logging facilities is located in the /etc/init.d directory as syslog.

    ý A and E are wrong because device-specific files are located in the /etc and /devices directories, which are common targets for attackers to attempt to gain access to the operating system, especially for creating backdoors to the system. C is wrong because /usr/local is an example of a typical download directory used to store files and programs by the current user. D is wrong because /usr/asset is the working directory for ASET.

  116. þ A and D. In the audit_control file, the flags and naflags arguments define which attributable and nonattributable events (the na preceding the second flags argument specifies nonattributable events) should be audited for the entire system—that is, all users on the system.

    ý B is wrong because the minfree argument is used to set the free-space warning threshold. C is incorrect because the dir: attribute is used to specify primary and secondary audit directories.
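The audit_control keywords covered in items 79, 99 and 116 (dir:, flags:, naflags: and minfree:) are simple enough to parse and sanity-check before restarting the auditing service. The following Python is an added example, not code from the book or from Sun; the sample file contents are constructed, and the set_minfree helper only rewrites the text (backing up the original file before writing it back is still up to you).

```python
"""Parse and sanity-check a Solaris audit_control file (items 79, 99, 116).

Added example for this answer key; not Sun's code. SAMPLE_AUDIT_CONTROL is
a constructed file body, not copied from any system.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of /etc/security/audit_control.
SAMPLE_AUDIT_CONTROL = """\
#
# Lines starting with '#' are comments.
#
dir:/var/audit
dir:/var/audit2
flags:lo,ad
naflags:lo
minfree:20
"""


@dataclass
class AuditControl:
    dirs: List[str] = field(default_factory=list)       # primary, then secondary directories
    flags: List[str] = field(default_factory=list)      # attributable event classes
    naflags: List[str] = field(default_factory=list)    # nonattributable event classes
    minfree: Optional[int] = None                       # free-space warning threshold, percent


def parse_audit_control(text: str) -> AuditControl:
    """Split each 'keyword:value' line into the fields the audit daemon reads."""
    ac = AuditControl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(":")
        keyword, value = keyword.strip(), value.strip()
        if keyword == "dir":
            ac.dirs.append(value)
        elif keyword == "flags":
            ac.flags = [c for c in value.split(",") if c]
        elif keyword == "naflags":
            ac.naflags = [c for c in value.split(",") if c]
        elif keyword == "minfree":
            try:
                ac.minfree = int(value)
            except ValueError as exc:
                raise ValueError(f"minfree must be an integer percentage, got {value!r}") from exc
    return ac


def check_audit_control(ac: AuditControl) -> List[str]:
    """Return the problems a defender would want flagged before the service restarts."""
    problems: List[str] = []
    if not ac.dirs:
        problems.append("no dir: entry; the audit trail has nowhere to be written")
    elif len(ac.dirs) < 2:
        problems.append("only one audit directory; no secondary directory to fail over to")
    if not ac.flags:
        problems.append("flags: is empty; no attributable events are audited system-wide")
    if not ac.naflags:
        problems.append("naflags: is empty; nonattributable events are not audited")
    if ac.minfree is None:
        problems.append("minfree: not set; no free-space warning will be sent")
    elif not 0 <= ac.minfree < 100:
        problems.append(f"minfree:{ac.minfree} is not a percentage below 100")
    return problems


def set_minfree(text: str, percent: int) -> str:
    """Rewrite the minfree: line (or append one), leaving every other line untouched."""
    if not 0 <= percent < 100:
        raise ValueError("minfree must be a percentage below 100")
    pattern = re.compile(r"^[ \t]*minfree[ \t]*:.*$", re.MULTILINE)
    new_line = f"minfree:{percent}"
    if pattern.search(text):
        return pattern.sub(new_line, text, count=1)
    return text.rstrip("\n") + "\n" + new_line + "\n"


if __name__ == "__main__":
    ac = parse_audit_control(SAMPLE_AUDIT_CONTROL)
    print(ac)
    for problem in check_audit_control(ac):
        print("WARNING:", problem)
    print(set_minfree(SAMPLE_AUDIT_CONTROL, 15))
```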

  117. þ A and B. Setting up a warning alias can be accomplished in two ways. The easiest method is to edit the /etc/security/audit_warn file by changing the e-mail alias in the script at entry: ADDRESS=audit_warn:

    #-------------------------------------------------------------------------
    send_msg() {
            MAILER=/usr/bin/mailx
            SED=/usr/bin/sed
            LOGCMD="$LOGGER -p daemon.alert"
            ADDRESS=audit_warn               # standard alias for audit alerts

    The second way is a little more complicated and requires redirecting the audit_warn e-mail alias to the appropriate account. To do so, add the audit_warn e-mail alias to the new alias file—in /etc/mail/aliases or the mail_aliases database in the namespace—such as audit_warn: alertadmin.

    ý C is wrong because that procedure is used to set the free-space warning threshold manually.

  118. þ F. All of the answers are correct. Each line in a BART manifest contains the following types of file information: size, content, user ID, group ID, and permissions.

  119. þ E. All of the answers are correct. The most useful feature of BART is to compare manifests over time to monitor file-level changes. By doing so, you can verify the integrity of files, and detect corrupt files and security breaches, all of which help troubleshoot the system.

  120. þ A. If the noexec_user_stack variable is set to non-zero, the operating system will apply non-executable but readable and writable attributes to every process stack.

    ý B and D are incorrect because these settings are used to disable or enable executable stack message logging. C is incorrect because that option does not exist.

  121. þ A. A program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed.

    ý B is incorrect because Ping of Death is a malformed ICMP packet attack where an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack the attacker sends a flood of connection requests but does not respond to any of the replies. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

  122. þ A. True. Sun's best practices dictate that you do not assign rights profiles, privileges, and authorizations directly to users, or privileges and authorizations directly to roles. It's best to assign authorizations to rights profiles, rights profiles to roles, and roles to users.

  123. þ F. All of the answers are correct. Applications that comply with RBAC can check a user's authorizations before giving the user access. These applications include the following: audit administration commands (that is, auditconfig and auditreduce), batch job commands (that is, at, atq, batch, and crontab), device commands (that is, allocate, deallocate, list_devices, and cdrw), printer administration commands (that is, lpadmin and lpfilter), and the Solaris Management Console (includes all tools).

  124. þ A message digest is a one-way function for a stream of binary data as verification that the data was not altered since the message digest was first generated, such as from when a file was compiled or modified. With regard to checking the integrity of files, you can use the Solaris Fingerprint Database (sfpDB), which is a free tool from Sun that allows you to check the integrity of system files through online cryptographic checksums. By doing so, you can determine whether system binaries and patches are safe in accordance with their original checksums among a huge database stored at Sun.

  125. þ To remove a provider permanently, issue the cryptoadm uninstall command (for example: cryptoadm uninstall des).

  126. þ C. The user_attr database contains user and role information that supplements the passwd and shadow databases. This database also contains extended user attributes such as authorizations, rights profiles, and assigned roles.

    ý A is incorrect because the rights profile name and authorizations can be found in the prof_attr database. B is wrong because the rights profile name and commands with specific security attributes are stored in the exec_attr database. D and E are incorrect because the passwd and shadow databases do not contain user and role information that supplement themselves.

  127. þ A, C, and E. A buffer overflow occurs when a program process or task receives extraneous data that is not properly programmed. As a result, the program typically operates in such a way that an intruder can abuse or misuse it. In a Teardrop attack, the attacker modifies the length and fragmentation offset fields in IP packets, which causes the target to crash. Finally, during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies thus leaving the connection half-open. The SYN messages will usually flood the server and as a result the target system will fill up with requests until it is unable to accommodate any new requests. In some cases, the system could consume available memory, crash, or be rendered inoperative.

    ý B is incorrect because although extraneous IP ports and services could be potential targets for denial of service attacks, they're not forms of attacks in and of themselves. D is incorrect because although when default executable stacks with permissions set to read/write/execute are allowed, programs may be targets for buffer overflow attacks, but executable stacks alone are not an attack. It's also important to note that some software may require executable stacks. Therefore, if you disable executable stacks, programs that require the contrary will be aborted.

  128. þ B. The authorization required to allocate or deallocate a device forcibly is solaris.device.revoke.

    ý A is wrong because solaris.device.allocate is the authorization required to allocate a device.

  129. þ D. The event numbers 32768–65535 are available for third-party TCB applications.

    ý A is incorrect because 1–2047 are reserved for the Solaris Kernel events. B is incorrect because 2048–32767 are reserved for the Solaris TCB programs. C is incorrect because 6144–32767 are used for SunOS 5.X user-level audit events.

  130. þ D. The audit_user file defines specific users and classes of events that should always or never be audited for each user.

    ý A is wrong because general configuration specifications such as the primary and secondary audit directories are specified in the audit_control file. B is wrong because the audit policy is established by the auditconfig command, which is automatically started in the audit_startup script. C is incorrect because the audit_warn script generates mail to an e-mail alias called audit_warn.

  131. þ E. By issuing the init 6 command, you will stop the operating system and reboot.

    ý A is incorrect because init S is used to go into single-user state for administrative functions. B is wrong because init 0 is used to go into firmware maintenance mode. C is wrong because init 2 is used to go into a multi-user state where NFS is not running. D is wrong because init 5 is used to shut down the operating system altogether.

  132. þ D. All of the answers are correct. By issuing the init (Run Level #) command, you can switch between run levels and perform functions such as halting and rebooting the Solaris operating system. Additionally, you can shut down the system with the command shutdown -i init-level -g grace-period -y; where init-level is 0, 1, 2, 5, 6, or S (which is the default), and grace-period is the time (in seconds) before the system is shut down (default is 60 seconds). For example, to shut down the system to run level S and therefore disable all logins, use the command shutdown -y.

  133. þ F. All of the answers are correct. Events that are capable of creating audit logs include system startup and shutdown, login and logout, identification and authentication, privileged rights usage, permission changes, process and thread creation and destruction, object creation and manipulation, application installation, and system administration.

  134. þ A. Access control lists (ACLs) are mechanisms used to control access to files.

    ý B and C are wrong because device policy and device allocation are used to control access to devices. D is incorrect because the Basic Audit Reporting Tool (BART) is used to check the integrity of files.

  135. þ D. The /etc/inetd.conf defines how the inetd daemon handles common Internet service requests.

    ý A is incorrect because that file is used with the telnet service. B is incorrect because the file does not typically exist. C is incorrect because the /etc/services file specifies the ports used by the server processes as contact ports which are also known as well-known ports.

  136. þ B. False. Sun's best practices dictate that you do not assign rights profiles, privileges, and authorizations directly to users, or privileges and authorizations directly to roles. It's best to assign authorizations to rights profiles, rights profiles to roles, and roles to users.

  137. þ The cryptoadm list -p command displays the mechanism policy for the installed providers. It also displays the provider feature policy. If a provider is specified, the command will display the name of the provider with the mechanism policy enforced on it only.

  138. þ C. A privileged application can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command.

    ý A is wrong because authorization can be assigned to a role or user but is typically included in a rights profile. B is wrong because a privilege can be granted to a command, user, role, or system. Privilege gives a process the ability to perform an operation and therefore enforces security policy in the kernel. D is wrong because a rights profile can be assigned to a role or user as a collection of administrative functions. E is wrong because a role is a predefined identity that can run privileged applications.

  139. þ F. All of the answers are correct. Sun recommends the following techniques for the most efficient auditing while still adhering to security prioritizations: For large networks with limited storage capacity, try randomly auditing a percentage of users at any one time. Perform routine audit file maintenance by reducing the disk-storage requirements by combining, removing, and compressing older log files. It's good practice to develop procedures for archiving the files, for transferring the files to removable media, and for storing the files offline. Monitor the audit data for unusual events in real time. Set up procedures to monitor the audit trail for certain potentially malicious activities. Adhere to company policy and immediately execute mitigations with regard to substantiated malicious findings. Deploy a script to trigger an automatic increase in the auditing of certain users or certain systems in response to the detection of unusual or potentially malicious events.

  140. þ D. To display the extended user login status for a particular user, issue the logins -x -l user command.

    ý A is incorrect because the logins command will display general information concerning all login accounts organized in ascending order by user ID. B is incorrect because the logins user command will only display general information about a particular user account. C is wrong because the logins -p command will display user accounts that currently do not have assigned passwords.

  141. þ A directory of last resort is a local audit directory that is used if the primary and all secondary audit directories become unavailable.

  142. þ C. EAL4 is the highest practical level of assurance that may be gained using good commercial development practices.

    ý A and B are wrong because higher levels (EAL5–7) require special development methodologies and procedures, which are expensive and not commonplace. D is incorrect, of course, because it is a lower level of assurance than EAL4.

  143. þ B. Information security policies and procedures are an administrative control.

    ý A is wrong because policies and procedures are not a technical control. C is wrong because policies and procedures are not a form of access control. D is wrong because, although policies and procedures address operational controls, B is a better answer.

  144. þ B, C, and D. Applications and commands that check for privileges include commands that control processes (such as kill, pcred, rcapadm), file and file system commands (such as chmod, chgrp, mount), Kerberos commands (such as kadmin, kprop, kdb5_util), and network commands (such as ifconfig, route, snoop).

    ý A and E are wrong because they represent databases.

  145. þ B. Kernel-level plug-ins provide for implementations of algorithms in software.

    ý A is wrong because hardware plug-ins are device drivers and their associated hardware accelerators. C is wrong because user-level plug-ins are shared objects that provide services by using PKCS #11 libraries.

  146. þ To prevent the use of a user-level mechanism, issue the cryptoadm disable provider \ mechanism(s) command.

  147. þ B. A privilege can be granted to a command, user, role, or system. Privilege gives a process the ability to perform an operation and therefore enforces security policy in the kernel.

    ý A is wrong because authorization can be assigned to a role or user but is typically included in a rights profile. C is wrong because a privileged application can check for user IDs (UIDs), group IDs (GIDs), privileges, or authorizations via an application or command. D is wrong because a rights profile can be assigned to a role or user as a collection of administrative functions. E is wrong because a role is a predefined identity that can run privileged applications.

  148. þ C and D. In symmetric (secret key) algorithms, the same key is used for both encryption and decryption—anyone knowing the key can both encrypt and decrypt messages.

    ý A and B are wrong because with asymmetric (public key) algorithms, two keys are used: one to encrypt a message and another to decrypt it.

  149. þ D. All answers are correct. For an attack of any type to take place and to succeed, three factors must be present: the attacker must have a motive, an opportunity, and the means to carry out the attack.

  150. þ The cryptoadm -m command displays a list of mechanisms that can be used with the installed providers. If a provider is specified, the command will display the name of the specified provider and the mechanism list that can be used with that provider.
