Chapter 19 Flashcards
Embracing Best Security Practices
Describe the different authentication methods available in Linux.
For network servers, the four most popular user authentication methods are Kerberos, which uses a single sign-on method of authenticating users; LDAP, which incorporates authorization as well as authentication; RADIUS, which provides a simple authentication process; and TACACS+, which is commonly used for network devices. Linux also supports several two-factor authentication methods, including using biometric data such as fingerprints, iris scans, and facial recognition; both software and hardware tokens, which provide a digital certificate identifying the user; and PKI, which allows users to create public and private keys so that they can keep their private key secret and only disclose their public key to servers.
Describe the different types of system security that you should consider on Linux systems.
The separation of system data and user data is a relatively simple security feature that you can implement. By creating a separate partition for user data, you will prevent a user from filling up the entire disk space on the system and stopping the server. Using encrypted storage is useful in environments where the storage device may leave the physical area, such as in laptops or external storage devices. Restricting applications using chroot is also helpful in preventing accidental or malicious applications from gaining data used by other applications. Likewise, disabling USB storage devices is a good option for systems that require control over data leaving the server. If your Linux system is in a vulnerable physical location, it’s also a good idea to prevent unauthorized rebooting of the server by disabling the Ctrl+Alt+Del key combination along with implementing a BIOS/UEFI password as well as a GRUB boot menu password.
Explain the different methods of protecting your Linux system on the network.
For protecting your Linux system on the network, you can create a hosts deny list or allow list. The hosts.deny file allows you to block suspicious hosts from accessing network resources on your system. If you prefer, you can instead use the hosts.allow file to allow only specific hosts to connect to applications on your system. It’s also a good idea to disable any unused network applications, especially those that send and receive user accounts and data in plaintext, such as FTP, Telnet, and Finger. It may also help to change the default ports used by network applications to help deter attackers from finding them on your system. Finally, it’s a good idea to incorporate encryption on any network application on your Linux system. The OpenSSL package provides both SSL and TLS encryption services for any application.
Which authentication method issues tickets to users and helps with implementing the single sign-on feature in a network of servers?
LDAP Kerberos RADIUS TACACS+ Biometrics
B. The Kerberos authentication method uses a ticket-granting system to assign a ticket to the user account after a successful authentication. Any server on the network that uses Kerberos can then authenticate the user account using that ticket. Thus, option B is correct. The LDAP, RADIUS, and TACACS+ authentication methods don’t use tickets for user authentication, so options A, C, and D are all incorrect. The biometrics authentication method uses user physical features to authenticate user accounts but doesn’t issue a ticket to allow single sign-on, so option E is incorrect.
Mary wants to implement two-factor authentication using fingerprint readers for her users to authenticate with the Linux system. Which method of authentication should she look into implementing?
LDAP Tokens Biometrics PKI Kerberos
C. Biometrics uses physical features of users to authenticate them on the Linux system, so option C is correct. LDAP and Kerberos are only single-factor authentication methods, so options A and E are incorrect. Tokens and PKI are both two-factor authentication methods but use digital tokens instead of physical features for authentication, so options B and D are incorrect.
Jaime is interested in using a distributed database method for authorizing users to access resources located on multiple network servers. Which authentication method would be best for her to use?
LDAP Kerberos Tokens RADIUS PKI
A. The LDAP authentication method allows administrators to create a distributed database that not only authenticates user accounts but tracks user authorization of network resources, so option A is correct. The Kerberos and RADIUS authentication methods don’t use a distributed database, nor can they authorize users to access network resources, so options B and D are incorrect. Tokens and PKI are two-factor authentication methods that don’t use distributed databases, nor do they authorize users to access network resources, so options C and E are incorrect.
Fred wants to block users from logging in directly with the root user account from any console or terminal session. What is the best way he can do that?
Implement biometric authentication. Implement tokens. Use Kerberos authentication. Remove root user entry from the /etc/passwd file. Set the default login shell for the root user to /usr/sbin/nologin.
E. When you specify the nologin utility as the default shell for a user account, users will receive a message upon successful login that they aren’t allowed to access the system, so option E is correct. Biometrics, tokens, and Kerberos are all authentication methods that won’t prevent the root user account from logging in, so options A, B, and C are all incorrect. Removing the root user account from the /etc/passwd file removes the root user account from the system, which will break applications that require the root user account to run, so option D is incorrect.
Which directory should you place on a separate partition to separate user data from system data?
/usr /home /etc /sbin /bin
B. All user data is normally stored under the /home directory structure on Linux systems, so placing the /home directory on a separate disk partition would separate user data from system data, making option B correct. The /usr, /etc, /sbin, and /bin directories all contain system data and not user data, so options A, C, D, and E are all incorrect.
Sally is concerned about an application that allows guests to connect to her Linux system and access a database. What can she do to limit the application to a specific directory structure on the Linux server so it can’t access system data?
Block the application network port. Move the application port to a private port number. Place the application in an encrypted partition. Run the application with chroot. Place the application in a separate partition.
D. The chroot program restricts an application to a specific area within the virtual filesystem structure, so option D is correct. Blocking the application network port would prevent guests from connecting to the application, so option A is incorrect. Moving the application to a private port number wouldn’t restrict access to directories, so option B is incorrect. Placing the application in an encrypted partition or on a separate partition wouldn’t prevent the application from accessing data outside of the application, so options C and E are incorrect.
Ted wants to provide encryption at the disk level so that users don’t need to encrypt individual files as they store them. What Linux feature should he use?
LUKS chroot auditd PKI Kerberos
A. The Linux Unified Key Setup (LUKS) feature provides disk-level encryption so that all files stored in a partition are automatically encrypted when written and decrypted when read, so option A is correct. The chroot utility restricts an application to a specific location in the virtual filesystem but doesn’t encrypt files, so option B is incorrect. The auditd utility creates detailed logs of system activity such as user file access but doesn’t encrypt files or disks, so option D is incorrect. Both PKI and Kerberos are authentication methods and not disk encryption methods, so both options D and E are incorrect.
Ned notices in the logs that a user account schedules a job every day at noon that uses all of the system resources. How can he prevent that user account from doing that?
Use chroot for the user account. Use nologin as the user's default shell. Add the user account to the /etc/cron.deny file. Add the user account to the /etc/hosts.deny file. Create a /etc/motd message telling users to not schedule large jobs.
C. The /etc/cron.deny file is a list of user accounts prevented from scheduling jobs, so adding the user to that file would stop them from scheduling the job, making option C correct. The chroot program restricts applications to a specific location in the virtual filesystem; it doesn’t block users from scheduling jobs, so option A is incorrect. The nologin program prevents user accounts from logging into the system, which is an extreme solution to the problem, so option B isn’t a good solution. The /etc/hosts.deny file blocks hosts from accessing the system and not users from scheduling jobs, so option D is incorrect. The /etc/motd file displays a message to all users as they log into the system, but it won’t block them from scheduling jobs, so option E is incorrect.
Tom sees an attacker continually attempt to break into a user account on his Linux system from a specific IP address. What can he do to quickly mitigate this issue?
Place the application in a chroot jail. Add the nologin shell to the user account. Implement two-factor authentication. Add the attacker's IP address to the /etc/hosts.deny file. Add the user account to the /etc/cron.deny file.
D. The fastest way to deter an attacker is to place their IP address in the /etc/hosts.deny file, preventing them from accessing the system, so option D is correct. Placing applications into a chroot jail prevents the application from accessing files outside of the jail filesystem but doesn’t prevent the attacker from continuing to access a user account, so option A is incorrect. Adding the nologin shell to the user account will prevent the attacker from accessing the user account but will also block the valid user from accessing the account, so option B is incorrect. Implementing two-factor authentication will help stop the attacker but isn’t a quick solution, so option C is incorrect. Adding the user account to the /etc/cron.deny file prevents the user account from scheduling jobs but won’t stop the attacker from trying to log in as the user account, so option E is incorrect.
Despite his warnings, Fred continues to see users transfer files to his Linux server using unsecure FTP. How can he stop this?
Place a message in the /etc/motd file telling users to stop. Move the FTP application to a different network port. Place the user accounts in the /etc/hosts.deny file. Place the user accounts in the /etc/cron.deny file. Disable the FTP application ports.
E. Disabling the FTP application network ports will prevent users from being able to use the FTP service, so option E is correct. Placing a message in the /etc/motd file to display when users log in won’t prevent them from using the FTP service, so option A is incorrect. Moving the FTP application to a different network port may temporarily solve the problem, but once users find the alternative ports, they can continue using FTP, so option B is incorrect. The /etc/hosts.deny file contains IP addresses or hostnames of remote hosts to block, not user accounts, so option C is incorrect. The /etc/cron.deny file blocks users from scheduling jobs, not accessing network applications, so option D is incorrect.
