IS3440 CHAP 14 DETECTING AND RESPONDING TO SECURITY BREACHES Flashcards

Flashcards in IS3440 CHAP 14 DETECTING AND RESPONDING TO SECURITY BREACHES Deck (28):
1

COMMAND ___ is known as the disk dump command; it supports a full copy of all data on a partition, volume, or drive.

dd

2

COMMAND ___ is a variation on the dd command that reads data from back to front on a specified partition, volume, or drive. It is more error tolerant than dd.

dd_rescue

3

COMMAND ___ is a command that lists libraries used by a specified command; its use requires the full path to the target command.

ldd

4

FILE ___ is a file that dynamically represents the contents of RAM on the local system.

/proc/kcore

5

COMMAND ___ is a command that synchronizes files from one location to another; it may be used in conjunction with SSH.

rsync

6

COMMAND ___ is a command that traces the system calls used by another command; primarily used for troubleshooting.

strace

7

PACKAGE ___ is a package that tracks the RAM and CPU usage on a system, with the help of the 'cron' service.

sysstat

8

COMMAND ___ is a command that lists currently logged-in users and the process each user is currently running.

w

9

COMMAND ___ is a command that lists currently logged-in users.

who

10

___ is an abbreviation for Computer Aided Investigative Environment, a bootable live CD distribution available from http://caine-live.net/.

CAINE

11

___ is built on Ubuntu Linux. It includes a number of live tools for recovering data from running Microsoft operating systems.

DEFT

12

___ is a live CD distribution that incorporates the tools associated with the Sleuth Kit.

Master Key Linux

13

___ is a system for bug reports on Red Hat distributions.

Red Hat Bugzilla

14

___ is a package of tools that can be used to save volatile data; intended to be run from read-only media on compromised systems.

Sleuth Kit

15

1. Which of the following COMMANDS can display the free memory in RAM and in a swap partition? (Select two)

1. free
2. mem
3. top
4. swapon

free

top

16

2. It is important to have a security policy that applies to users for how they do their backups.
TRUE OR FALSE

FALSE

17

3. What command reads log files created through the system status tool?

sar

18

4. Which of the following COMMANDS is used to identify users who have since logged out?

1. who
2. w
3. last
4. sar

last

19

5. Which of the following file extensions is NOT associated with software packages?

1. .odt
2. .tar.gz
3. .rpm
4. .deb

.odt

20

6. Which of the following is most important to recover from a compromised system before powering it down?

1. /home/
2. /etc/fstab
3. /proc/kcore
4. None of the above

/proc/kcore

21

7. Which of the following FILES is most likely to change when a system is powered down?

1. /etc/mtab
2. /etc/fstab
3. /etc/boot/grub/menu.lst
4. /etc/crontab

/etc/mtab

22

8. Which of the following COMMANDS is least useful for recovering data from a live system?

1. nc
2. vi
3. dmesg
4. cat

vi

23

9. What command can be used to duplicate the contents of a partition by its device file?

dd

24

10. Which of the following COMMANDS is NOT associated with compiling the source code associated with other commands?

1. config
2. configure
3. make install
4. make

config

25

11. Which of the following actions is normally done from a forensic operating system booted from live media, when connected to a compromised hard drive?

1. Recovering information from RAM
2. Making a copy of the /proc/kcore file
3. Recovering information from a swap partition
4. Copying the contents of /etc/mtab

Recovering information from a swap partition

26

12. Which of the following commands does NOT include free space in the duplication process?

1. rsync
2. dd
3. dd_rescue
4. icat

rsync

27

13. Which of the following steps is NOT appropriate when saving compromised data from a hard drive?

1. Keeping a compromised system connected to a network during an investigation
2. Taking special care to avoid overwriting data in a swap partition
3. Booting a live Knoppix CD distribution
4. Powering down a compromised system after saving dynamic data

Booting a live Knoppix CD distribution

28

14. Which of the following steps should you take if you've identified a new security problem with open source software?

1. Share the concern on a standard mailing list for the distribution
2. Share the concern on a standard mailing list for the compromised software
3. Communicate privately with the developers of the compromised software
4. Nothing, as it is important to protect proprietary information in the open source community

Communicate privately with the developers of the compromised software