Test Yourself on Sun Certified Security Administrator
1. Which type of key does the sshd daemon use for authentication purposes, but is too computationally intensive for use when encrypting all session traffic, for example, when transferring large blocks of data?
A. public key
B. shared keys
C. secret key
D. symmetric key
2. Your organization uses the secure shell to connect to remote systems across the Internet. A system is currently configured so that root can log in remotely using the secure shell. You want to disable this capability and force the user to first log in as a regular user and then use the su command to switch to the root account. Which item describes how to set up the secure shell so that root cannot directly log in from a remote host?
A. Modify the /etc/default/login file and set the CONSOLE variable to /dev/console.
B. Set the AllowRootLogin parameter to yes in the /etc/ssh/sshd_config file.
C. Set the PermitRootLogin parameter to yes in the /etc/ssh/sshd_config file.
D. Set the StrictModes parameter to yes in the /etc/ssh/sshd_config file.
3. Which is the “most up-to-date” tool that provides “best practice” methods for probing system network services to detect anything that could allow an attacker to gain unauthorized access, mount a denial-of-service attack or gain sensitive information about the network?
A. SAINT
B. Titan
C. COPS
D. SATAN
4. This framework uses runtime pluggable modules to provide a method for developing programs that are independent of the authentication scheme. This authentication framework can be “plugged into” login, ftp, telnet and other unsecured commands. This framework can also integrate the UNIX OS login service with other security mechanisms. Which of the following correctly names that framework?
A. Kerberos
B. PAM
C. Secure Shell
D. Sunscreen
5. You want to configure your server to display the following message when a user is denied access to a telnet session:
Warning! Your attempt to connect to a secure system has failed.
Your IP address <IP_ADDRESS>, also known as has been logged.
Utilizing TCP wrappers, how would you configure your Solaris system to display this message? Choose four steps:
A. mkdir /etc/tcpd.deny
B. cp /usr/local/doc/tcp_wrappers/Banners.Makefile Makefile
C. Create a message in the /etc/tcpd.deny/in.telnetd file
D. Run the make command
E. Create a message in the /etc/default/telnetd file
F. Add the following line to the /etc/hosts.deny file: ALL :ALL :spawn /etc/default/telnetd
Answers
1. A is correct. Options B, C and D are wrong because they all describe secret keys. Secret keys are neither as long (bit lengths seldom exceed 256 bits in secret keys) nor are they as secure as public keys (where key length can be as high as 4,096 bits and higher). Because secret keys are shorter, they involve simpler computations for encryption and decryption and as a result are less processor-intensive. Therefore, only the public key is used to authenticate the user, which is a sensitive and important task worthy of computationally intense security, whereas secret keys are used to encrypt data transfer because they provide reasonable security that imposes far less performance degradation. For additional information, visit www.strongsec.com/tutorials/security.htm, hotwired.lycos.com/webmonkey/00/20/index3a.html or refer to the Security Services section of Sun’s System Administration Guide at docs.sun.com.
2. Option C is correct because it assigns the correct value to the proper parameter in the right config file to force the required action. Option A is wrong because the /etc/default/login file does not contain settings that configure the behavior of the secure shell. Option B is wrong because there is no parameter called AllowRootLogin in the sshd config file. Option D is wrong because the StrictModes parameter is used to ensure secure permissions on the users’ .ssh directory, not to block root from direct remote logins using the secure shell. For additional information on configuring the secure shell in Solaris, refer to the Security Services section of Sun’s System Administration Guide at docs.sun.com.
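A quick way to verify the setting behind answer 2 on a real system, added here as an example rather than taken from the quiz: sshd honours only the first occurrence of a keyword, so a hardened line appended to the end of sshd_config changes nothing if an earlier line already sets it. The script assumes a POSIX shell with awk; the sample config it writes is constructed.

```shell
# Report the effective PermitRootLogin value from an sshd_config-style file.
# Comments and blank lines are skipped, keywords are matched case-insensitively,
# and the FIRST match wins, exactly as sshd reads the file. Global options must
# appear before any "Match" block, so scanning stops there.
effective_permit_root_login() {
    # $1 = path to the config file; prints the value or "(not set)" when
    # the keyword is absent (the daemon's compiled-in default then applies).
    awk '
        $1 == "" || substr($1, 1, 1) == "#" { next }   # blank or comment line
        tolower($1) == "match" { exit }                 # end of global section
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "(not set)" }
    ' "$1"
}

# Constructed sample: the "no" at the bottom is never consulted by sshd,
# so root login stays enabled even though the file appears hardened.
demo_check() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sshd_config for illustration
Protocol 2
PermitRootLogin yes
StrictModes yes
# appended later by an administrator; ignored because an earlier line exists
PermitRootLogin no
EOF
    effective_permit_root_login "$tmp"
    rm -f "$tmp"
}
```

Run `effective_permit_root_login /etc/ssh/sshd_config` after editing; anything other than "no" means the change in option C has not taken effect.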
3. Option A is correct because SAINT is a second-generation network probe tool (based on SATAN) that provides all the required features and functions. Option B is wrong because Titan is a collection of programs used to fix or tighten up one or more potential security problems associated with the setup or configuration of a UNIX system. It’s not the tool to use to probe system network services to make sure they are secure. Option C is wrong because COPS is a set of programs that attempts to automate security checks that are often performed manually. COPS checks various files and software configurations to see if they have been compromised and checks to see that files have the appropriate modes and permissions set to maintain the integrity of your security level. COPS checks for things such as poor passwords, file and directory permissions and FTP. It’s not the tool to use to probe system network services to make sure they are secure. Option D is wrong because SAINT is the second-generation version of the SATAN network probe. SAINT is more up-to-date, more advanced and has better reporting than SATAN. For more information on the SAINT scanning engine, visit www.saintcorporation.com/products/saint_engine.html.
4. Option B is correct because it is the only framework mentioned that uses runtime-pluggable modules to support program development independent of the authentication scheme in use. Option A is wrong because Kerberos is a security system that authenticates a connection between a client and a server. In addition, Kerberos encrypts data communication across an insecure network connection. Kerberos supports network-based client-server authentication and integrates with PAM. Option C is wrong because Solaris Secure Shell provides more secure versions of well-known administration commands (e.g., telnet and rlogin), but does not support development of runtime-pluggable modules independent from the authentication scheme. Option D is wrong because Sunscreen is an enterprise firewall product and does not support development of runtime-pluggable modules independent from the authentication scheme. For more information on using PAM to make login services independent of the operating system’s authentication scheme, visit java.sun.com/security/jaas/doc/pam.html.
5. Options A, C, B and D are correct because to create a custom banner using TCP wrappers, you’ll first create a directory to store the banners (option A). Next, create a banner named in.telnetd in the /etc/tcpd.deny directory (option C). The Banners.Makefile is included in the TCP wrappers installation directory. Copy the makefile to the banners message directory and name it Makefile (option B). Finally, to create the custom telnet banner, run the make utility (option D). Option E is wrong because you would make an entry in the /etc/default/telnetd file to create a simple banner without implementing TCP wrappers. Option F is wrong because the spawn command is used to run commands and scripts. For example, you could set up a script to send a page or e-mail a message when a client connects or attempts to connect. For additional information on configuring TCP wrappers in Solaris, refer to the IP Services section of Sun’s System Administration Guide at docs.sun.com.
For more information on the Solaris Security Admi