Lpic 303-200

303-200.prepaway.premium.exam.
60q
Number: 303-200
Passing Score: 800
Time Limit: 120 min
File Version: 1.0
303-200
LPIC-3 Exam 303: Security
Version 1.0
https://www.mycleverly.com/
A3A7746BA2926DC2200BC772EBDF1BF1
Exam A
QUESTION 1
Which command revokes ACL-based write access for groups and named users on the file afile?
A. setfacl –x group: * : rx, user:*: rx afile

B. setfacl –x mask: : rx afile
C. setfacl ~m mask: : rx afile
D. setfacl ~m group: * : rx, user :*: rx afile
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://linuxcommand.org/man_pages/setfacl1.html
QUESTION 2
Which of the following authentication methods was added to NFS in version 4?
A. Kerberos authentication
B. SSH hostkey authentication
C. Winbind authentication
D. SSL certificate authentication
Correct Answer: A
Section: (none)
Explanation
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-security.html
QUESTION 3
Which of the following access control models is established by using SELinux?
A. Security Access Control (SAC)

B. Group Access Control (GAC)
C. User Access Control (UAC)
D. Discretionary Access Control (DAC)
E. Mandatory Access Control (MAC)
Correct Answer: E
Section: (none)
Explanation
https://wiki.centos.org/HowTos/SELinux
QUESTION 4
SIMULATION
Which command is used to run a new shell for a user changing the SELinux context? (Specify ONLY the
command without any path or parameters.)
Correct Answer: newrole

Section: (none)
Explanation
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-admincontrol.html
QUESTION 5
SIMULATION
What option of mount.cifs specifies the user that appears as the local owner of the files of a mounted CIFS
share when the server does not provide ownership information? (Specify ONLY the option name without
any values or parameters.)
Correct Answer: uid=arg

Section: (none)
Explanation
http://linux.die.net/man/8/mount.cifs
QUESTION 6
What happens when the command getfattr afile is run while the file afile has no extended attributes set?
A. getfattr prints a warning and exits with a values of 0.

B. getfattr prints a warning and exits with a value of 1.
C. No output is produced and getfattr exits with a value of 0.
D. No outputs is produced and getfattr exits with a value of 1.
Correct Answer: C
Section: (none)
Explanation
QUESTION 7
How are SELinux permissions related to standard Linux permissions? (Choose TWO correct answers.)
A. SELinux permissions override standard Linux permissions.

B. Standard Linux permissions override SELinux permissions.
C. SELinux permissions are verified before standard Linux permissions.
D. SELinux permissions are verified after standard Linux permissions.
Correct Answer: BD
Section: (none)
Explanation
http://www.linuxtopia.org/online_books/getting_started_with_SELinux/SELinux_overview.html
QUESTION 8
Which of the following prefixes could be present in the output of getcifsacl? (Choose THREE correct
answers.)
A. ACL
B. GRANT
C. GROUP
D. OWNER
E. SID
Correct Answer: ACE

Section: (none)
Explanation
https://www.mankier.com/1/getcifsacl
QUESTION 9
Which of the following are differences between AppArmor and SELinux? (Choose TWO correct answers).
A. AppArmor is implemented in user space only. SELinux is a Linux Kernel Module.

B. AppArmor is less complex and easier to configure than SELinux.
C. AppArmor neither requires nor allows any specific configuration. SELinux must always be manually
configured.
D. SELinux stores information in extended file attributes. AppArmor does not maintain file specific
information and states.
E. The SELinux configuration is loaded at boot time and cannot be changed later on. AppArmor provides
user space tools to change its behavior.
Correct Answer: BD
Section: (none)
Explanation
http://elinux.org/images/3/39/SecureOS_nakamura.pdf
QUESTION 10
Linux Extended File Attributes are organized in namespaces. Which of the following names correspond to
existing attribute namespaces? (Choose THREE correct answers.)
A. default
B. system
C. owner
D. trusted
E. user
Correct Answer: BDE

Section: (none)
Explanation
https://en.wikipedia.org/wiki/Extended_file_attributes
QUESTION 11
Which of the following expressions are valid AIDE rules? (Choose TWO correct answers.)
A. !/var/run/.*
B. append: /var/log/*
C. /usr=all
D. #/bin/
E. /etc p+i+u+g
Correct Answer: AE
Section: (none)
Explanation
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=367337
http://aide.sourceforge.net/stable/manual.html
QUESTION 12
Which of the following commands defines an audit rule that monitors read and write operations to the file/
etc/firewall/rules and associates the rule with the name firewall?
A. auditctl -N firewall –r r: /etc/firewall/rules –r w:

etc/firewall/rules
B. auditctl -A –f /etc/firewall/rules –o r –o w –l firewall
C. auditctl –w /etc/firewall/rules –p rw –k firewall
D. auditctl –-read /etc/firewall/rules –-write /etc/firewall/rules
--label firewall
E. echo “n: firewall r:/etc/firewall/rules: w:/
etc/firewall/rules:“ | auditctl ~
Correct Answer: C
Section: (none)
Explanation
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-
Defining_Audit_Rules_and_Controls.html
QUESTION 13
Which of the following resources of a shell and its child processes can be controlled by the Bash build-in
command ulimit? (Choose THREE correct answers.)
A. The maximum size of written files

B. The maximum number of open file descriptors
C. The maximum number of newly created files
D. The maximum number of environment variables
E. The maximum number of user processes
Correct Answer: ABE

Section: (none)
Explanation
http://ss64.com/bash/ulimit.html
QUESTION 14
Which of the following database names can be used within a Name Service Switch (NSS) configuration
file? (Choose THREE correct answers).
A. host
B. shadow
C. service
D. passwd
E. group
Correct Answer: ACE

Section: (none)
Explanation
https://docs.oracle.com/cd/E26502_01/html/E29002/a12swit-89620.html#a12swit-84565
QUESTION 15
Which of the following types can be specified within the Linux Audit system? (Choose THREE correct
answers.)
A. Control rules
B. File system rules
C. Network connection rules
D. Console rules
E. System call rules
Correct Answer: ABE
Section: (none)
Explanation
https://www.digitalocean.com/community/tutorials/how-to-write-custom-system-audit-rules-on-centos-7
QUESTION 16
SIMULATION
Which PAM module checks new passwords against dictionary words and enforces complexity? (Specially
the module name only without any path.)
Correct Answer: pam_cracklib

Section: (none)
Explanation
http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
QUESTION 17
SIMULATION
Which command installs and configures a new FreeIPA server, including all sub-components, and creates
a new FreeIPA domain? (Specially ONLY the command without any path or parameters).
Correct Answer: ipa-server-install

Section: (none)
Explanation
https://www.freeipa.org/images/2/2b/Installation_and_Deployment_Guide.pdf
QUESTION 18
Which of the following sections are allowed within the Kerberos configuration file krb5.conf? (Choose
THREE correct answers.)
A. [plugins]
B. [crypto]
C. [domain]
D. [capaths]
E. [realms]
Correct Answer: ADE

Section: (none)
Explanation
http://linux.die.net/man/5/krb5.conf
QUESTION 19
Which of the following components are part of FreeIPA? (Choose THREE correct answers.)
A. DHCP Server
B. Kerberos KDC
C. Intrusion Detection System
D. Public Key Infrastructure
E. Directory Server
Correct Answer: BDE

Section: (none)
Explanation
https://www.freeipa.org/page/Documentation
QUESTION 20
Which of the following commands disables the automatic password expiry for the user usera?
A. chage --maxdays none usera

B. chage --maxdays 99 usera
C. chage --maxdays -1 usera
D. chage --lastday none usera
E. chage --lastday 0 usera
Correct Answer: C
Section: (none)
Explanation
http://www.tutorialspoint.com/unix_commands/chage.htm
QUESTION 21
Given a proper network and name resolution setup, which of the following commands establishes a trust
between a FreeIPA domain and an Active Directory domain?
A. ipa trust-add --type ad addom --admin Administrator --password

B. ipa-ad –add-trust --account ADDOM\Administrator--query-password
C. net ad ipajoin addom –U Administrator -p
D. trustmanager add –-domain ad: //addom --user Administrator –w
E. ipa ad join addom -U Administrator -w
Correct Answer: A
Section: (none)
Explanation
https://www.freeipa.org/page/Active_Directory_trust_setup
QUESTION 22
In which path is the data, which can be altered by the sysctl command, accessible?
A. /dev/sys/
B. /sys/
C. /proc/sys/
D. /sysctl/
Correct Answer: C
Section: (none)
Explanation
http://linux.about.com/library/cmd/blcmdl8_sysctl.htm
QUESTION 23
Which of the following statements is true about chroot environments?
A. Symbolic links to data outside the chroot path are followed, making files and directories accessible
B. Hard links to files outside the chroot path are not followed, to increase security
C. The chroot path needs to contain all data required by the programs running in the chroot environment
D. Programs are not able to set a chroot path by using a function call, they have to use the command
chroot
E. When using the command chroot, the started command is running in its own namespace and cannot
communicate with other processes
Correct Answer: C
Section: (none)
Explanation
http://www.computerhope.com/unix/chroot.htm
http://www.computerhope.com/jargon/c/chroot.htm
QUESTION 24
Which of the following commands adds a new user usera to FreeIPA?
A. useradd usera --directory ipa --gecos “User A”

B. idap- useradd –H Idaps://ipa-server CN=UserA --attribs
“Firstname: User: Lastname: A”
C. ipa-admin create user --account usera –-fname User --iname A
D. ipa user-add usera --first User --last A
E. ipa-useradd usera --name “User A”
Correct Answer: D
Section: (none)
Explanation
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/adding-users.html
QUESTION 25
SIMULATION
Which command included in the Linux Audit system provides searching and filtering of the audit log?
(Specify ONLY the command without any path or parameters.)
Correct Answer: ausearch

Section: (none)
Explanation
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-
Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-
Searching_For_and_Viewing_Denials.html
QUESTION 26
Which of the following commands adds users using SSSD’s local service?
A. sss_adduser
B. sss_useradd
C. sss_add
D. sss-addlocaluser
E. sss_local_adduser
Correct Answer: B
Section: (none)
Explanation
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-
Level_Authentication_Guide/managing-sssd.html
QUESTION 27
Which of the following DNS record types can the command dnssec-signzone add to a zone? (Choose
THREE correct answers.)
A. ASIG
B. NSEC
C. NSEC3
D. NSSIG
E. RRSIG
Correct Answer: BCE

Section: (none)
Explanation
http://linux.die.net/man/8/dnssec-signzone
QUESTION 28
What effect does the configuration SSLStrictSNIVHostCheck on have on an Apache HTTPD virtual host?
A. The clients connecting to the virtual host must provide a client certificate that was issued by the same
CA that issued the server’s certificate.
B. The virtual host is served only to clients that support SNI.
C. All of the names of the virtual host must be within the same DNS zone.
D. The virtual host is used as a fallback default for all clients that do not support SNI.
E. Despite its configuration, the virtual host is served only on the common name and Subject Alternative
Names of the server certificates.
Correct Answer: B
Section: (none)
Explanation
http://serverfault.com/questions/510132/apache-sni-namevhosts-always-route-to-first-virtualhost-entry
QUESTION 29
How does TSIG authenticate name servers in order to perform secured zone transfers?
A. Both servers mutually verify their X509 certificates.

B. Both servers use a secret key that is shared between the servers.
C. Both servers verify appropriate DANE records for the labels of the NS records used to delegate the
transferred zone.
D. Both servers use DNSSEC to mutually verify that they are authoritative for the transferred zone.
Correct Answer: B
Section: (none)
Explanation
http://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/
QUESTION 30
Which of the following statements are true regarding the certificate of a Root CA? (Choose TWO correct
answers.)
A. It is a self-signed certificate.
B. It does not include the private key of the CA.
C. It must contain a host name as the common name.
D. It has an infinite lifetime and never expires.
E. It must contain an X509v3 Authority extension.
Correct Answer: ABE
Section: (none)
Explanation
https://en.wikipedia.org/wiki/Root_certificate
QUESTION 31
Which of the following parameters to openssl s_client specifies the host name to use for TLS Server Name
Indication?
A. -tlsname
B. -servername
C. -sniname
D. -vhost
E. -host
Correct Answer: B
Section: (none)
Explanation
https://www.openssl.org/docs/manmaster/apps/s_client.html
QUESTION 32
An X509 certificate contains the following information:
X509v3 Basic Constraints: critical

CA:TRUE, pathlen:0
Which of the following statements are true regarding the certificate? (Choose THREE correct answers.)
A. This certificate belongs to a certification authority.

B. This certificate may be used to sign certificates of subordinate certification authorities.
C. This certificate may never be used to sign any other certificates.
D. This certificate may be used to sign certificates that are not also a certification authority.
E. This certificate will not be accepted by programs that do not understand the listed extension.
Correct Answer: ABD

Section: (none)
Explanation
https://en.wikipedia.org/wiki/X.509
QUESTION 33
A LUKS device was mapped using the command:
cryptsetup luksOpen/dev/sdal crypt-vol
Given that this device has three different keys, which of the following commands deletes only the first key?
A. cryptsetup luksDelKey /dev/sda 1 0

B. cryptsetup luksDelkey /dev/sda 1 1
C. cryptsetup luksDelKey / dev /mapper/crypt- vol 1
D. cryptsetup luksDelKey / dev /mapper/crypt- vol 0
Correct Answer: A
Section: (none)
Explanation
https://help.ubuntu.com/community/EncryptedFilesystemHowto3
QUESTION 34
Which of the following lines in an OpenSSL configuration adds an X 509v3 Subject Alternative Name
extension for the host names example.org and www.example.org to a certificate?
A. subjectAltName = DNS: www.example.org, DNS:example.org

B. extension= SAN: www.example.org, SAN:example.org
C. subjectAltName: www.example.org, subjectAltName: example.org
D. commonName = subjectAltName= www.example.org,
subjectAltName = example.org
E. subject= CN= www.example.org, CN=example.org
Correct Answer: A
Section: (none)
Explanation
https://www.openssl.org/docs/manmaster/apps/x509v3_config.html
QUESTION 35
SIMULATION
Which option in an Apache HTTPD configuration file enables OCSP stapling? (Specify ONLY the option
name without any values or parameters.)
Correct Answer: httpd-ssl.conf

Section: (none)
Explanation
https://wiki.apache.org/httpd/OCSPStapling
QUESTION 36
Which of the following statements is true regarding eCryptfs?
A. For every file in an eCryptfs directory there exists a corresponding file that contains the encrypted
content.
B. The content of all files in an eCryptfs directory is stored in an archive file similar to a tar file with an
additional index to improve performance.
C. After unmounting an eCryptfs directory, the directory hierarchy and the original file names are still
visible, although, it is not possible to view the contents of the files.
D. When a user changes his login password, the contents of his eCryptfs home directory has to be re-
encrypted using his new login password.
E. eCryptfs cannot be used to encrypt only directories that are the home directory of a regular Linux user.
Correct Answer: E
Section: (none)
Explanation
https://help.ubuntu.com/lts/serverguide/ecryptfs.html
QUESTION 37
Which of the following information, within a DNSSEC- signed zone, is signed by the key signing key?
A. The non-DNSSEC records like A, AAAA or MX.

B. The zone signing key of the zone.
C. The RRSIG records of the zone.
D. The NSEC or NSEC3 records of the zone.
E. The DS records pointing to the zone.
Correct Answer: B
Section: (none)
Explanation
https://grepular.com/Understanding_DNSSEC
QUESTION 38
Which of the following configuration options makes Apache HTTPD require a client certificate for
authentication?
A. Limit valid-x509
B. SSLRequestClientCert always
C. Require valid-x509
D. SSLVerifyClient require
E. SSLPolicy valid-client-cert
Correct Answer: D
Section: (none)
Explanation
https://linuxconfig.org/apache-web-server-ssl-authentication
QUESTION 39
Which of the following practices are important for the security of private keys? (Choose TWO correct
answers.)
A. Private keys should be created on the systems where they will be used and should never leave them.
B. Private keys should be uploaded to public key servers.
C. Private keys should be included in X509 certificates.
D. Private keys should have a sufficient length for the algorithm used for key generation.
E. Private keys should always be stored as plain text files without any encryption.
Correct Answer: CD
Section: (none)
Explanation
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-
keys-and-csrs
QUESTION 40
Which DNS label points to the DANE information used to secure HTTPS connections to https://
www.example.com/?
A. example.com
B. dane.www.example.com
C. soa.example.com
D. www.example.com
E. _443_tcp.www.example.com
Correct Answer: E
Section: (none)
Explanation
http://paginas.fe.up.pt/~jmcruz/ssi/ssi.1112/trabs-als/final/G7T12-digit.cert.altern-final.pdf
QUESTION 41
SIMULATION
Which command, included in BIND, generates DNSSEC keys? (Specify ONLY the command without any
path or parameters.)
Correct Answer: dnssec-keygen

Section: (none)
Explanation
http://ripe60.ripe.net/presentations/Damas-BIND_9.7_-_DNSSE_for_humans.pdf
QUESTION 42
Which of the following openssl commands generates a certificate signing request (CSR) using the already
existing private key contained in the file private/keypair.pem?
A. openssl req –key private/keypair.pem –out req/csr.pem

B. openssl req – new -key private/keypair.pem –out req/csr.pem
C. openssl gencsr -key private/keypair.pem –out req/csr.pem
D. openssl gencsr –new- key private/keypair.pem –out req/csr.pem
Correct Answer: B
Section: (none)
Explanation
https://www.openssl.org/docs/manmaster/apps/req.html#EXAMPLES
QUESTION 43
Which of the following commands makes the contents of the eCryptfs encrypted directory ~/Private
available to the user?
A. ecryptfsclient
B. ecryptfs.mount
C. ecryptfs-mount-private
D. decryptfs
E. ecryptfs-manage-directory
Correct Answer: C
Section: (none)
Explanation
https://help.ubuntu.com/lts/serverguide/ecryptfs.html
QUESTION 44
What is the purpose of the program snort-stat?
A. It displays statistics from the running Snort process.

B. It returns the status of all configured network devices.
C. It reports whether the Snort process is still running and processing packets.
D. It displays the status of all Snort processes.
E. It reads syslog files containing Snort information and generates port scan statistics.
Correct Answer: E
Section: (none)
Explanation
http://manpages.ubuntu.com/manpages/trusty/man8/snort-stat.8.html
QUESTION 45
Which of the following commands changes the source IP address to 192.0.2.11 for all IPv4 packets which
go through the network interface eth0?
A. iptables ~t nat ~A POSTROUTING ~o eth0 ~j SNAT --to~source 192.0.2.11

B. iptables ~t nat ~A PREROUTING ~i eth0 ~j SNAT --to~source 192.0.2.11
C. iptables ~t nat ~A POSTROUTING ~i eth0 ~j DNAT --to~source 192.0.2.11
D. iptables ~t mangle ~A POSTROUTING ~i eth0 ~j SNAT –to~source 192.0.2.11
E. iptables ~t mangle ~A POSTROUTING ~0 eth0 ~j SNAT –to~source 192.0.2.11
Correct Answer: A
Section: (none)
Explanation
https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
QUESTION 46
Which of the following command lines sets the administrator password for ntop to testing 123?
A. ntop --set-admin-password=testing123
B. ntop --set-password=testing123
C. ntop --reset-password=testing123
D. ntop --set-new-password=testing123
Correct Answer: A
Section: (none)
Explanation
http://linux.die.net/man/8/ntop
QUESTION 47
Which of the following commands displays all ebtable rules contained in the table filter including their
packet and byte counters?
A. ebtables -t nat –L -v
B. ebtables -L -t filter -Lv
C. ebtables -t filter –L --Lc
D. ebtables -t filter –Ln -L
E. ebtables –L –Lc –t filter
Correct Answer: C
Section: (none)
Explanation
http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html
QUESTION 48
Which of the following keywords are built-in chairs for the iptables nat table? (Choose THREE correct
answers.)
A. OUTPUT
B. MASQUERADE
C. PROCESSING
D. POSTROUTING
E. PREROUTING
Correct Answer: ADE

Section: (none)
Explanation
http://linux.die.net/man/8/ebtables
QUESTION 49
Which of the following methods can be used to deactivate a rule in Snort? (Choose TWO correct answers.)
A. By placing a # in front of the rule and restarting Snort.

B. By placing a pass rule in local.rules and restarting Snort.
C. By deleting the rule and waiting for Snort to reload its rules files automatically.
D. By adding a pass rule to /etc/snort/rules.deactivated and waiting for Snort to reload its rules files
automatically.
Correct Answer: BC
Section: (none)
Explanation
QUESTION 50
What is the purpose of IP sets?
A. They group together IP addresses that are assigned to the same network interfaces.
B. They group together IP addresses and networks that can be referenced by the network routing table.
C. They group together IP addresses that can be referenced by netfilter rules.
D. They group together IP and MAC addresses used by the neighbors on the local network.
E. They group together IP addresses and user names that can be referenced from /etc/hosts.allow and /
etc/hosts.deny
Correct Answer: C
Section: (none)
Explanation
http://ipset.netfilter.org/
QUESTION 51
Which of the following statements describes the purpose of ndpmon?
A. It monitors the network for neighbor discovery messages from new IPv6 hosts and routers.
B. It monitors remote hosts by periodically sending echo requests to them.
C. It monitors the availability of a network link by querying network interfaces.
D. It monitors the network for IPv4 nodes that have not yet migrated to IPv6.
E. It monitors log files for failed login attempts in order to block traffic from offending network nodes.
Correct Answer: A
Section: (none)
Explanation
https://en.wikipedia.org/wiki/NDPMon
QUESTION 52
Which of the following terms refer to existing scan techniques with nmap? (Choose TWO correct answers.)
A. Xmas Scan
B. Zero Scan
C. FIN Scan
D. IP Scan
E. UDP SYN Scan
Correct Answer: AC
Section: (none)
Explanation
https://nmap.org/book/man-port-scanning-techniques.html
QUESTION 53
SIMULATION
Which directive is used in an OpenVPN server configuration in order to send network configuration
information to the client? (Specify ONLY the option name without any values or parameters.)
Correct Answer: push

Section: (none)
Explanation
https://community.openvpn.net/openvpn/wiki/RoutedLans
QUESTION 54
Which of the following statements are valid wireshark capture filters? (Choose TWO correct answers.)
A. port range 10000:tcp-15000:tcp

B. port-range tcp 10000-15000
C. tcp portrange 10000-15000
D. portrange 10000/tcp-15000/tcp
E. portrange 10000-15000 and tcp
Correct Answer: CE
Section: (none)
Explanation
https://wiki.wireshark.org/CaptureFilters
QUESTION 55
Which option of the openvpn command should be used to ensure that ephemeral keys are not written to the
swap space?
A. --mlock
B. --no-swap
C. --root-swap
D. --keys-no-swap
Correct Answer: A
Section: (none)
Explanation
https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
QUESTION 56
Which of the following stanzas is a valid client configuration for FreeRADIUS?
A. client private-network-1 {
ipaddr = 192.0.2.0/24
password = testing123-1
}
B. client private-network-1 {
ip = 192.0.2.0/24
password = testing123-1
}
C. client private-network-1 {
ip = 192.0.2.0/24
passwd = testing123-1
}
D. client private-network-1 {
ip = 192.0.2.0/24
secret = testing123-1
}
E. client private-network-1 {
ipaddr = 192.0.2.0/24
secret = testing123-1
}
Correct Answer: E
Section: (none)
Explanation
http://linux.die.net/man/5/clients.conf
QUESTION 57
What effect does the following command have on TCP packets?
iptables- A INPUT –d 10.142.232.1 –p tcp --dport 20:21 –j ACCEPT
A. Forward all TCP traffic not on port 20 or 21 to the IP address 10.142.232.1

B. Drop all TCP traffic coming from 10.142.232.1 destined for port 20 or 21.
C. Accept only TCP traffic from 10.142.232.1 destined for port 20 or 21.
D. Accept all TCP traffic on port 20 and 21 for the IP address 10.142.232.1
Correct Answer: C
Section: (none)
Explanation
https://help.ubuntu.com/community/IptablesHowTo
QUESTION 58
When OpenVPN sends a control packet to its peer, it expects an acknowledgement in 2 seconds by
default. Which of the following options changes the timeout period to 5 seconds?
A. -- tls-timeout 5
B. -- tls- timeout 500
C. -- tls- timer 5
D. -- tls- timer 500
Correct Answer: A
Section: (none)
Explanation
https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
QUESTION 59
Which of the following statements is used in a parameter file for setkey in order to create a new SPD entry?
A. spd
B. addspd
C. newspd
D. spdnew
E. spdadd
Correct Answer: E
Section: (none)
Explanation
https://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8
QUESTION 60
SIMULATION
What command is used to update NVTs from the OpenVAS NVT feed? (Specify ONLY the command
without any path or parameters).
Correct Answer: openvas-nvt-sync

Section: (none)
Explanation
http://www.openvas.org/openvas-nvt-feed.html

Lpic 303-200

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lpic 303-200

Uploaded by

Copyright:

Available Formats

303-200.prepaway.premium.exam.

LPIC-3 Exam 303: Security

A. setfacl –x group: * : rx, user:*: rx afile

A. Security Access Control (SAC)

Correct Answer: newrole

Correct Answer: uid=arg

A. getfattr prints a warning and exits with a values of 0.

A. SELinux permissions override standard Linux permissions.

Correct Answer: ACE

A. AppArmor is implemented in user space only. SELinux is a Linux Kernel Module.

Correct Answer: BDE

A. auditctl -N firewall –r r: /etc/firewall/rules –r w:

A. The maximum size of written files

Correct Answer: ABE

Correct Answer: ACE

Correct Answer: pam_cracklib

Correct Answer: ipa-server-install

Correct Answer: ADE

Correct Answer: BDE

A. chage --maxdays none usera

A. ipa trust-add --type ad addom --admin Administrator --password

A. useradd usera --directory ipa --gecos “User A”

Correct Answer: ausearch

Correct Answer: BCE

A. Both servers mutually verify their X509 certificates.

X509v3 Basic Constraints: critical

A. This certificate belongs to a certification authority.

Correct Answer: ABD

cryptsetup luksOpen/dev/sdal crypt-vol

A. cryptsetup luksDelKey /dev/sda 1 0

A. subjectAltName = DNS: www.example.org, DNS:example.org

Correct Answer: httpd-ssl.conf

A. The non-DNSSEC records like A, AAAA or MX.

Correct Answer: dnssec-keygen

A. openssl req –key private/keypair.pem –out req/csr.pem

A. It displays statistics from the running Snort process.

A. iptables ~t nat ~A POSTROUTING ~o eth0 ~j SNAT --to~source 192.0.2.11

Correct Answer: ADE

A. By placing a # in front of the rule and restarting Snort.

Correct Answer: push

A. port range 10000:tcp-15000:tcp

iptables- A INPUT –d 10.142.232.1 –p tcp --dport 20:21 –j ACCEPT

A. Forward all TCP traffic not on port 20 or 21 to the IP address 10.142.232.1

Correct Answer: openvas-nvt-sync

You might also like