60q
Number: 303-200
Passing Score: 800
Time Limit: 120 min
File Version: 1.0
https://www.mycleverly.com/
A3A7746BA2926DC2200BC772EBDF1BF1
Exam A
QUESTION 1
Which command revokes ACL-based write access for groups and named users on the file afile?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://linuxcommand.org/man_pages/setfacl1.html
QUESTION 2
Which of the following authentication methods was added to NFS in version 4?
A. Kerberos authentication
B. SSH hostkey authentication
C. Winbind authentication
D. SSL certificate authentication
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-security.html
QUESTION 3
Which of the following access control models is established by using SELinux?
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
https://wiki.centos.org/HowTos/SELinux
QUESTION 4
SIMULATION
Which command is used to run a new shell for a user changing the SELinux context? (Specify ONLY the
command without any path or parameters.)
Explanation/Reference:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-admincontrol.html
QUESTION 5
SIMULATION
What option of mount.cifs specifies the user that appears as the local owner of the files of a mounted CIFS
share when the server does not provide ownership information? (Specify ONLY the option name without
any values or parameters.)
Explanation/Reference:
http://linux.die.net/man/8/mount.cifs
QUESTION 6
What happens when the command getfattr afile is run while the file afile has no extended attributes set?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 7
How are SELinux permissions related to standard Linux permissions? (Choose TWO correct answers.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
http://www.linuxtopia.org/online_books/getting_started_with_SELinux/SELinux_overview.html
QUESTION 8
Which of the following prefixes could be present in the output of getcifsacl? (Choose THREE correct
answers.)
A. ACL
B. GRANT
C. GROUP
D. OWNER
E. SID
Explanation/Reference:
https://www.mankier.com/1/getcifsacl
QUESTION 9
Which of the following are differences between AppArmor and SELinux? (Choose TWO correct answers).
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
http://elinux.org/images/3/39/SecureOS_nakamura.pdf
QUESTION 10
Linux Extended File Attributes are organized in namespaces. Which of the following names correspond to
existing attribute namespaces? (Choose THREE correct answers.)
A. default
B. system
C. owner
D. trusted
E. user
Explanation/Reference:
https://en.wikipedia.org/wiki/Extended_file_attributes
QUESTION 11
Which of the following expressions are valid AIDE rules? (Choose TWO correct answers.)
A. !/var/run/.*
B. append: /var/log/*
C. /usr=all
D. #/bin/
E. /etc p+i+u+g
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=367337
http://aide.sourceforge.net/stable/manual.html
QUESTION 12
Which of the following commands defines an audit rule that monitors read and write operations to the file
/etc/firewall/rules and associates the rule with the name firewall?
B. auditctl -A -f /etc/firewall/rules -o r -o w -l firewall
C. auditctl -w /etc/firewall/rules -p rw -k firewall
D. auditctl --read /etc/firewall/rules --write /etc/firewall/rules --label firewall
E. echo "n: firewall r:/etc/firewall/rules: w:/etc/firewall/rules:" | auditctl ~
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls.html
QUESTION 13
Which of the following resources of a shell and its child processes can be controlled by the Bash built-in
command ulimit? (Choose THREE correct answers.)
Explanation/Reference:
http://ss64.com/bash/ulimit.html
QUESTION 14
Which of the following database names can be used within a Name Service Switch (NSS) configuration
file? (Choose THREE correct answers).
A. host
B. shadow
C. service
D. passwd
E. group
Explanation/Reference:
https://docs.oracle.com/cd/E26502_01/html/E29002/a12swit-89620.html#a12swit-84565
QUESTION 15
Which of the following types can be specified within the Linux Audit system? (Choose THREE correct
answers.)
A. Control rules
B. File system rules
C. Network connection rules
D. Console rules
E. System call rules
Correct Answer: ABE
Section: (none)
Explanation
Explanation/Reference:
https://www.digitalocean.com/community/tutorials/how-to-write-custom-system-audit-rules-on-centos-7
QUESTION 16
SIMULATION
Which PAM module checks new passwords against dictionary words and enforces complexity? (Specify
the module name only without any path.)
Explanation/Reference:
http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
QUESTION 17
SIMULATION
Which command installs and configures a new FreeIPA server, including all sub-components, and creates
a new FreeIPA domain? (Specify ONLY the command without any path or parameters.)
Explanation/Reference:
https://www.freeipa.org/images/2/2b/Installation_and_Deployment_Guide.pdf
QUESTION 18
Which of the following sections are allowed within the Kerberos configuration file krb5.conf? (Choose
THREE correct answers.)
A. [plugins]
B. [crypto]
C. [domain]
D. [capaths]
E. [realms]
Explanation/Reference:
http://linux.die.net/man/5/krb5.conf
QUESTION 19
Which of the following components are part of FreeIPA? (Choose THREE correct answers.)
A. DHCP Server
B. Kerberos KDC
C. Intrusion Detection System
D. Public Key Infrastructure
E. Directory Server
Explanation/Reference:
https://www.freeipa.org/page/Documentation
QUESTION 20
Which of the following commands disables the automatic password expiry for the user usera?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://www.tutorialspoint.com/unix_commands/chage.htm
QUESTION 21
Given a proper network and name resolution setup, which of the following commands establishes a trust
between a FreeIPA domain and an Active Directory domain?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.freeipa.org/page/Active_Directory_trust_setup
QUESTION 22
In which path is the data, which can be altered by the sysctl command, accessible?
A. /dev/sys/
B. /sys/
C. /proc/sys/
D. /sysctl/
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://linux.about.com/library/cmd/blcmdl8_sysctl.htm
QUESTION 23
Which of the following statements is true about chroot environments?
A. Symbolic links to data outside the chroot path are followed, making files and directories accessible
B. Hard links to files outside the chroot path are not followed, to increase security
C. The chroot path needs to contain all data required by the programs running in the chroot environment
D. Programs are not able to set a chroot path by using a function call, they have to use the command
chroot
E. When using the command chroot, the started command is running in its own namespace and cannot
communicate with other processes
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://www.computerhope.com/unix/chroot.htm
http://www.computerhope.com/jargon/c/chroot.htm
QUESTION 24
Which of the following commands adds a new user usera to FreeIPA?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/adding-users.html
QUESTION 25
SIMULATION
Which command included in the Linux Audit system provides searching and filtering of the audit log?
(Specify ONLY the command without any path or parameters.)
Explanation/Reference:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials.html
QUESTION 26
Which of the following commands adds users using SSSD’s local service?
A. sss_adduser
B. sss_useradd
C. sss_add
D. sss-addlocaluser
E. sss_local_adduser
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/managing-sssd.html
QUESTION 27
Which of the following DNS record types can the command dnssec-signzone add to a zone? (Choose
THREE correct answers.)
A. ASIG
B. NSEC
C. NSEC3
D. NSSIG
E. RRSIG
Explanation/Reference:
http://linux.die.net/man/8/dnssec-signzone
QUESTION 28
What effect does the configuration SSLStrictSNIVHostCheck on have on an Apache HTTPD virtual host?
A. The clients connecting to the virtual host must provide a client certificate that was issued by the same
CA that issued the server’s certificate.
B. The virtual host is served only to clients that support SNI.
C. All of the names of the virtual host must be within the same DNS zone.
D. The virtual host is used as a fallback default for all clients that do not support SNI.
E. Despite its configuration, the virtual host is served only on the common name and Subject Alternative
Names of the server certificates.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
http://serverfault.com/questions/510132/apache-sni-namevhosts-always-route-to-first-virtualhost-entry
QUESTION 29
How does TSIG authenticate name servers in order to perform secured zone transfers?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
http://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/
QUESTION 30
Which of the following statements are true regarding the certificate of a Root CA? (Choose TWO correct
answers.)
A. It is a self-signed certificate.
B. It does not include the private key of the CA.
C. It must contain a host name as the common name.
D. It has an infinite lifetime and never expires.
E. It must contain an X509v3 Authority extension.
Correct Answer: ABE
Section: (none)
Explanation
Explanation/Reference:
https://en.wikipedia.org/wiki/Root_certificate
QUESTION 31
Which of the following parameters to openssl s_client specifies the host name to use for TLS Server Name
Indication?
A. -tlsname
B. -servername
C. -sniname
D. -vhost
E. -host
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.openssl.org/docs/manmaster/apps/s_client.html
QUESTION 32
An X509 certificate contains the following information:
Which of the following statements are true regarding the certificate? (Choose THREE correct answers.)
Explanation/Reference:
https://en.wikipedia.org/wiki/X.509
QUESTION 33
A LUKS device was mapped using the command:
Given that this device has three different keys, which of the following commands deletes only the first key?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://help.ubuntu.com/community/EncryptedFilesystemHowto3
QUESTION 34
Which of the following lines in an OpenSSL configuration adds an X509v3 Subject Alternative Name
extension for the host names example.org and www.example.org to a certificate?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.openssl.org/docs/manmaster/apps/x509v3_config.html
QUESTION 35
SIMULATION
Which option in an Apache HTTPD configuration file enables OCSP stapling? (Specify ONLY the option
name without any values or parameters.)
Explanation/Reference:
https://wiki.apache.org/httpd/OCSPStapling
QUESTION 36
Which of the following statements is true regarding eCryptfs?
A. For every file in an eCryptfs directory there exists a corresponding file that contains the encrypted
content.
B. The content of all files in an eCryptfs directory is stored in an archive file similar to a tar file with an
additional index to improve performance.
C. After unmounting an eCryptfs directory, the directory hierarchy and the original file names are still
visible, although, it is not possible to view the contents of the files.
D. When a user changes his login password, the contents of his eCryptfs home directory have to be
re-encrypted using his new login password.
E. eCryptfs cannot be used to encrypt only directories that are the home directory of a regular Linux user.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
https://help.ubuntu.com/lts/serverguide/ecryptfs.html
QUESTION 37
Which of the following information, within a DNSSEC-signed zone, is signed by the key signing key?
D. The NSEC or NSEC3 records of the zone.
E. The DS records pointing to the zone.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://grepular.com/Understanding_DNSSEC
QUESTION 38
Which of the following configuration options makes Apache HTTPD require a client certificate for
authentication?
A. Limit valid-x509
B. SSLRequestClientCert always
C. Require valid-x509
D. SSLVerifyClient require
E. SSLPolicy valid-client-cert
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://linuxconfig.org/apache-web-server-ssl-authentication
QUESTION 39
Which of the following practices are important for the security of private keys? (Choose TWO correct
answers.)
A. Private keys should be created on the systems where they will be used and should never leave them.
B. Private keys should be uploaded to public key servers.
C. Private keys should be included in X509 certificates.
D. Private keys should have a sufficient length for the algorithm used for key generation.
E. Private keys should always be stored as plain text files without any encryption.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
QUESTION 40
Which DNS label points to the DANE information used to secure HTTPS connections to
https://www.example.com/?
A. example.com
B. dane.www.example.com
C. soa.example.com
D. www.example.com
E. _443_tcp.www.example.com
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
http://paginas.fe.up.pt/~jmcruz/ssi/ssi.1112/trabs-als/final/G7T12-digit.cert.altern-final.pdf
QUESTION 41
SIMULATION
Which command, included in BIND, generates DNSSEC keys? (Specify ONLY the command without any
path or parameters.)
Explanation/Reference:
http://ripe60.ripe.net/presentations/Damas-BIND_9.7_-_DNSSE_for_humans.pdf
QUESTION 42
Which of the following openssl commands generates a certificate signing request (CSR) using the already
existing private key contained in the file private/keypair.pem?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.openssl.org/docs/manmaster/apps/req.html#EXAMPLES
QUESTION 43
Which of the following commands makes the contents of the eCryptfs encrypted directory ~/Private
available to the user?
A. ecryptfsclient
B. ecryptfs.mount
C. ecryptfs-mount-private
D. decryptfs
E. ecryptfs-manage-directory
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://help.ubuntu.com/lts/serverguide/ecryptfs.html
QUESTION 44
What is the purpose of the program snort-stat?
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
http://manpages.ubuntu.com/manpages/trusty/man8/snort-stat.8.html
QUESTION 45
Which of the following commands changes the source IP address to 192.0.2.11 for all IPv4 packets which
go through the network interface eth0?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
QUESTION 46
Which of the following command lines sets the administrator password for ntop to testing123?
A. ntop --set-admin-password=testing123
B. ntop --set-password=testing123
C. ntop --reset-password=testing123
D. ntop --set-new-password=testing123
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
http://linux.die.net/man/8/ntop
QUESTION 47
Which of the following commands displays all ebtables rules contained in the table filter including their
packet and byte counters?
A. ebtables -t nat -L -v
B. ebtables -L -t filter -Lv
C. ebtables -t filter -L --Lc
D. ebtables -t filter -Ln -L
E. ebtables -L -Lc -t filter
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://www.microhowto.info/troubleshooting/troubleshooting_ethernet_bridging_on_linux.html
QUESTION 48
Which of the following keywords are built-in chains for the iptables nat table? (Choose THREE correct
answers.)
A. OUTPUT
B. MASQUERADE
C. PROCESSING
D. POSTROUTING
E. PREROUTING
Explanation/Reference:
http://linux.die.net/man/8/ebtables
QUESTION 49
Which of the following methods can be used to deactivate a rule in Snort? (Choose TWO correct answers.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 50
What is the purpose of IP sets?
A. They group together IP addresses that are assigned to the same network interfaces.
B. They group together IP addresses and networks that can be referenced by the network routing table.
C. They group together IP addresses that can be referenced by netfilter rules.
D. They group together IP and MAC addresses used by the neighbors on the local network.
E. They group together IP addresses and user names that can be referenced from /etc/hosts.allow and
/etc/hosts.deny
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://ipset.netfilter.org/
QUESTION 51
Which of the following statements describes the purpose of ndpmon?
A. It monitors the network for neighbor discovery messages from new IPv6 hosts and routers.
B. It monitors remote hosts by periodically sending echo requests to them.
C. It monitors the availability of a network link by querying network interfaces.
D. It monitors the network for IPv4 nodes that have not yet migrated to IPv6.
E. It monitors log files for failed login attempts in order to block traffic from offending network nodes.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://en.wikipedia.org/wiki/NDPMon
QUESTION 52
Which of the following terms refer to existing scan techniques with nmap? (Choose TWO correct answers.)
A. Xmas Scan
B. Zero Scan
C. FIN Scan
D. IP Scan
E. UDP SYN Scan
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
https://nmap.org/book/man-port-scanning-techniques.html
QUESTION 53
SIMULATION
Which directive is used in an OpenVPN server configuration in order to send network configuration
information to the client? (Specify ONLY the option name without any values or parameters.)
Explanation/Reference:
https://community.openvpn.net/openvpn/wiki/RoutedLans
QUESTION 54
Which of the following statements are valid wireshark capture filters? (Choose TWO correct answers.)
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
https://wiki.wireshark.org/CaptureFilters
QUESTION 55
Which option of the openvpn command should be used to ensure that ephemeral keys are not written to the
swap space?
A. --mlock
B. --no-swap
C. --root-swap
D. --keys-no-swap
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
QUESTION 56
Which of the following stanzas is a valid client configuration for FreeRADIUS?
A. client private-network-1 {
ipaddr = 192.0.2.0/24
password = testing123-1
}
B. client private-network-1 {
ip = 192.0.2.0/24
password = testing123-1
}
C. client private-network-1 {
ip = 192.0.2.0/24
passwd = testing123-1
}
D. client private-network-1 {
ip = 192.0.2.0/24
secret = testing123-1
}
E. client private-network-1 {
ipaddr = 192.0.2.0/24
secret = testing123-1
}
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
http://linux.die.net/man/5/clients.conf
QUESTION 57
What effect does the following command have on TCP packets?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://help.ubuntu.com/community/IptablesHowTo
QUESTION 58
When OpenVPN sends a control packet to its peer, it expects an acknowledgement in 2 seconds by
default. Which of the following options changes the timeout period to 5 seconds?
A. --tls-timeout 5
B. --tls-timeout 500
C. --tls-timer 5
D. --tls-timer 500
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
QUESTION 59
Which of the following statements is used in a parameter file for setkey in order to create a new SPD entry?
A. spd
B. addspd
C. newspd
D. spdnew
E. spdadd
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
https://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8
QUESTION 60
SIMULATION
What command is used to update NVTs from the OpenVAS NVT feed? (Specify ONLY the command
without any path or parameters).
Explanation/Reference:
http://www.openvas.org/openvas-nvt-feed.html