Question 1.
After using the Solaris Security Toolkit on a system, some of your users have complained that they are no longer able to connect to the system through telnet. Which option will allow users to connect to the system without impacting security?
A. Re-enable the telnet service.
B. Re-enable the telnet service, but force users to use Kerberos passwords.
C. Re-enable the telnet service, but force users to use IP Filter.
D. Leave telnet disabled and suggest that users use SSH instead.
Answer: D

Question 2.
An application file system stores unchanging data only. How should this file system be mounted defensively in /etc/vfstab?
A. /dev/dsk/c0t3d0s6 /dev/rdsk/c0t3d0s6 /data ufs 2 yes nodevices,noexec,ro
B. /dev/dsk/c0t3d0s6 /dev/rdsk/c0t3d0s6 /data ufs 2 yes ro,nosuid,anon=0
C. /dev/dsk/c0t3d0s6 /dev/rdsk/c0t3d0s6 /data ufs 2 yes noexec,nosuid,nodevices
D. /dev/dsk/c0t3d0s6 /dev/rdsk/c0t3d0s6 /data ufs 2 yes nosuid,noxattr,noexec
Answer: A

Question 3.
To harden a newly installed Solaris OS, an administrator needs to disable the sendmail service. Which command will disable the sendmail service, even if the system is rebooted, patched, or upgraded, while still allowing email to be sent?
A. rm /etc/rc2.d/S88sendmail
B. svcadm disable -t svc:/network/smtp:sendmail
C. svcadm disable svc:/network/smtp:sendmail
D. pkgrm SUNWsndmr SUNWsndmu
Answer: C

Question 4.
The Solaris 10 cryptographic framework provides a set of end user commands. One of these new commands allows the encryption and decryption of a file. Encrypting a file named clear_file with this utility gives this error:
# encrypt -a 3des -k 3_des.key -i clear_file -o encrypt_file
encrypt: failed to generate a key: CKR_ATTRIBUTE_VALUE_INVALID
What is the cause?
A. The 3des algorithm can NOT be used to encrypt a file.
B. The file clear_file is too big to be encrypted.
C. The encryption key can NOT be stored in a file.
D. The key length in 3_des.key is wrong.
Answer: D

Question 5.
A small newspaper company has problems, because one of their servers was modified by someone. Before this incident, they didn't bother about security. After a new installation, they now want to restrict access to the system. Which two options will enhance their access control? (Choose two.)
A. Enable auditing for login and logout activities.
B. Use Role Based Access Control (RBAC) for administrative tasks.
C. Create a wheel group and list the admin accounts in this group to limit the su command to only those people.
D. Disable services without authentication.
Answer: B, D

Question 6.
An ITCertKeys.com system administrator wants to remove most of the basic privileges for ordinary users and adds the following line to the appropriate configuration file to achieve this:
PRIV_DEFAULT=basic,!proc_info,!proc_session,!file_link_any
It would be shorter to list the two remaining privileges specified in Solaris 10. Should the administrator have written this instead?
PRIV_DEFAULT=proc_exec,proc_fork
A. Yes, both forms will always be equivalent.
B. No, the basic set might change in future releases.
C. No, both forms are wrong. You cannot remove basic privileges.
D. Yes, the shorter form is preferred.
Answer: B

Question 7.
The digital signature of a patch provides an integrity check of the patch. Which is a requirement for signed patches?
A. The system administrator needs to sign the patch.
B. All patches need to be signed by Sun Microsystems.
C. Signed patches need to be downloaded through SSL.
D. Vendors can sign patches only with approval from Sun Microsystems.
E. The system administrator can specify which Certification Authorities are trusted for signed patches.
Answer: E

Question 8.
Which two steps have to be performed to configure systems so that they are more resilient to attack? (Choose two.)
A. Perform system auditing.
B. Perform system minimization.
C. Perform a full system backup.
D. Perform system replication.
E. Perform system hardening.
Answer: B, E

Question 9.
The company you work for, ITCertKeys.com, is leasing zones to customers to run their applications in. You want each customer to be able to run the zoneadm command to start their zone in case of accidental shutdown, and also zlogin so they can access the console of their zone. Which are three reasons why you should NOT create accounts for them in the global zone and grant them the Zone Management profile? (Choose three.)
A. They will be able to reboot the global zone.
B. They will be able to see processes in other customers' zones.
C. They will be able to reboot other customers' zones.
D. They will be able to disable auditing in other customers' zones.
E. They will be able to log in to other customers' zones.
Answer: B, C, E

Question 10.
The Key Distribution Center (KDC) is a central part of the Kerberos authentication system. How should the system running the KDC be configured?
A. The KDC implementation employs cryptography and can therefore run securely on an ordinary multi-user system.
B. For improved security, users must log in to the KDC before authenticating themselves, so it must be a multi-user system.
C. It should be a hardened, non-networked system.
D. It should be a hardened, minimized system.
Answer: D

Question 11.
You maintain a minimized and hardened web server. The exhibit shows the current credentials that the web server runs with. You receive a complaint about the fact that a newly installed web-based application does not function. This application is based on a /bin/ksh cgi-bin script. What setting prevents this cgi-bin program from working?
A. Some of the libraries needed by /bin/ksh are NOT present in the webserver's chroot environment.
B. The system might NOT have /bin/ksh installed.
C. The server should run with uid=0 to run cgi-bin scripts.
D. The server is NOT allowed to call the exec system call.
Answer: D
Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.