Assessment Test

1. You want to temporarily stop the postfix server while you make some changes to its configuration. Which of the following commands, when typed by root, will do this on at least some distributions? (Choose all that apply.)

   A. stop postfix

   B. kill -9 postfix

   C. xinetd postfix stop

   D. /etc/rc.d/postfix stop

2. How can you check for recent kernel messages related to the second Ethernet device (eth1) on a computer?

   A. Type cat /proc/sys/eth1/km.

   B. Type ifconfig eth1 --messages.

   C. Type dmesg | grep eth1.

   D. Type ifconfig eth1 show.

3. What is the purpose of the initrd line in a GRUB configuration?

   A. It tells the kernel that the disk uses the Initial Reduced Disk format, a type of compression common on Linux and some FreeBSD systems.

   B. It passes the name of the program the Linux kernel should launch as its first process (normally init) from GRUB to the kernel.

   C. It tells GRUB what initialization tools to use when writing its stage 0 boot loader to the hard disk, therefore affecting what types of disks it supports.

   D. It tells GRUB where to find the initial RAM disk, which holds kernel modules and configuration files used by the kernel before it has mounted its disk-based root filesystem.

4. Your computer's swap space is spread across two hard disks, one of which is significantly faster than the other. How can you adjust the /etc/fstab entries for the two swap partitions to optimize swap performance?

   A. Use the pri=priority option on each swap partition, giving a lower priority value to the disk with better performance.

   B. Use the pri=priority option on each swap partition, giving a higher priority value to the disk with better performance.

   C. List both devices together, as in /dev/sda2,/dev/sdb4, specifying the higher-performance disk first in the list.

   D. List both devices together, as in /dev/sda2,/dev/sdb4, specifying the higher-performance disk last in the list.

5. As part of a security check, you want to ensure that your Web server computer, www.pangaea.edu, runs only the Web server software (on TCP port 80) and a Secure Shell (SSH) login server (on TCP port 22). What command can you run from a remote computer to ensure that this is so? (Consider only TCP traffic.)

   A. tshark www.pangaea.edu

   B. nmap -sT www.pangaea.edu

   C. netstat -ap

   D. nc www.pangaea.edu 80

6. When configuring a source code package, you see the following error message:

   checking for Qt… configure: error: Qt (>= Qt 3.0) (headers and
   libraries) not found. Please check your installation!

   Which of the following actions is most likely to correct this problem?

   A. Locate and install an appropriate Qt binary library package.

   B. Locate and install an appropriate Qt development package.

   C. Type ./configure --ignore-qt to ignore the problem.

   D. Edit the Makefile by hand to eliminate the Qt dependence.

7. What uname parameter can you use to determine your currently running kernel's version number (such as 2.6.35.4)?

   A. -r or --kernel-release

   B. -v or --kernel-version

   C. -s or --kernel-name

   D. -o or --operating-system

8. An external disk with a single partition (/dev/sdb1) uses ReiserFS, and when it's automounted, it's given an ugly name based on the disk's UUID. You know that your automounter uses a disk's label when one is available, so you want to give the filesystem the label MyStuff. How can you do this without damaging existing data on the disk?

   A. mkreiserfs -l MyStuff /dev/sdb1

   B. tune2fs -L MyStuff /dev/sdb1

   C. reiserfstune -l MyStuff /dev/sdb1

   D. label -t reiserfs -n MyStuff /dev/sdb1

9. You're replacing an old PATA disk, /dev/hdb, with a new SATA disk, /dev/sdc. You use an LVM configuration with one physical volume, /dev/hdb2, on /dev/hdb. How can you transfer the data from /dev/hdb2 to its new home on /dev/sdc1, after adding /dev/sdc1 to the volume group?

   A. cp /dev/hdb2 /dev/sdc1

   B. vgconvert /dev/hdb2 /dev/sdc1

   C. vgextend /dev/sdc1

   D. pvmove /dev/hdb2 /dev/sdc1

10. What is the effect of the following command, assuming the device files have conventional meanings?

    # dd if=/dev/sdb3 of=/dev/dvd

    A. It performs a raw copy of the filesystem on /dev/sdb3 to a blank optical disc.

    B. It creates a tarball containing the files on /dev/sdb3 and stores that tarball on a blank optical disc.

    C. It performs an incremental backup of the contents of /dev/sdb3 to a blank optical disc.

    D. Nothing; it's an invalid use of the dd command.

11. What type of record is found in reverse zone files but not in forward zone files?

    A. SOA

    B. NS

    C. A

    D. PTR

12. A DNS server is running on a computer with two network interfaces, eth0 (192.168.7.92) and eth1 (172.24.21.19). You want the server to be accessible only to the eth1 network. What /etc/named.conf configuration will help accomplish this goal?

    A. zone { 172.24.21.19; };

    B. allow-transfer { 172.24.21.19; };

    C. listen-on { 172.24.21.19; };

    D. forwarders { 172.24.21.19; };

13. You're preparing to compile a Linux kernel. Before proceeding, you want to ensure that you've removed all the old configuration and temporary files. What would you type to do so?

    A. make clean

    B. make modules

    C. make mrproper

    D. make bzImage

14. After assembling a RAID array on /dev/md0 from /dev/sda1, /dev/sdb1, and /dev/sdc1, you use fdisk to create four primary partitions on this device. What device filenames will they have?

    A. /dev/md1, /dev/md2, /dev/md3, and /dev/md4

    B. /dev/md0p1, /dev/md0p2, /dev/md0p3, and /dev/md0p4

    C. /dev/sdd1, /dev/sdd2, /dev/sdd3, and /dev/sdd4

    D. None of the above; you can't partition a RAID array

15. You want to connect a laptop computer to a public Wi-Fi network, but you don't know its name or other relevant data. What command can you type as root to find this information? (Assume that your wireless network interface is wlan0.)

    A. iwlist wlan0 search

    B. iwlist wlan0 find

    C. iwlist wlan0 discover

    D. iwlist wlan0 scanning

16. In which of the following situations does it make the most sense to use NAT?

    A. Computers on your network need to be able to run client programs and access the Internet, but you run no servers that should be accessible from the Internet.

    B. You have obtained a large block of IPv6 addresses, and you want to use them to host a large number of servers for several protocols.

    C. You run a small and highly secure private network with internal servers and no need for external Internet access except from one system that runs a Web server.

    D. None of the above; NAT is a dangerous and insecure protocol that should be avoided whenever possible.

17. What types of information can a DHCP server deliver to clients, in addition to their IP addresses? (Select all that apply.)

    A. A suggested default Web page for Web browsers

    B. A gateway computer's IP address

    C. The IP address of a Windows NetBIOS name server

    D. The client's Ethernet hardware address

18. Your outgoing mail server runs Postfix, and you find the following line in its configuration file. What is the effect of this line?

    myorigin = luna.edu

    A. Postfix will accept mail addressed to users in the luna.edu domain and reject or forward mail addressed to other domains.

    B. If a mail client omits the hostname in the return address of an outgoing email message, @luna.edu will be appended to the username in the address.

    C. All return addresses in outgoing email messages are changed so that they appear to come from the specified user but in the luna.edu domain.

    D. Postfix checks the current computer's domain name and refuses to run if that domain name is not luna.edu.

19. You're configuring Dovecot for a site that uses the maildir format for incoming mail, storing email in the Mail folder in users' home directories. What option can you set in its configuration file to tell Dovecot to use this directory?

    A. mail_location = maildir:~/Mail

    B. set_directory = ~/Mail

    C. mail_directory = ~/Mail;format=maildir

    D. inmail: ~/Mail=maildir

20. You're taking over administration of a computer that runs Pure-FTPd and launches the server via a local startup script. You discover the --chrooteveryone option, among others, as an option to the Pure-FTPd binary in the local startup script. What is the effect of this option?

    A. The server locks itself into a chroot jail for all users except for root.

    B. The server locks itself into a chroot jail for all users including root.

    C. The server locks itself into a chroot jail for all users except for anonymous users.

    D. The server locks itself into a chroot jail for all users except for the account used to run the server.

21. What is the filename of the Xorg-X11 X server's log file?

    A. /var/log/X11.log

    B. /var/log/Xorg.0.log

    C. /var/log/Xorg-X11.log

    D. /var/log/Xorg.X11.log

22. What can you expect to find in the /etc/profile.d directory?

    A. Configuration options for the ProFile file manager software

    B. Extended information (“profiles”) about users

    C. Scripts to supplement the main global login bash script

    D. Filesystem mount points and mount options

23. How is the login process handled on text-mode virtual terminals on a computer that uses the SysV initialization system?

    A. A master SysV startup script for all virtual terminals exists in /etc/init.d, with runlevel-specific directories holding links to this file.

    B. Each virtual terminal has its own SysV startup script in /etc/init.d, with runlevel-specific directories holding links to these files.

    C. Lines in /etc/inittab associate getty programs with each virtual terminal, and these getty processes launch the login program.

    D. The kernel controls each virtual terminal directly; boot loader options tell it how many virtual terminals to activate and what login program to use.

24. You're adding a Samba server to an existing Windows (NetBIOS) domain called PICTURE. What smb.conf line will you use to inform Samba of the name of the Windows domain?

    A. workgroup = PICTURE

    B. domain PICTURE.COM

    C. domain = PICTURE

    D. security = PICTURE

25. What is a consequence of the following configuration, found in /etc/exports, assuming that an NFS server is running on the computer?

    /home helpman(no_root_squash,rw)

    A. The root user on the computer called helpman will be unable to mount the /home export from the server.

    B. The root user on the computer called helpman will be able to read and write every file in the server's /home directory tree.

    C. All users on the computer called helpman will be able to read and write every file in the server's /home directory tree.

    D. The computer called helpman may only mount the server's /home export directly on its own root (/) directory (that is, as /home).

26. An individual has an account, samuel, on the computer langhorne.example.com and another account, mark, on the computer tesla.luna.edu. Once logged into langhorne.example.com, how can this user log into his account on tesla.luna.edu using SSH, assuming an SSH server is running on the latter system?

    A. ssh tesla.luna.edu

    B. ssh [email protected]

    C. ssh user=mark tesla.luna.edu

    D. ssh tesla.luna.edu --user mark

27. What type of computer is least likely to use an unmodified version of GRUB Legacy?

    A. A PC with an Intel x-86 CPU, SATA hard disk, and BIOS

    B. A PC with an AMD x86-64 CPU, SATA hard disk, and BIOS

    C. A PC with an Intel x86-64 CPU, PATA hard disk, and BIOS

    D. A PC with an Intel x86-64 CPU, SATA hard disk, and EFI

28. What is the difference between the stop and graceful-stop options to apache2ctl?

    A. The stop option terminates Apache under all circumstances, whereas graceful-stop terminates the server only if all network devices are operational.

    B. The stop option terminates Apache without cleaning up log files, whereas graceful-stop writes extra shutdown data to log files.

    C. The stop option terminates Apache immediately, whereas the graceful-stop option permits in-progress transfers to complete.

    D. The stop option terminates all Apache subprocesses, whereas graceful-stop terminates only those subprocesses you specify.

29. You're creating a PAM auth stack for authenticating users using several different authentication methods (standard Unix logins, LDAP, and so on). You want each PAM module to use the password collected by the first module, without attempting to collect its own password under any circumstances. What option can you pass to all but the first module in the stack to accomplish this goal?

    A. use_first_pass

    B. likeauth

    C. try_first_pass

    D. auth_like_first

30. Which of the following is an advantage of iptables over TCP Wrappers as a security tool?

    A. You can write iptables rules that restrict access by username; TCP Wrappers doesn't support this feature.

    B. You can write iptables rules that shut down attackers' computers; TCP Wrappers can't do this.

    C. You can write iptables rules that restrict the activities of clients; TCP Wrappers affects only servers.

    D. You can write iptables rules that work on privileged ports; TCP Wrappers works only on unprivileged ports.

Answers to Assessment Test

1. A, D. Option A presents the syntax for stopping a service that is controlled via the Upstart system. If the postfix server is controlled in this way, option A should temporarily stop it. Option D will work on systems that use SysV startup scripts, with the main scripts stored in /etc/rc.d. (Some SysV systems put the main scripts elsewhere, but /etc/rc.d is used on some systems, making this option valid.) Option B is incorrect because the kill command takes a process ID (PID) number, not a process name. It's also generally preferable to use a SysV or Upstart script to shut down a service started via this system, rather than killing it directly. Option C is incorrect because, although xinetd is a super server that manages certain other servers, it's not invoked in this way to shut down one of the servers it manages. Also, postfix is normally run directly, not via a super server.
2. C. The kernel ring buffer, which can be viewed by typing dmesg, contains kernel messages, most of which relate to hardware, including network devices. Using grep to scan the output for messages related to eth1, as in option C, will do as the question asks. Option A presents a fictitious file in the real /proc filesystem, and so is incorrect. Options B and D both deploy ifconfig in incorrect ways; this tool cannot display kernel messages related to an Ethernet device.
3. D. Option D correctly describes the purpose of the initrd line. Options A, B, and C are all fictitious. In particular, there is no such thing as an Initial Reduced Disk format, and the GRUB configuration file doesn't affect the tools used to write the stage 0 boot loader. Option B, although incorrect in reference to the initrd line, describes the function of the init= kernel argument, as in init=/bin/bash to launch bash as the initial process—a useful trick in certain recovery situations.
4. B. The pri=priority option in /etc/fstab sets the priority for swap space, with higher-priority swap areas being used first. Thus, option B is correct. (The -p or --priority command-line option to swapon can achieve the same effect.) Option A is exactly backwards. Options C and D are both incorrect because /etc/fstab requires specifying one device filename (or other device specifier, such as a label or UUID value) per line; you can't list two devices on a single line.
5. B. The Nmap utility is used to scan another computer for the presence of open ports, which usually indicate servers. Option B presents the correct syntax for scanning www.pangaea.edu's TCP ports for servers, as the question specifies. If anything but ports 22 and 80 are open, they should be shut down. The tshark utility of option A is part of the Wireshark package, which is a packet sniffer. This utility doesn't perform a port scan, so it won't do as the question specifies. Option C's netstat utility could be used on the target server computer to scan for unwanted open ports, but the question specifies that you're using another computer to do the scanning, so option C is incorrect. The nc tool of option D is a general-purpose network connection utility. Although you could write a script using nc to do as the question asks, the specific command in option D is insufficient to the task.
6. B. In most cases, a message such as this one can be overcome only by installing an appropriate development package, as option B specifies. Such a package contains the headers needed to compile the software, and it usually includes -dev, -devel, or a similar string in its name. Installing a binary library package, as option A specifies, will probably do no good since such packages usually lack the header files that are missing. (You may need such a package to run the software once it's compiled, though.) Option C specifies a fictitious option to configure; however, it is sometimes possible to use a --without-PACKAGE option (as in --without-qt) to work around such problems. This will work only if the software uses the library optionally, however, so even --without-qt would be far from guaranteed to be supported or work. If a configure script exists, the Makefile is likely to be very difficult to edit by hand; and even if you managed the task, chances are the software would fail to compile because the source code relies on the library at a fairly fundamental level. Thus, option D is incorrect.
7. A. The -r or --kernel-release parameter to uname produces the kernel version number, as the question specifies, so option A is correct. Counterintuitively, the -v or --kernel-version parameter does not produce this information; instead, it produces some additional data, such as whether the kernel includes symmetric multi-processing (SMP) support and the date and time it was compiled. Thus, option B is incorrect. The -s or --kernel-name parameter to uname produces the output Linux for a Linux kernel, so option C is incorrect. The -o or --operating-system parameter to uname normally displays GNU/Linux on a Linux system, so option D is incorrect.
8. C. The reiserfstune program adjusts features of ReiserFS, including the filesystem label, and option C presents the correct syntax to do as the question describes. Option A will create a new filesystem on the partition with the label MyStuff; however, because this option creates a new filesystem, existing data will be destroyed, which the question forbids. Option B presents the correct syntax to do the requested job on a partition containing an ext2, ext3, or ext4 filesystem, but the question specifies that the disk uses ReiserFS. Option D's label command is fictitious.
9. D. Option D performs the specified task. Option A is inappropriate because the cp command operates on regular filesystem files; and even if it could copy the contents of /dev/hdb2 to /dev/sdc1, this would be a low-level copy that would corrupt the existing physical volume data on /dev/sdc1. The vgconvert command converts an old LVM version 1 volume group into the newer version 2 format. The syntax in option B is wrong, too. Option C presents the correct syntax to prepare volume group data on /dev/sdc1, but the question specified that this had already been done.
10. D. The dd command cannot write directly to an optical disc; to write to an optical disc, you need a tool such as cdrecord, growisofs, or the kernel's packet-writing support and UDF driver. Thus, option D is correct. The dd utility can't write directly to optical discs, so option A is incorrect. Furthermore, dd doesn't create tarballs by itself; you'd need to involve tar to do this, so option B is incorrect. The incremental backups mentioned in option C would require specific options to tar or some other backup tool, and dd is ill-equipped to perform incremental backups.
11. D. Pointer (PTR) records allow a DNS server to return a hostname when it's given an IP address, which is the function of reverse zone files. Thus, these records are found in reverse zone files but not in forward zone files, and option D is correct. Start of Authority (SOA) and name server (NS) records are required in both zone file types, so options A and B are both incorrect. Address (A) records are found in forward zone file but not in reverse zone files, so option C is incorrect.
12. C. The listen-on directive does as the question specifies, so option C is correct. (Of course, the server might remain accessible to the other network if a router connects the two networks. If so, iptables rules might be useful to further secure the server.) Option A misuses the zone directive, which normally identifies a zone for which the server is authoritative and points the server at the relevant zone file. Option B presents the correct syntax for the allow-transfer directive, which is used to enable transfers to slave servers; it makes little sense to allow transfers to the server's own IP address. Option D also makes no sense; this forwarders statement tells the server that it should forward DNS requests to itself!
13. C. The mrproper target to make in the Linux kernel cleans out old temporary files and removes the configuration file, as the question specifies, so option C is correct. The clean target removes old temporary files, as the question specifies, but it doesn't remove the old configuration files, as the question also specifies, so option A is incorrect. The modules target builds kernel modules but not the main kernel file, so option B is incorrect. The bzImage target builds the kernel in the common bzImage format but does not build kernel modules, so option D is incorrect.
14. B. Option B shows the form of device filenames used by partitions of a RAID array and so is correct. Option A shows the filenames that would traditionally be used by the second, third, fourth, and fifth RAID arrays, not partitions of the first RAID array. Option C specifies the device filenames for a fourth physical hard disk, if one is present. Contrary to option D's assertion, it is legal to partition a software RAID array.
15. D. The iwlist utility can scan for available Wi-Fi networks. To do so, you pass it the interface name and the sub-command name scan or scanning, as in option D. The remaining options present incorrect sub-commands; search, find, and discover are all invalid names.
16. A. Network Address Translation (NAT) is a way to connect multiple computers to a larger network using a single IPv4 address on the larger network. It prevents outside systems from being able to access servers on the protected network, except by special configuration, but it enables protected systems to access the wider network. This set of features makes it a good fit for the scenario described in option A. Because option B involves IPv6 addresses and servers running in that address block, it's a poor fit for use of NAT, so option B is incorrect. Because the highly secure network requires no incoming or outgoing network access except for one computer, it would be better served by having no Internet access at all except for the Web server computer; thus, option C is incorrect. Contrary to option D, NAT can be a great boon to security.
17. B, C. DHCP servers commonly deliver the client's IP address, network mask, gateway (router) address, DNS server address, hostname, and domain name. DHCP servers can also deliver more obscure data including the IP addresses of NetBIOS name servers and Network Time Protocol (NTP) servers. Options B and C are among this information and so are correct. DHCP doesn't deliver suggestions on default Web pages for Web browsers, so option A is incorrect. A computer's Ethernet hardware address is set at the factory and is not normally changed. Although DHCP relies on this address for initial communications, the protocol provides no means to change it, so option D is incorrect.
18. B. Option B describes the effect of the myorigin option in the main Postfix configuration file, so option B is correct. Option A describes the effect of the mydestination option. Option C describes the effects of masquerading, for which Postfix offers various options. Option D describes a fictitious feature and so is incorrect.
19. A. You use the mail_location setting to tell Dovecot where to store incoming mail and what format to use, and option A presents the correct syntax for the question's details, so option A is correct. Options B, C, and D all present fictitious option names and syntaxes and so are incorrect.
20. A. The --chrooteveryone option to Pure-FTPd does as option A specifies; root is the one exception to the chroot rule when this option is used. Because option A is correct, option B cannot be correct. Anonymous users and the account used to launch the server are not exceptions to the rule, contrary to options C and D.
21. B. The Xorg-X11 X server stores its current log file in /var/log/Xorg.0.log, so option B is correct. The remaining options are all fictitious files.
22. C. The main global login bash script is /etc/profile, and this script frequently executes scripts found in /etc/profile.d, enabling packages to add features to bash defaults by adding startup scripts to this directory. Thus, option C is correct. Options A and B describe fictitious software or features and so are incorrect. Option D is a partial description of the contents of the /etc/fstab file.
23. C. On a SysV-based distribution, text-mode virtual terminals are managed as described in option C. Virtual terminals are not managed via SysV startup scripts, so options A and B are incorrect. (GUI logins are sometimes managed via SysV startup scripts, though.) Although the kernel is ultimately responsible for input/output on each virtual terminal, kernel options do not tell the kernel how to use them in the way that option D specifies.
24. A. The workgroup option in smb.conf sets the NetBIOS workgroup or domain name. (Note that the NetBIOS domain name is unrelated to the DNS domain name.) Thus, option A is correct. Option B might be a correct entry in /etc/resolv.conf, to set the computer's DNS domain name, if that domain name is picture.com; however, the question is about Samba and Windows/NetBIOS domains, not DNS domains. Thus, option B is incorrect. Option C is a corruption of the correct answer, but you must use the workgroup parameter, not domain, when setting either the workgroup or the domain name, so option C is incorrect. To tell the server to use a domain controller, you must use the security parameter; however, it takes options of Server, Domain, or ADS, not the domain's name, so option D is incorrect.
25. B. The no_root_squash option causes root's privileges on the client to be preserved on the server (ordinarily root is given restricted rights on the server). Thus, the client's (that is, helpman's) root will be able to read and write all the files in /home on the server, as option B specifies. Option A is incorrect because none of the specified options prevents root (or any other authorized user) from mounting the export. Option C is incorrect because ordinary users' permissions are preserved by the NFS server; its permissions will remain applicable. (UIDs and GIDs may shift, however, which can change how permissions are applied.) None of the specified options affects where the client may mount the export, so option D is incorrect.
26. B. Option B presents the correct syntax for logging in using a different username than on the client system. (Alternatively, ssh tesla.luna.edu -l mark would work.) Option A would have the effect of attempting to use the username samuel on tesla.luna.edu, which would not work. Option C would attempt to log into the computer user=mark and run the command tesla.luna.edu, which would not work. Option D is close to an alternative method of specifying a username, but it's not quite right (you'd use -l rather than --user).
27. D. GRUB Legacy works with any 32- or 64-bit x86 or x86-64 CPU from any manufacturer and with any type of disk that can be read by the firmware. The only factor mentioned in any of the questions that is not compatible with GRUB Legacy is the Extensible Firmware Interface (EFI); GRUB Legacy is designed to work with the older (and more common) Basic Input/Output System (BIOS) firmware. Thus, option D is correct; such a computer can't use an unmodified GRUB Legacy. (The newer GRUB 2 is compatible with both BIOS and EFI.) GRUB Legacy will work with any of the systems described by options A, B, and C, provided no unmentioned factor causes problems.
28. C. Option C correctly describes the difference between these two apache2ctl subcommands. The remaining options are all fictitious explanations.
29. A. The use_first_pass option is recognized by most modules that perform password-based authentication in an auth stack. It does as the question specifies, so option A is correct. The likeauth option is recognized by many modules and causes the module to return the same information when called as part of a password stack as it would in an auth stack. This isn't what the question specifies, so option B is incorrect. Option C is an option that does something very similar to what the question asks, but if the password collected by an earlier module fails, the module will collect a new password. Because of this variance from what was asked, this option is incorrect. Option D describes a fictitious option.
30. C. The iptables program accepts packet identifications that can apply to incoming or outgoing packets to or from clients or servers. TCP Wrappers, by contrast, works only on the initial incoming connection to servers. Thus, option C is correct. Option A is backwards; iptables has no ability to match based on usernames, but TCP Wrappers does. Contrary to option B, neither TCP Wrappers nor iptables can cause an attacker's computer to shut down—and using such a feature if it did exist would be dubious at best from an ethical and legal point of view. Both iptables and TCP Wrappers can restrict access to both privileged and unprivileged ports, so option D is incorrect.