|
|
第八章:网络客户服务
QUESTION 1/24:
There is a rogue set of users on the curriculum development team who insist on using their own equipment on their own network. Corporate wants to share information with their Windows-only network without having to retrain them. Which service should you install on Linux to "'join" with theirs?
A. Apache Web Services
B. FTP GUI Clients
C. Samba Services
D. There is nothing you can do
ANSWER:
C: Samba services provides transparent access to the Windows networking services for any Linux host.
QUESTION 2/24:
One of your Linux workstation clients needs to get at a file from one of the curriculum developers who has a basic Win98 machine and has created a shared service to the files that are to be retrieved. What utility would you introduce to the Linux user that she would probably know how to use if you showed her once?
A. smbmount
B. smbfs
C. smbclient
D. smb
ANSWER:
C: smbclient. The smbclient utility has an interface that mimics FTP. The average Linux user would be familiar with the interface and would only need to be shown the slightly different syntax needed to make the actual connection.
QUESTION 3/24:
The sales department wants to know if it can selectively give access to certain users to certain directories? Which FTP options could be used?
A. .htaccess
B. ftpaccess
C. rpm
D. hosts.allow
ANSWER:
B: ftpaccess. The file /etc/ftpaccess can be used to restrict user and group access to specific directories.
QUESTION 4/24:
When a user logs in anonymously, she cannot access any of the sales documents. There are no documents available at all, Why might that be?
A. Virtual host points to wrong system
B. DocumentRoot set incorrectly
C. Ftpaccess file does not point to correct directory
D. Anonymous FTP is separate from wu-ftp
ANSWER:
D: Anonymous FTP is separate from WU-FTP. Anonymous login has an empty /home/ftp/pub directory. You need to add files or provide proper logins for service users.
QUESTION 5/24:
The sales department wants to amalgamate its Web service with the HR department to save money. What is the easiest way to do this?
A. Virtual Host
B. .htaccess
C. DocumentRoot
D. memory
ANSWER:
A: Virtual Host. By creating a virtual host for the other machine, even with a completely different IP address, you can host their site with very little disruption of service
QUESTION 6/24:
The sales force complains occasionally they are refused an FTP connection even though their customers never see this. What may be set too low?
A. Access times
B. Local login limit
C. Limited number of daemons
D. System memory
ANSWER:
B: Local login limit. It is common to limit local logins as well as remote logins to keep the load balanced during the heavy day times and let many more access evenings. You may want to allow more but you do not have to, if the system is running fine, leave it alone.
QUESTION 7/24:
The sales department wants to make test results, FAQs, and new product data sheets available to resellers for their own sales literature. How would you make the material available to them for quick downloads?
A. Samba
B. Apache
C. FTP
D. Anonymous FTP
ANSWER:
D: Anonymous FTP. FTP is the fastest way to just get documents. These same documents can be viewed via an html document, but for download of a long document, a zipped up file is the fastest way to get it. You might use anonymous if you were not worried about who got the documents.
QUESTION 8/24:
The rogue curriculum people have set up an NT server to handle their printing and file services. It uses WINS for name resolution, and all users logins are at the domain server. You just want to make connections to some server-hidden shares and back up these files for them. What options would you configure in Samba?
A. BrowseMaster
B. WINS Server IP as Client
C. NT Server for Authentication
D. Special Backup share service from your machine to copy files to
ANSWER:
B: WINS Server IP as Client. You could become a WINS client so that your host name is resolved in the usual method by their hosts. You probably do not need to use NT authentication.
QUESTION 9/24:
When you view all system processes, you notice there are over 35 HTTP daemons running. You thought you configured 10, what has happened?
A. Spiraling out of control.
B. Each virtual service can call up to three times its base number of daemons.
C. There may be some FTP service requests.
D. Apache is dynamically configuring for current load needs.
ANSWER:
D: Apache is dynamically configuring for current load needs. The base is 10 but the limit is much higher and the server adds more as needed to keep a minimum available to listen at all times.
QUESTION 10/24:
A few other departments have been using their own DOS-based mailing systems. The company wants to use a standard service so both employees and customers can all use the same system. What would be the best choice?
A. Internet Explorer 53
B. DaVinci Mail
C. DaMail Mail
D. sendmail
ANSWER:
D: sendmail. The Internet primarily connects the whole world with sendmail mail services.
QUESTION 11/24:
Some of the salespeople are no longer local, and they need to be able to get their mail from any Web-based server in the world. What option would you configure for this?
A. sendmail-Web interface
B. POP3 daemon
C. IMAP daemon
D. Apache Mail interface
ANSWER:
C: IMAP daemon. Only the IMAP interface allows a web based system, not the server itself but the web programs, to provide mail services to users anywhere.
QUESTION 12/24:
The Windows users are complaining they cannot see the HR document share in their Network Neighborhood diagram. What option is missing from smb.conf?
A. Hidden = no
B. Browseable = yes
C. NetworkDisplay = on
D. Viewable = no
ANSWER:
B: Browseable = yes. This option must be set in each share declaration that is to be made visible to
QUESTION 13/24:
Finally, you accessed your site, late at night, from your home office. Too bad you have a slow modem connection. How can you test the Web site without a graphical interface?
A. SWAT
B. lynx
C. linuxconf
D. netscape -text
ANSWER:
B: lynx. The lynx web browser works on any terminal interface.
QUESTION 14/24:
Suddenly, many more users are requesting access to the curriculum development files because they are need to make some technical changes on a regular basis. If they are all connecting to just one server host, how could you make the service "'local"?
A. smbclient-all
B. smbmount
C. smbfs
D. /etc/rc.d/init.d/smbstatus
ANSWER:
B: smbmount. You could smbmount it (using smbfs, this is not a command) on a local directory for all users to access easily.
QUESTION 15/24:
Which is not a component of the Samba File Sharing Service?
A. /usr/bin/smbd
B. /usr/bin/nmbd
C. /usr/bin/smbclient
D. /etc/smb.conf
ANSWER:
C: /usr/bin/smbclient. The service consists of the 2 daemons and the configuration file. smbclient is a client application, with an FTP like interface, used to connect to an SMB share anywhere on the network
QUESTION 16/24:
You made a couple of quick changes to your Samba configuration file and you need to test it quickly for syntax errors. Which utility should you run?
A. smbmount
B. smbclient
C. smbfs
D. testparm
ANSWER:
D: testparm. The testparm utility is a quick syntax check.
QUESTION 17/24:
The human resource department wants to restrict access to its Web site. What features of the Apache Web Server could you incorporate?
A. Virtual Host
B. Port 4001
C. access.conf
D. All of the above
ANSWER:
D: All of the above. Using all these techniques would provide the most secure control.
QUESTION 18/24:
You notice no ftpd service running when you randomly check your system, but no complaints have been made. Why is there no daemon?
A. Awakened by inetd as needed
B. Only runs at designated intervals of day
C. Nobody uses it, system cleans house regularly
D. Run out of memory
ANSWER:
A: Awakened by inetd as needed. The supernet daemon inetd listens for the incoming requests and launches the service as needed.
QUESTION 19/24:
The sales department wants to keep detailed and separate log files about page hits and error messages. Which options should it use?
A. Virtual Host
B. CustomLog
C. DocumentRoot
D. ErrorLog
ANSWER:
B, D: CustomLog and ErrorLog.Within the Virtual Host, you can identify the ErrorLog. You can also use CustomLog to separate Referrer and Sender info if required.
QUESTION 20/24:
You are asked to share the HR downloadable documents to Windows users who are not that familiar with FTP and want a shared drive connection. How do you force the Samba service to reread the configuration file immediately?
A. testparm
B. /etc/smb.conf
C. /etc/rc.d/init.d/smb
D. /etc/samba/restart
ANSWER:
C: /etc/rc.d/init.d/smb. The control script is /etc/rc.d/init.d/smb. You can start, stop, restart, or display status of the services with this script.
QUESTION 21/24:
The HR and sales departments want to restrict the users who can print to their printers. What file can be used to restrict access to print services?
A. printtool
B. /etc/printcap
C. /etc/lpraccess
D. /etc/hosts.lpd
ANSWER:
D: /etc/hosts.lpd. This file can be used to restrict hosts or networks from accessing print services locally.
QUESTION 22/24:
Your system has become very large. You want to look at your current printer configuration in X Windows. What utility might you use?
A. smbclient
B. /etc/printcap
C. printtool
D. lprsetup
ANSWER:
C: printtool. The printtool X window interface is a quick overview of your printer setup but not your current queue status. Use lpq or 'lpc status' to see current print job and spooling status.
QUESTION 23/24:
You copy over the Windows-based Web site to your site, set up the virtual host, and try to hit the homepage, but it fails. Which of these could be the problem if this was a straightforward Web site copy of existing files that worked?
A. DocumentRoot
B. Port Number
C. index.html
D. Wrong browser settings
ANSWER:
C: index.html. Windows uses 3 character extensions. Check the file name expected for the default page, it is usually .html in Linux/UNIX.
QUESTION 24/24:
What service would you use to provide human resource documents to any or selected users on the network?
A. Samba
B. Apache
C. X Windows
D. FTP
ANSWER:
B: Apache. The Apache web server is the best choice here. You could use FTP or Samba to share the resources, but the easiest retrieval would be through a web browser interface.
第九章:网络管理
QUESTION 1/20:
DHCP has been installed and configured properly. The network is responding. There are no firewalls or extraneous server processes. Clients are not getting their network information, though. What could be the cause?
A. Not enough disk space.
B. The dhcpd.leases file was not created.
C. DHCP is in loopback mode.
D. DHCP has phased the multicast server array.
ANSWER:
B: Make sure the dhcp.leases file is created before DHCP is started.
QUESTION 2/20:
You've set up a PPP dialup for your small company's Internet connection. The dialup server is connected to the network so that all may share the connection. You can see the Internet from the dialup server, and you can see your internal network as well. However, the users are unable to access the Internet. What's wrong?
A. The users each need their own modems.
B. Be sure routed or gated is running on the dialup server.
C. Check to see that the network card knows about the modem.
D. Make sure IP forwarding is turned on.
ANSWER:
D: IP forwarding passes packets from one network to another. You don't need to have the server setup up as a router, but it needs to know that it can forward packets from the network to the modem, and vice versa.
QUESTION 3/20:
You have added several new servers into your primary DNS server. The zone files are formatted properly, and you've restarted named. You advertise the new servers, and your help desk immediately starts getting calls that no one outside your domain can see the new servers. What is the most likely cause?
A. Your servers are not connected to the network.
B. The serial number was not incremented in the zone file.
C. Someone has changed the zone files without your knowledge.
D. The users at the other end are having ISP problems.
ANSWER:
B: Make absolutely sure that the serial number at the top of the zone file is incremented each time you change a zone file. If it is not changed, external DNS servers will think that nothing changed in your domain, and they will not bother to pull new RRs.
Answers in Depth ..
QUESTION 4/20:
Which program checks the DNS setup?
A. dnscheck
B. BIND
C. nslookup
D. resolve
ANSWER:
C: nslookup. Nslookup checks the configuration of the nameserver based on the resolv.conf file.
QUESTION 5/20:
Which is not a variant of NFS?
A. KNFSd
B. PCNFS
C. MacNFS
D. UNFSd
ANSWER:
C: There is no such thing as NFS for the Mac.
QUESTION 6/20:
You wish to configure a new IPX user to share a printer. What line should be inserted into the nwserv.conf file?
A. User roger Pass changeme
B. 100 roger changeme
C. roger changeme
D. 13 roger changeme
ANSWER:
D: The '13' directive should be followed by the username and password.
QUESTION 7/20:
In the /etc/exports file, if we want to export /data as read-only, but grant write permission to the supervisor, the proper line is:
A. /data (rw) superv.domain.com(ro)
B. /data (ro) superv.domain.com(rw)
C. /data (ro) *.domain.com(rw)
D. /data superv.domain.com(rw)
ANSWER:
B: export the file system as a general read-only, and then specify the machines that have read-write permission.
QUESTION 8/20:
/var fills up. What will restore operation of News?
A. Remove /var/spool/news/articles/alt/binaries.
B. Remove /var/lib/news/history.pag.
C. Expire aging news articles.
D. Make more inodes.
ANSWER:
C: Run "/usr/bin/news.daily delayrm" as the news user. This should be run daily by /etc/cron.daily/inn-cron-expire.
QUESTION 9/20:
Which are proper keywords that can be used in a ntp.conf file?
A. server
B. client
C. peer
D. child
ANSWER:
A, C: server denotes a lower stratum server and peer denotes an equal stratum machine.
QUESTION 10/20:
You add a new workstation to your dhcpd.conf file. You're in a hurry to finish, so you save and go to lunch. When you return, your phone mail is full of user complaints that they can't access the Internet, but the local network is fine. You surmise that you accidentally changed something in the dhcpd.conf file that you shouldn't have. What is the most likely cause?
A. The absence of a "routers" line.
B. The subnet mask was changed.
C. The IP range was thrown off.
D. The broadcast address was changed.
ANSWER:
A: The lack of a router declaration would cause an Internet outage. Any of the other choices would probably cause a general network outage.
QUESTION 11/20:
You work at a large company. Every day at about noon, the network slows to a crawl. The CEO just noticed he has trouble reading and sending email at that time and wants answers. What should you do?
A. Reconfigure your DNS servers to increase their local cache.
B. Upgrade your network.
C. Route all web surfing through a Squid server.
D. Route the CEO's mail over a different subnet.
ANSWER:
C: The users are most likely surfing the web on their lunch hour. All 500 of them just hit their favorite stock quote site. A great deal of bandwidth can be recovered by routing web traffic through a Squid server.
QUESTION 12/20:
What naming scheme describes a serial port on a Linux system?
A. /modem
B. /dev/modem
C. /dev/ttyS0
D. COM1
ANSWER:
B, C: /dev/modem can be a symbolic link to /dev/ttys0 (or ttyS1 and so forth) which is the main hardware designator for a serial port.
QUESTION 13/20:
The driftfile in NTP serves as:
A. A calculation of the average drift from true UTC of the local system clock.
B. A random constant used to synchronize the clock with itself.
C. A measure of the Earth's rotational drift.
D. The "zero" from which system time is determined.
ANSWER:
A: NTP takes about a day to calculate the contents of the driftfile. This assures accurate restart if the daemon is shut down for some reason.
QUESTION 14/20:
Squid serves as a caching server for which Internet protocols?
A. FTP
B. News
C. HTTP
D. DNS
ANSWER:
A, C: HTTP and FTP sessions are cached by squid.
QUESTION 15/20:
Your company has just suffered an external security breach. As a result, the security department has tightened the screws on all the servers, routers and firewalls. Up until this point, all user data had been mounted over NFS, but now, nothing works. What happened?
A. The hackers erased the NFS data, and they got the backups too.
B. The NFS ports are no longer allowed through the necessary firewalls.
C. The two are unrelated, check your disk space.
D. The file system is no longer shared from the server.
ANSWER:
B: Ports 111, 745, 747, and 2049 must be allowed through the network security to function. Consider the possibility that NFS may have been to blame for the break-in, and restrict its use to isolated or protected subnets.
QUESTION 16/20:
You have the printer in your office set up as a NetWare printer for all to share. Your hard drive crashes and you have to restore from backup. Everything works from your console, and all the users use a default password, but no one can print but you. What is the fix?
A. Hook the printer directly to the network.
B. Have everyone reboot his or her machine to reestablish the connection.
C. Make sure the last backup caught the "21" directive in the nwserv.conf file.
D. Add in each individual user instead of using a default password.
ANSWER:
C: Double-check the print queue (21) in the nwserv.conf file. You may have added the printer after your last backup.
QUESTION 17/20:
No new traffic has come in but innd is running.
A. Your ISP has dropped you.
B. TCP/IP link is down.
C. The Internet has vanished and no one is posting.
D. innd is overloaded
ANSWER:
D: Use ctlinnd mode to confirm this. The reason can then be traced through the error logs.
QUESTION 18/20:
Which is an example of a properly formatted MX record?
A. MX 10.mail.domain.com.
B. MX mail.domain.com.
C. MX 10 mail.domain.com
D. MX 10 mail.domain.com.
ANSWER:
D: Make sure the preference is defined, and the trailing '.' is included at the end of the record.
QUESTION 19/20:
On bootup, the system will check what file for NFS shares to mount?
A. /etc/exports
B. /etc/nfs.conf
C. /etc/fstab
D. /nfs/conf
ANSWER:
C: /etc/fstab contains all the necessary information for NFS to mount its file shares.
QUESTION 20/20:
A message pops up that News is out of space, but df -k shows plenty remaining on /var. What's wrong?
A. Out of inodes on file system.
B. Hackers.
C. Invisible files on file system.
D. df is broken.
ANSWER:
A: No more inodes. Run mkfs with a smaller -i (bytes-per-nodes) option or use cycbuffs. Confirm this diagnosis with df -i.
第十章:系统安全管理
QUESTION 1/20:
A user on of the NIS workstations calls you and tells you that she is having trouble changing her password using the passwd command. What should you tell her?
A. You'll change her password for her.
B. Try picking a more secure password.
C. Make sure the CAPS LOCK key isn't on.
D. She must use the yppasswd to change her NIS password.
ANSWER:
D: You must use the NIS yppasswd command to change your NIS password.
A, B, and C are all incorrect because the user's account is a NIS account; therefore, the only valid choice is D.
QUESTION 2/20:
Which of the following are correct ways to specify a source address or a destination address when configuring IP chains?
A. 192.168.188.0/255.255.255.0
B. 192.168.188.0/24
C. 192.168.188.5
D. server1.xyz.org
E. 0/0
ANSWER:
A, B, C, D, E: All are correct.
QUESTION 3/20:
You have a network consisting of 50 Linux workstations and 5 Linux servers. Most of the workstations are in public areas, and your users need to be able to log in from any workstation on the network. How might you satisfy this requirement?
A. Keep a master copy of /etc/passwd on one of the servers, and do a backup and restore of that copy to all of the workstations every evening,
B. Set one of the servers up to be a NIS server. Set another server up to be a NIS slave server. Make the workstations NIS clients.
C. Set the workstations up to be NIS clients.
D. Create a common account on every workstation and give everyone the password to this account.
ANSWER:
B: This would be an ideal situation for NIS.
A is incorrect because it is labor intensive and would lead to many password database inconsistencies. C is incorrect because you need at least one NIS server. D is incorrect because this is obviously an insecure way to run a network.
QUESTION 4/20:
You are trying to connect to a remote system, but you can't make a connection. You are using the ping command to troubleshoot, and you notice that you can ping your own system and you can ping other systems that are on the same subnet as you. When you try to ping a system outside your subnet, however, you get no response. What steps can you take to resolve the problem?
A. Contact the system administrator for the remote system and tell him to remove the ipchains DENY rule he has for your system.
B. Disable tcp_wrappers for on your system.
C. Use the route -n command and check to see that you have a default gateway set.
D. Reconfigure your network setup.
ANSWER:
C: C. In this situation, the first thing you should check is that you have a default route (or default gateway) set and that the system is up. Any packet you send that is addressed to a network other than your system's subnet must go through the router to get to its destination. If the router is down, or your system doesn't have an entry for it in its routing table, then your packets aren't going anywhere.
A, B, and D are all incorrect because anytime you experience this type of situation, the most likely cause is a routing problem.
QUESTION 5/20:
You work at the headquarters of a company that has several divisions. Each division is part of the headquarters LAN, but each division has its own logical subnet and its own domain. You would like to set up an internal ftp server for each division, but you don't want to have to configure and manage multiple systems. What solution can you devise?
A. Set up a user's workstation in each division to be the ftp server and delegate the management of that server to the user of that workstation.
B. Use NIS and set up shared virtual ftp directories.
C. Use IP aliasing and set up virtual host services for each division.
D. Edit /etc/inetd.conf and change all occurrences of tcpd with virtuald.
ANSWER:
C: Since each network has its own domain and its own subnet, this is the perfect situation for IP aliasing. With IP aliasing, you can use one system as the server for multiple domains.
A is incorrect because this is an insecure way to accomplish this and would require knowledgeable users. B is incorrect because this isn't what NIS is used for. D is incorrect because you should only need to virtualize the ftp daemon.
QUESTION 6/20:
You are setting up a small office and you would like to provide Internet access to a small number of users, but you don't want to pay for a dedicated IP address for each system on the network. How could Linux help with the problem?
A. Assign the official IP address to a Linux system, and create accounts on that system for all of the office personnel.
B. Install Linux and configure it for IP forwarding.
C. Install a Linux router.
D. Use the Linux system to connect to the Internet, and then use IP chains to set up IP masquerading.
ANSWER:
D: If you need to connect several systems to the Internet, but only have one official IP address to use, IP masquerading is the perfect solution.
A is incorrect unless your users want to telnet to a single system and use a command-line interface. B and C are essentially the same answer and are both incorrect because a router will not help in this situation.
QUESTION 7/20:
Which of the following are correct?
A. Only routers need to maintain route tables.
B. You enter static routes manually.
C. The system bases its decision on where to route a packet by looking at the packet's destination address.
D. You don't need to worry about changing your routing tables when your network changes.
ANSWER:
B, C: B and C are correct. A is incorrect because every system must maintain some routing information. D is incorrect because when your network changes is when you really need to make sure your routing tables are correct.
QUESTION 8/20:
You have just recently connected your organization's network to the Internet, and you are a little worried because there is nothing other than your router standing in the way between your network and the Internet. You have a spare 200MHz PC lying around doing nothing that just happens to have two Ethernet cards. You also have a mixture of systems on your network that includes Macintosh, Windows 95, and Linux. What might you do to ease your mind?
A. Nothing, you're not advertising the systems on your LAN via DNS, so no one will ever find them.
B. Install Red Hat Linux 6.0 on the 200MHz PC and use ipchains to set it up as a firewall.
C. Install Red Hat Linux 6.0 on the 200MHz PC and use tcp_wrappers to set it up as a firewall.
D. Install Linux on all systems on your network.
ANSWER:
B: Your best choice would be to take the unused PC and turn it into a firewall using Linux and IP chains. If you use a router to connect to the Internet, then your firewall system sits between your LAN and the router. This results in a two-node network consisting of the router and one of the network interfaces in your firewall that serves as a buffer zone between the Internet and your LAN. You assume that any traffic on this side of the firewall is potentially unsafe. This buffer network is sometimes referred to as the "demilitarized zone," or DMZ.
A is incorrect because this is a poor way to secure a network. C is incorrect because although you might also want to use tcp_wrappers as part of your security strategy, it is designed to secure individual machines, not an entire network. Although D might be a good option in general, it won't necessarily make your network more secure.
QUESTION 9/20:
You would like to have your system page you when certain events occur. How could you do this?
A. Configure the paging feature of the logrotate utility.
B. Install the swatch utility and set it up to do this.
C. Not possible.
D. Install the GNUpage utility.
ANSWER:
B: B. The swatch utility monitors system log files. Among its capabilities is the ability to page you when certain events that you have specified occur.
QUESTION 10/20:
Consider the following command:
ipchains -A input -s 192.168.77.77 -j REJECT
What effect will this have when the client with an IP of 192.168.77.77 tries to connect to your system?
A. No effect at all.
B. Access will be denied, and the client application will not receive any indication of what happened.
C. Access will be denied, and the client application will receive a message about the target destination being unreachable.
D. You will receive a notification message on the system console.
ANSWER:
C: Because of the REJECT target, the client will receive an ICMP error message. If the target was DENY, the client would receive no indication of what happened to the packet.
QUESTION 11/20:
You experience a moment of forgetfulness and try to log in to the root account of your server via telnet from your Internet connection at home. Why doesn't this work?
A. You are using IP chains to filter out telnet access to the root account.
B. You miskeyed your password.
C. Login to the root account is never allowed from any terminal other than the console.
D. The network terminal device that you are trying to log in from is not listed in /etc/securettys; therefore, the root account will not be allowed to log in from that terminal.
ANSWER:
D: The root account is only allowed to log in from terminals listed in /etc/securettys. A is incorrect because this is not a typical firewall function. B is obviously incorrect. C is incorrect because of answer D.
QUESTION 12/20:
You are editing the PAM configuration file by adding a module. How would you indicate that the authentication process should immediately terminate and fail if the module fails?
A. Make sure the module is either an auth module or a password module, since these must always succeed.
B. Use the required control flag.
C. Use the requisite control flag.
D. It doesn't matter, the authentication process always stops as soon as a module fails.
ANSWER:
C: The requisite flag is used to indicate that the authentication process should end immediately if the module fails.
A is incorrect because any PAM module can fail and the authorization process will continue. B is incorrect because required is not a valid flag. D is incorrect because the control flag determines when the authorization process terminates.
QUESTION 13/20:
How would you set up the workstations to be NIS clients?
A. Edit /etc/passwd and add the line USE_NIS at the end of the file.
B. Start the ypbind daemon.
C. Add a line to start ypbind to /etc/inetd.conf.
D. Run authconfig and enable NIS.
ANSWER:
D: Although you can configure NIS clients manually, the easier way is to use either the authconfig utility or the linuxconf utility.
A is incorrect because this is invalid syntax. B is incorrect because you need to do more than start ypbind. C is incorrect because ypbind should be started from /etc/rc.d/init.d.
QUESTION 14/20:
Which of the following are not good basic host security measures?
A. Jotting down the root password on your desk blotter.
B. Checking system log files regularly for unusual activity.
C. Hanging on to unused accounts in case their original users want to reactivate them.
D. Providing users with adequate training so they know how to properly use the tools at their disposal.
ANSWER:
A, C: A and C are both not recommended. B and D are both good security practices.
QUESTION 15/20:
You are using the tcpd program to start services in inetd.conf. How could you restrict telnet access to be available only to clients on the 192.168.170.0 network? Assume that no other configuration has been done for tcpd.
A. Edit inetd.conf and add -DENY EXCEPT 192.168.170.0 to the entry for the telnet daemon.
B. Edit /etc/hosts.allow and add the line:
in.telnetd : 192.168.170.0/255.255.255.0
C. Edit /etc/hosts.deny and add the line:
in.telnetd : 192.168.170.0/255.255.255.0
D. Edit /etc/hosts.deny and add the line:
in.telnetd : ALL EXCEPT 192.168.170.0/255.255.255.0
ANSWER:
D: Although B would allow the requested access, since no other configuration has been done for tcp_wrappers, /etc/hosts.deny will be empty, so other clients will be allowed access by default. The best choice is to restrict all access to the telnet daemon and then make an exception for clients in the requested subnet. A is incorrect because the syntax is wrong. C is incorrect because it would result in telnet access being denied to the 192.168.170.0 network.
QUESTION 16/20:
Below is a configuration line from inetd.conf :
smtp tcp nowait root /usr/sbin/in.smtpd
What is missing from the line?
A. The arguments for the smtp service.
B. The type of socket the service will use.
C. Nothing.
D. The type of protocol the service will use.
ANSWER:
B: The second field in the configuration line should contain the type of socket the server application will use. Since the service is using TCP, the socket type should be stream.
QUESTION 17/20:
What are the four steps that PAM breaks the authentication process into?
A. Authentication management, account management, session management, and password management.
B. Authentication management, account management, network management, and password management.
C. Authentication management, account logging, session management, and password management.
D. Authentication management, account management, session management, and firewall management.
ANSWER:
A: PAM breaks the authentication process into these four steps.
QUESTION 18/20:
You have a server application that is only used about once a day. How would you configure this service to start so that it didn't have to run continuously?
A. Add an entry in the system cron table to start the service at about the time you think that service will be needed. Add another entry to stop the service a few minutes later.
B. Write a shell script to start the service at boot time with a file in /ect/rc.d, but use a sleep command to put the process to sleep until it's needed.
C. Start the service by adding an entry for it in /etc/services.
D. Add an entry for the application in /etc/inetd.conf.
ANSWER:
D: Inetd is used to start services on an as-needed basis. You tell inetd which services to start by placing them in inetd.conf.
A and B obviously won't work very well. C is incorrect because the /etc/services file is used to associate a service name with a port number.
QUESTION 19/20:
Assume you normally work from a user account called sysadm. How might you configure your Red Hat Linux System to notify you whenever there is a serious problem with the kernel?
A. Edit /etc/syslog.conf and add an entry such as
kern.err root,sysadm
B. Recompile the kernel to include error notification and specify sysadm as the user to be notified.
C. Write a C program to monitor the /proc/err directory and send any messages that appear there to sysadm.
D. Edit /etc/syslog.conf and add an entry such as:
*.* root,sysadm
ANSWER:
A: Although D might seem like a good choice, this would also show you all messages from every facility. It would be very difficult to pick out just the kernel messages from everything else that would be coming to your screen. B and C are obviously incorrect because there is too much effort involved.
QUESTION 20/20:
You would like to restrict access to your ftp site to clients in a particular subnet. How can you do this?
A. Use ipchains to filter out ftp requests for all but the given subnet.
B. Comment out the configuration line for the ftp service in /etc/inetd.conf.
C. Edit /etc/ftp.conf and add a reject line for all networks other than the given subnet.
D. Use tcp_wrappers and add the appropriate lines to /etc/hosts.allow and /etc/hosts.deny.
ANSWER:
D: This is a good situation for tcp_wrappers.
A is incorrect because ipchains is better used to filter entire protocols. B is incorrect because this would disable ftp completely. C is incorrect because there is no ftp.conf file.
第十章:灾难恢复和安全
QUESTION 1/20:
How can you boot a damaged Linux system to perform repairs?
A. Boot from your systems custom boot floppy
B. Boot into rescue mode
C. Boot into single-user mode using the command linux s
D. Boot into runlevel 4
ANSWER:
A, B, C: A, B, and C are all correct.
QUESTION 2/20:
How would you set the setgid bit on the /home/developer directory? Assume that you have already issued the command chown nobody.developgrp /home/developer.
A. chmod 2775 /home/developer
B. chgrp 2775 /home/developer
C. chmod 775 /home/developer
D. chmod g+s /home/developer
ANSWER:
A, D: Both commands will set the setgid bit. The advantage to D is that you don't have to worry about affecting the other permission settings.
QUESTION 3/20:
Where are some likely places for configuration errors that can prevent your system from booting?
A. /etc/lilo.conf
B. /etc/fstab
C. /etc/passwd
D. /boot
ANSWER:
A, B, D: The omission of a single character in /etc/lilo.conf or /etc/fstab can mean the difference between a bootable system and one that will not boot. Any time you make changes that affect the files in /boot, you should rerun lilo to ensure that the boot loader can locate the files in that directory in needs.
QUESTION 4/20:
Which of the following are not true?
A. System time is stored in a hardware clock.
B. Some systems store the time value in 24 hour GMT format.
C. You cannot change your system's timezone offset once you have installed Linux.
D. The timeconfig utility can be used to change your system's time offset.
ANSWER:
C: C is false.
QUESTION 5/20:
What should you remember to do when running lilo from rescue mode?
A. Use the -r option to tell lilo to use an alternate root location
B. Use the correct path to locate the lilo utility
C. Use the sync command to flush changes you make to disk
D. All of the above
ANSWER:
D: You should keep all of these in mind when using lilo in rescue mode. You should always remember to use the sync command when you are running in rescue mode or single-user mode to make sure your changes are written to disk.
QUESTION 6/20:
You are trying to boot a system and keep receiving a message about a corrupted partition. You have booted into rescue mode. Now what might you do to fix the problem?
A. Use fdisk and delete the partition, then add it back
B. Use the fdisk -l command
C. Run lilo to rebuild the boot block
D. Run the command e2fsck -b 8193
ANSWER:
D: Try running a file system check using an alternate superblock. A might fix the problem, but would have the unfortunate side effect of deleting all of the data on the partition.
QUESTION 7/20:
How would you ensure that all files that are created by your users are automatically created with full access for the owner and group owner of the file?
A. Have your users type the command umask 002 whenever they create a file.
B. Place the command umask 002 in /etc/profile.
C. Have your users type the command chmod 002 whenever they create a file.
D. Place the command umask in /etc/profile.
ANSWER:
B: Placing the command umask 002 will set the default umask for all users. Typing the umask command without any arguments displays the current umask setting for your process.
QUESTION 8/20:
When you boot your Linux system, the boot process gets as far as displaying the word LIL on the screen. What should you do?
A. Boot into rescue mode, and run e2fsck,
B. Boot into rescue mode, and check /etc/fstab for errors
C. Boot into rescue mode, and check /etc/lilo.conf for errors
D. Reinstall Linux
ANSWER:
A, B, C: LILO is telling you that it got part of the way through the boot process, but couldn't continue because of errors in lilo.conf or possible disk errors. If you suspect disk problems, you might run e2fsck on the /boot partition. If your disk isn't having problems, then you should investigate lilo.conf for errors. The boot process has not gotten far enough at this point for /etc/fstab to have anything to do with the problem.
QUESTION 9/20:
What should you do to a shared directory to ensure that all user accounts who are members of the group that owns the directory will have access to files created in that directory?
A. Make sure the root account owns the directory.
B. Make sure the nobody account owns the directory.
C. Make sure directory is in every user's PATH.
D. Make sure the setgid bit is set on the directory.
ANSWER:
D: When the setgid bit is enabled for a directory, all files that are created in that directory are created with the same group owner as that of the directory.
QUESTION 10/20:
What emergency repair items should you always have on hand?
A. A custom boot floppy for your system
B. A repair boot disk
C. Documentation on the partition layouts for the disk drives on your system
D. Documentation on using the repair utilities
ANSWER:
A, B, C, D: All of the above are good to have on hand if you have to perform a system rescue.
QUESTION 11/20:
Your manager has asked you for a report of all the system reboots in the past week. How will you obtain this information?
A. Check the /var/log/messages file
B. Issue the command last reboot >reboot.rpt
C. Check the /var/log/reboot file
D. Issue the command lastb >reboot.rpt
ANSWER:
B: The last reboot command will list the times your system has been rebooted. Edit the file reboot.rpt and remove all but the last week's entries.
QUESTION 12/20:
You are a consultant and are helping a client who has managed to render his system unbootable. You have booted into rescue mode, but the client doesn't have any documentation on the partition layout on his disk drive. What can you do?
A. Use the fdisk -l command to display the partition table for the drive
B. Reinstall Linux
C. Use the e2fsck command and look for the superblock
D. Use the fdisk command in interactive mode
ANSWER:
A, D: A and D will both work.
QUESTION 13/20:
How would you obtain a rescue disk if you don't have one?
A. Order one from Red Hat.
B. Run the mkrescuedisk utility.
C. Place a floppy in the floppy drive, mount the Red Hat distribution CD-ROM, and issue the command cp /mnt/cdrom/images/rescue.img /dev/fd0.
D. Place a floppy in the floppy drive, mount the Red Hat distribution CD-ROM, and issue the command cat /mnt/cdrom/images/rescue.image >/dev/fd0.
ANSWER:
D: D is the correct way to make a rescue disk.
QUESTION 14/20:
The junior system administrator at your site has just come to you to report a suspected bad hard drive on the system he was working on. Whenever he tries to boot the system, he gets a kernel panic with a message saying the root partition cannot be found. What do you suspect the problem is?
A. The hard drive has crashed.
B. The I/O bus is going bad.
C. Intermittent RAM problems are masquerading as disk problems.
D. The junior system administrator was modifying a system configuration file and has managed to configure the system so it will not boot.
ANSWER:
D: In a situation like this, the cause is most likely human error.
QUESTION 15/20:
You installed the psacct process accounting RPM and issued the command /sbin/accton, but nothing shows up when you issue the ac command or the sa command. You've checked and you have a /var/log/pacct file, but its size is 0 bytes. What is wrong?
A. You will have to reboot to start the accounting process.
B. Nothing is happening on your system, so nothing is being logged.
C. You turned accounting off.
D. The /var/log/pacct file is corrupt.
ANSWER:
C: By default, when you issue the accton command without any arguments, accounting is disabled. To enable accounting, you need to specify the accounting log file to use: /sbin/accton /var/log/pacct.
QUESTION 16/20:
You are setting up a Red Hat Linux system and are configuring several network services. What can you do to make sure your system is more secure from outside attack?
A. Set up individual user accounts to run the services under.
B. Pick a really secure password for the root account.
C. Run the services under the user nobody account.
D. Make sure the system is locked away in a machine room somewhere.
ANSWER:
A, C: You should run network services under their own accounts or the nobody account. If someone does succeed in exploiting a security hole in the server application, his actions will be limited to those of a normal user.
QUESTION 17/20:
You have trouble remembering all of the dozens of different commands and options required to administer a system. What can you do?
A. Become adept at using the man pages and info utility
B. Make copious notes to remind you how things work
C. Use linuxconf to manage your system
D. Write a shell script menu program for the tasks you most commonly perform
ANSWER:
C: The linuxconf utility provides you with an easy-to-use interface for system management.
QUESTION 18/20:
You are concerned about the security of your system and would like some way to ensure you haven't overlooked some minor configuration setting that could result in a potential toehold for a cracker. What could you do to check the security of your system?
A. Publish an invitation on the Internet for crackers to attempt to break into your system as a test of your security measures.
B. Hire a security consultant.
C. Download and install the Computer Oracle and Password System.
D. Assume your system was secure enough, and hope for the best.
ANSWER:
C: The COPS package will perform a scan of your system and look for configuration settings that could potentially compromise your system's security.
QUESTION 19/20:
What would you use the tmpwatch command for?
A. To monitor the system for break-in attempts
B. To clean up unused user account directories
C. To scan system-wide temporary directories and clean up old temporary files
D. To monitor the /tmp directory for the appearance of certain files
ANSWER:
C: The tmpwatch command is usually run as a cron job. It is used to recursively search through temporary directories and remove files that have not been accessed within a specified time frame.
QUESTION 20/20:
You suspect someone has been trying to break into several accounts on your system. How could you check on this?
A. Configure system logging to notify you whenever a failed login attempt occurs
B. Use the sa command to get a summary of failed login attempts
C. Use the command cat /var/log/btmp
D. Use the lastb command to display failed login attempts
ANSWER:
D: The lastb command is used to display failed login attempts. You must have a /var/log/btmp file in order to record failed login attempts. |
|
IP卡
狗仔卡
发表于 2003-2-21 16:17:27
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
发表于 2003-2-21 17:54:08