Flashcards to assist students in reviewing the course content in preparation for the final exam.
What is the Linux kernel?
The core of the Linux operating system, with other components added as modules.
Where are kernel log messages usually written?
A section of memory called the kernel ring buffer, viewed using the dmesg command.
How can configuration options be set for the kernel?
At boot time using parameters passed by the bootloader (e.g., GRUB) or by loading kernel modules dynamically at runtime.
Why is the uname command useful?
For displaying system information, including the Linux kernel version and operating system type.
How is a typical Linux system started, and what is the boot process?
By starting a service management process like init (older systems) or systemd (newer systems, especially Red Hat-style). systemd is the first process started.
Who builds a kernel?
Kernels are usually built and maintained by the maintainers of the distribution. A typical Linux administrator does not need to build the kernel.
Name some Linux commands commonly used for network management tasks.
iptables, firewalld, ufw, gufw, ping, and ssh.
What are common names for network interfaces in different versions of Linux?
Older systems used eth0, eth1, and lo. Modern systems use predictable names like enp0s3, ens33, or eno1.
What is a loopback network interface? Why is it useful?
A special interface (lo) used only for testing, internally connected to itself.
What does ping do? Why is it useful?
Uses ICMP to test connectivity by sending a message to another system and waiting for a response.
What systemctl command might you use to check if networking is currently running?
systemctl status networking
What is a potential problem if you stop networking?
You can no longer communicate over the network (ssh, web browsing, etc.).
Is a server typically using a static IP address or an address assigned by DHCP? Why?
Static IP address, to ensure the server is always at the same address.
Why is computer networking typically implemented as a stack of different layers?
To break communication into smaller, understandable pieces, following the divide-and-conquer idea.
Why is most Internet traffic carried over TCP, rather than UDP, at the Transport layer?
TCP provides reliability through session creation and error handling.
What is an ephemeral port number? Why is it used? What type of device would use it?
A port number ranging from 1024 to 65535, used to separate different connections or sessions, especially on the client side.
What is a network socket? What is a socket address?
A software endpoint of a network connection. A socket address is an IP address and a port number.
What is a private IP address? What is another name for it? Why is it used?
An IP address from a reserved range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), also called a non-routable address, used for internal networks.
What is network address translation (NAT)? Why is it used?
A router-level technology that translates private socket addresses to public ones, allowing private networks to access the internet.
What is a DMZ in the networking context? Why is it used? What is typically in it?
A neutral subnetwork between a trusted internal network and the untrusted internet, typically containing public-facing servers.
In a typical "T configuration" firewall arrangement, which inter-zone forwarding should be allowed?
From the outside to the DMZ, from the DMZ to the outside, from the internal to the DMZ, and from the DMZ to the internal.
Can you name and briefly describe some common firewall applications or components in Linux?
netfilter, iptables, firewalld, ufw, and gufw.
What is a package in the Linux context?
A grouping of software components that belong together.
What does the wget command do?
A non-interactive network downloader that retrieves files from a URL.
What are some common package managers used in Linux?
Debian-style: dpkg, apt, aptitude, Synaptic. Red Hat-style: rpm, yum, dnf.
What are log files? Why are they used?
Text records maintaining a history of significant system events, important for tracking what has happened over time.
Why is rsyslog useful (compared to some simpler tool)?
rsyslog supports remote logging: if a host system fails, its logs can still be reviewed from another system.
What is a service in the Linux admin context?
A process that runs constantly in the background, often without a console interface.
Can you give examples of commands used to manage services?
Debian-style: service [name] [option]. Red Hat-style: systemctl [option] [name].
What is the Web? Is it the same as the Internet? Explain.
The Web is an application that uses the Internet. The Internet is a network that carries packets of data for many different applications.
What is the client-server model? What is a Web client? What is a Web server?
A server is an unattended background process that listens for new connections. A client is user-controlled. A Web client is a browser. A Web server is a software process that lets Web clients interact with Web resources using HTTP or HTTPS.
What is HTML? What is HTTP?
HTML is a language used to mark up text. HTTP is a client-server application-layer protocol that typically sits on top of TCP.
Why are cookies needed in web browsing?
Since HTTP is stateless, cookies are used to maintain state, like when a user logs in or adds items to a shopping cart.
What ports are typically used by a Web server? by a Web client?
Web server: port 80 (HTTP) and port 443 (HTTPS). Web client: ephemeral port (50,000 or higher).
How are resources uniquely identified in the Web?
By a Uniform Resource Locator (URL).
What does HTTPS provide that HTTP does not?
Authentication of the Web server's identity; origin and integrity of the data; and confidentiality of the request/response data through encryption.
How does HTTPS use shared keys? public keys? private keys?
Shared keys are used to compute HMACs and perform symmetric encryption. Public/private key pairs are used to establish these shared keys via asymmetric techniques.
How are public keys managed in most applications? What tool is often used in Linux?
Public keys are managed using X.509 certificates. OpenSSL is used on Linux.
What is needed to verify an X.509 certificate? Where do you get that data?
The public key of the Issuer, obtained from another certificate in the chain.
Why is a "certificate" usually a certificate chain?
Because it contains a certificate for the Subject, a certificate for the Issuer, and continuing upward until a root CA.
What is Apache? What is httpd?
Apache is a popular open-source Web server. httpd was the original process name for Apache.
How is Apache configured by a sysadmin?
Through human-readable text configuration files, with a main file and a configuration directory.
How can a sysadmin obtain a certificate for an Apache server?
Use the default self-signed certificate or generate a new certificate and Certificate Signing Request (CSR), send it to a Certificate Authority (CA), receive a certificate chain, and install it into Apache.
How does a browser verify a certificate?
Using the public key of the Issuer from a certificate chain, and checking the digital signature and validity period.
What does the user of a browser see if a certificate is verified? Not verified?
Verified: https with a padlock icon. Not verified: a warning saying the site is "not secure" or "not trusted."
What does LAMP usually represent? Why is it useful?
Linux, Apache, MySQL, PHP. It provides a standard open-source platform for building and running web applications.
What are options for the "P" in LAMP?
Python, Perl, Ruby.
What are some variants on LAMP?
WIMP (Windows, IIS, MySQL, PHP), LAPP (Linux, Apache, PostgreSQL, PHP).
What is the database component of a typical LAMP server?
MySQL.
Who typically administers security for databases in a large organization?
A Database Administrator (DBA), working with security administrators.
Why is PHP popular for programming Web applications?
PHP is designed for server-side Web development, integrates well with HTML, and allows dynamic content generation.
How are Web pages typically built when some of the content needs to be retrieved from a database?
Using a server-side programming language like PHP to interact with the database and generate HTML.
Is "hacking" a positive term today? Explain.
It can have both positive and negative connotations. Ethical hacking helps organizations. However, because the same tools and techniques can be misused, the term still carries negative baggage in some contexts.
What is "ethical hacking"? What are some other terms for it?
Acting as an outsider to hack into a system to test defenses. Other terms: penetration testing, digital forensics, security research.
What is necessary to make it "ethical"?
Written permission clearly stating what you're allowed to do and following the written scope exactly.
What is Kali Linux? Who are likely users of it?
A Linux distribution designed for digital forensics and penetration testing. Likely users include security researchers and computer forensics professionals.
What different methods can be used to run Kali Linux?
Downloading and installing the image, using pre-built virtual machines, on ARM platforms, as NetHunter on Android, in the cloud, in Docker, as a live boot, on WSL.
How should you protect your system when experimenting with vulnerable software?
Use VMware and set the network to host-only to keep everything contained.
What is reconnaissance in the network context? Who does it? Why?
Gathering information about systems on a network. Done by penetration testers, vulnerability testers, and potentially attackers to discover IP addresses, open ports, etc.
What is nmap? Can you describe some of its capabilities?
Nmap (Network Mapper) is a network exploration tool and security port scanner. Its capabilities include target specification using hostnames, IPs, or files; host discovery; port scanning; OS detection; and service/version detection by probing open ports.
What is Metasploit? Who might use it? Why?
A free tool that includes hundreds of known vulnerabilities and exploits. It is used by both ethical testers and hackers to exploit vulnerabilities.
What is an "intruder" in the information security context?
Someone who gains or attempts to gain access to a system or resource without authorization.
What are different types of intrusion?
"Trespass": gaining physical access to a secure area or system; "Penetration": gaining logical access; "Reverse engineering"; "Cryptanalysis": converting encrypted data to plain text without the decryption key, often by exploiting weaknesses in the system.
What is intrusion detection? What is extrusion detection?
Intrusion detection: sensing and analyzing system events to notice unauthorized access attempts.
Extrusion detection: monitoring for unauthorized outbound transfers from inside the system.
What is an IDS? What is an IPS?
IDS: Intrusion Detection System: a system that automates monitoring events and analyzing them for signs of security problems.
IPS: Intrusion Prevention System: aims to block intrusions in real time, but it does not guarantee prevention.
How does misuse detection (signature-based analysis) work?
Compares observed events against a database of known attack signatures. It's fast and accurate for known threats but cannot detect new or unknown attacks.
How does anomaly detection (profile-based analysis) work?
Builds a profile of normal behavior and triggers an alert when activity deviates significantly from that profile.
In the analysis process, what is a false negative? What is a false positive? What happens if you get false negatives? What happens if you get false positives? Why can't you eliminate all false negatives and all false positives?
A false negative occurs when the system fails to detect a real intrusion; a false positive (or false alarm) occurs when the system reports an intrusion that didn't happen. It's not possible to eliminate both entirely because there is always a trade-off between them.
What is a passive response in an IDS? What is an active response?
Passive: writing to a log file or sending an alert. Active: altering the system's operation automatically to defend against a potential intrusion.
Why should you NOT take automated counter-offensive action against a possible intruder's system?
Counter-offensive action is discouraged because it may irritate the intruder, prompting a more aggressive attack. Also, the action will be illegal.
What is a host-based IDS? What is a network-based IDS?
Host-based IDS: runs directly on an end-user device. Network-based IDS: a standalone device inserted into a network link.
What is Snort? What does a Snort subscription provide?
Snort is a widely used open-source IDS/IPS that runs on Linux and uses human-readable rule files for configuration. A subscription determines whether you receive these rules immediately or only after a delay.
What are the important components of a Snort rule?
Header (action, protocol, IP addresses, ports, direction) and options (content matching, offset, message).
Can you describe some Snort rule options?
content, msg, offset, nocase, flags, pcre.
What types of networking have been used in the past?
Bus topology, ring topology, and computer-to-computer connections using crossover cables.
What types of networking are commonly used today?
Star topology (hub and spoke).
How is a wired local area network (LAN) typically configured?
Star topology with a central switch connecting all computers.
How is a wireless local area network (LAN) typically configured?
Using Wi-Fi access points (APs), which often act as DHCP servers.
· Clients connect using the SSID (network name) and a pre-shared key (PSK) (password).
· Clients typically receive IP addresses via DHCP, unless manually assigned.
· APs connect to switches, which then connect to a router, or in smaller setups, clients connect directly to a router/AP combo device.
What is a loopback interface?
A special internal interface used for testing the system's own networking stack, with IP 127.0.0.1.
How are network interfaces configured in Linux?
Automatically during system boot, manually by editing config files, or using NetworkManager.
What are some useful commands to check the network configuration and status?
ip a, ping, uname -a, ss or netstat, ifconfig, iftop.
What are some different ways an interface can be assigned a name in Linux?
Original kernel-based naming, persistent naming (udev rules), and predictable naming based on hardware location.