Click here to show toolbars of the Web Online Help System: show toolbars
 

Team LiB
Previous Section Next Section

Review Questions and Answers

1. 

You are the Solaris security administrator for your network. Aware of the possibility of hackers trying to use brute force to log into your network, you want to enable the logging of all failed login attempts. Which facility do you want to enable for tracking in the syslog.conf file?

  1. user

  2. kern

  3. auth

  4. sec

  5. login

  6. security

C. The correct facility for logging security-related events is auth . Although sec , login , and security are tempting choices, none of them are legitimate facilities.

2. 

You are configuring auditing for your Solaris 9 server. You want to find out information on the severity levels of entries located in your syslog.conf file. Which file can you look in to see how the severity levels are defined to the syslogd daemon?

  1. /etc/default/syslogd

  2. /etc/syslogd.conf

  3. /etc/syslog.conf

  4. sys/syslog.h

D. The file containing severity level information is sys/syslog.h . The /etc/default/syslogd and /etc/syslog.conf files contain configuration information for the syslog service. The /etc/syslogd.conf file does not exist.

3. 

You have recently configured role-based access control (RBAC) on your Solaris server. Three employees within your company have been assigned roles. You want to ensure that only these three employees have used their role accounts. What is the easiest way to check this, without seeing extraneous information?

  1. Examine the /var/adm/sulog file periodically.

  2. Examine the /var/log/syslog file periodically.

  3. Create a line in the /etc/syslog.conf file that reads su.* /var/su/log. Examine the /var/su/log file periodically.

  4. Create a line in the /etc/syslog.conf file that reads auth.* /var/su/log. Examine the /var/su/log file periodically.

A. The /var/adm/sulog file is built in and it logs all su activity. Users must use su to assume a role. The /var/log/syslog file collects system messages, not security information. In the syslog.conf file, su is not a valid facility; auth is, but it will log all information about security authorizations, which is far more than you want to log in this case.

4. 

You are the Solaris server administrator for your company. Your custom-designed accounting database recently crashed and will not open. The syslog.conf file on the server that hosts the database is configured with all facilities. Which of the following facilities will generate messages regarding your failed accounting database?

  1. user

  2. kern

  3. daemon

  4. app

  5. alert

  6. err

  7. debug

A. The user facility logs all user-generated messages, as well as messages from applications not expressly defined in the syslog.conf file. Databases are not defined by their own facility in syslog.conf ; therefore, the user facility is correct. The kern facility is for kernel errors, and daemon is for daemon errors. There is no app facility. alert , err , and debug are warning levels, not facilities.

5. 

Examine the following excerpt from a syslog.conf file:

*.err;kern.notice;auth.notice             /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit  /var/adm/messages
*.alert;kern.err;daemon.err               operator
*.alert                                   root
*.emerg                                   *
mail.debug                                /var/spool/mqueue/logfile
auth.*                                    @server1

Based on the information provided, which of the following are possible destinations for daemon-generated messages? (Choose all that apply.)

  1. /dev/sysmsg

  2. /var/adm/messages

  3. operator

  4. root

  5. All logged-in users

  6. /var/spool/mqueue/logfile

  7. server1

A, B, C, D, E. Messages generated by daemons will use the daemon facility. The /var/adm/ messages file and operator user are expressly mentioned as daemon message recipients in the file. However, a daemon.alert could go to the root user, a daemon.emerg message could be written to all logged-in users, and a daemon.err could be written to /dev/sysmsg .

6. 

You are configuring logging for all computers on your Solaris 9 network. You want one of your servers to collect logged messages for all computers on the network. Which file do you edit to find the LOG_FROM_REMOTE option to set it to YES?

  1. /etc/syslog.conf

  2. /etc/default/syslogd

  3. /etc/inetd.conf

  4. /etc/default/inetd

B. The LOG_FROM_REMOTE=YES option is set within the /etc/default/syslogd file.

7. 

You are the primary Solaris administrator for your company. You have recently hired two new network administrators and you need to explain the severity levels of system logging. Which of the following is the correct order of severity, from most severe to least severe?

  1. emerg, crit, alert, err, warning, notice

  2. emerg, crit, err, alert, warning, notice

  3. emerg, alert, crit, err, warning, notice

  4. emerg, alert, err, crit, warning, notice

C. From most severe to least, the levels are emerg , alert , crit , err , warning , notice , info , debug , and none .

8. 

Examine the following excerpt from a syslog.conf file:

*.err;kern.notice;auth.notice             /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit  /var/adm/messages
*.alert;kern.err;daemon.err               operator
*.alert                                   root
*.emerg                                   *
auth.*                                    @server1
*.debug;mail.none                         /var/adm/messages
sendmail.*                                /var/spool/mqueue/log

Based on the information provided, where will messages from the sendmail service be logged?

  1. /dev/sysmsg

  2. /var/adm/messages

  3. server1

  4. /var/spool/mqueue/log

  5. sendmail messages will not be logged.

E. Because of the mail.none setting in the seventh line of the excerpt, sendmail messages will not be logged. The word sendmail is not a valid facility.

9. 

You are the Solaris administrator for your company. You want to use system logging and you currently have a default syslog.conf file on your computer. You've heard that the logger command can be used to manually enter comments into the system log file. You execute the following command:

# logger Testing to see if this logger thing works

Where should you look to see your logged message?

  1. /dev/sysmsg

  2. /var/adm/messages

  3. /var/log/syslog

  4. The console from which you issued the command.

  5. The message will not be logged.

E. The correct answer is that the message will not be logged. But why? The default priority for the logger command is user.notice , which is not defined in the default syslog.conf file. Therefore, the message will be written nowhere, and the attempted message write will silently fail. You need to either write the message with an already defined selector (with the -p option) or change the syslog.conf file to recognize user.notice messages.

10. 

You are configuring system logging on your Solaris server. Which of the following pairs are valid selectors? (Choose all that apply.)

  1. news.info

  2. auth.warning

  3. daemon.err

  4. lpr.alert

A, B, C, D. All of the provided answers are legitimate selector pairs. The possible facilities are user , kern , mail , daemon , auth , lpr , news , uucp , cron , local 0-7 , mark , and * (meaning all). The levels, from most severe to least, are emerg , alert , crit , err , warning , notice , info , debug , and none .

11. 

You are the Solaris server administrator for your company. You are configuring your external e-mail server, and you want it to record a log of all incoming TCP and UDP connections. Which file and option do you need to configure? (Choose two.)

  1. /etc/default/syslogd

  2. /etc/default/inetd

  3. /etc/syslog.conf

  4. /etc/inetd.conf

  5. LOG_FROM_REMOTE=YES

  6. ENABLE_CONNECTION_LOGGING=YES

B, F. The option you need to configure is ENABLE_CONNECTION_LOGGING , which is located in the /etc/default/inetd file.

12. 

You are the Solaris administrator for your network. You are concerned that your log files generated by syslog are getting too large and unmanageable, and you want to rotate the logs more frequently. Which file is responsible for holding the configuration for log file rotation?

  1. /usr/lib/newsyslog

  2. /etc/logadm.conf

  3. /etc/syslog.conf

  4. /etc/inetd.conf

B. The /etc/logadm.conf file contains configuration information for log file rotation. The old mechanism for rotating log files was the /usr/lib/newsyslog script, but that method is no longer used.

13. 

Examine the following excerpt from a syslog.conf file:

*.err;kern.notice;auth.notice             /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit  /var/adm/messages
*.alert;kern.err;daemon.err               operator
*.alert                                   root
*.emerg                                   *
lpr.*                                     /var/adm/log1
cron.warning                              /var/adm/log2
info.alert                                /var/adm/log3
auth.*                                    /var/adm/log4

Based on this information, which log file or files will never receive any messages? (Choose all that apply.)

  1. /var/adm/log1

  2. /var/adm/log2

  3. /var/adm/log3

  4. /var/adm/log4

C. The /var/adm/log3 file will never receive any messages. This is because the keyword info is a level, not a facility. Therefore, the word info will always appear after the period in the selector.

14. 

You are configuring the syslog service for your Solaris 9 server. Which of the following are valid destinations for logged messages? (Choose all that apply.)

  1. A filename on the local computer

  2. A remote computer, in the form of @computer

  3. The console of all logged-in users

  4. The console of a specific user or list of users

A, B, C, D. The answers represent all four valid options for the destination of logged messages. These are defined in the action field of the syslog.conf file.

15. 

Examine the following excerpt from a syslog.conf file:

*.emerg                                   *

Based on the provided information, where will emergency messages be written?

  1. To all known log files on the computer

  2. To the default system log file on the computer

  3. To the console of the operator logged into the computer

  4. To all logged-in users on the computer

D. The asterisk ( * ) in the action field tells syslog to write the message to the console of all logged-in users. Most of the time, emergency situations will be the result of the computer (or at least a critical component) failing, and all logged-in users will need to be warned.

16. 

You are configuring your Solaris server to support logging. When you boot your Solaris server, which run level starts the syslog service?

  1. 1

  2. 2

  3. 3

  4. S

B. The syslog service is started by the /etc/rc2.d/S74syslog script, which means that it's started by run level 2.

17. 

You are the Solaris administrator for your network. You are running a routine security audit and want to see who was the last user logged into the computer that you are on. You run the last command. From which database does the last command pull its data?

  1. /var/adm/wtmpx

  2. /var/adm/utmpx

  3. /var/log/syslog

  4. /var/adm/messages

A. The last command gets its information from the /var/adm/wtmpx file. The who command gets its information from the /var/adm/utpmx file.

18. 

Examine the following excerpt from a syslog.conf file:

*.err;kern.notice;auth.notice             /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit  /var/adm/messages
*.alert;kern.err;daemon.err               operator
*.alert                                   root
*.emerg                                   *
mail.debug                                /var/spool/mqueue/logfile
auth.*                                    /var/adm/authlog
user.*                                    /var/adm/userlog

You want to start tracking user logins as part of your normal security procedures. Which of the following files will contain information about user logins?

  1. /dev/sysmsg

  2. /var/adm/messages

  3. /var/adm/authlog

  4. /var/adm/userlog

C. Anything involving security processes will be logged under the auth facility. So, in this case, logins will be logged to /var/adm/authlog .

19. 

The purpose of this daemon is to collect system messages. It also interfaces with the m4 macro processor and writes system messages to the console if necessary. Which daemon is it?

  1. sysd

  2. msgd

  3. syslogd

  4. inetd

C. The explanation describes the syslogd daemon. The inetd daemon is responsible for listening for incoming network connections. The sysd and msgd daemons do not exist.

20. 

Examine the following excerpt from a syslog.conf file:

*.err;kern.notice;auth.notice             /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit  /var/adm/messages
*.alert;kern.err;daemon.err               operator
*.alert                                   root
*.emerg                                   *
mail.*                                    /var/spool/mqueue/logfile
auth.*                                    @server1

You have recently implemented the sendmail service on the server by using this syslog.conf file. You have included an option to log all mail messages to the /var/spool/mqueue/logfile file. However, this file does not exist. Which of the following will happen when a sendmail message is generated?

  1. The syslog service will attempt to write the message and silently fail.

  2. The syslog service will attempt to write the message and will create the file as necessary.

  3. The syslog service will attempt to write the message and write an error to the console when the file is not found.

  4. The syslog service will write the message to the /var/adm/messages file instead of /var/spool/mqueue/logfile.

  5. The syslog service will write the message to the /var/log/syslog file instead of/var/spool/mqueue/logfile.

A. If the log file specified in /etc/syslog.conf does not exist, the syslog service will silently fail when attempting to write the message. The file will not be automatically created, nor will an alternate log file be used.

Answers

1. 

C. The correct facility for logging security-related events is auth. Although sec, login, and security are tempting choices, none of them are legitimate facilities.

2. 

D. The file containing severity level information is sys/syslog.h. The /etc/default/syslogd and /etc/syslog.conf files contain configuration information for the syslog service. The /etc/syslogd.conf file does not exist.

3. 

A. The /var/adm/sulog file is built in and it logs all su activity. Users must use su to assume a role. The /var/log/syslog file collects system messages, not security information. In the syslog.conf file, su is not a valid facility; auth is, but it will log all information about security authorizations, which is far more than you want to log in this case.

4. 

A. The user facility logs all user-generated messages, as well as messages from applications not expressly defined in the syslog.conf file. Databases are not defined by their own facility in syslog.conf; therefore, the user facility is correct. The kern facility is for kernel errors, and daemon is for daemon errors. There is no app facility. alert, err, and debug are warning levels, not facilities.

5. 

A, B, C, D, E. Messages generated by daemons will use the daemon facility. The /var/adm/ messages file and operator user are expressly mentioned as daemon message recipients in the file. However, a daemon.alert could go to the root user, a daemon.emerg message could be written to all logged-in users, and a daemon.err could be written to /dev/sysmsg.

6. 

B. The LOG_FROM_REMOTE=YES option is set within the /etc/default/syslogd file.

7. 

C. From most severe to least, the levels are emerg, alert, crit, err, warning, notice, info, debug, and none.

8. 

E. Because of the mail.none setting in the seventh line of the excerpt, sendmail messages will not be logged. The word sendmail is not a valid facility.

9. 

E. The correct answer is that the message will not be logged. But why? The default priority for the logger command is user.notice, which is not defined in the default syslog.conf file. Therefore, the message will be written nowhere, and the attempted message write will silently fail. You need to either write the message with an already defined selector (with the -p option) or change the syslog.conf file to recognize user.notice messages.

10. 

A, B, C, D. All of the provided answers are legitimate selector pairs. The possible facilities are user, kern, mail, daemon, auth, lpr, news, uucp, cron, local0-7, mark, and * (meaning all). The levels, from most severe to least, are emerg, alert, crit, err, warning, notice, info, debug, and none.

11. 

B, F. The option you need to configure is ENABLE_CONNECTION_LOGGING, which is located in the /etc/default/inetd file.

12. 

B. The /etc/logadm.conf file contains configuration information for log file rotation. The old mechanism for rotating log files was the /usr/lib/newsyslog script, but that method is no longer used.

13. 

C. The /var/adm/log3 file will never receive any messages. This is because the keyword info is a level, not a facility. Therefore, the word info will always appear after the period in the selector.

14. 

A, B, C, D. The answers represent all four valid options for the destination of logged messages. These are defined in the action field of the syslog.conf file.

15. 

D. The asterisk (*) in the action field tells syslog to write the message to the console of all logged-in users. Most of the time, emergency situations will be the result of the computer (or at least a critical component) failing, and all logged-in users will need to be warned.

16. 

B. The syslog service is started by the /etc/rc2.d/S74syslog script, which means that it's started by run level 2.

17. 

A. The last command gets its information from the /var/adm/wtmpx file. The who command gets its information from the /var/adm/utpmx file.

18. 

C. Anything involving security processes will be logged under the auth facility. So, in this case, logins will be logged to /var/adm/authlog.

19. 

C. The explanation describes the syslogd daemon. The inetd daemon is responsible for listening for incoming network connections. The sysd and msgd daemons do not exist.

20. 

A. If the log file specified in /etc/syslog.conf does not exist, the syslog service will silently fail when attempting to write the message. The file will not be automatically created, nor will an alternate log file be used.

Team LiB
Previous Section Next Section
This HTML Help has been published using the chm2web software.