Exam HP0-P17 - HP-UX 11i v3 Security Administration

Exam : HP0-P17 Title : HP-UX 11i v3 Security Administration Ver : 02.27.08

Upload: rbolanoso

Post on 24-Dec-2015


Actualtests.com - The Power of Knowing

QUESTION 1
After running /usr/sbin/pwck, the following output is displayed:

    smbnull:*:101:101::/home/smbnull:/sbin/sh
    Login directory not found

What should you do to tighten the security?
A. Nothing - it is a valid system user ID.
B. Nothing - it is used by CIFS/Samba to represent "nobody" with a positive UID.
C. Edit the /etc/passwd entry to specify a dummy login directory and a false login shell.
D. Delete it from /etc/passwd. Opensource Samba installs it by default and it is not required on HP-UX.
Answer: C

QUESTION 2
Which chatr syntax enables buffer overflow protection on a per-binary basis?
A. chatr +b enable <binary>
B. chatr -es enable <binary>
C. chatr +es enable <binary>
D. chatr +bo enable <binary>
E. chatr +es default <binary>
Answer: C

QUESTION 3
What is the effect of the coreadm -e global-setid command?
A. edits the core dump file
B. reads and interprets the core dump file
C. enables the kernel for system crash dumps
D. enables setuid/setgid core dumps system wide
E. causes all running setuid programs to generate a core file
Answer: D

QUESTION 4
Identify ways HP Process Resource Manager (PRM) can protect a system against poorly designed applications. (Select three.)
A. PRM can limit the amount of memory applications may consume.
B. PRM can limit the amount of swap space applications may consume.
C. PRM can limit the amount of disk bandwidth applications may consume.
D. PRM can limit the amount of CPU resources applications may consume.
E. PRM can limit the amount of network bandwidth applications may consume.
F. PRM can limit the number of inbound network connections to configured applications.
Answer: A, C, D

QUESTION 5
What is a limitation of HP Process Resource Manager (PRM) as it applies to Denial of Service (DoS) attacks?
A. Processes must be grouped before they can be managed.
B. PRM does not perform memory capping; only entitlement and selection.
C. PRM only applies to time-shared processes; real-time processes are not affected.
D. PRM requires a separate configuration file for time-shared and real-time processes.
Answer: C

QUESTION 6
After running kctune executable_stack=2, what happens if MyProg executes code from the stack?
A. MyProg continues running without incident.
B. MyProg is killed before a single instruction can be executed.
C. MyProg continues, but logs a warning to /var/adm/syslog/syslog.log.
D. MyProg continues, but a warning message is logged to the kernel message buffer.
Answer: D

QUESTION 7
You used the dmesg command to display the warning shown in the exhibit.

Which kernel parameter setting makes this warning message appear?
A. kill_overflow is set to 1
B. exc_stack_code is set to 0
C. buffer_overflow is set to 1
D. executable_stack is set to 0
Answer: D

QUESTION 8
Which benefits does chroot provide to an application from a security perspective? (Select three.)
A. forces an application to start in a specified directory
B. allows the users to do a cd above the specified directory
C. prevents an application from starting in a specified directory
D. prevents the users from doing a cd above the specified directory
E. allows the users of the application access to the directory and the directories below it
F. prevents the users of the application access to the directory and the directories below it
Answer: A, D, E

QUESTION 9
Which commands configure an application to operate within a secure compartment? (Select two.)
A. privrun
B. privedit
C. setrules
D. cmdprivadm
E. setfilexsec
Answer: D, E

QUESTION 10
Some open source software tools use the /usr/local/sbin and /usr/local/src directories. What should you do with the /usr/local directory to maintain a secure system?
A. Verify that /usr/local and its subdirectories are not world writable.
B. Remove /usr/local/bin and /usr/local/sbin from the user's PATH variable.
C. Set permissions on /usr/local and its subdirectories to 047 so all users have access.
D. Use the swlist -l file | grep /usr/local command to see all files installed in those directories.
Answer: A

QUESTION 11
Encrypted Volume and File System (EVFS) uses which type of key to encrypt data?
A. digital certificate
B. RSA-1024 bit public key
C. RSA-2048 bit private key
D. AES-128 bit symmetric key
E. AES-256 bit asymmetric key
Answer: D

QUESTION 12
Identify where Encrypted Volume and File System (EVFS) protects data.
A. in transit
B. in the kernel
C. over the network
D. on the storage device
Answer: D

QUESTION 13
Which tool is recommended for providing file integrity information?
A. hash
B. cksum
C. crypt
D. md5sum
Answer: D

QUESTION 14
How can you grant NFS filesystem access to specific users as opposed to all users? (Select two.)
A. Specify the desired users to the /etc/dfs/sharetab entry for the mount point using the format "-access=user1:user2:user3".
B. Add the desired users to an ACL and set the permissions of the shared filesystem such that only members of the ACL can access the data.
C. Add the desired users to a group and set the permissions of the shared filesystem such that only members of the group can access the data.
D. Add the desired users to a netgroup and specify the netgroup in the /etc/dfs/sharetab entry for the mount point using the format "-access=netgroup".
Answer: B, C

QUESTION 15
Which product encrypts data on zx2-based Integrity servers?
A. HP-UX VxFS filesystem
B. HP-UX Encryption Module
C. HP-UX Trusted Computing Services
D. HP-UX Integrity Trusted Platform Module
Answer: C

QUESTION 16
Where can an HP-UX 11i v3 EVFS-encrypted backup tape from an HP Integrity rx7640 Server be restored and decrypted?
A. only on the HP-UX system where the tape was created
B. on any HP-UX system where the symmetric encryption key resides
C. on any HP-UX system where the backup owner's public key resides
D. on any HP-UX system where the backup owner's public/private key pair resides
Answer: D

QUESTION 17
Where are Trusted Computing Services (TCS) protected EVFS keys stored?
A. HP-UX kernel
B. EVFS volume
C. system stable storage
D. HP-UX root file system
E. Trusted Platform Module
Answer: D

QUESTION 18
Which statement is true regarding an HP-UX VxFS filesystem using ACLs?
A. Default ACLs can only be placed on a file.
B. Default ACLs have the same owner as the owner of the file the ACL controls.
C. A directory's ACL can have default entries that are applied to files subsequently.
D. An ACL has an owner that can be different from the owner of the file the ACL controls.
Answer: C

QUESTION 19
In order to restrict the access to the /etc/group file through FTP, which statement should be included in the /etc/ftpd/ftpaccess file?
A. noaccess /etc/group
B. noretrieve /etc/group
C. accessdeny /etc/group
D. suppressaccess /etc/group
Answer: B

QUESTION 20
Identify the features of the TCP Wrappers product. (Select three.)
A. enhances cryptographic authentication
B. provides protection against IP address spoofing
C. provides protection against hostname spoofing
D. provides data encryption on TCP "wrapped" connections
E. provides enhanced protection for RPC daemons using TCP/IP connections
F. provides enhanced security for daemons managed by inetd using TCP/IP connections
G. may be configured to provide enhanced security for any daemon using TCP/IP connections
Answer: B, C, F

QUESTION 21
Select the IPFilter rule that will help protect the system from a Denial of Service attack against SMTP (sendmail) from the 14.13.45 network.
A. pass in proto tcp from 14.13.45.0-14.13.45.255 to any port 25 keep limit 10 cumulative
B. pass in proto tcp from 14.13.45.0-14.13.45.255 to any port 25 keep allow 10 cumulative
C. pass in quick proto tcp from 14.13.45.0-14.13.45.255 to any port 25 keep limit 10 cumulative
D. pass in quick proto tcp from 14.13.45.0-14.13.45.255 to any port 25 keep max_conn 10 cumulative
Answer: C

QUESTION 22
Based on the netstat -in output below, which IPFilter rule disables incoming telnet connections to 192.1.1.8?

    Name  Mtu    Network    Address    Ipkts     Ierrs  Opkts    Oerrs  Coll
    lan3  1500   193.1.1.0  193.1.1.8  6543      0      2        0      0
    lan1  1500   192.1.1.0  192.1.1.8  12892     0      124      0      0
    lan0  1500   10.10.1.0  10.10.1.8  45023151  0      394005   0      0
    lo0   32808  127.0.0.0  127.0.0.1  1138975   0      1138978  0      0

A. deny in telnet log quick on lan1 proto tcp from any to any
B. grant all,!telnet in log quick on lan1 proto tcp from any to any
C. disable in log quick on 192.1.1.8 proto tcp from any to any telnet
D. block return-rst in log quick on lan1 proto tcp from any to any port = 23
Answer: D

QUESTION 23
In order to avoid including the system's hostname and ftpd version in the FTP login banner, which file should be edited?
A. /etc/inetd.conf
B. /etc/ftpd/ftp-exec
C. /etc/ftpd/ftpaccess
D. /etc/ftpd/ftpservers
Answer: C

QUESTION 24
Which service should be disabled to prevent a remote user from gathering user names on the local system?
A. rup
B. rwho
C. rusers
D. finger
Answer: D

QUESTION 25
Which feature set does Nessus offer for securing HP-UX systems?
A. a packet sniffer, packet logger, and network intrusion detection system
B. a tool that provides limited root privileges to specified users, and logs the root activity
C. a remote scanner tool used to automate the testing and discovery of known security problems
D. a security and data integrity tool used to monitor and alert administrators of specific file changes
Answer: C

QUESTION 26
In order to avoid including the ftpd version in the FTP login banner, which statement should be included in the /etc/ftpd/ftpaccess file?
A. suppresssysinfo yes
B. suppressversion yes
C. avoidftpdversion yes
D. suppressftpdversion yes
E. DO_NOT_PRINT_VERSION yes
Answer: B

QUESTION 27
When using HP Secure Shell, what should be used whenever possible to ensure the most secure communication?
A. ~.rhosts
B. SSH protocol v1
C. SSH protocol v2
D. SSH X11 forwarding
E. SSH agent forwarding
F. /etc/hosts.equiv
Answer: C

QUESTION 28
Which command configures NIS clients so that they bind to a list of specified NIS servers in a specific order rather than send UDP broadcasts to locate available servers?
A. ypset
B. ypinit -c
C. ypbind -ypset
D. ypbind -ypsetme
Answer: B

QUESTION 29
When configuring an LDAP-UX client, which option enables authenticated access and encrypted traffic to the LDAP Server?
A. 3DES/PKI
B. TLS/SHA1
C. AES/Public Key
D. TLS/SASL Digest MD5
Answer: D

QUESTION 30
Which HP-UX 11i v3 daemon implements the nfsauth service, which is responsible for handling NFS authentication requests?
A. nfsd
B. nfsauthd
C. rpc.statd
D. nfsmapid
E. rpc.mountd
Answer: E

QUESTION 31
Given the following contents of the PAM_AUTHZ config file:

    deny:unix_group:groupB
    allow:unix_user:user1,user2,user3,user4
    allow:unix_group:groupA
    deny:unix_group:groupC
    allow:unix_local_user

If user1 is a member of groupA and groupC and user2 is a member of groupB, which statement is true?
A. user1 and user2 are both denied access.
B. user1 and user2 are both granted access.
C. user1 is denied access and user2 is granted access.
D. user1 is granted access and user2 is denied access.
Answer: D

QUESTION 32
Which non-secure server-side components can you replace with the HP-UX Secure Shell product? (Select three.)
A. ftpd
B. rcpd
C. rpcd
D. rlogind
E. fingerd
F. remshd
Answer: A, D, F

QUESTION 33
Which feature of BIND helps prevent DNS cache poisoning?
A. disabling TTL
B. using TXT records
C. enabling DNSSEC
D. authenticated SOA records
Answer: C

QUESTION 34
HP Secure Internet Services provides which feature?
A. SSL enabled webserver
B. SSL enabled ARPA commands
C. Kerberos versions of ARPA commands
D. secure remote login services based on OpenSSH
Answer: C

QUESTION 35
Which file specifies which NIS clients are permitted to bind to an NIS server?
A. /etc/secureclients
B. /var/yp/securenets
C. /etc/secureservers
D. /var/yp/securebinds
E. /var/yp/secureclients
Answer: B


QUESTION 36
Match each tool with the correct functionality.

Answer:

QUESTION 37
If you must have a guest account, which steps can you take to limit system access for the account? (Select three.)
A. Use a restricted shell for the account.
B. Assign permissions with chmod -R 555 /home/guest.
C. Assign permissions with chmod -R 666 /home/guest.
D. Assign permissions with chmod 444 /home/guest/.profile.
E. Assign ownership with chown -R guest:guest /home/guest.
Answer: A, B, D

QUESTION 38
Which features does Bastille provide? (Select two.)
A. encrypts filesystems
B. installs latest security patches
C. searches for and deletes SUID files
D. disables unsecure network services
E. checks the system and provides an assessment report
Answer: D, E

QUESTION 39
If an HP-UX system has Standard Mode Security Extension (SMSE) in use, which directory contains the individual settings for a user (e.g. PASSWORD_MINDAYS)?
A. /etc/passwd
B. /tcb/files/auth
C. /var/adm/userdb
D. /etc/default/security
Answer: C

QUESTION 40
What is the security risk of the following entries in /etc/passwd?

    root:x:0:3:John Doe:/:/sbin/sh
    oper:x:101:3:Operators:/:/sbin/sh

A. Both users have the same UID.
B. Both users have the same shell.
C. These users do not have passwords.
D. The root user does not have a unique home directory.
Answer: D

QUESTION 41
Which functions does the HP-UX Host Intrusion Detection System (HIDS) perform? (Select two.)
A. provides a Java-free system for greater security
B. prevents attacks by blocking configured suspicious activity
C. takes action against the intrusion as programmed with customized response scripts
D. sends an alert to the HIDS administrator when HIDS detects a possible intrusion attempt
E. detects system security flaws such as illegitimate accounts in the password file when HIDS was installed
Answer: C, D

QUESTION 42
Which statements are true regarding the user's roles determined by HP-UX Role-Based Access Control (RBAC) authorization? (Select two.)
A. Roles can be assigned to multiple users.
B. Roles should be aligned with job responsibilities.
C. Roles are configurable using the rbacadm command.
D. The administrator should only assign one role per user.
E. The administrator can create roles but they cannot be deleted.
Answer: A, B

QUESTION 43
What does mounting a file system using the nosuid option do?
A. prevents SUID files from being seen
B. disables the SUID functionality of files
C. prevents a user from creating SUID files
D. configures the filesystem to mount successfully if there are no SUID files
Answer: B

QUESTION 44
Based on the information in the exhibit, what is the outcome of this user failing their third login attempt?
A. The terminal the user is on will be locked until administratively released.
B. The user can continue with login attempts because u_lock is set to @.
C. The user will not get a third try because u_numunsuclog is set to two (2).
D. The user account will be administratively disabled until administratively reinstated.
Answer: D

QUESTION 45
What will occur if the HP-UX Host Intrusion Detection System (HIDS) System Manager agent stops working for any reason and intrusion events occur on a monitored host?
A. The HIDS Client agent will convert to the HIDS System Manager by default.
B. The HIDS Client agent will signal looking for the alternate HIDS System Manager.
C. The HIDS Client agent records the events in the /var/opt/ids/alert.log file on the monitored node.
D. The HIDS Client agent records the events in the /tmp/ids/alerts.log file and waits for the HIDS System Manager agent to return.
Answer: C

QUESTION 46
After installing Tripwire, which configuration steps are required to use it? (Select two.)
A. Install the Tripwire license.
B. Configure the files to be monitored in the twpol.txt file.
C. Configure the files to be monitored in the twconf.txt file.
D. Create the site and local keys to prevent unauthorized changes to Tripwire.
E. Enable the tripwired daemon so file changes will be reported just-in-time.
Answer: B, D

QUESTION 47
The following is part of the /etc/pam.conf file. Using these settings, in which situation is login successful?

    login auth required libpam_hpsec.so.1 debug
    login auth required libpam_unix.so.1 debug
    login auth optional libpam_inhouse.so.1

A. if the authentication was successful for the hpsec module only
B. if the authentication was successful for the inhouse module only
C. if the authentication was successful for the hpsec and the unix module
D. if the authentication was successful for the unix and inhouse modules, but unsuccessful for the hpsec module
Answer: C

QUESTION 48
Match the Install-Time Security options with their descriptions.

Answer:

QUESTION 49
Why should the "sticky bit" be set for directories containing temporary files (like /tmp)?

    drwxrwxrwt 9 root root 8192 Sep 10 16:58 /tmp

A. to allow only the owner of a file in the directory to read it
B. to allow only the owner of a file in the directory to delete it
C. to allow only the owner of a file in the directory to execute it
D. to allow only the owner of a file in the directory to write to it
Answer: B


QUESTION 50
To restrict root login to the console, which file must be configured?
A. /etc/services
B. /etc/securetty
C. /etc/inetd.conf
D. /etc/default/security
Answer: B

QUESTION 51
HP-UX Role-Based Access Control (RBAC) can be configured using which command?
A. privrun
B. rbacdvck
C. authadm
D. rbacadm
Answer: C

QUESTION 52
Which iLO 2 security features can be utilized to help harden an HP-UX system? (Select three.)
A. Kerberos authentication
B. user-defined TCP/IP ports
C. user accounts and access management
D. encrypted communication using SSL and SSH
E. account lockout after maximum incorrect logins
F. synchronization of iLO 2 user accounts with /etc/passwd
G. NIS-based directory services authentication and authorization
Answer: B, C, D

QUESTION 53
You want to configure the password history mechanism to prevent users from re-using any of their previous 3 passwords. In which file should you set the following configuration line?

    PASSWORD_HISTORY_DEPTH=3

A. /etc/tcb/default
B. /etc/tcb/security
C. /etc/default/security
D. /etc/default/password
Answer: C


QUESTION 54
What is the recommended command to configure sudo?
A. visudo
B. sudoadm
C. visudoer
D. vi /etc/sudo
Answer: A

QUESTION 55
In an HP-UX 11i v3 system, what is the recommended way to restrict the login time for a single user?
A. Edit the parameter LOGIN_TIMES in /var/adm/security.
B. Use the userdbset command with the LOGIN_TIMES parameter.
C. Write a shell script to lock/unlock the user account and add it as a cronjob.
D. Convert the system to a Trusted System and use the modprpw command with the timeod parameter.
Answer: B

QUESTION 56
You are trying to secure a system that is equipped with a Management Processor (MP). Assuming default values are applied, how can physical access to the console be accomplished? (Select two.)
A. auxiliary port
B. MP LAN port
C. USB console
D. serial console
Answer: B, D

QUESTION 57
If you install a new system, which steps should you take to secure the iLO 2 Management Processor (MP)? (Select two.)
A. Disable the telnet protocol using the SA command.
B. Connect the MP LAN port to the corporate intranet network.
C. Change the password for the root user using the UC command.
D. Change the password for the Admin user using the UC command.
Answer: A, D


QUESTION 58
Which feature does HP-UX Boot Authenticator provide?
A. provides SSH access to the boot console
B. blocks access to boot console for the iLO Management Processor (MP)
C. prevents unauthorized users from booting the system into single-user mode
D. prevents unauthorized users from logging into the system in single-user mode
Answer: D

QUESTION 59
When trying to control and monitor physical access to your data center, what are good practices? (Select two.)
A. Install surveillance cameras at the entrances and exits.
B. Keep logs of all persons entering and exiting your facility.
C. Change passwords every 60 - 90 days on enterprise systems.
D. Make sure all exterior dumpsters and trash receptacles are locked.
Answer: A, B

QUESTION 60
How does Trusted Platform Module (TPM) on zx2-based Integrity servers mitigate the security exposure to EVFS encrypted data? (Select two.)
A. protects data against theft of the system
B. protects data against theft of the system root disk
C. protects data against theft of the root user password
D. protects data against theft of the system mother board
E. protects data against theft of a configured storage device
Answer: B, E

QUESTION 61
Which general guidelines does HP offer regarding security auditing procedures? (Select two.)
A. Periodically revise the list of audited users.
B. Use a fixed pattern for selecting audited users.
C. Use a fixed pattern for selecting audited events.
D. Retain audit logs for two years to allow time for review if necessary.
E. Use audsys to switch log files and backup the previous log file to tape.
Answer: A, E

QUESTION 62
Which command configures HP-UX Host Intrusion Detection System (HIDS) for monitoring a remote host?
A. /opt/ids/bin/idsgui
B. /opt/ids/bin/hbdgui
C. /opt/ids/bin/idsmgr
D. /opt/ids/bin/hbdmgr
Answer: A

QUESTION 63
Which Install-Time Security option is the most secure?
A. Sec00Tools
B. Sec10Host
C. Sec20DMZ
D. Sec30DMZ
Answer: D

QUESTION 64
The Bastille utility asks which measures should be applied on the administrator's system, then records the administrator's responses in an ASCII file, called /etc/opt/sec_mgmt/bastille/config by default. Which command can then be run to automatically apply the requested changes?
A. /etc/opt/sec_mgmt/bastille/config_fix
B. /etc/opt/sec_mgmt/bastille/config_app
C. /opt/sec_mgmt/bastille/bin/bastille -b
D. /opt/sec_mgmt/bastille/bin/bastille -r
Answer: C

QUESTION 65
Temporary usage of specific root privileges for non-root users can be accomplished using which commands? (Select two.)
A. sudo
B. rbac
C. runas
D. privadm
E. privrun
F. cmdprivadm
Answer: A, E


QUESTION 66
The Management Processor (MP) password file is stored in which location on an Integrity HP-UX system?
A. /etc/passwd
B. EFI boot partition
C. /etc/mp/passwd
D. MP non-volatile RAM
Answer: D

QUESTION 67
Which actions restrict access from terminals attached to the system using a serial interface?
A. Edit /etc/inittab and run init q.
B. Edit /etc/inittab and run init c.
C. Edit /etc/inetd.conf and run inetd q.
D. Edit /var/adm/inetd.sec and run inetd c.
Answer: A

QUESTION 68
Using HP-UX Role-Based Access Control (RBAC), a user has been assigned a role with the authorization hpux.security.password,*. What does this allow the user to do? (Select two.)
A. Modify the root password if it is known.
B. Modify the password of any non-root user.
C. Add a new local account and set its password.
D. Use the -f option to expire the password of any user.
E. Use the -s option to display the password attributes of any user.
Answer: B, E

QUESTION 69
What is a disadvantage of using lastb as an intrusion detection tool?
A. It does not display root logins.
B. A hacker could modify the file.
C. It only uses the /var/adm/utmp file.
D. It only uses the /var/adm/btmp file.
Answer: B

QUESTION 70
Identify the correct method to restrict the number of users who can su to root.
A. Use the userdbset command with the ALLOW_SU_ROOT parameter for the users required to become root.
B. Assign the users who need to become root to a group and edit the ALLOW_SU_ROOT parameter in /etc/security.dsc.
C. Assign the users who need to become root to a group and edit the SU_ROOT_GROUP parameter in /etc/default/security.
D. Assign the users who need to become root to a group and edit the SU_ROOT_GROUP parameter in /etc/default/security.dsc.
Answer: C

QUESTION 71
Based on the information in the exhibit:

What is the outcome of this user failing their third login attempt?
A. The terminal the user is on will be locked until administratively released.
B. The user cannot login until the administrator uses passwd to modify the account.
C. The user cannot login until the administrator uses userdbset to modify the account.
D. The user will not get a third try because NUMBER_OF_LOGINS_ALLOWED is set to two (2).
Answer: C

QUESTION 72
Match each HP Role-Based Access Control (RBAC) component with the file where the data is stored.

Answer:

QUESTION 73
Which tool configures security parameters on a system?
A. /usr/sbin/secmgr
B. /usr/sbin/secweb
C. /usr/lbin/secconf
D. /usr/lbin/secadm
Answer: B

QUESTION 74
You executed the following command:

    # find / -perm -2000 -type f > original.txt

and then a week later, executed these additional commands:

    # find / -perm -2000 -type f > current.txt
    # diff original.txt current.txt

What result is displayed?
A. a list of new SGID programs
B. a list of new SUID and SGID programs
C. a list of new programs with write privilege for root
D. a list of new programs with read and write privilege for root
Answer: A

QUESTION 75
To enforce a password strength policy, which file needs to be configured?
A. /etc/passwd
B. /etc/shadow
C. /etc/securetty
D. /etc/default/security
Answer: D

QUESTION 76
When using HP-UX Trusted Computing Services (TCS), which command creates an Encrypted Volume and File System (EVFS) private key that is encrypted with the Trusted Platform Module (TPM) roaming key?
A. tpmadm keygen
B. evfsvol keygen
C. evfspkey keygen
D. tpmencrypt private_keyname
Answer: C

QUESTION 77
What can you use to enable the Trusted Platform Module (TPM) on zx2-based Integrity servers? (Select two.)
A. EFI Boot Manager
B. command line EFI shell
C. secenable command
D. tpmconfig command
E. System Management Homepage
Answer: A, B


QUESTION 78
Using the exhibit:

What can you determine regarding the security enhancements or settings?
A. EVFS is used
B. umask is set to 067
C. sticky bit is set on 'data'
D. access control lists are used
E. security containment is enabled
Answer: D

QUESTION 79
Using the exhibit:

What can you determine regarding the security of the directory?
A. The SGID bit is set.
B. The sticky bit is set.
C. Access control lists are used.
D. Security containment is enabled.
Answer: B

QUESTION 80
Which commands must be executed against an HP-UX 11i v3 EVFS-encrypted filesystem prior to creating an encrypted data backup tape? (Select two.)
A. mount
B. umount
C. evfsadm map
D. evfsvol enable
E. evfsvol disable
Answer: B, E

QUESTION 81
On HP-UX 11i v3, which NFS version or versions support management of ACLs from the NFS client system?
A. version 2 only
B. version 3 only
C. version 4 only
D. versions 2 and 3
E. versions 3 and 4
F. versions 2, 3 and 4
Answer: F

QUESTION 82
HP-UX Security Containment (compartments) enforces which feature?
A. secure attestation
B. principle of least privilege
C. mandatory access control
D. encrypted file system access
Answer: C

QUESTION 83
Which HP-UX tool allows you to disable the ability to generate a core dump from a setuid/setgid program?
A. coreadm
B. safecore
C. coreopts
D. dumpcore
E. coreprotect
Answer: A

QUESTION 84
What is a benefit of configuring SSH in a chroot environment?
A. prevents users from seeing processes run by other users
B. limits processing resources available to the user's workload
C. restricts users from accessing connected network resources
D. prevents users from accessing files outside their assigned environment
Answer: D

QUESTION 85
Which privilege can be set on a program to allow it to bind to port 80 instead of running the program with an effective UID of 0?
A. PRIV_BIND
B. PRIV_EXEC
C. PRIV_NETADMIN
D. PRIV_NETPRIVPORT
Answer: D

QUESTION 86
Which kernel parameter globally controls the buffer overflow protection mechanisms in HP-UX?
A. overflow_stack
B. buffer_overflow
C. overflow_protect
D. executable_stack
E. executable_protect
Answer: D

QUESTION 87
Match each administrative security action with its effect.

Answer:


QUESTION 88 A program needs to bind on port 80. Instead of running the program with an effective UID of 0, the program can be configured to execute with the NETPRIVPORT privilege. Which command is used to set this privilege on the program? A. setacl B. privadm C. setparms D. setfilexsec Answer: D

QUESTION 89 Which command activates Secure Internet Services? A. /sbin/sis start B. /sbin/init.d/inetsvcs start C. /usr/sbin/inet enable sis D. /usr/sbin/inetsvcs_sec enable Answer: D

QUESTION 90 Which feature set does Snort offer for securing HP-UX systems? A. a packet sniffer, packet logger, and network intrusion detection system B. a program that provides limited root privileges to specified users, and logs the root activity C. a security and data integrity tool used to monitor and alert administrators of specific file changes D. a remote security scanner tool used to automate the testing and discovery of known security problems Answer: A

QUESTION 91 Which actions can help prevent discovery of running applications using a port scanner? (Select two.) A. disable inetd B. configure a firewall C. configure TCPWrapper D. disable unnecessary services E. configure /etc/hosts.deny Answer: B, D

QUESTION 92 Which statements regarding HP-UX IPSec are true? (Select two.) A. HP-UX IPSec supports Entrust Certificates. B. HP-UX IPSec can act as an IPSec gateway. C. IP traffic is always encrypted when using HP-UX IPSec. D. All IP traffic between the two IPSec systems is encrypted. E. HP-UX IPSec uses symmetric keys for AH and ESP encryption. Answer: A, E

QUESTION 93 Which types of access does the following NFS share syntax allow for the /var filesystem? (Select three.) # share -F nfs -o sec=krb5,rw,sec=sys,rw=hosta /var A. read/write access to any clients authenticated via AUTH_SYS B. read/write access to any clients authenticated via Kerberos v5 C. read/write access to the AUTH_SYS authenticated client "hosta" D. no access to clients authenticated via AUTH_SYS except "hosta" E. read-mostly access to any clients authenticated via Kerberos v5 F. read-mostly access to the AUTH_SYS authenticated client "hosta" G. read-only access to clients authenticated via AUTH_SYS except "hosta" Answer: B, C, G

QUESTION 94 Your customer has a client-server application that communicates over a TCP/IP network in clear text. Which feature can be used to encrypt a clear text network connection? A. SSH B. Snort C. IPTunnel D. Kerberos Answer: A

QUESTION 95 Which file restricts NIS clients so they can only bind to specified NIS servers? A. /var/yp/securenets B. /var/yp/securebinds C. /var/yp/secureclients D. /var/yp/secureservers Answer: D

QUESTION 96 Match each product with the correct functionality.

Answer:

QUESTION 97 Which service should be disabled to prevent a remote user from gathering user names on the local system? A. rup B. rwho C. rusers D. finger Answer: D

QUESTION 98 Which NFS v4 security features are available on HP-UX 11i v3? (Select two.) A. using Kerberos V5 for user authentication B. using Diffie-Hellman public key system to encrypt data C. using UID and GID numbers to uniquely identify users and groups D. using port 2049 for the arrival of all NFS v4 requests, making it easier to restrict access with IPFilter or other firewalls E. using port 2049 for all NFS v4 requests, except mount and file lock requests, making it easier to restrict access with IPFilter or other firewalls Answer: A, D

QUESTION 99 In order to avoid including the system's hostname in the FTP login banner, which statement should be included in the /etc/ftpd/ftpaccess file? A. suppresssystemid yes B. avoidhostname yes C. suppresshostname yes D. DO_NOT_PRINT_HOST_NAME yes E. suppresssysinfo yes Answer: C

QUESTION 100 What kind of security breaches or misuses does the HP-UX Host Intrusion Detection System (HIDS) monitor? (Select four.) A. port scanning B. packet analysis C. password guessing D. unauthorized file modification E. poorly written privileged programs F. weak password or unauthorized access Answer: C, D, E, F

QUESTION 101 Which configuration files do TCP Wrappers utilize to prevent hackers from "spoofing" IP addresses? (Select two.) A. /etc/tcpd.deny B. /etc/inetd.deny C. /etc/tcpd.allow D. /etc/hosts.deny E. /etc/inetd.allow F. /etc/hosts.allow Answer: D, F

QUESTION 102 Which security setting provides data encryption on NFS v3 or v4 File systems? A. dh B. krb C. sys D. krb5 E. krb5i F. krb5p Answer: F

QUESTION 103 In order to restrict the access to the /etc/passwd file through ftp, which statement should be included in the /etc/ftpd/ftpaccess file? A. noaccess /etc/passwd B. noretrieve /etc/passwd C. accessdeny /etc/passwd D. suppressaccess /etc/passwd Answer: B

QUESTION 104 A customer wants to configure their rpc.rexd service so that only IP address 192.10.10.14 is allowed access. Which /var/adm/inetd.sec syntax accomplishes this? A. rexd allow 192.10.10.14 B. allow 192.10.10.14 rexd C. rpc.rexd allow 192.10.10.* D. 192.10.10.14 allow rpc.rexd E. rpc.rexd allow 192.10.10.14 Answer: A

QUESTION 105 How does HP-UX Boot Authenticator secure booting into single-user mode? (Select two.) A. with trusted systems B. with Security Containment C. with physical console access D. with the system root password E. with a configured user and password Answer: D, E

QUESTION 106 What are methods of accomplishing physical security? (Select three.) A. encryption B. biometrics C. tape backup D. locks and keys E. account policies Answer: A, B, D