LAB 9

### Multiple-Choice Questions

#### 1. Installing Logwatch

1. What command installs Logwatch on a Debian-based system?
- a) `yum install logwatch`
- b) `apt-get install logwatch`
- c) `dnf install logwatch`
- d) `zypper install logwatch`

2. What is the primary purpose of Logwatch?
- a) To create firewall rules
- b) To monitor network traffic
- c) To analyze and summarize system logs
- d) To update system packages

#### 2. Setting up a Basic Log Server

3. Which service is commonly used to collect system logs from multiple servers?
- a) Apache
- b) rsyslog
- c) MySQL
- d) FTP

4. What file should be modified to configure rsyslog on a log server?
- a) `/etc/syslog.conf`
- b) `/etc/rsyslog.conf`
- c) `/etc/logwatch.conf`
- d) `/etc/logrotate.conf`

5. Which protocol is typically used for transmitting logs to a remote log server?
- a) HTTP
- b) SSH
- c) SMTP
- d) UDP

#### 3. Installing ClamAV and Maldet

6. What is the primary function of ClamAV?
- a) To create backups
- b) To detect and remove malware
- c) To manage user permissions
- d) To monitor system performance

7. How do you update ClamAV’s virus database on a Debian-based system?
- a) `clamav-update`
- b) `freshclam`
- c) `update-clamav`
- d) `clamav-upgrade`

8. Which command installs Maldet on a CentOS system?
- a) `apt-get install maldet`
- b) `yum install maldet`
- c) `wget http://www.rfxn.com/downloads/maldetect-current.tar.gz`
- d) `dnf install maldet`

#### 4. Configuring Maldet

9. In which directory is Maldet typically installed?
- a) `/usr/local/maldetect`
- b) `/opt/maldetect`
- c) `/var/maldetect`
- d) `/home/maldetect`

10. Which configuration file is used to set Maldet options?
- a) `/etc/maldet.conf`
- b) `/usr/local/maldetect/conf.maldet`
- c) `/etc/maldetect/maldet.conf`
- d) `/usr/local/maldetect/conf.maldetect`

#### 5. Using auditd

11. What is the purpose of auditd?
- a) To perform regular system backups
- b) To audit and monitor user activity
- c) To manage disk quotas
- d) To optimize system performance

12. Which command installs auditd on a Fedora-based system?
- a) `apt-get install auditd`
- b) `yum install auditd`
- c) `dnf install audit`
- d) `zypper install auditd`

13. What file contains the audit rules for auditd?
- a) `/etc/audit/rules.d/audit.rules`
- b) `/var/audit/audit.rules`
- c) `/etc/audit/auditd.conf`
- d) `/etc/auditd/rules.conf`

#### 6. Using Pre-configured Rules with auditd

14. What command is used to load audit rules from a file?
- a) `auditctl -R`
- b) `auditd -R`
- c) `auditrules -load`
- d) `auditconfig -R`

15. Which command adds a rule to audit all write access to `/etc/passwd`?
- a) `auditctl -a always,exit -F path=/etc/passwd -F perm=w`
- b) `auditd -a always,exit -F path=/etc/passwd -F perm=w`
- c) `auditctl -w /etc/passwd -p w`
- d) `auditrules -w /etc/passwd -p w`

#### General Knowledge

16. What does the acronym TCP/IP stand for?
- a) Transmission Control Protocol/Internet Protocol
- b) Transfer Control Protocol/Internal Protocol
- c) Transmission Control Program/Internet Program
- d) Transfer Communication Protocol/Internal Program

17. How many layers does the OSI model have?
- a) 5
- b) 6
- c) 7
- d) 8

18. Which OSI layer is responsible for data encryption?
- a) Physical
- b) Data Link
- c) Network
- d) Presentation

19. In which OSI layer does IP operate?
- a) Data Link
- b) Network
- c) Transport
- d) Session

20. Which TCP/IP layer corresponds to the OSI Transport layer?
- a) Application
- b) Internet
- c) Network Interface
- d) Transport

21. Which command lists all current audit rules?
- a) `auditctl -l`
- b) `auditd -l`
- c) `auditrules -list`
- d) `auditconfig -l`

22. What is the default log file for auditd?
- a) `/var/log/audit/audit.log`
- b) `/etc/audit/audit.log`
- c) `/usr/local/audit/audit.log`
- d) `/home/audit/audit.log`

23. Which of the following is a key benefit of using Logwatch?
- a) Real-time monitoring
- b) Detailed log summaries
- c) Automated backups
- d) Virus detection

24. How do you start the rsyslog service on a systemd-based system?
- a) `service rsyslog start`
- b) `systemctl start rsyslog`
- c) `initctl start rsyslog`
- d) `rsyslog start`

25. What command would you use to check the status of ClamAV?
- a) `clamav-status`
- b) `clamav --status`
- c) `systemctl status clamav`
- d) `service clamav status`

26. How can you manually run a scan with Maldet?
- a) `maldet --scan`
- b) `maldet -a /path/to/scan`
- c) `maldet --run /path/to/scan`
- d) `maldet -s /path/to/scan`

27. Which file extension is used for audit rule files?
- a) `.audit`
- b) `.rules`
- c) `.conf`
- d) `.log`

28. What is the main configuration file for auditd?
- a) `/etc/audit/auditd.conf`
- b) `/etc/auditd/auditd.conf`
- c) `/var/log/audit/auditd.conf`
- d) `/usr/local/auditd.conf`

29. What command installs Logwatch on a Red Hat-based system?
- a) `yum install logwatch`
- b) `apt-get install logwatch`
- c) `dnf install logwatch`
- d) `zypper install logwatch`

30. How do you update the virus definitions for ClamAV?
- a) `clamav-update`
- b) `freshclam`
- c) `clamav-upgrade`
- d) `update-clamav`

31. Which command stops the auditd service?
- a) `auditctl stop`
- b) `systemctl stop auditd`
- c) `service auditd stop`
- d) `auditd stop`

32. What port does syslog use by default?
- a) 21
- b) 22
- c) 514
- d) 80

33. Which log file does Logwatch analyze by default?
- a) `/var/log/messages`
- b) `/var/log/logwatch.log`
- c) `/var/log/syslog`
- d) `/var/log/logwatch/messages`

34. How do you restart the rsyslog service on a systemd-based system?
- a) `service rsyslog restart`
- b) `systemctl restart rsyslog`
- c) `initctl restart rsyslog`
- d) `rsyslog restart`

35. What command shows the version of ClamAV installed?
- a) `clamav --version`
- b) `clamscan --version`
- c) `clamav -v`
- d) `clamscan -v`

#### 6. Using Pre-configured Rules with auditd (cont.)

36. Which command lists all loaded audit rules?
- a) `auditctl -l`
- b) `auditd -l`
- c) `auditrules -list`
- d) `auditconfig -l`

37. What is the main purpose of using pre-configured rules in auditd?
- a) To simplify the auditing setup process
- b) To reduce the size of log files
- c) To increase system performance
- d) To backup audit logs automatically

#### 7. Logging

38. Which file is commonly used to configure log rotation?
- a) `/etc/logrotate.conf`
- b) `/var/log/logrotate.conf`
- c) `/etc/rsyslog.conf`
- d) `/etc/audit/auditd.conf`

39. What command displays the last 10 lines of a log file?
- a) `cat`
- b) `less`
- c) `head`
- d) `tail`

#### 8. Security and Hardening

40. What is the main purpose of server hardening?
- a) To increase server performance
- b) To reduce security vulnerabilities
- c) To improve network speed
- d) To simplify system administration

41. Which tool can be used to scan for open ports on a server?
- a) nmap
- b) netstat
- c) ping
- d) traceroute

42. What does the `chmod` command do?
- a) Changes file ownership
- b) Modifies file permissions
- c) Compresses files
- d) Deletes files

#### 9. Configuring and Managing Logs

43. Which command shows active log files managed by rsyslog?
- a) `rsyslogd -v`
- b) `logger -V`
- c) `ls /var/log`
- d) `lsof /var/log`

44. How do you view logs for a specific service in systemd?
- a) `journalctl -u servicename`
- b) `systemctl log servicename`
- c) `service log servicename`
- d) `syslog servicename`

#### 10. File Integrity Monitoring

45. Which tool can be used for file integrity monitoring?
- a) `tripwire`
- b) `iptables`
- c) `ufw`
- d) `nfs`

46. How do you check the integrity of a file with md5sum?
- a) `md5sum filename`
- b) `checksum filename`
- c) `integrity filename`
- d) `sha256sum filename`

#### 11. Advanced Logging and Auditing

47. What command schedules a daily Logwatch report?
- a) `logwatch --daily`
- b) `logwatch --detail High --mailto root --output mail`
- c) `crontab -e logwatch`
- d) `logwatch --daily --mail root`

48. Which auditd option sets the maximum number of audit log files?
- a) `num_logs`
- b) `max_log_file`
- c) `max_log_files`
- d) `num_log_files`

49. What does the command `auditctl -w /etc/passwd -p wa` do?
- a) Watches the `/etc/passwd` file for write access
- b) Watches the `/etc/passwd` file for write and attribute changes
- c) Watches the `/etc/passwd` file for read access
- d) Watches the `/etc/passwd` file for execute access

50. How do you remove all audit rules currently loaded?
- a) `auditctl -D`
- b) `auditd -D`
- c) `auditctl --remove-all`
- d) `auditd --remove-all`
