Security Ir¶
24 cards — 🟢 6 easy | 🟡 15 medium | 🔴 3 hard
🟢 Easy (6)¶
1. Name three SSH hardening basics.
Show answer
1) Disable root login (PermitRootLogin no). 2) Use key-based auth and disable password auth. 3) Use a non-default port or restrict source IPs with AllowUsers/firewall rules. Also: enforce short session timeouts.2. Why should secrets never be committed to git?
Show answer
Git history is permanent — even if you delete the file, the secret remains in previous commits. Attackers scan public repos for leaked keys. Use environment variables, vault systems, or .gitignore to prevent exposure.3. What are the risks of granting unrestricted sudo?
Show answer
Full root access means a compromised account owns the system. Use sudoers to allow only specific commands. Log all sudo usage. Avoid NOPASSWD for privileged commands. Prefer dedicated service accounts over broad sudo.4. Why is centralized logging important for incident response?
Show answer
Attackers often tamper with local logs. Centralized logging (syslog, ELK, CloudWatch) preserves evidence, enables correlation across hosts, and provides a timeline. Without it, you may not detect or reconstruct an incident.5. Why must backup restores be tested regularly?
Show answer
Untested backups may be corrupted, incomplete, or incompatible with current systems. Regular restore drills verify RTO/RPO targets are achievable. An untested backup is not a backup — it is a hope.6. What are the six phases of incident response (NIST)?
Show answer
1) Preparation. 2) Identification/Detection. 3) Containment. 4) Eradication. 5) Recovery. 6) Lessons Learned. Each phase feeds into the next. Post-incident review improves preparation for the next event.🟡 Medium (15)¶
1. How should SSH keys be managed in production?
Show answer
Use ssh-agent or a secrets manager — never store unencrypted private keys on disk. Rotate keys periodically. Use ed25519 over RSA. Deploy keys via config management. Revoke departed users' keys immediately.2. What should you do immediately after discovering a leaked secret?
Show answer
1) Rotate/revoke the secret immediately. 2) Audit access logs for unauthorized use. 3) Remove from git history (git filter-repo or BFG). 4) Force-push cleaned history. 5) Notify affected teams. Speed matters — automated scrapers find leaked keys within minutes.3. How do you audit sudo usage on a Linux system?
Show answer
Check /var/log/auth.log or /var/log/secure for sudo entries. Use: grep sudo /var/log/auth.log. For centralized auditing, forward sudo logs to a SIEM. Also: sudoreplay if session recording is enabled.4. What log sources should you review during a Linux security incident?
Show answer
/var/log/auth.log (logins, sudo), /var/log/syslog (system events), audit.log (auditd rules), lastlog/wtmp (login history), cron logs, application logs. Also: journalctl for systemd services, and any SIEM alerts.5. What are common indicators of compromise (IOCs) on a Linux host?
Show answer
Unexpected processes or open ports, modified system binaries (check with rpm -V or debsums), new cron jobs or user accounts, unusual outbound connections, files with recent mtime in /tmp or /dev/shm, unfamiliar SSH authorized_keys entries.6. How do you check for unauthorized cron jobs?
Show answer
List all user crontabs: for u in $(cut -f1 -d: /etc/passwd); do crontab -l -u $u 2>/dev/null; done. Also check /etc/cron.d/, /etc/cron.daily/, and systemd timers (systemctl list-timers). Compare against a known-good baseline.7. What is the difference between containment and eradication?
Show answer
Containment stops the spread — isolate the host (network ACL, disable account, firewall rule) but keep evidence intact. Eradication removes the threat — delete malware, patch vulnerability, rotate credentials. Contain first, then eradicate.8. How do you contain a compromised Linux host without destroying evidence?
Show answer
1) Isolate network (iptables DROP all or unplug). 2) Do NOT reboot — volatile memory holds evidence. 3) Disable compromised accounts. 4) Snapshot disk/memory if in cloud. 5) Block known malicious IPs at the firewall. Preserve before you clean.9. What is the order of volatility in digital forensics?
Show answer
Most volatile first: 1) CPU registers/cache. 2) RAM. 3) Network connections and routing tables. 4) Running processes. 5) Disk (filesystem). 6) Remote logs/backups. Collect evidence from most volatile to least to preserve maximum data.10. How do you validate a restore after a security incident?
Show answer
1) Restore to an isolated environment. 2) Verify data integrity (checksums, record counts). 3) Scan restored data for malware/backdoors. 4) Check that the backup predates the compromise. 5) Confirm application functionality before promoting to production.11. What are common incident responder mistakes?
Show answer
1) Rebooting the system (destroys volatile evidence). 2) Running commands on the compromised host that alter state. 3) Not preserving chain of custody. 4) Alerting the attacker. 5) Skipping containment and jumping to eradication. 6) Failing to rotate all affected credentials.12. What are common Linux privilege escalation indicators?
Show answer
1) SUID binaries in unusual locations (find / -perm -4000). 2) World-writable files in PATH. 3) Weak sudo rules (sudo -l). 4) Kernel exploit artifacts in /tmp. 5) Modified /etc/passwd or /etc/shadow. 6) Unexpected setcap capabilities on binaries.13. What patterns indicate credential exposure?
Show answer
1) Secrets in environment variables visible via /proc/*/environ. 2) Credentials in shell history files. 3) Hardcoded passwords in scripts or config files. 4) API keys in git commits. 5) Tokens in URL query strings in access logs. 6) Plaintext passwords in log output.14. After credential exposure, what is the full remediation checklist?
Show answer
1) Revoke/rotate the exposed credential immediately. 2) Identify scope of access the credential granted. 3) Audit logs for unauthorized use of the credential. 4) Check for lateral movement. 5) Update all systems using the credential. 6) Add detection for the old credential in logs.15. How do you audit for overly permissive IAM or file permissions?
Show answer
Files: find / -perm -o+w -type f to find world-writable files. IAM (AWS): use Access Analyzer or review policies for Action: * or Resource: *. Locally: audit sudoers, check group memberships, review /etc/passwd for shell access. Automate with periodic scans.🔴 Hard (3)¶
1. Why is it important to avoid rebooting a compromised system during investigation?
Show answer
RAM contains running processes, network connections, loaded kernel modules, and decrypted data that are lost on reboot. Capture memory (e.g., LiME) and volatile state (ps, netstat, lsof) before any destructive action.2. How do you detect if a kernel exploit was used for privilege escalation?
Show answer
Check dmesg/syslog for kernel oops or segfaults. Look for exploit source code or compiled binaries in /tmp, /dev/shm. Check kernel version against known CVEs. Compare running kernel modules (lsmod) to baseline. Audit unexpected root processes.3. How do you establish a forensic timeline from Linux logs?