1. The following sources all come from the same device (hostname db01, IP address 10.0.5.50) and were captured during a routine risk assessment. Use them to answer parts A through E.
Source 1 — Device Firewall Settings
| Rule Number | Action | Source | Destination | Direction | Port Number | Protocol |
|---|---|---|---|---|---|---|
| 1 | Allow | 10.0.5.0/24 | 10.0.5.50 | Inbound | 22 | SSH |
| 2 | Allow | ALL | 10.0.5.50 | Inbound | 80 | HTTP |
| 3 | Allow | ALL | 10.0.5.50 | Inbound | 443 | HTTPS |
| 4 | Allow | 10.0.5.0/24 | 10.0.5.50 | Inbound | 3306 | MySQL |
| 5 | Allow | ALL | 10.0.5.50 | Inbound | 21 | FTP |
| 6 | Allow | ALL | ALL | Outbound | ALL | ALL |
| 7 | Deny | ALL | ALL | Inbound | ALL | ALL |
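To show how the Source 1 table decides a verdict, here is an added Python example (not part of the exam) that walks the rules top-down with first-match semantics, an assumed ordering that the final catch-all Deny makes plausible, and applies them to the `[UFW BLOCK]` entry in Source 3. The destination column is omitted because every inbound rule targets this host.

```python
# Added example (not from the exam): first-match evaluation of the Source 1
# firewall rules, reproducing the [UFW BLOCK] verdicts seen in Source 3.
import ipaddress

# Rules transcribed from Source 1 as (number, action, source, direction, port).
# Every inbound rule's destination is this host (10.0.5.50), so it is omitted.
RULES = [
    (1, "Allow", "10.0.5.0/24", "Inbound", 22),
    (2, "Allow", "ALL", "Inbound", 80),
    (3, "Allow", "ALL", "Inbound", 443),
    (4, "Allow", "10.0.5.0/24", "Inbound", 3306),
    (5, "Allow", "ALL", "Inbound", 21),
    (6, "Allow", "ALL", "Outbound", "ALL"),
    (7, "Deny", "ALL", "Inbound", "ALL"),
]

def source_matches(rule_src, ip):
    """ALL matches any address; otherwise the address must lie inside the CIDR."""
    return rule_src == "ALL" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src)

def evaluate(src_ip, direction, port):
    """Walk the rules top-down (assumed first-match order) and return
    (action, rule_number) of the first match; fall back to an implicit deny."""
    for number, action, rule_src, rule_dir, rule_port in RULES:
        if rule_dir != direction or rule_port not in ("ALL", port):
            continue
        if source_matches(rule_src, src_ip):
            return action, number
    return "Deny", 0  # no rule matched (cannot happen while rule 7 is present)

def explain_ufw_block(line):
    """Pull SRC=, DST= and DPT= out of a kernel [UFW BLOCK] line (Source 3
    rows 13-14) and report which Source 1 rule produced the verdict."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    src, dport = fields["SRC"], int(fields["DPT"])
    action, number = evaluate(src, "Inbound", dport)
    return f"{src} -> {fields['DST']}:{dport} {action} by rule {number}"

# Row 13 of Source 3, copied as a sample input.
SAMPLE_BLOCK = ("Nov 12 14:22:05 db01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:1A:2B:3C:4D:5E "
                "SRC=203.0.113.88 DST=10.0.5.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41234 "
                "PROTO=TCP SPT=55432 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    print(explain_ufw_block(SAMPLE_BLOCK))          # MySQL from outside the LAN hits rule 7
    print(evaluate("203.0.113.88", "Inbound", 21))  # FTP from the same host is let in by rule 5
```

Running the same address against port 21 shows why the vsftpd failures in Source 3 reached the service while the MySQL attempt two minutes later did not.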
Source 2 — /home/dbadmin/.bash_history
cat /home/dbadmin/.bash_history
1 sudo systemctl status mysql
2 ls -la /var/log/
3 ping 8.8.8.8
4 top
5 clear
Source 3 — /var/log/auth.log
sudo tail -n 14 /var/log/auth.log
1 Nov 12 14:20:01 db01 CRON[3101]: pam_unix(cron:session): session opened for user root
2 Nov 12 14:20:01 db01 CRON[3101]: pam_unix(cron:session): session closed for user root
3 Nov 12 14:21:01 db01 vsftpd[3120]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
4 Nov 12 14:21:02 db01 vsftpd[3121]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
5 Nov 12 14:21:03 db01 vsftpd[3122]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
6 Nov 12 14:21:04 db01 vsftpd[3123]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
7 Nov 12 14:21:05 db01 vsftpd[3124]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
8 Nov 12 14:21:06 db01 vsftpd[3125]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
9 Nov 12 14:21:07 db01 vsftpd[3126]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
10 Nov 12 14:21:08 db01 vsftpd[3127]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
11 Nov 12 14:21:09 db01 vsftpd[3128]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
12 Nov 12 14:21:10 db01 vsftpd[3129]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
13 Nov 12 14:22:05 db01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:1A:2B:3C:4D:5E SRC=203.0.113.88 DST=10.0.5.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41234 PROTO=TCP SPT=55432 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
14 Nov 12 14:22:08 db01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:1A:2B:3C:4D:5E SRC=203.0.113.88 DST=10.0.5.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41235 PROTO=TCP SPT=55432 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Source 4 — /var/log/nginx/access.log
sudo tail -n 6 /var/log/nginx/access.log
1 192.168.1.15 - - [12/Nov/2024:15:01:22 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
2 192.168.1.15 - - [12/Nov/2024:15:01:25 +0000] "GET /css/style.css HTTP/1.1" 200 512 "http://10.0.5.50/" "Mozilla/5.0"
3 198.51.100.42 - - [12/Nov/2024:15:10:05 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 256 "-" "curl/7.68.0"
4 198.51.100.42 - - [12/Nov/2024:15:10:12 +0000] "GET /ping?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.68.0"
5 198.51.100.42 - - [12/Nov/2024:15:10:18 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 200 312 "-" "curl/7.68.0"
6 198.51.100.42 - - [12/Nov/2024:15:10:25 +0000] "GET /ping?host=127.0.0.1%20%26%26%20uname%20-a HTTP/1.1" 200 405 "-" "curl/7.68.0"
Source 5 — ls -l /etc/mysql/conf.d/
ls -l /etc/mysql/conf.d/
total 12
-rwxr-x--- 1 root dbadmin 1024 Nov 05 09:15 backup.sh
-rw-rw-rw- 1 dbadmin dbadmin 512 Nov 11 14:30 db_credentials.cnf
-rw-r--r-- 1 root root 256 Nov 10 10:00 mysql.cnf
Source 6 — Acceptable Use Policy
Lock device screens when stepping away from the workstation.
Apply security patches to operating systems and applications within 30 days of release.
Use of approved VPN clients for remote administration.
Connecting organization-issued peripheral devices.
Sharing user accounts or credentials with other individuals.
Storing administrative passwords or sensitive keys in plaintext files.
Modifying firewall rules or security settings without authorization.
A. Consider the policy for the device in Source 6.
(i) Explain how one part of the policy helps protect the device.
(ii) Explain how one rule in the current policy could be modified to make the device more secure. Include a specific example in your response.
B. In the authorization log, there is evidence of a password attack in rows 3–12.
(i) Describe the evidence in the log file that indicates a password attack. Include specific entries from the log file in your response.
(ii) Identify the IP address of the adversary.
C. Consider all the sources from the device.
(i) Explain how the permission settings for one file in the /etc/mysql/conf.d/ directory determine the level of access for that file for the owner, group, and all other users on the system. Include the name of the file in your response.
(ii) Other than removing all permissions from all users, describe one way the permission settings for one file on the system could be configured to restrict access for some users on the device. Include the name of the file in your response.
(iii) Using the explanation from part C (ii), write one or more chmod commands that set the permissions described.
D. Consider all the sources from the device.
(i) Explain how one connection attempt on the device was blocked by the device’s firewall. Include evidence from a log file in your response.
(ii) Other than allowing all traffic for all services, describe a modification to one firewall rule that would allow the connection attempt identified in part D (i).
(iii) Other than allowing the connection attempt identified in part D (i), describe one impact of your modification from part D (ii) on incoming or outgoing network traffic on the device.
E. Apart from the password attack identified in part B, there is evidence of another attack on the device. Consider all the sources from the device.
(i) Determine the type of attack evidenced in a log file.
(ii) Describe specific information in the log file that indicates the attack named in part E (i).
(iii) Describe one way an automated system could halt this type of attack in real time.
(iv) This attack could be mitigated by an automated system, such as a firewall, IDS, IPS, or AI. Identify a different countermeasure that could mitigate, prevent, or deter the attack.
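Both attacks on db01 leave patterns that an automated system of the kind asked about in part E (iii) can match in real time. The following added Python example (not part of the exam) runs two such detectors over lines copied from Sources 3 and 4: a per-address counter of vsftpd login failures, and a check of percent-decoded query parameters for shell metacharacters in the nginx requests. The threshold of five failures within 60 seconds is an assumed tuning value.

```python
# Added example (not from the exam): detection logic for the two attack patterns
# in Sources 3 and 4, run over lines copied from those sources.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Source 3 rows 3-12 (ten vsftpd failures, one per second), regenerated in code.
AUTH_LINES = [f"Nov 12 14:21:{s:02d} db01 vsftpd[{3119 + s}]: Failed login for "
              f"invalid user admin from 203.0.113.88 port 21 ftp" for s in range(1, 11)]
# Source 4 rows 1, 4 and 6: one benign request and two carrying injected commands.
ACCESS_LINES = [
    '192.168.1.15 - - [12/Nov/2024:15:01:22 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.42 - - [12/Nov/2024:15:10:12 +0000] "GET /ping?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.68.0"',
    '198.51.100.42 - - [12/Nov/2024:15:10:25 +0000] "GET /ping?host=127.0.0.1%20%26%26%20uname%20-a HTTP/1.1" 200 405 "-" "curl/7.68.0"',
]

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ vsftpd\[\d+\]: Failed login for "
                    r"(?:invalid )?user \S+ from (\S+) port")
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) HTTP/')
SHELL_META = re.compile(r"[;|&`\n]|\$\(")  # never legitimate inside a hostname value

def brute_force_sources(lines, threshold=5, window_s=60):
    """Map source IP -> total failures for every IP that produced at least
    `threshold` failed logins within any `window_s`-second span."""
    times = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:  # syslog timestamps carry no year; only the deltas matter here
            times[m.group(2)].append(datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
    hits = {}
    for ip, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s:
                hits[ip] = len(ts)
                break
    return hits

def injected_requests(lines):
    """Return (client_ip, decoded_value) for every query parameter whose
    percent-decoded value contains shell metacharacters."""
    found = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        for values in parse_qs(urlsplit(m.group(2)).query).values():
            found.extend((m.group(1), v) for v in values if SHELL_META.search(v))
    return found
```

Either detector's output can feed a block action on the offending source address; the nginx check also doubles as a test for whether the /ping handler validates its input at all.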