Use these Q&A to review, test, or examine learners on the practical lab: Using Access Control Techniques & Checking Logs for Unauthorized Access Attempts.

Q1. (Definition) What is Discretionary Access Control (DAC) in Linux?

A1. DAC is an access control model where the owner of a file or resource chooses who can access it. In Linux this is implemented with file ownership and permission bits (owner, group, others) using chown, chgrp, and chmod. Example: sudo chown adminuser:admins /securedata and sudo chmod 770 /securedata — owner and group have rwx, others none.

Q2. (Definition) What is Role-Based Access Control (RBAC) and how do Linux groups implement it?

A2. RBAC assigns permissions based on roles (job functions) rather than individuals. In Linux, roles are usually implemented as groups: create groups with groupadd and assign users with usermod -aG. Example: sudo groupadd students, sudo usermod -aG students student1. Files and directories can then be owned by those groups so the role controls access.

Q3. (Command) How do you create the three users student1, student2, and adminuser and verify they exist?

A3. Commands:

sudo adduser student1
sudo adduser student2
sudo adduser adminuser

# Verify
getent passwd student1
getent passwd student2
getent passwd adminuser

Expected verification shows lines from /etc/passwd with username and home directory.

Q4. (Practical) Step-by-step: Create groups students and admins, then add the users to them. Include verification commands.

A4. Steps & commands:

sudo groupadd students
sudo groupadd admins

sudo usermod -aG students student1
sudo usermod -aG students student2
sudo usermod -aG admins adminuser

# Verify
getent group students
getent group admins
groups student1
groups adminuser

Verification: groups student1 should include students; groups adminuser should include admins.

Q5. (Concept + Example) Explain numeric file permissions and decode drwxr-x--- and its numeric form.

A5. Permission format: r=4, w=2, x=1. Break into owner/group/others. For drwxr-x---: - d = directory - owner: r w x = 4+2+1 = 7 - group: r - x = 4 + 0 + 1 = 5 - others: - - - = 0 Numeric form: 750. Command: chmod 750 folder.

Q6. (Practical test) How would a student verify they cannot access /securedata and what is the expected message?

A6. As the student:

su - student1
cd /securedata

Expected: bash: cd: /securedata: Permission denied or similar. This confirms DAC blocked access.

Q7. (Logs) Which log files contain authentication and system events on Debian/Ubuntu, and how do you search them for a username?

A7. Authentication log: /var/log/auth.log. System log: /var/log/syslog. Search for username:

sudo grep "student1" /var/log/auth.log
sudo grep -i "denied" /var/log/syslog

Also use journalctl where systemd is in use: sudo journalctl -u sshd or sudo journalctl -xe | grep denied.

Q8. (Audit) What is auditd, how do you install and configure it to watch /securedata?

A8. auditd is the Linux Audit daemon that logs detailed file access events. Install & configure:

sudo apt update
sudo apt install auditd -y

# Add a watch
sudo auditctl -w /securedata -p rwxa -k securedata_watch

# Verify rules
sudo auditctl -l

Then query with sudo ausearch -k securedata_watch or sudo aureport -f to list file access events.

Q9. (Scenario) A student repeatedly tries to read an exam file. List the commands an admin uses to gather evidence (time, command, IP) and block an offending IP.

A9. Evidence commands:

sudo grep "student1" /var/log/auth.log
sudo ausearch -k securedata_watch      # if auditd installed
sudo journalctl --since "2025-01-01 10:00" | grep student1
last student1
sudo tail -n 200 /var/log/syslog

Block IP (example 192.168.100.10):

sudo ufw deny from 192.168.100.10
sudo ufw status numbered

Optionally add to /etc/hosts.deny or configure fail2ban for automated banning.

Q10. (True/False) T/F: Setting chmod 700 on /securedata allows members of the admins group to access it.

A10. False. chmod 700 grants full access only to the owner. If the owner is adminuser but the group is admins, group members will be denied. Use chmod 770 or ensure group ownership is correct (chown adminuser:admins /securedata then chmod 770).

Q11. (Command explanation) What does sudo usermod -aG students student1 do? Why is -a important?

A11. It appends user student1 to the group students. The -a (append) with -G avoids overwriting existing secondary groups. Without -a, you replace the user's supplementary groups and may inadvertently remove needed group memberships.

Q12. (Short answer) How do you lock and unlock a Linux user account?

A12. Lock: sudo usermod -L username (or passwd -l username). Unlock: sudo usermod -U username (or passwd -u username).

Q13. (Commands) How would you force password expiry after 30 days for students and verify it?

A13. Commands:

sudo chage -M 30 student1
sudo chage -M 30 student2

# Verify
sudo chage -l student1

This sets maximum password age to 30 days; chage -l lists expiry info.

Q14. (Scenario + steps) A log shows many Failed password entries from a single IP. Write the step-by-step remediation an admin should take (investigate + mitigate).

A14. Steps:

Investigate logs: sudo grep "Failed password" /var/log/auth.log | tail -n 50.
Identify IP and frequency; check lastb for failed login history.
Temporarily block IP: sudo ufw deny from .
Install & configure fail2ban to auto-ban after repeated failures: sudo apt install fail2ban and create jail for ssh.
Check compromised accounts and enforce password reset.
Document incident in a report with timestamps and actions taken.

Q15. (Practical) How do you check who ran sudo commands and when?

A15. Inspect /var/log/auth.log filtering sudo entries:

sudo grep "sudo" /var/log/auth.log | tail -n 100

You will see lines like: user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/cat /securedata/file.txt which shows the exact command executed with sudo and timestamp.

Q16. (Definition + Example) What is ACL (Access Control List) and when would you use setfacl/getfacl?

A16. ACLs provide more granular permissions than standard owner/group/others. Use ACL when several specific users need different permissions without changing file ownership or group. Example:

sudo setfacl -m u:ictuser:rx /securedata/results/grades.txt
getfacl /securedata/results/grades.txt

This gives ictuser read & execute on that file while keeping existing owner/group permissions intact.

Q17. (Troubleshooting) A student reports they can read a file under /securedata when they shouldn't. List a troubleshooting checklist.

A17. Checklist:

Check file owner/group: ls -l /securedata.
Check file permissions: stat /securedata/file.txt.
Check ACLs: getfacl /securedata/file.txt.
Check group membership of student: groups student1.
Check directory parent permissions (execute bit on parent allows entering): ls -ld /securedata.
Check for symlinks that point to world-readable locations.
Check SELinux/AppArmor context (if used): sudo getenforce or aa-status.

Q18. (Commands) How to configure audit rule that watches all reads/writes to a specific file and then show recent audit events for that file?

A18. Commands:

sudo auditctl -w /securedata/file.txt -p rwxa -k file_watch
sudo ausearch -k file_watch --start recent
# or
sudo ausearch -f /securedata/file.txt

Use aureport to create summaries: sudo aureport -f.

Q19. (Scenario) Create a short incident report template (5 fields) for unauthorized access attempts showing an example filled in.

A19. Template:

Field	Example
User	student1
Timestamp	2025-01-02 14:36:12
Event	Attempted read of /securedata/exams/semester1.pdf (Permission denied)
Evidence	/var/log/auth.log entries and ausearch output
Action Taken	Blocked IP 192.168.100.10, enabled audit rule, locked user account

Q20. (MCQ) Which command will show recent failed login attempts?
A) last B) lastb C) who D) uptime

A20. Correct answer: B) lastb. lastb reads /var/log/btmp and shows failed login attempts.

Q21. (Short) How do you permanently delete a user and its home directory?

A21. Command:

sudo deluser --remove-home username
# or with userdel
sudo userdel -r username

Be careful: this is destructive and should be logged and approved.

Q22. (Scenario + commands) A student tried sudo cat /securedata/file.txt and got denied. As admin, show the exact commands to: find the sudo attempt log lines, show the timestamp, and capture the command executed.

A22. Commands:

# Find sudo entries for student1
sudo grep "student1" /var/log/auth.log | grep sudo

# Show lines with timestamps
sudo awk '/sudo/ && /student1/ {print $0}' /var/log/auth.log

# Directly get relevant lines
sudo grep -n "sudo" /var/log/auth.log | grep student1

A sudo log line contains the timestamp and the field COMMAND= showing what the user ran with sudo.

Q23. (Advanced) Explain how SELinux or AppArmor add an extra layer beyond DAC and RBAC. Give a brief example (Ubuntu uses AppArmor by default).

A23. SELinux/AppArmor are Mandatory Access Control (MAC) systems that enforce policies at the kernel level independent of file owner/group bits. They restrict programs' abilities (what files a process may open) based on security contexts/profiles. Example (Ubuntu/AppArmor): SSHD runs with a profile that may restrict access to specific directories. Even if file permissions allow access, AppArmor can block a process from reading a file if not permitted by its profile. Check status: sudo aa-status.

Q24. (True/False) T/F: Adding a user to the admins group automatically gives them passwordless sudo access.

A24. False. Group membership alone doesn't grant passwordless sudo. Sudo behavior is controlled by /etc/sudoers or files in /etc/sudoers.d. To allow a group passwordless sudo, add a sudoers line like: %admins ALL=(ALL) NOPASSWD:ALL using visudo.

Q25. (Practical / Commands) How to enable and test audit logging, then export the logs section to a file for evidence submission?

A25. Steps:

sudo apt install auditd -y
sudo auditctl -w /securedata -p rwxa -k securedata_watch

# after reproducing the event, extract related logs
sudo ausearch -k securedata_watch --raw > /tmp/securedata_audit_raw.log
sudo aureport -f > /tmp/securedata_audit_summary.log

# Provide files for evidence
ls -lh /tmp/securedata_audit_*.log

Share these files with the incident report as evidence.

Q26. (Scenario / Troubleshoot) Student claims they see file contents copied into their home directory even though /securedata is 770. What checks do you make?

A26. Checks:

Search for copies: sudo find /home -name "filename" -type f -ls.
Check if a symlink exists: ls -l /home/student1.
Check process history or bash history: sudo cat /home/student1/.bash_history and sudo ausearch -u student1 if audit enabled.
Check if admin ran a command that copied file: check sudo logs (/var/log/auth.log).
Check backup scripts or cron jobs that may have copied files into home.

Q27. (MCQ) Which tool summarizes audit events and files accessed?
A) ausearch B) aureport C) auditctl D) getfacl

A27. Correct: B) aureport produces summaries; ausearch is for detailed searches, auditctl sets rules, and getfacl shows ACLs.

Q28. (Practical) Provide a step-by-step set of commands to: create the folder, set owner:group, set permissions, create a test file as admin, and demonstrate a permission denied as student.

A28. Commands:

# As root or sudo
sudo mkdir /securedata
sudo chown adminuser:admins /securedata
sudo chmod 770 /securedata

# Create a file as admin
sudo -i -u adminuser bash -c 'echo "SECRET" > /securedata/file.txt; ls -l /securedata'

# Now switch to student
su - student1
cat /securedata/file.txt   # Expect: Permission denied

Q29. (Policy) List 6 recommended mitigations and policies a college should adopt to reduce unauthorized access risk (brief explanations).

A29. Recommendations:

Strong password policy: expiry, complexity, reuse prevention (chage).
RBAC enforcement: assign minimum privileges via groups.
Audit logging: install auditd and monitor critical folders.
Automated banning: use fail2ban to block brute-force IPs.
Least privilege for sudo: restrict commands allowed in /etc/sudoers.d.
Incident response plan: documented steps to investigate, contain, and report incidents.

Q30. (Exam-style) Describe in detail — with commands, expected outputs, logs to check, and a short written incident report — what you would do if you observe the following: a student account student1 attempted to read /securedata/exams/final.pdf at 03:12am (outside college hours) and the system logged several permission denied entries.

A30. Full answer (step-by-step):

Immediate checks

sudo grep "student1" /var/log/auth.log | grep "03:12"
sudo ausearch -k securedata_watch --start "2025-01-02 03:10:00" --end "2025-01-02 03:15:00"
sudo tail -n 200 /var/log/syslog | grep "03:12"
last student1

Look for exact timestamps, TTY, source IP (if SSH), and command attempted.

Block & contain If IP is external: sudo ufw deny from . If suspicious, lock account: sudo usermod -L student1.

Gather evidence Export logs and audit info:

sudo grep "student1" /var/log/auth.log > /tmp/student1_auth_0312.log
sudo ausearch -k securedata_watch --raw > /tmp/securedata_audit_0312.raw
sudo cp /var/log/syslog /tmp/syslog_0312.log

Analyze Check whether it was interactive SSH or local session; check last and who. Inspect sudo lines to see if any privilege escalation happened.

Report Short incident report (example):

Incident Report — Unauthorized Access Attempt
User: student1
Date/Time: 2025-01-02 03:12:21
Event: Permission denied while attempting to read /securedata/exams/final.pdf
Evidence: /tmp/student1_auth_0312.log, /tmp/securedata_audit_0312.raw
Action Taken: Locked account (usermod -L), blocked IP  via ufw, enabled additional audit rules.
Recommendation: Reset password, review other accounts, enable fail2ban, schedule meeting with student.

Attach the exported logs and audit reports to the incident ticket.

Follow-up Review logs for previous similar behavior, check for exfiltration, verify integrity of files in /securedata, and restore normal account after investigation with a forced password reset and monitoring.

Additional resources & online practice (quick links)

Reference Book: N/A

Author name: SIR H.A.Mwala Work email: biasharaboraofficials@gmail.com
#MWALA_LEARN Powered by MwalaJS #https://mwalajs.biasharabora.com
#https://educenter.biasharabora.com

:: 2.3::

⬅ ➡