CompTIA Security Plus Mock Test Q611

The security administrator is analyzing a user’s history file on a Unix server to determine if the user was attempting to break out of a rootjail. Which of the following lines in the user’s history log shows evidence that the user attempted to escape the rootjail?

A. cd ../../../../bin/bash
B. whoami
C. ls /root
D. sudo -u root


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
On modern UNIX variants, including Linux, you can define the root directory on a perprocess basis. The chroot utility allows you to run a process with a root directory other than /.
The root directory appears at the top of the directory hierarchy and has no parent: A process cannot access any files above the root directory (because they do not exist). If, for example, you run a program (process) and specify its root directory as /home/sam/jail, the program would have no concept of any files in /home/sam or above: jail is the program’s root directory and is labeled / (not jail).
By creating an artificial root directory, frequently called a (chroot) jail, you prevent a program from accessing or modifying — possibly maliciously — files outside the directory hierarchy starting at its root. You must set up a chroot jail properly to increase security: If you do not set up the chroot jail correctly, you can actually make it easier for a malicious user to gain access to a system than if there were no chroot jail.
The command cd .. takes you up one level in the directory structure. Repeated commands would take you to the top level the root which is represented by a forward slash /. The command /bin/bash is an attempt to run the bash shell from the root level.

Incorrect Answers:
B: The whoami command is used to display the username that the user is working under. It does not signify an attempt to break out of a rootjail.
C: The ls / command is used to list the directories at the root level of the directory structure. It does not signify an attempt to break out of a rootjail.
D: The sudo -u root command is used to change the security context to that of the root user. The root user is equivalent to the Administrator account in Windows. It does not signify an attempt to break out of a rootjail.

References:
http://searchitchannel.techtarget.com/feature/Secure-your-Linux-server-with-a-chroot-jail-or-TCP-wrappers