CISSP Security Architecture and Engineering • Complete Question Bank
Complete CISSP Security Architecture and Engineering question bank, with answers and detailed explanations. The scenario exhibits that accompany the questions follow.
// PKI concepts: match each concept to its description
Certification Authority (CA): issues and revokes certificates
Registration Authority (RA): verifies identity before certificate issuance
Certificate Revocation List (CRL): list of revoked certificates
Digital certificate: binds a public key to an identity
// OpenSSL verification error
ERROR: Certificate verification failed: unable to get local issuer certificate
The verifier could not find the issuer of some certificate in the presented chain among its trusted CAs, usually because the server omitted the intermediate certificate or the client's CA bundle lacks the root. The fix is to serve the complete chain or install the missing CA, not to disable verification.
// ModSecurity rule
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_URI "/login" "phase:2,deny,msg:'Login attempt detected'"
As written the rule denies every request whose URI matches /login, legitimate logins included; a rule meant only to detect would use pass,log instead of deny, and ModSecurity 2.7 and later also require a unique id: action on every rule.
// Architecture diagram description
The system is composed of three tiers: a web server in the DMZ, an application server in the internal network, and a database server in the secured network. All traffic between tiers must be encrypted using TLS. The database server only accepts connections from the application server on port 3306.
The port 3306 restriction should be enforced both at the network boundary and on the database host itself, so that a compromised web server cannot reach the database directly.
// Cisco extended ACL
access-list 100 deny tcp host 10.1.1.2 any eq 80
access-list 100 permit tcp any any eq 80
access-list 100 deny ip any any
Entries are evaluated top down and the first match wins: 10.1.1.2 is blocked from HTTP, every other source is allowed HTTP, and all other traffic is dropped (the final entry makes the implicit deny explicit so it can be logged). Reversing the first two entries would shadow the host-specific deny.
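To make the first-match semantics concrete, here is an added example (not code from the question bank) that evaluates the exhibit's ACL against constructed packets and reports entries that are shadowed once the order is changed. Cisco's `host X` is represented as `X/32`; the `Ace`, `Packet`, `evaluate` and `shadowed_entries` names are this example's own.

```python
"""First-match ACL evaluation modelled on the access-list 100 exhibit.

Added example; this is not code from the question bank. The packets below
are constructed, and Cisco's 'host X' is represented as X/32."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, dest port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, otherwise e.g. "tcp"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _net(spec: str):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in _net(ace.src) or ip_address(pkt.dst) not in _net(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match falls through to the implicit deny (index None)."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None


def shadowed_entries(acl: List[Ace], probes: List[Packet]) -> List[int]:
    """Indices of entries that some probe would match but that are never the first match."""
    first_hits = {evaluate(acl, p)[1] for p in probes}
    return [i for i, ace in enumerate(acl)
            if i not in first_hits and any(ace_matches(ace, p) for p in probes)]


# The exhibit's ACL, in the order written
ACL_100 = [
    Ace("deny", "tcp", "10.1.1.2/32", "any", 80),
    Ace("permit", "tcp", "any", "any", 80),
    Ace("deny", "ip", "any", "any", None),
]
# Same entries with the first two swapped: the host-specific deny becomes unreachable
ACL_SWAPPED = [ACL_100[1], ACL_100[0], ACL_100[2]]

# Constructed probe packets
PROBES = [
    Packet("tcp", "10.1.1.2", "203.0.113.5", 80),   # the singled-out host, HTTP
    Packet("tcp", "10.1.1.3", "203.0.113.5", 80),   # another host, HTTP
    Packet("tcp", "10.1.1.3", "203.0.113.5", 443),  # HTTPS: no permit entry, so dropped
]

if __name__ == "__main__":
    for p in PROBES:
        print(p.src, p.dport, evaluate(ACL_100, p), evaluate(ACL_SWAPPED, p))
    print("shadowed in swapped ACL:", shadowed_entries(ACL_SWAPPED, PROBES))
```

Running `shadowed_entries` against a representative probe set is a cheap way to catch unreachable entries before a change window; on the swapped ACL it reports the host-specific deny, on the exhibit's order it reports nothing.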
// sshd authentication log
Feb 10 10:23:45 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Feb 10 10:23:48 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Feb 10 10:23:50 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
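The detection a SOC would run over lines like these is a sliding-window count of failures per source and account. The following is an added example (not code from the question bank): the log lines are constructed, the first three reproducing the exhibit, and because syslog lines carry no year one is assumed at parse time; `parse_failed` and `detect_bruteforce` are this example's own names.

```python
"""Sliding-window brute-force detection over sshd 'Failed password' lines.

Added example, not from the question bank. The log lines are constructed
(the first three reproduce the exhibit); syslog lines carry no year, so one
is assumed when parsing."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, source ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines: List[str], threshold: int = 3,
                      window_s: int = 60) -> List[Tuple[str, str, int]]:
    """One alert (ip, user, count) per source that reaches `threshold` failures
    against one account within any `window_s`-second span. Lines are assumed
    to be in chronological order, as they are in a syslog file."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        key = (ip, user)
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:   # drop events that aged out
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ip, user, len(window)))
    return alerts


# Constructed sample: the exhibit's three lines plus unrelated activity
SAMPLE_LOG = [
    "Feb 10 10:23:45 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2",
    "Feb 10 10:23:48 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2",
    "Feb 10 10:23:50 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2",
    "Feb 10 10:24:01 server sshd[1240]: Accepted publickey for alice from 192.168.1.50 port 51000 ssh2",
    "Feb 10 10:30:00 server sshd[1250]: Failed password for alice from 192.168.1.50 port 51001 ssh2",
    "Feb 10 10:45:00 server sshd[1260]: Failed password for alice from 192.168.1.50 port 51002 ssh2",
    "Feb 10 10:59:00 server sshd[1270]: Failed password for alice from 192.168.1.50 port 51003 ssh2",
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

With the default 60-second window only the root attempts fire; alice's three scattered typos over half an hour do not, which is the point of windowing rather than counting totals. Widening the window to an hour catches both, which is what a low-and-slow attacker is betting you will not do.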
// Common Criteria security functional requirement (TSF access control policy)
The TSF shall enforce the Access Control SFP on all subjects and objects covered by the following rules: (a) Subjects with a security level less than the object's security level are denied read access. (b) Subjects with a security level greater than the object's security level are denied write access.
Rule (a) is the Bell-LaPadula simple security property (no read up) and rule (b) is the *-property (no write down). Together they protect confidentiality only: a subject may still write to an object at a higher level, so integrity needs a separate policy.
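The two rules reduce to a dominance check on labels. The added example below (not from the question bank) implements that decision and goes slightly beyond the SFR text by using a lattice of (level, categories) rather than a single ordered level; the level names, categories and the `Label`, `dominates` and `decide` names are constructed. Labels that are incomparable in the lattice are treated as neither less nor greater, so both read and write are denied.

```python
"""Access decisions for the two SFR rules (no read up, no write down),
generalised from a single ordered level to a lattice of (level, categories).

Added example, not from the question bank; level names and categories are
constructed. Incomparable labels are denied both read and write."""
from typing import FrozenSet, NamedTuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class Label(NamedTuple):
    level: str
    categories: FrozenSet[str] = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """a >= b: higher-or-equal level and a superset of b's categories."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def decide(subject: Label, obj: Label, op: str) -> bool:
    """Rule (a): read is denied unless the subject dominates the object (simple security).
    Rule (b): write is denied unless the object dominates the subject (*-property).
    'readwrite' needs both, which only equal labels satisfy."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    if op == "readwrite":
        return dominates(subject, obj) and dominates(obj, subject)
    raise ValueError(f"unknown operation {op!r}")


def audit(subject: Label, objects, ops=("read", "write")):
    """Decision matrix for one subject across objects, useful for reviewing a policy."""
    return {(o, op): decide(subject, o, op) for o in objects for op in ops}


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"crypto"}))
    targets = [Label("confidential"), Label("top_secret", frozenset({"crypto"}))]
    for (o, op), ok in audit(analyst, targets).items():
        print(o, op, "allow" if ok else "deny")
```

Note that `decide(subject, obj, "write")` returns True for a secret subject writing to a top-secret object with the same categories: that is the write-up the SFR permits, and it is exactly why a confidentiality-only policy is paired with an integrity model in practice.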
// T-SQL: enabling Transparent Data Encryption
USE master;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY PASSWORD = 'P@ssw0rd!';
ALTER DATABASE SalesDB SET ENCRYPTION ON;
Two problems to spot: a database encryption key is created in the user database (SalesDB, not master) and can only be protected by a server certificate or asymmetric key held in master, never by a password; and the password that does appear is hard-coded in the script.
// Security-constrained model in SELinux policy (myapp.te)
policy_module(myapp, 1.0.0)
type myapp_t;
type myapp_exec_t;
type myapp_data_t;
init_daemon_domain(myapp_t, myapp_exec_t)
allow myapp_t self:capability { dac_override };
allow myapp_t self:process { fork };
allow myapp_t myapp_data_t:file { read write create open };
myapp_data_t is used by the last rule but was not declared in the original excerpt; the declaration is added above. dac_override lets the domain bypass discretionary (mode-bit) permission checks, but the mandatory check still applies, which is what the denial below shows.
// Audit log snippet
type=AVC msg=audit(1633028000.123:456): avc: denied { read } for pid=1234 comm="myapp" name="shadow" dev="dm-0" ino=789 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
The record shows myapp_t being denied read access to a file labelled shadow_t (the label of /etc/shadow). No allow rule in the module grants that, so the policy behaved as intended.
// Cryptographic Key Usage Policy (excerpt)
Key Type: Asymmetric (RSA 2048)
Purpose: Digital Signatures
Storage: HSM
Backup: Encrypted backup to secure offsite
Rotation: Every 2 years
Destruction: Upon compromise or retirement, key must be destroyed using NIST SP 800-57 approved methods.
Recent Audit Finding:
- Key #12345 was discovered to have been exported from HSM to a plaintext file on a backup server.
- The key was later restored to the HSM for continued use.
- The backup server was not encrypted at rest.
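Returning to the AVC record above: triaging denials by hand does not scale, and most of them are benign policy gaps rather than attacks. The added example below (not code from the question bank) parses AVC records into fields and reports only denials against a watchlist of sensitive object types; the watchlist, the `parse_avc` and `triage` names, and all records except the first (which reproduces the exhibit) are constructed.

```python
"""Parse SELinux AVC records and flag denials that touch sensitive object types.

Added example, not from the question bank. The watchlist and the records are
constructed; the first record reproduces the exhibit."""
import re
from typing import List, Optional

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed watchlist of object types whose denials deserve a look
SENSITIVE_TYPES = {"shadow_t", "ssh_host_key_t", "etc_t"}


def parse_avc(record: str) -> Optional[dict]:
    """Return the record's fields as a dict, with the type component of each
    context split out as scontext_type / tcontext_type. None if not an AVC record."""
    m = AVC_RE.search(record)
    if not m:
        return None
    out = {"result": m["result"], "perms": m["perms"].split()}
    for key, value in KV_RE.findall(m["fields"]):
        out[key] = value.strip('"')
    for ctx in ("scontext", "tcontext"):          # user:role:type:level
        if ctx in out:
            out[ctx + "_type"] = out[ctx].split(":")[2]
    return out


def triage(records: List[str]) -> List[str]:
    """One finding per denial of a file labelled with a sensitive type. 'granted'
    records (auditallow) and denials against other types are left alone."""
    findings = []
    for rec in records:
        p = parse_avc(rec)
        if not p or p["result"] != "denied":
            continue
        if p.get("tclass") == "file" and p.get("tcontext_type") in SENSITIVE_TYPES:
            findings.append(
                f"{p['scontext_type']} {' '.join(p['perms'])} -> {p['tcontext_type']} ({p.get('name')})"
            )
    return findings


# Constructed records: the exhibit's denial, a benign gap in myapp's own policy
# (lock is not in the allow rule), and an auditallow hit that is not a denial
SAMPLE_AVC = [
    'type=AVC msg=audit(1633028000.123:456): avc: denied { read } for pid=1234 comm="myapp" '
    'name="shadow" dev="dm-0" ino=789 scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1633028001.000:457): avc: denied { lock } for pid=1234 comm="myapp" '
    'name="app.db" dev="dm-0" ino=790 scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:myapp_data_t:s0 tclass=file',
    'type=AVC msg=audit(1633028002.000:458): avc: granted { read } for pid=1234 comm="myapp" '
    'name="config" dev="dm-0" ino=791 scontext=system_u:system_r:myapp_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

if __name__ == "__main__":
    for line in triage(SAMPLE_AVC):
        print(line)
```

The second record is the kind of denial that usually ends up as an `audit2allow` addition (the daemon's own data type, a missing `lock` permission); the first is the kind that should never be resolved by adding an allow rule.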
// AWS CloudTrail log event (truncated)
{
"eventVersion": "1.08",
"userIdentity": {
"arn": "arn:aws:iam::123456789012:role/AdminRole",
"principalId": "AROAEXAMPLEID:admin"
},
"eventTime": "2023-08-15T14:30:00Z",
"eventSource": "kms.amazonaws.com",
"sourceIPAddress": "192.0.2.10",
"userAgent": "signer.amazonaws.com",
"requestParameters": {
"keyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256",
"messageType": "DIGEST",
"message": "base64-encoded-digest"
},
"responseElements": null,
"eventName": "Sign",
"readOnly": true,
"resources": [{
"ARN": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"accountId": "123456789012"
}],
"recipientAccountId": "123456789012"
}
// /etc/pam.d/sshd configuration
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_nologin.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_loginuid.so
session    include      system-auth
// /etc/ssh/sshd_config excerpt
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
With PasswordAuthentication and ChallengeResponseAuthentication both off, sshd never calls the PAM auth stack (public keys are checked by sshd itself); UsePAM yes still runs the account and session stacks, so pam_nologin and pam_loginuid continue to apply.
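Referring back to the CloudTrail Sign event above, the question a detection engineer asks is whether that principal should be signing with that key at all. The added example below (not code from the question bank) reviews CloudTrail records for KMS Sign calls that fall outside a per-key signing policy: a caller not on the key's signer list, or a call from an unexpected network. The policy table, the `review_sign_events` and `load_records` names, and all records except the first (which reproduces the exhibit's fields) are constructed.

```python
"""Review CloudTrail records for KMS Sign calls outside an approved signing policy.

Added example, not from the question bank. The policy table is constructed,
and so are all records except the first, which reproduces the exhibit."""
import json
from ipaddress import ip_address, ip_network
from typing import Dict, List

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed policy: for each signing key, who may call Sign and from which networks
SIGNING_POLICY: Dict[str, dict] = {
    KEY_ARN: {
        "roles": {"arn:aws:iam::123456789012:role/CodeSigningRole"},
        "networks": [ip_network("192.0.2.0/24")],
    }
}


def load_records(trail_json: str) -> List[dict]:
    """CloudTrail log files are a JSON object with a top-level 'Records' array."""
    return json.loads(trail_json)["Records"]


def _source_ok(src: str, networks) -> bool:
    try:
        addr = ip_address(src)
    except ValueError:
        # Calls an AWS service makes on the principal's behalf carry the service name here
        return src.endswith(".amazonaws.com")
    return any(addr in n for n in networks)


def review_sign_events(records: List[dict], policy: Dict[str, dict] = SIGNING_POLICY) -> List[str]:
    findings = []
    for ev in records:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") != "Sign":
            continue
        ident = ev.get("eventID") or ev.get("eventTime", "?")   # exhibit is truncated, no eventID
        key = ev.get("requestParameters", {}).get("keyId")
        caller = ev.get("userIdentity", {}).get("arn", "")
        src = ev.get("sourceIPAddress", "")
        rule = policy.get(key)
        if rule is None:
            findings.append(f"{ident}: Sign with a key not covered by the signing policy: {key}")
            continue
        if caller not in rule["roles"]:
            findings.append(f"{ident}: {caller} is not an approved signer for this key")
        if not _source_ok(src, rule["networks"]):
            findings.append(f"{ident}: Sign from unexpected source {src}")
    return findings


def _event(time: str, role: str, src: str, name: str = "Sign") -> dict:
    """Build a record with the fields the exhibit shows (constructed helper)."""
    return {
        "eventVersion": "1.08",
        "userIdentity": {"arn": f"arn:aws:iam::123456789012:role/{role}"},
        "eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
        "sourceIPAddress": src, "userAgent": "signer.amazonaws.com",
        "requestParameters": {"keyId": KEY_ARN, "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256",
                              "messageType": "DIGEST", "message": "base64-encoded-digest"},
        "recipientAccountId": "123456789012",
    }


SAMPLE_TRAIL = json.dumps({"Records": [
    _event("2023-08-15T14:30:00Z", "AdminRole", "192.0.2.10"),            # the exhibit's event
    _event("2023-08-15T14:40:00Z", "CodeSigningRole", "192.0.2.20"),      # expected use
    _event("2023-08-15T15:00:00Z", "CodeSigningRole", "198.51.100.7"),    # right role, wrong network
    _event("2023-08-15T15:05:00Z", "AdminRole", "192.0.2.10", name="GetPublicKey"),  # not a Sign
]})

if __name__ == "__main__":
    for finding in review_sign_events(load_records(SAMPLE_TRAIL)):
        print(finding)
```

A signing key used by an administrative role rather than a dedicated pipeline role is the finding the exhibit produces here; the separate check on source network catches an approved role whose credentials have been used from somewhere the pipeline does not run.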
// Windows Security Event Log excerpt
Log Name: Security
Event ID: 4672 (Special privileges assigned to new logon)
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID: 0x3e7
  Privileges: SeTcbPrivilege
Event ID: 4688 (Process Creation)
  Process Name: C:\Windows\System32\cmd.exe
  Command Line: cmd.exe /c whoami
  Parent Process: C:\Windows\System32\lsass.exe
Event ID: 4672 (Special privileges assigned to new logon)
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID: 0x3e7
  Privileges: SeDebugPrivilege, SeTcbPrivilege
The 4688 event is the indicator: lsass.exe does not spawn child processes, so a command shell running whoami under it points to code executing inside LSASS. Logon ID 0x3e7 is the SYSTEM logon session, and SeDebugPrivilege is what lets a process open handles to processes it does not own, lsass.exe included.
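The rule behind that reading is a parent/child baseline. The added example below (not code from the question bank) applies one to 4688 events and enriches each hit with the privileges most recently reported by a 4672 event for the same logon session. Events are constructed as dicts of the fields the exhibit shows (the first three mirror it, with a logon ID assumed on the 4688), and the baseline table and `detect_parent_anomalies` name are this example's own.

```python
"""Parent/child process anomaly detection over Windows Security events,
correlating 4688 (process creation) with the most recent 4672 (special
privileges) for the same logon session.

Added example, not from the question bank; events and baseline are constructed,
the first three events mirroring the exhibit."""
import ntpath
from typing import Dict, List, Set

# Constructed baseline: parents with a fixed, known set of legitimate children.
# lsass.exe creates no child processes at all, so anything under it is suspect.
PARENT_BASELINE: Dict[str, Set[str]] = {
    "lsass.exe": set(),
}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_parent_anomalies(events: List[dict]) -> List[dict]:
    """Return one finding per 4688 whose parent is in the baseline and whose
    child is not on that parent's allowed list. Events are processed in log
    order, so a finding carries only the privileges seen before it."""
    privs_by_logon: Dict[str, Set[str]] = {}
    findings = []
    for ev in events:
        if ev["EventID"] == 4672:
            privs_by_logon[ev["LogonId"]] = set(ev["Privileges"])
        elif ev["EventID"] == 4688:
            parent = _base(ev["ParentProcessName"])
            child = _base(ev["NewProcessName"])
            if parent in PARENT_BASELINE and child not in PARENT_BASELINE[parent]:
                findings.append({
                    "parent": parent,
                    "child": child,
                    "command_line": ev["CommandLine"],
                    "logon_id": ev["LogonId"],
                    "privileges": sorted(privs_by_logon.get(ev["LogonId"], set())),
                })
    return findings


# Constructed events: the exhibit's three, then a benign shell from Explorer
SAMPLE_EVENTS = [
    {"EventID": 4672, "LogonId": "0x3e7", "Account": r"NT AUTHORITY\SYSTEM",
     "Privileges": ["SeTcbPrivilege"]},
    {"EventID": 4688, "LogonId": "0x3e7",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4672, "LogonId": "0x3e7", "Account": r"NT AUTHORITY\SYSTEM",
     "Privileges": ["SeDebugPrivilege", "SeTcbPrivilege"]},
    {"EventID": 4688, "LogonId": "0x1a2b3",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in detect_parent_anomalies(SAMPLE_EVENTS):
        print(f)
```

The same `whoami` from explorer.exe is not reported: the command line alone is not the signal, the parent is. Command-line auditing (the `CommandLine` field) must be enabled for 4688 to carry it at all.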