Practice XK0-005 Security questions with full explanations on every answer.
1. A system administrator notices that an unauthorized user gained access to a server via SSH using a compromised user account. Which security measure should be implemented to prevent such attacks in the future?
2. A Linux administrator needs to ensure that only the root user can run commands in the /usr/local/bin/scripts directory. Which command should be used to set the appropriate permissions?
3. A security audit reveals that the /etc/shadow file has permissions 777. Which command should be used to correct this vulnerability?
4. A Linux server is configured to allow SSH access for remote administration. The security team wants to limit SSH access to only users in the 'ssh-users' group. Which configuration should be added to /etc/ssh/sshd_config?
5. A Linux administrator is configuring a firewall using iptables to allow incoming HTTP and HTTPS traffic but block all other incoming traffic. Which set of rules should be applied?
6. A Linux administrator is hardening a server. Which TWO actions are effective in preventing unauthorized access via SSH? (Select TWO.)
7. A security audit identified that the /tmp directory is world-writable. Which THREE steps should be taken to secure /tmp on a Linux system? (Select THREE.)
8. Refer to the exhibit. The system administrator runs the command 'auditctl -l' and sees the above rules. What is the purpose of these audit rules?
9. Refer to the exhibit. Alice is the owner of file.txt. Bob is a member of the staff group. What permissions does Bob have on file.txt?
10. A system administrator needs to restrict SSH access to a Linux server to only users in the 'sshusers' group. Which configuration change achieves this?
11. A security audit reveals that the /var/log directory has permissions 777. The administrator needs to ensure that only root can write to log files, while still allowing users to read system log files. Which command should the administrator run?
12. A company's security policy requires that all user passwords must expire every 90 days. The administrator runs 'chage -M 90 jdoe' for user jdoe. Which additional step ensures that the password expiration policy is enforced for all new users?
13. A Linux administrator discovers that a user's home directory contains a file with the setuid bit set, owned by root. The file is not part of any authorized software. What is the most appropriate immediate action?
14. Which TWO of the following are valid methods to enforce disk quota limits on a Linux filesystem? (Select TWO.)
15. Scenario: A financial services company runs a critical application on a Linux server that stores sensitive customer data. The server is configured with a firewall (iptables) that only allows SSH (port 22) and HTTPS (port 443) from the internal network (10.0.0.0/8). Recently, the security team detected unauthorized access attempts from an external IP address (203.0.113.5) targeting port 22. The administrator needs to block this specific IP while maintaining current access rules. The existing iptables rules are:
    - INPUT chain policy ACCEPT
    - Rule 1: -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    - Rule 2: -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    - Rule 3: -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
    - Rule 4: -A INPUT -j DROP
    The administrator wants to block 203.0.113.5 from any access. Which command should be added?
16. Scenario: A cloud hosting company uses SELinux in enforcing mode on all Linux servers. A developer reports that a custom web application running under Apache (httpd) is unable to write log files to /var/log/myapp/. The directory /var/log/myapp/ has permissions 755 and is owned by root:root. The httpd process runs as the 'apache' user. The administrator checks the SELinux context: /var/log/myapp is labeled with the default_t type. The administrator wants to allow httpd to write to this directory while maintaining security. Which command should the administrator run?
17. A systems administrator needs to restrict SSH access to a Linux server so that only users in the 'sshusers' group can log in. Which configuration change should be made in /etc/ssh/sshd_config?
18. An administrator runs auditctl -l and ausearch -k auth_log -ts today as shown in the exhibit. The administrator expects to see audit events for /var/log/auth.log but gets no matches. Which TWO actions should the administrator take to resolve this issue?
19. You are a systems administrator for a small company. The company uses a Linux server running Ubuntu 22.04 LTS that hosts a web application and a PostgreSQL database. The server has two network interfaces: eth0 (public IP) and eth1 (private IP). The web application listens on port 443 (HTTPS) on eth0, and the PostgreSQL database listens on port 5432 on eth1. The company security policy requires that only the web application should be accessible from the internet; all other ports must be blocked on the public interface. Additionally, SSH access should be allowed only from the internal network (192.168.1.0/24). The current iptables rules are as follows:
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    There are no other rules. You need to implement the security policy using iptables. Which of the following sets of commands will achieve the required security policy?
20. Drag and drop the steps to configure a static IP address using the command line in the correct order.
21. Drag and drop the steps to configure a firewall rule using iptables to allow SSH in the correct order.
22. Drag and drop the steps to recover a forgotten root password in single-user mode in the correct order.
23. Match each Linux runlevel to its standard systemd target.
24. Match each Linux networking command to its purpose.
25. Match each Linux boot component to its role.
26. A junior administrator accidentally modified the /etc/sudoers file and now users report not being able to use sudo. Which command should be used to safely edit the sudoers file?
27. A security policy requires that SSH root login be disabled, but key-based authentication for users should remain enabled. Which configuration line should be added to /etc/ssh/sshd_config?
28. An administrator needs to audit all write operations to the /etc/shadow file. Which audit rule should be added to /etc/audit/rules.d/audit.rules?
29. A shared directory requires that any new files created within it are automatically writable by the group. What umask value should be set for users working in this directory?
30. A security policy requires that SSH access be allowed only from the internal management subnet 10.10.10.0/24. Which firewalld rich rule should be added?
31. An Apache web server (httpd) is serving content from a custom directory /webapps/company. The root directory is labeled with the default_t context, causing httpd to be denied access. Which command should the administrator use to persistently relabel the directory for httpd access?
32. The company password policy requires minimum length, complexity, and that passwords cannot be based on dictionary words. Which file should be edited to configure these settings via pam_pwquality?
33. A security engineer needs to verify the authenticity of a downloaded file using its detached GPG signature (file.sig). Which command should be used?
34. An application running under an AppArmor profile is being denied access to log files. The administrator wants to troubleshoot by allowing all actions and logging denials. Which command will switch the profile to complain mode?
35. Which TWO commands can be used to change the group ownership of a file? (Choose exactly two.)
36. Which THREE are best practices for securing a Linux server? (Choose exactly three.)
37. Which TWO commands are used to manage SSH key-based authentication processes? (Choose exactly two.)
38. A user on a workstation with IP 192.168.1.100 reports being unable to SSH to the server with IP 10.0.0.5. Based on the exhibit, what is the most likely cause?
39. A security audit reveals a misconfiguration. Which file has insecure permissions that could allow unauthorized users to read password hashes?
40. Based on the exhibit, what is the purpose of the audit rule?
41. A system administrator needs to ensure that only specific users can execute the 'sudo' command. Which configuration file should be modified?
42. Which tool is used for encrypting files with public-key cryptography on Linux systems?
43. Which command can be used to display the current user's effective user ID and group memberships?
44. A security policy requires that user passwords must expire every 90 days. Which command can enforce this policy for user 'jsmith'?
45. An administrator needs to ensure that the SSH service only allows key-based authentication and disables password authentication. Which configuration file and directive should be modified?
46. A security audit reveals that the /var/log directory has permissions 777. Which command should restore secure permissions, assuming the owner is root and the group is adm?
47. A company is implementing a security policy that requires all files created in a shared directory /data to be owned by the group 'engineers' and have group read/write permissions, regardless of the user's umask. Which approach should be used?
48. An administrator is configuring a Linux firewall to allow incoming SSH (port 22) and HTTPS (port 443) traffic while denying all other incoming traffic. Using iptables, which set of commands achieves this?
49. A security policy requires auditing of all file access attempts. Which Linux kernel feature should be used?
50. A system administrator wants to restrict SSH access to a specific group of users. Which two methods can achieve this? (Select TWO.)
51. A security audit identifies that the system's /etc/passwd file is world-readable. Which three security issues does this pose? (Select THREE.)
52. An administrator notices that a user's crontab file is not executing. Which two commands can the administrator use to verify the user's crontab configuration? (Select TWO.)
53. An Apache web server hosted on a Linux system is unable to connect to a backend database server on port 3306. Based on the exhibit, which action should the administrator take to resolve the issue?
54. A security policy requires that user passwords must expire after 90 days. The output in the exhibit shows the current configuration for the root user. Which command should the administrator run to enforce the policy for root?
55. A user can access a web server on this Linux system via HTTPS but cannot connect via SSH. Based on the exhibit, what is the most likely cause?
56. A system administrator is tasked with ensuring that users cannot delete files owned by other users in a shared directory. Which permission should be set on the directory?
57. An administrator needs to allow a user to run all commands as root without a password. Which sudoers entry accomplishes this?
58. A Linux server is configured to use Pluggable Authentication Modules (PAM). Which file is used to define the authentication order for the 'sshd' service?
59. A security policy requires that all SUID files be identified and reviewed. Which command can recursively find SUID files?
60. An administrator wants to restrict SSH access to only users in the 'sshusers' group. Which configuration should be added to /etc/ssh/sshd_config?
61. A technician notices that a user can execute a binary with elevated privileges even though the user is not in the sudoers file. The binary has the SUID bit set. Which command would remove the SUID bit from the binary?
62. A security audit reveals that a server's /etc/shadow file is readable by all users. Which command would correctly fix the permissions?
63. A server is secured with SELinux in enforcing mode. A custom web application needs to write logs to /var/log/webapp. The SELinux type for httpd is httpd_t. Which command sets the correct context for the log directory?
64. An administrator is configuring a chroot jail for an SFTP user. Which directive in /etc/ssh/sshd_config is used for this purpose?
65. A security policy requires that user passwords must expire every 60 days and users should be warned 7 days before expiration. Which two commands can be used to set these policies? (Select TWO.)
66. A system administrator wants to encrypt a large directory of files using GPG with a symmetric cipher. Which two steps are necessary? (Select TWO.)
67. An administrator is hardening a Linux server. Which three of the following actions reduce the attack surface? (Select THREE.)
68. Based on the exhibit, what best describes the security implication?
69. What is the effect of the firewall rules shown?
70. An administrator notices that new SSH sessions fail for all users. Which line in the exhibit is most likely causing the failure?
71. A security policy requires that user home directories have permissions set so that only the owner has access. A new user 'john' has a home directory with permissions 755. Which command should the administrator run to enforce the policy?
72. After a security audit, it is recommended to disable SSH password authentication in favor of key-based authentication. Which configuration line should be set in /etc/ssh/sshd_config?
73. A system administrator wants to ensure that the /tmp directory is mounted with noexec to prevent code execution from temporary files. Which file should be modified to persist this across reboots?
74. A web server on RHEL 8 is serving content from a non-default directory /data/web. The SELinux context is set to default_t for the directory, causing access denials. Which command should be used to set the correct context for web content?
75. A Linux administrator needs to configure a firewall to allow incoming SSH connections only from the 192.168.1.0/24 subnet. The current iptables INPUT policy is ACCEPT. Which set of rules should be added?
76. A Linux administrator is troubleshooting login issues. Users can log in using SSH but not through the local console or graphical display manager. The /etc/pam.d/system-auth file was recently modified. Which PAM module is likely misconfigured?
77. An administrator is investigating a system that may have been compromised. The 'aide' database was created six months ago. After running 'aide --check', many files in /usr/bin are reported as changed. Which action should the administrator take first to identify the cause?
78. A server running Ubuntu 22.04 has AppArmor enabled. After installing a new application, the application is denied access to certain files even though the permissions are correct. The administrator checks the AppArmor profile and finds it is in enforce mode. Which command can be used to temporarily set the profile to complain mode to generate log entries for needed accesses?
79. A Red Hat Enterprise Linux 8 system is configured with SELinux in enforcing mode. A custom application needs to write to a file in /var/log. The audit log shows an AVC denial for httpd_t attempting to write to var_log_t. Which of the following is the most appropriate persistent solution?
80. Which TWO of the following are best practices for securing the GRUB boot loader?
81. Which THREE of the following actions can help prevent unauthorized access to a Linux server via SSH?
82. Which TWO tools are specifically designed to detect rootkits on a Linux system?
83. Refer to the exhibit. After adding a firewall rule, the web server becomes unreachable from the internal network 192.168.1.0/24. Which line is the cause?
84. Refer to the exhibit. A web application running under Apache cannot write to /var/log/app.log. The file has permissions 664 and is owned by apache. What is the correct action to allow writes while maintaining SELinux policies?
85. A company uses a Linux server running Ubuntu 22.04 LTS as a file server to share documents via Samba. The server has been in operation for over a year without issues. Following a routine system update that included kernel patches and updated Samba packages, users began reporting that they could no longer access any shared folders. The administrator verifies that the smbd and nmbd services are running and have not failed. The Samba configuration has not been changed recently. The server uses ufw as its firewall. When the administrator runs 'ufw status', the output shows that only SSH (port 22) is allowed. The administrator checks for SELinux but finds it is not installed; however, AppArmor is active and the smbd profile is in enforce mode. The administrator examines the AppArmor logs and finds no denials related to smbd. Which of the following is the most likely reason for the connectivity failure?
86. A systems administrator notices that users can successfully authenticate via SSH using their password, but cannot log in via the console. The /etc/securetty file exists and contains only the default entries. Which configuration change is most likely to resolve the issue?
87. An administrator needs to ensure that /var/log/secure is only readable by members of the 'adm' group and is not accessible by any other user. Additionally, new files created in /var/log should inherit the group ownership 'adm'. Which set of commands achieves this?
88. A security team wants to implement mandatory access control (MAC) on a Linux server to confine a potentially vulnerable daemon. Which TWO of the following technologies can be used for this purpose?
89. An administrator needs to restrict SSH access to the server so that only a specific IP range (192.168.1.0/24) can connect, and password authentication is disabled. Which THREE steps must be taken?
90. A company's web server running Apache on CentOS 7 has been compromised. The attacker exploited a vulnerability in the web application and gained access to the system as the 'apache' user. The administrator wants to prevent similar attacks in the future by hardening the server. Currently, the Apache process runs as the 'apache' user and can execute arbitrary code. The administrator considers enabling SELinux with the targeted policy to confine the httpd daemon. However, after setting SELinux to enforcing and installing the 'httpd' SELinux package, the web server fails to serve pages over HTTPS. The administrator checks the audit log (/var/log/audit/audit.log) and sees denials related to port binding. What is the most likely cause of the issue?
91. A junior administrator is tasked with setting up a file server using NFS on a Linux server. The /etc/exports file currently contains: /srv/nfs *(rw,sync,no_subtree_check). The administrator wants to restrict access to only the 192.168.10.0/24 network and require clients to use a privileged port (less than 1024) for added security. Additionally, the administrator wants to prevent root users on the client from having root access to the NFS share. Which exports configuration meets these requirements?
92. An administrator is auditing user accounts on a Linux system and finds that several users have accounts that are no longer needed. Instead of deleting the accounts immediately, the administrator wants to lock the accounts and expire the passwords so that the users cannot log in, but the home directories and files are preserved. The administrator then wants to generate a report of all locked accounts and their last login time. Which commands and steps should the administrator use?
93. A Linux server in a DMZ is experiencing intermittent SSH lockouts. The /var/log/secure file shows repeated failed login attempts from multiple IP addresses, but then suddenly the administrator cannot SSH in even with correct credentials. The administrator suspects a brute-force protection mechanism. The server uses PAM with pam_tally2 for login counting. The administrator checks /etc/pam.d/sshd and sees: auth required pam_tally2.so deny=3 unlock_time=300 onerr=succeed file=/var/log/tallylog. What is the most likely reason the administrator is locked out even after 5 minutes?
94. A Linux administrator needs to implement file integrity monitoring to detect unauthorized changes to critical system binaries. The administrator decides to use the 'aide' tool. After installing AIDE and initializing the database with 'aide --init', the database is placed at /var/lib/aide/aide.db.new.gz. The administrator then runs 'aide --check' and receives several warnings about files in /tmp being modified. However, the administrator is not concerned about /tmp. What is the simplest way to exclude the /tmp directory from future checks?
95. A security audit reveals that the /etc/shadow file has permissions 0644 and is owned by root:shadow. The auditor states that this is a security risk because any local user can read password hashes. The administrator wants to fix the permissions to ensure that only root and the shadow group can read the file, and no one else can read it. Additionally, the administrator wants to set the immutable attribute on the file to prevent accidental modification. Which set of commands achieves the desired state?
96. A web server is running on the system but clients cannot connect to port 8080. Based on the exhibit, which command should the administrator run to allow traffic on port 8080?
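Questions 15, 19 and 75 all hinge on one property of iptables: a chain is evaluated top to bottom and stops at the first match, so whether a new DROP is appended (-A, after the catch-all DROP) or inserted at the top (-I INPUT 1) decides if it ever fires. The script below is an added example written for this page, not code from Courseiva or CompTIA: it models the question 15 chain in a simplified text format (source CIDR, destination port, conntrack state, target) and walks it the way the kernel would. The rule format, the function names and the sample packets are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: first-match simulation of an iptables INPUT chain.
# Rule format, one per line: "<src-cidr|any> <dport|any> <state-list|any> <target>"
# This is a teaching model, not iptables output. It handles IPv4 source CIDR,
# destination port and conntrack state, which is all question 15 needs.

# Dotted-quad IPv4 -> 32-bit integer.
ip4_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when address $1 lies inside CIDR $2 ("any" matches everything,
# a bare address means /32).
in_cidr() {
  local ip=$1 cidr=$2 net bits mask
  [ "$cidr" = any ] && return 0
  net=${cidr%/*}; bits=${cidr#*/}
  [ "$net" = "$cidr" ] && bits=32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$ip") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# evaluate "<rules>" <policy> <src> <dport> <state>: print the target of the
# first matching rule, or the chain policy when nothing matches.
evaluate() {
  local rules=$1 policy=$2 src=$3 dport=$4 state=$5
  local rsrc rport rstate target
  while read -r rsrc rport rstate target; do
    [ -z "$target" ] && continue
    in_cidr "$src" "$rsrc" || continue
    [ "$rport" = any ] || [ "$rport" = "$dport" ] || continue
    case ",$rstate," in
      ",any,"|*",$state,"*) ;;
      *) continue ;;
    esac
    echo "$target"
    return 0
  done <<EOF
$rules
EOF
  echo "$policy"
}

# The existing chain from question 15 (policy ACCEPT, four rules), and the
# block rule under discussion.
EXISTING_RULES='any any ESTABLISHED,RELATED ACCEPT
10.0.0.0/8 22 any ACCEPT
10.0.0.0/8 443 any ACCEPT
any any any DROP'
BLOCK_RULE='203.0.113.5 any any DROP'

# iptables -A INPUT -s 203.0.113.5 -j DROP lands after the catch-all DROP.
# An attacker session that is already ESTABLISHED is still accepted by rule 1.
verdict_if_appended() {
  evaluate "$(printf '%s\n%s' "$EXISTING_RULES" "$BLOCK_RULE")" ACCEPT 203.0.113.5 22 ESTABLISHED
}

# iptables -I INPUT 1 -s 203.0.113.5 -j DROP puts the block first, so it wins
# for every packet from that address, established or not.
verdict_if_inserted() {
  evaluate "$(printf '%s\n%s' "$BLOCK_RULE" "$EXISTING_RULES")" ACCEPT 203.0.113.5 22 ESTABLISHED
}

# Regression check: the inserted rule must not disturb internal HTTPS clients.
verdict_internal_https() {
  evaluate "$(printf '%s\n%s' "$BLOCK_RULE" "$EXISTING_RULES")" ACCEPT 10.20.30.40 443 NEW
}

main() {
  echo "appended block, established attacker session: $(verdict_if_appended)"
  echo "inserted block, established attacker session: $(verdict_if_inserted)"
  echo "inserted block, internal HTTPS client:        $(verdict_internal_https)"
}
main
```

The established-session case is the one that bites in practice: an attacker who already holds an SSH session keeps matching rule 1 before an appended DROP is ever consulted, so the block has to go in at position 1 (and any live connection from that address should be cleared from the conntrack table as well). The same first-match reasoning answers question 19: the allow rules for 443 on eth0 and for SSH from 192.168.1.0/24 must precede the final DROP, and the policy change to DROP must come after a rule accepting ESTABLISHED traffic or the administrator's own session dies.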
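Questions 27, 45, 70 and 72 are about PermitRootLogin and PasswordAuthentication in /etc/ssh/sshd_config. A detail the stems do not spell out, and the first thing to check when a hardening change "does not take", is that sshd uses the first value it reads for a keyword: a line appended at the bottom of the file loses to an earlier one, or to a drop-in pulled in by an Include directive near the top (Ubuntu 22.04 ships such an Include for /etc/ssh/sshd_config.d/*.conf). The script below is an added example, not code from the page or from OpenSSH: a deliberately simplified parser that reports the value sshd would take, with a constructed config showing the mistake. It ignores Match blocks and the Keyword=value spelling; on a real host, sshd -T prints the authoritative effective configuration.

```shell
#!/usr/bin/env bash
# Added example: which sshd_config value actually takes effect?
# sshd keeps the FIRST value it reads for a keyword. This parser mirrors that
# rule for plain "Keyword value" lines and stops at the first Match block,
# because everything below a Match is conditional. Written for this page only.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_sshd_option "<config text>" <Keyword>: print the value sshd would use,
# or fail if the keyword never appears before a Match block.
effective_sshd_option() {
  local config=$1 want key value
  want=$(lower "$2")
  while read -r key value; do
    case $key in ''|'#'*) continue ;; esac
    [ "$(lower "$key")" = match ] && break
    if [ "$(lower "$key")" = "$want" ]; then
      printf '%s\n' "$value"
      return 0
    fi
  done <<EOF
$config
EOF
  return 1
}

# Succeed only when root login and password authentication are both off.
sshd_hardened() {
  [ "$(effective_sshd_option "$1" PermitRootLogin)" = no ] &&
  [ "$(effective_sshd_option "$1" PasswordAuthentication)" = no ]
}

# Constructed config, not a real host's file: the administrator appended the
# hardening lines from questions 27 and 72 without removing the earlier ones.
BROKEN_CONFIG='# constructed sample
PasswordAuthentication yes
PermitRootLogin prohibit-password
AllowGroups sshusers
# appended later, intended to enforce key-only logins
PasswordAuthentication no
PermitRootLogin no'

# The same intent with the stale lines removed.
FIXED_CONFIG='# constructed sample
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers'

main() {
  echo "broken: PasswordAuthentication -> $(effective_sshd_option "$BROKEN_CONFIG" PasswordAuthentication)"
  echo "broken: PermitRootLogin        -> $(effective_sshd_option "$BROKEN_CONFIG" PermitRootLogin)"
  sshd_hardened "$BROKEN_CONFIG" && echo "broken: hardened" || echo "broken: NOT hardened"
  sshd_hardened "$FIXED_CONFIG"  && echo "fixed: hardened"  || echo "fixed: NOT hardened"
}
main
```

The AllowGroups line (questions 4, 10, 17 and 60) follows the same first-value rule, and it is an allow-list: once it is present, every user outside the named groups is refused, including the administrator if the group membership was not added first, which is the usual cause of the "all new sessions fail" symptom in question 70. Keep an existing session open while testing a change, and run sshd -t before restarting the service.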
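Questions 16, 31, 63, 74, 79 and 84 share one diagnosis path: read the AVC record in /var/log/audit/audit.log, identify the source type (httpd_t), the target type and the denied permission, then relabel the path persistently with semanage fcontext plus restorecon rather than with chcon, which the next relabel undoes. The script below is an added example written for this page, not code from Courseiva or from the SELinux project: it parses a constructed AVC record (the field names follow the real format; the pid, inode and timestamp are made up), picks a file type from the targeted policy that httpd_t is allowed to use for that purpose, and prints the commands to review. It does not execute semanage or restorecon.

```shell
#!/usr/bin/env bash
# Added example: from an SELinux AVC denial to the persistent relabel.
# The record below is constructed for this page; only its field layout is real.

AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="app.log" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0'

# avc_field "<record>" <key>: value of the key=value token, empty if absent.
avc_field() {
  local record=$1 key=$2 word
  for word in $record; do
    case $word in
      "$key="*) printf '%s\n' "${word#*=}"; return 0 ;;
    esac
  done
  printf '\n'
}

# The type is the third field of user:role:type:level.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# The permissions inside the braces, e.g. "write" or "read open".
avc_permissions() { printf '%s\n' "$1" | sed 's/.*{ \(.*\) }.*/\1/'; }

# suggested_type <source type> <permissions> <directory>: a file type from the
# targeted policy that httpd_t may use for that path and access.
#   /var/log/...            -> httpd_log_t            (questions 16, 63, 79)
#   content, write access   -> httpd_sys_rw_content_t
#   content, read-only      -> httpd_sys_content_t    (questions 31, 74)
suggested_type() {
  local stype=$1 perms=$2 dir=$3
  [ "$stype" = httpd_t ] || { printf 'unknown\n'; return 1; }
  case $dir in
    /var/log/*) printf 'httpd_log_t\n' ;;
    *) case " $perms " in
         *" write "*|*" create "*|*" append "*) printf 'httpd_sys_rw_content_t\n' ;;
         *) printf 'httpd_sys_content_t\n' ;;
       esac ;;
  esac
}

# fix_commands <record> <directory>: the semanage/restorecon pair. The "(/.*)?"
# suffix makes the rule cover files created later, which a plain chcon would not.
fix_commands() {
  local record=$1 dir=$2 stype type
  stype=$(context_type "$(avc_field "$record" scontext)")
  type=$(suggested_type "$stype" "$(avc_permissions "$record")" "$dir")
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
  printf 'restorecon -Rv %s\n' "$dir"
}

main() {
  echo "source type : $(context_type "$(avc_field "$AVC_SAMPLE" scontext)")"
  echo "target type : $(context_type "$(avc_field "$AVC_SAMPLE" tcontext)")"
  echo "denied      : $(avc_permissions "$AVC_SAMPLE") on $(avc_field "$AVC_SAMPLE" tclass)"
  echo "fix for question 16:"
  fix_commands "$AVC_SAMPLE" /var/log/myapp
}
main
```

The alternative the exam also probes is audit2allow: generating a local module from the denial would permit httpd_t to write every var_log_t file, which is far broader than relabeling one directory, so relabeling is the better answer whenever a suitable type exists. For question 84, where the file already has the right DAC permissions and owner, the same AVC reading shows that the label, not the mode, is what needs changing.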
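Questions 3, 11, 46, 59 and 95 are permission audits. The script below, an added example written for this page rather than code from Courseiva, turns them into checks a practitioner can script: a "looser than policy" test on the octal mode, a setuid hunt with find -perm -4000, and the 0640 fix from question 95, all exercised on a throwaway directory from mktemp so nothing on the real system is touched. It relies on GNU coreutils stat; the file contents and names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: permission checks behind questions 3, 11, 46, 59 and 95,
# run in a temporary directory. Requires GNU stat (stat -c).

# Octal mode of a path, special bits included (e.g. 640, 4755).
mode_of() { stat -c '%a' "$1"; }

# Succeed when PATH ($1) grants any permission bit that MAX ($2, octal) does not,
# i.e. it is looser than policy allows (644 against a ceiling of 640 fails the
# check because of the world-read bit).
looser_than() {
  local actual max
  actual=$(( 0$(mode_of "$1") ))
  max=$(( 0$2 ))
  [ $(( actual & ~max & 07777 )) -ne 0 ]
}

# Regular files under DIR with the setuid bit set (question 59).
find_suid() { find "$1" -type f -perm -4000 | sort; }

# The mode fix from question 95: owner rw, group r, nothing for others.
# On a real system also: chown root:shadow /etc/shadow (see the note below).
restrict_shadow() { chmod 0640 "$1" && mode_of "$1"; }

# Build the demo tree and print its path. Contents are constructed, not real data.
make_demo_tree() {
  local d
  d=$(mktemp -d)
  printf 'alice:!:19000:0:90:7:::\n' > "$d/shadow"   # constructed, locked entry
  chmod 644 "$d/shadow"                               # the mistake from question 95
  : > "$d/secure";  chmod 640 "$d/secure"             # question 87's intended state
  : > "$d/helper";  chmod 4755 "$d/helper"            # an unexpected setuid file
  printf '%s\n' "$d"
}

# audit_tree DIR: one line per finding, with a 640 ceiling for the secret files.
audit_tree() {
  local d=$1 f
  for f in "$d/shadow" "$d/secure"; do
    if looser_than "$f" 640; then
      printf 'LOOSE %s mode=%s\n' "${f##*/}" "$(mode_of "$f")"
    fi
  done
  for f in $(find_suid "$d"); do
    printf 'SUID %s mode=%s\n' "${f##*/}" "$(mode_of "$f")"
  done
}

main() {
  local d
  d=$(make_demo_tree)
  echo "before:"; audit_tree "$d"
  restrict_shadow "$d/shadow" >/dev/null
  echo "after restrict_shadow:"; audit_tree "$d"
  rm -rf "$d"
}
main
```

On a real host the rest of the question 95 fix is chown root:shadow /etc/shadow on Debian-family systems (RHEL-family systems ship the file as root:root with mode 0000, which is equally acceptable: the requirement is that "other" gets no bits) followed by chattr +i. The immutable attribute also stops passwd, chage and useradd from updating the file until it is cleared with chattr -i, so it buys protection against accidental edits at a real operational cost. For question 59, run the setuid search from / and compare the list against the package manager's record of which binaries are expected to carry the bit; any hit in a home directory, as in question 13, is a finding.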
The Security domain covers the key concepts tested in this area of the XK0-005 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all XK0-005 domains — no account required.
The Courseiva XK0-005 question bank contains 96 questions in the Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.