Practice LPIC-2 System Security questions with full explanations on every answer.
1. A system administrator notices that the SSH service on a Linux server is failing to start. The log shows: 'sshd: error: Could not load host key: /etc/ssh/ssh_host_rsa_key'. What is the most likely cause and solution?
2. A security policy requires that all users must change their passwords every 90 days. Which command enforces maximum password age for an existing user 'jdoe'?
3. A security audit reveals that the /var/log directory contains world-readable log files that may contain sensitive information. The administrator wants to ensure new files created in /var/log are not readable by others, without affecting existing file permissions. Which umask value should be set system-wide?
4. Which TWO commands can be used to display the current iptables rules for the filter table?
5. Which THREE of the following are valid methods to restrict access to the su command on a Linux system?
6. Based on the iptables output, what is the expected behavior for incoming SSH connections on eth0?
7. Based on the sshd configuration, user 'charlie' attempts to log in using public key authentication. What will happen?
8. A system administrator wants to ensure that all commands executed by root are logged to a remote syslog server. Which rsyslog configuration directive should be used?
9. An organization requires that all email traffic from their mail server must be encrypted in transit. Which of the following is the most appropriate solution?
10. Which file is used to configure which users and groups are allowed to use the 'cron' daemon?
11. Based on the ACL output, which user(s) can write to the file /var/www/html/index.html?
12. A company runs a web application on a Linux server that uses Apache, MySQL, and PHP. The application stores sensitive user data in a MySQL database. The security team has detected that the MySQL service is listening on port 3306 on all interfaces (0.0.0.0). The application and database are on the same server, so there is no need for remote database access. The administrator must secure the MySQL service without breaking the application. Which of the following is the most appropriate course of action?
13. A system administrator needs to ensure that all users must change their passwords every 90 days and that passwords must be at least 12 characters long. The administrator modifies /etc/login.defs and /etc/pam.d/common-password. Which additional step is required to enforce these settings for existing users?
14. Which TWO commands can be used to list all currently listening TCP ports and the associated processes?
15. Given the exhibit, what is the most likely reason for the GPG error, and what is the correct way to fix it permanently?
16. You are the security administrator for a company that runs a web application on a Linux server. The application runs under the user 'www-data' and listens on TCP port 8080. The server also runs an SSH service on port 22. Recently, an external penetration test revealed that an attacker could exploit a vulnerability in the web application to execute commands as the 'www-data' user, and from there, the attacker could escalate privileges to root due to a misconfigured sudo rule. You need to implement a defense-in-depth approach to limit the impact of such an attack. Which single action would be the most effective in preventing privilege escalation from the 'www-data' user to root, while still allowing the application to function normally?
17. An administrator is reviewing the audit rules on a Linux server. The current rules are shown in the exhibit. The administrator needs to ensure that any failed attempts to open files are logged, while also monitoring for successful outbound connections. Which of the following describes the effect of the current rules?
18. An administrator wants to enhance the security of a web server running Apache. Which TWO of the following actions are recommended best practices?
19. A company runs a critical database server on a Linux system. The server is subject to a strict compliance policy that requires all commands executed by the database administrator (user 'dbadmin') to be logged. Additionally, any attempt to change the system time must be logged regardless of the user. The administrator has configured auditd and added the following rules: -w /usr/bin -p x -k binary_exec, -a always,exit -F arch=b64 -S adjtimex -F key=time_change. However, during a compliance audit, it is discovered that not all commands executed by dbadmin are being logged. Which of the following is the most likely cause?
20. Order the steps to configure a Linux system as a router using iptables.
21. Match each systemd unit type to its function.
22. A system administrator wants to ensure that only key-based authentication is allowed for SSH and password authentication is disabled. Which configuration change is required in /etc/ssh/sshd_config?
23. A user needs to run a specific command as root without being prompted for a password. The command is /usr/bin/systemctl restart apache2. Which sudoers rule accomplishes this securely?
24. An administrator configures iptables on a Linux firewall with the following rules: -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT; -A INPUT -p tcp --dport 22 -j ACCEPT; -A INPUT -j DROP. Users report that SSH connections are being dropped. What is the most likely cause?
25. A system administrator wants to verify the integrity of a downloaded package using a GPG signature. Which command should be used after importing the distributor's public key?
26. An application running under AppArmor is failing to write to its log directory. The AppArmor profile for the application includes the line '/var/log/myapp/ r,' but not '/var/log/myapp/** rw,'. What is the most likely issue?
27. A PAM configuration file for password authentication includes the line 'password requisite pam_cracklib.so retry=3 minlen=8'. A user tries to change their password but is rejected even though the new password meets the stated criteria. The administrator suspects a conflict with another PAM module. Which of the following is the most likely cause?
28. To protect against SSH brute-force attacks, a system administrator installs fail2ban. Which configuration file should be modified to enable the SSH jail with default settings?
29. A web server is running in enforcing mode under SELinux. The administrator wants to allow Apache to connect to a remote database server. Which SELinux boolean needs to be set to allow httpd to make network connections?
30. An administrator wants to create a chroot environment for a potentially compromised service. The service needs to read /etc/resolv.conf and /etc/hosts, and run from a directory /chroot/service. Which of the following steps is essential to ensure the chroot environment is secure and functional?
31. Which TWO of the following are effective methods to secure SSH access on a Linux server? (Choose two.)
32. Which TWO iptables commands are necessary to allow incoming SSH connections (port 22) from the subnet 192.168.1.0/24 while dropping all other incoming traffic? Assume the INPUT chain has a default policy of DROP. (Choose two.)
33. Which THREE of the following actions are recommended as initial security hardening steps after installing a new Linux server? (Choose three.)
34. Refer to the exhibit. The user 'user' reports that they are able to run 'sudo apt-get update' without a password, but 'sudo apt-get upgrade' prompts for a password. What is the most likely cause?
35. Refer to the exhibit. An administrator has applied these iptables rules. Users can still SSH into the server from any IP address, which is unexpected because the administrator intended to restrict SSH to only a specific subnet. What is the most likely reason the restriction is not working?
36. Refer to the exhibit. What type of attack is indicated by the log entries?
37. An administrator wants to allow user 'john' to execute any command as root without a password. Which sudoers entry is correct?
38. An administrator wants to drop incoming TCP packets on port 22 from IP 10.0.0.5 using iptables. Which command is correct?
39. An administrator is configuring nftables to log and drop packets from a specific IP. The rule must be added to the input hook. Which command accomplishes this?
40. A company requires two-factor authentication for SSH logins. Which PAM module can be used to implement this if the system uses a time-based one-time password (TOTP)?
41. An administrator wants to encrypt a file so that only a specific recipient can decrypt it. Which GPG command should be used?
42. An administrator configures AIDE to monitor /etc. After initializing the database, what command updates the database with current file hashes without removing old entries?
43. To ensure that OpenVPN clients authenticate the server, which configuration directive should be present on the client side?
44. An administrator uses logwatch to send daily summaries to root. Which configuration file controls the default logwatch behavior?
45. A security analyst notices that an /etc/pam.d/common-auth file contains the line 'auth required pam_tally2.so deny=5'. What is the effect?
46. Which two commands correctly configure SSH to disable root login? (Select two.)
47. Which three PAM modules can be used to enforce password complexity? (Select three.)
48. Which two of the following are valid methods to authenticate with OpenVPN? (Select two.)
49. Refer to the exhibit. A security audit reveals that the server is not blocking SSH connections from unauthorized networks. What is the most likely cause?
50. Refer to the exhibit. A user cannot log in via SSH even though the password is correct. What is the most likely issue?
51. Refer to the exhibit. An administrator runs aide --check and receives a warning that /var/log/syslog has changed. Why is this expected?
52. A system administrator wants to allow the user 'jdoe' to run the '/usr/bin/systemctl restart httpd' command on a specific server without a password prompt. Which sudoers entry achieves this?
53. A security audit reveals that a server with PAM authentication allows users to log in even when the '/etc/nologin' file exists, contrary to policy. Which PAM module is most likely misconfigured or missing?
54. A user's SSH public key has been added to '~/.ssh/authorized_keys' on a remote server, but the user is still prompted for a password. Which file permission is most likely causing the issue?
55. An administrator wants to block all incoming traffic from the IP address 203.0.113.55 except for SSH (port 22) using iptables. The current default policy for the INPUT chain is ACCEPT. Which set of commands achieves this?
56. An administrator needs to encrypt a large file using GPG with a symmetric cipher and then decrypt it on another system. Which command encrypts the file using AES256 and prompts for a passphrase?
57. A web server running Apache is receiving many failed login attempts. Which tool should be used to dynamically block IPs after a configurable number of failures?
58. A system with SELinux in enforcing mode is running a custom application that needs to write to a file in /data. The application's context type is 'myapp_t', and the target file context is 'default_t'. The file's current context is 'var_t'. Which command changes the file's context to allow access?
59. An AppArmor profile for a database server is too restrictive and denies legitimate queries. The administrator wants to learn the required accesses by running the application in complain mode. Which command puts the profile into complain mode?
60. An administrator wants to restrict SSH access to a server so that only users from the domain 'example.com' can connect. Which file and syntax should be used with TCP Wrappers?
61. Which TWO commands can be used to list currently loaded iptables rules in the filter table? (Choose two.)
62. Which THREE conditions must be met for an SSH key-based login to succeed using the default settings on an OpenSSH server? (Choose three.)
63. Which TWO files are commonly used to configure PAM authentication for the 'login' service on a Linux system? (Choose two.)
64. Which user can execute any command as any user without any password restriction?
65. A new client with IP 10.0.1.15 tries to connect to HTTPS on the server. Based on the exhibit, what happens?
66. A Linux server in a DMZ hosts a custom web application that listens on TCP port 8080. The server is also configured with SSH on port 22 for remote administration. Recently, the security team noticed an increase in brute-force attacks against SSH from various external IPs. The server runs Fedora with firewalld as the firewall service. The current firewalld default zone is 'public', and the SSH service is allowed in the 'public' zone. The administrator wants to mitigate the brute-force attacks without blocking legitimate users. Additionally, the administrator wants to ensure that only specific administrative IP addresses can initiate SSH connections, and that SSH connections are rate-limited to prevent flooding. The administrator also needs to keep the web application accessible from any external IP. Which course of action best meets these requirements?
67. A system administrator wants to enforce key-based SSH authentication for all users on a server, disabling password authentication. Which two commands must be executed to achieve this? (Choose TWO.)
68. A company's security policy requires that all members of the 'developers' group be able to run the command 'systemctl restart httpd' as root using sudo, without being prompted for a password. Which sudoers entry achieves this?
69. An administrator wants to chroot SSH users in the 'jailed' group to their home directories. Which configuration in /etc/ssh/sshd_config achieves this?
70. A firewall rule set is implemented using iptables. The administrator wants to allow incoming SSH connections only from the 192.168.1.0/24 subnet, while all other incoming traffic is dropped. Which set of rules achieves this?
71. Which TWO of the following are recommended best practices for securing a Linux server that is publicly accessible?
72. Which THREE of the following tools can be used to implement file integrity checking on a Linux system?
73. Your company runs a web application on a Linux server that uses Apache HTTPD with mod_ssl for HTTPS. Recently, after a security audit, it was discovered that the server is vulnerable to the POODLE attack on SSLv3. The server is running RHEL 8 with Apache 2.4. The SSL configuration file /etc/httpd/conf.d/ssl.conf currently has the line 'SSLProtocol all -SSLv2'. You need to disable SSLv3 and also disable all versions of TLS below 1.2, while still allowing TLS 1.2 and 1.3. The server must remain available immediately. Which action should you take?
74. A financial institution uses a Linux server with a custom application that runs as the 'appuser' and writes logs to /var/log/app/. The security team recently detected that the application is vulnerable to a local privilege escalation via log injection. To mitigate, they decide to implement mandatory access control (MAC) using SELinux. The system is CentOS 7 with SELinux in enforcing mode. The current context of /var/log/app is 'unconfined_u:object_r:var_log_t:s0'. The application should only be allowed to write to logs in that directory, and no other processes should modify them. Which SELinux policy change should be made?
75. A small business has a single Linux server that serves as both a file server (Samba) and a web server (Apache). The server is directly connected to the internet. Recently, there have been numerous brute-force SSH login attempts. The administrator wants to implement a simple solution to block IP addresses that have more than 5 failed SSH attempts in 10 minutes. The server runs Ubuntu 20.04. Which tool should the administrator use to achieve this with minimal configuration?
76. A DevOps team manages a Kubernetes cluster on premises. The security team requires that all communication between pods be encrypted. The team decides to use mutual TLS (mTLS). They are using a Linux-based control plane with etcd and kube-apiserver. The current setup uses self-signed certificates for the API server, but the team wants to implement a proper PKI with automated certificate renewal. They have a small budget and prefer open-source tools. Which solution should they implement?
77. A government agency runs a classified application on a Linux server with strict auditing requirements. The application writes sensitive data to a MySQL database. The auditor requires that all SQL queries executed by the application be logged with timestamps, user, and the full query text. Additionally, the audit logs must be immutable (cannot be altered by the application or any user except a designated auditor account). The database runs on the same server. Which combination of tools and configurations should the administrator deploy?
78. Which TWO of the following actions are recommended to improve SSH server security?
79. Refer to the exhibit. What is the effect of this sudoers configuration?
80. A company runs an Apache web server (port 80) and an SSH server (port 22) for remote administration. The system administrator notices that the server has become sluggish and network traffic has increased significantly. Checking /var/log/auth.log reveals hundreds of failed SSH authentication attempts per minute from diverse IP addresses targeting the 'admin' user. The administrator wants to mitigate this brute-force attack with minimal impact on legitimate users. Which course of action is most effective?
The System Security domain covers the key concepts tested in this area of the LPIC-2 exam blueprint published by LPI. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all LPIC-2 domains — no account required.
The Courseiva LPIC-2 question bank contains 80 questions in the System Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.