Practice EX200 Manage security questions with full explanations on every answer.
Start practicing
Manage security — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A junior admin needs to ensure that the 'apache' user (UID 48) cannot log in via SSH or console. Which command achieves this?
2An administrator runs 'getenforce' and sees 'Enforcing'. They then run 'setenforce 0' but SELinux still denies access to a custom application. What is the most likely reason?
3A system administrator wants to allow user 'jdoe' to execute any command as root via sudo without being prompted for a password, but only from the host 'client1.example.com'. Which sudoers rule achieves this?
4A server's firewall is managed by firewalld. The admin adds a rule to allow HTTPS traffic to the public zone, but clients still cannot connect. What is the most likely cause?
5Which TWO commands can be used to display SELinux contexts of files? (Choose two.)
6Which THREE factors determine whether a local user can SSH into a Red Hat Enterprise Linux 9 system? (Choose three.)
7Refer to the exhibit. A web server (httpd) is unable to serve files from a user's home directory. What is the most appropriate single command to resolve the issue?
8You are the system administrator for a small company. A developer, Alice, needs to restart the web server (httpd.service) on server 'web1.example.com' without being prompted for a password. She should also be able to run any command as root on that server, but only from the server itself (not remotely). Currently, Alice can SSH into the server using her SSH key, but when she runs 'sudo systemctl restart httpd', she is prompted for her password. You have verified that Alice is in the 'wheel' group. The sudoers file currently has the line '%wheel ALL=(ALL) ALL'. You want to modify sudoers to satisfy the requirement with minimal privilege. Which action should you take?
9A system administrator needs to configure a firewall using firewalld to allow incoming HTTPS traffic and deny incoming SSH traffic from a specific source IP 192.168.1.100. Which two commands should be run? (Choose two.)
10A junior administrator is tasked with setting up SELinux contexts on a Red Hat Enterprise Linux 9 server to allow Apache HTTPD to read and write to a custom directory /var/www/customcontent. The directory already exists and contains several files. The administrator has confirmed that the httpd service is running and SELinux is in enforcing mode. After changing the context to httpd_sys_content_t using chcon, the web server can read files but cannot write to the directory. The administrator needs to fix this without disabling SELinux or changing the mode to permissive. Which of the following is the correct next step?
11Order the steps to configure firewall rules to allow HTTP and HTTPS traffic using firewalld.
12Match each networking term to its definition.
13A sysadmin wants to allow user 'alice' to run all commands as root via sudo. Which line should be added to /etc/sudoers?
14After configuring sudo, a user reports: 'sudo: unable to open /etc/sudoers: Permission denied'. The admin checks the file permissions and sees '-rw-r-----' owned by root:root. What is the most likely cause?
15A server uses firewalld with the default zone set to 'drop'. SSH is allowed only for the 192.168.1.0/24 subnet via a rich rule in the 'internal' zone. After a reboot, SSH connections from that subnet are refused. What is the most likely cause?
16Which command sets the password maximum age for user 'bob' to 30 days?
17An administrator wants newly created files to be readable and writable only by the owner, and readable by group and others. Which umask value should be set?
18A user reports that SSH key-based authentication fails, but password authentication works. The admin checks /etc/ssh/sshd_config: PubkeyAuthentication yes, PasswordAuthentication no (contrary to the report). Which is the most likely reason key-based auth fails?
19Which file contains the hashed passwords for local user accounts?
20A file has been assigned an incorrect SELinux context, preventing a service from accessing it. Which command restores the default SELinux context for that file?
21An administrator needs to grant user 'dev' the ability to execute /usr/local/bin/deploy.sh as root without a password, but no other commands. Which sudoers entry accomplishes this?
22Refer to the exhibit. What is the primary security concern with this sudo configuration?
23Refer to the exhibit. A CGI script located at /var/www/cgi-bin/test.cgi fails to execute. What is the most likely cause?
24Refer to the exhibit. An administrator wants to add the HTTP service (port 80) to the internal zone permanently. Which sequence of commands should be used?
25Which TWO statements about the /etc/shadow file are true? (Select exactly two.)
26Which THREE commands are used to manage SELinux file security contexts? (Select exactly three.)
27Which TWO methods are considered best practices for securing SSH access to a server? (Select exactly two.)
28A system administrator needs to allow members of the 'developers' group to run any command as root without being prompted for a password. Which sudoers configuration line should be added?
29A web server is running in enforcing mode with SELinux, but Apache cannot read content in a custom directory /web. The directory has been labeled correctly with httpd_sys_content_t. However, access is still denied. What is the most likely cause?
30A company requires that SSH access from the external network (10.0.1.0/24) only be allowed to port 2222, and all other incoming traffic on the firewall should be dropped. Which firewalld rule should be applied to the external zone?
31To enforce that user passwords expire every 90 days and users are warned 7 days before expiration, which command sets these policies for user 'john'?
32An administrator wants to allow user 'alice' to SSH into the server using key-based authentication only. Which configuration change is required?
33Refer to the exhibit. A web server is serving content from /var/www/html. SELinux is in enforcing mode. The web client reports 'Forbidden'. What is the most likely cause?
34To allow a user to run a specific program with root privileges without providing the root password, which configuration file should be modified?
35Refer to the exhibit. A host in the 192.168.1.0/24 network is unable to access a web service running on this server on port 8080. What is the most likely reason?
36An auditor requires that all failed SSH login attempts be logged to a separate file /var/log/ssh_failures. Which configuration is needed in /etc/rsyslog.conf or /etc/rsyslog.d/?
37A security policy requires that all files in /home have the default SELinux context for user home directories. Which command recursively restores the default context?
38Which command checks if a user's password has expired and forces a password change at next login?
39Which two statements about SELinux modes are correct? (Choose two.)
40Which three statements about firewalld zones are correct? (Choose three.)
41Which three actions enhance security for user accounts on a Red Hat Enterprise Linux system? (Choose three.)
42A company runs a web application on a Red Hat Enterprise Linux 8 server. The application is served by Apache HTTPD, and it requires read/write access to a custom directory /var/www/app_data. The SELinux context for the directory is set to httpd_sys_rw_content_t. Apache runs in enforcing mode. Recently, a new feature was added that requires Apache to connect to a database on the same server via a Unix socket. The database serves on /var/run/mysqld/mysqld.sock. After the feature deployment, the web application fails to connect to the database. The error logs show permission denied on the socket file. The socket file has permissions 660 and is owned by mysql:mysql. SELinux audit logs show AVC denials for httpd_t trying to connect to mysqld_var_run_t. Which of the following solutions should the administrator implement to allow Apache to read the database socket while maintaining security?
43Which TWO of the following are valid methods to enforce password complexity requirements on a Red Hat Enterprise Linux 9 system?
44A system administrator is managing a Red Hat Enterprise Linux 9 web server running Apache httpd. The server hosts a custom application that stores its files in /var/www/custom. The administrator has set ownership to apache:apache and file permissions to 755. However, when users access the web application, they receive a 'Forbidden' error. The httpd service is running, and SELinux is in enforcing mode. The administrator checks the SELinux context of the /var/www/custom directory and sees 'unconfined_u:object_r:default_t:s0'. What should the administrator do to resolve the issue without disabling SELinux?
45A Red Hat Enterprise Linux 9 system is configured as a router between an internal network (10.0.1.0/24) and a DMZ network (10.0.2.0/24). IP forwarding is enabled, and firewalld is active. The internal interface (eth0) is assigned to the 'internal' firewall zone, and the DMZ interface (eth1) is assigned to the 'dmz' zone. The requirement is that hosts on the internal network should be able to initiate connections to hosts in the DMZ, but the DMZ should not be able to initiate connections to the internal network. The administrator finds that traffic from internal to DMZ is being blocked. The internal zone has 'masquerade' enabled, and the dmz zone has no special settings. What is the most likely cause of the blocked traffic?
46A systems administrator needs to list all currently defined firewall rules in firewalld, including rules for all zones. Which TWO commands can be used to accomplish this? (Choose exactly two.)
47A user reports that the Apache web server cannot serve the file /var/www/html/index.html on a RHEL 9 system when SELinux is in enforcing mode. Given the exhibit output, what is the most likely cause?
48A systems administrator is managing a RHEL 9 server that hosts a custom web application on Apache. The application writes log files to /var/log/myapp/ and runs as the apache user. The administrator has set the directory permissions to 755 and ownership to apache:apache. SELinux is in enforcing mode. Despite these settings, the application fails to write logs. The audit log contains multiple AVC denials with the message 'avc: denied { write } for pid=1234 comm="httpd" name="myapp.log" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'. The administrator has verified that the file exists and that SElinux booleans related to httpd are at their default values. Which of the following steps should the administrator take to resolve the issue while maintaining security?
The Manage security domain covers the key concepts tested in this area of the EX200 exam blueprint published by Red Hat. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all EX200 domains — no account required.
The Courseiva EX200 question bank contains 48 questions in the Manage security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Manage security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included