CCNA Security Questions

75 of 125 questions · Page 1/2 · Security · Answers revealed

1
Multi-Selecteasy

Which TWO commands can be used to lock a user account? (Choose two.)

Select 2 answers
A.passwd -u username
B.userdel username
C.usermod -L username
D.chage -E 0 username
E.passwd -l username
AnswersC, E

Both write a leading "!" into the hash field of /etc/shadow, so no password matches.

Why this answer

passwd -l and usermod -L do the same thing: they prefix the stored hash in /etc/shadow with "!" so password authentication fails, and passwd -u / usermod -U reverse it. Neither one expires the account, and passwd(1) itself warns that the user may still log in with another authentication token such as an SSH key. To disable the account outright, also expire it with chage -E 0 username (option D; the passwd man page suggests usermod --expiredate 1), which fails the PAM account check for every authentication method. On a real host you normally do both. passwd -u (A) unlocks and userdel (B) removes the account, so neither "locks" anything.

2
Multi-Selectmedium

A security administrator is reviewing file permissions on a Linux system. They want to ensure that the /etc/shadow file is only readable by the root user. Which two commands can be used to set the correct permissions?

Select 2 answers
A.chown root:root /etc/shadow
B.chmod 444 /etc/shadow
C.chmod 600 /etc/shadow
D.chmod 640 /etc/shadow
E.chown root:shadow /etc/shadow
AnswersA, C

Ensures owner and group are root.

Why this answer

Option A is correct because chown root:root /etc/shadow makes root both owner and group of the file, so the permission bits are evaluated against root alone. Ownership by itself restricts nothing, though: the requirement is that only root can read the file, and that is the job of the permission bits. chmod 600 /etc/shadow (Option C) gives the owner read/write and removes every bit for group and others, so A and C together satisfy the question.

Distributions ship defaults that are at least this strict: RHEL-family systems use mode 0000 with root:root (root bypasses DAC checks anyway), and Debian-family systems use 0640 with root:shadow so programs setgid to the shadow group, such as unix_chkpwd, can read it. The one option that must never be chosen is B, chmod 444, which would let every local user read the password hashes.

Exam trap

The trap here is that candidates often confuse the purpose of chown and chmod, thinking that changing ownership alone (Option A) is sufficient to restrict access, when the permission bits (600) must also deny group and others; or they choose chmod 640 (Option D) because the shadow group is a real convention on Debian, but the question explicitly requires only root to have read access.

3
MCQhard

A file named 'webapp.conf' is being served by Apache but users get a 'Permission denied' error. The SELinux context of the file is 'unconfined_u:object_r:admin_home_t:s0'. What is the most appropriate command to fix the SELinux context?

A.semanage fcontext -a -t httpd_sys_content_t webapp.conf && restorecon -v webapp.conf
B.setenforce 0
C.chcon -t httpd_sys_content_t webapp.conf
D.restorecon -v webapp.conf
AnswerA

Adds a persistent file-context rule for the file and then applies it with restorecon.

Why this answer

The label admin_home_t is what files under /root receive, so webapp.conf was almost certainly created there and moved into the web tree with mv, which preserves the source label (cp would have given the file the target directory's label). Option A fixes that in two steps: semanage fcontext -a records a rule in the local policy store so the path defaults to httpd_sys_content_t, and restorecon -v applies the rule now. The fix survives a full relabel (touch /.autorelabel, fixfiles relabel) because the rule lives in the policy store rather than on the inode alone.

Option D alone works only if an existing rule already covers the file's path (for example /var/www(/.*)? in the stock policy), which matchpathcon or semanage fcontext -l shows before you decide; when such a rule exists, restorecon -v by itself is the whole fix. Confirm the cause first with ausearch -m AVC -ts recent rather than guessing. One practical caveat about option A as printed: semanage fcontext expects a full path (treated as a regular expression), so on a real host you would pass the file's absolute path, not a bare file name.

Exam trap

The trap is that candidates often choose chcon (option C) because it works immediately with a single command. chcon writes the label to the inode but records nothing in the policy, so the next restorecon, fixfiles run or system relabel reverts the file to whatever the policy says, which is why semanage fcontext plus restorecon is the recommended permanent fix.

How to eliminate wrong answers

Option B is wrong because setenforce 0 puts the whole system in permissive mode; it makes the error go away by disabling enforcement, not by fixing the label, and it does not survive a reboot either. Option C is wrong because chcon -t httpd_sys_content_t webapp.conf changes the on-disk label without updating the policy's file-context rules, so a later relabel or restorecon run undoes it. Option D is not the best answer because restorecon -v webapp.conf only applies whatever rule the policy already has for that path; if no rule covers it, the file keeps admin_home_t (or gets another wrong default) and the denial persists.

4
MCQeasy

Which file contains the password aging information such as minimum and maximum days between password changes?

A./etc/shadow
B./etc/security/limits.conf
C./etc/passwd
D./etc/login.defs
AnswerA

Contains password aging fields: min, max, warn, inactive, expire.

Why this answer

/etc/shadow stores the password hash and, per user, the aging fields: last change date, minimum days, maximum days, warning days, inactivity days and account expiry date, which chage reads and writes. /etc/passwd has the basic user record, /etc/login.defs holds the system-wide defaults (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE) that are copied into /etc/shadow when an account is created, and /etc/security/limits.conf sets resource limits.

5
MCQmedium

A security analyst needs to see a list of failed login attempts on a Linux system. Which command displays this information from the /var/log/secure log?

A.lastb
B.lastlog
C.last
D.faillog
AnswerA

lastb displays bad login attempts from /var/log/btmp.

Why this answer

lastb prints failed login attempts recorded in /var/log/btmp; despite the question's wording, it does not read /var/log/secure. On RHEL-family hosts the same failures also appear as text in /var/log/secure ("Failed password for ..." lines from sshd), and on systemd hosts journalctl -u sshd shows them too. last reads /var/log/wtmp and shows successful sessions, lastlog shows each user's most recent login from /var/log/lastlog, and faillog reads the /var/log/faillog counters that login(1) and the old pam_tally module kept, which modern systems do not maintain.

6
MCQmedium

A security policy requires that system logs be rotated weekly and kept for 4 weeks. Which configuration file should be modified to achieve this for /var/log/syslog?

A./etc/security/limits.conf
B./etc/rsyslog.conf
C./etc/logrotate.conf
D./etc/audit/auditd.conf
AnswerC

Main configuration file for logrotate.

Why this answer

Log rotation is managed by logrotate, not by rsyslog or syslog itself. The /etc/logrotate.conf file contains global rotation settings, including frequency (weekly) and retention count (rotate 4). Adding or modifying a configuration block for /var/log/syslog in logrotate.conf (or a file in /etc/logrotate.d/) directly implements the policy requirement.

Exam trap

CompTIA often tests the distinction between log generation (rsyslog.conf) and log rotation (logrotate.conf), so candidates mistakenly choose /etc/rsyslog.conf because they associate it with log management, not realizing rotation is a separate function.

How to eliminate wrong answers

Option A is wrong because /etc/security/limits.conf controls system resource limits (e.g., file handles, processes) per user via PAM, not log rotation. Option B is wrong because /etc/rsyslog.conf configures the rsyslog daemon’s logging rules, outputs, and facilities, but does not handle rotation or retention of log files. Option D is wrong because /etc/audit/auditd.conf configures the audit daemon (auditd) for kernel audit events, not general system log rotation.

7
MCQmedium

A system administrator needs to ensure that the Apache web server can read files in /var/www/html, which has the SELinux context httpd_sys_content_t. However, Apache is unable to access the files. What command should be used to apply the correct context to the directory and its contents?

A.chcon -R -t httpd_sys_content_t /var/www/html
B.restorecon -Rv /var/www/html
C.fixfiles -R restore /var/www/html
D.semanage fcontext -a -t httpd_sys_content_t /var/www/html
AnswerB

Correct. restorecon applies the default context recursively.

Why this answer

The stem says the directory itself already carries httpd_sys_content_t, yet Apache is denied. That is the classic symptom of content moved into /var/www/html with mv from somewhere else: mv preserves each file's original label (user_home_t, tmp_t and so on), so the directory is labelled correctly while the files underneath are not; ls -Z /var/www/html shows the mismatch and ausearch -m AVC -ts recent shows the denial. restorecon -Rv /var/www/html walks the tree and relabels every entry to the policy default, which for /var/www(/.*)? is httpd_sys_content_t, and the -v output lists exactly what changed.

This resolves the access issue without defining or changing any context type, because the policy already has the right rule for that path.

Exam trap

The trap here is that candidates assume the mapping is missing and reach for chcon or semanage fcontext, when the policy already knows what /var/www/html should be and the files simply have not been relabelled; restorecon is the tool that applies the policy's own mapping.

How to eliminate wrong answers

Option A is wrong because chcon -R -t httpd_sys_content_t writes the label directly to each inode without a backing file-context rule, so the next relabel reverts it; it would work for the moment, but it is the non-persistent answer when a persistent one exists. Option C is wrong because fixfiles -R expects a comma-separated list of RPM package names, so fixfiles -R restore /var/www/html would take "restore" as a package name and /var/www/html as the (invalid) operation; the directory form is fixfiles restore /var/www/html, and that is just a wrapper around restorecon. Option D is wrong because semanage fcontext -a -t httpd_sys_content_t /var/www/html adds a local rule duplicating the stock /var/www(/.*)? mapping and relabels nothing by itself; a restorecon run would still be needed afterwards.

8
Multi-Selecthard

An administrator is configuring auditd to monitor changes to the /etc/passwd file. Which three commands are part of the auditd toolset for setting up and reviewing audit rules?

Select 3 answers
A.aureport
B.ausearch
C.aulog
D.auditctl
E.auditd
AnswersA, B, D

auditctl loads rules, ausearch queries the log, aureport summarises it.

Why this answer

auditctl adds rules at runtime (auditctl -w /etc/passwd -p wa -k passwd_changes watches the file for writes and attribute changes and tags the events with a key), ausearch searches /var/log/audit/audit.log (ausearch -k passwd_changes -i), and aureport generates summaries (aureport -k, aureport -f). auditd is the daemon that writes the log, not a rule-management command; rules are persisted in /etc/audit/rules.d/*.rules, which augenrules compiles into /etc/audit/audit.rules at start. aulog is not a standard tool.
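An added example, not from the original page, that does offline what ausearch -k passwd_changes -i would do for the rule above: it reads SYSCALL records carrying key="passwd_changes" and reports the event id, the audit uid (auid, the user who originally logged in, which survives su and sudo), the program and whether the call succeeded. The audit records are constructed for this example with a trimmed field set, and the key name passwd_changes is an assumption; the parsing is what you would run against /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the original page). Rule assumed to be loaded:
#   auditctl -w /etc/passwd -p wa -k passwd_changes
# Constructed sample records (fields trimmed; real records carry more).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key="passwd_changes"
type=PATH msg=audit(1700000000.101:501): item=1 name="/etc/passwd" inode=262145 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=4200 pid=4201 auid=1001 uid=1001 gid=1001 euid=1001 ses=4 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1 pid=4301 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" key="passwd_changes"
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4400 pid=4401 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow_reads"'

# audit_key_events KEY -> one line per SYSCALL record tagged with KEY:
#   "<event id> <auid> <exe> <success>"
# auid 4294967295 means no login session (daemon or boot-time process) and
# is printed as "unset", which is how ausearch -i renders it.
audit_key_events() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | awk -v want="$1" '
        $1 == "type=SYSCALL" {
            split("", f)                                  # clear the field map
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            gsub(/"/, "", f["key"]); gsub(/"/, "", f["exe"])
            if (f["key"] != want) next
            # msg=audit(<seconds>.<ms>:<event id>): -> keep only the event id
            id = f["msg"]; sub(/^audit\([0-9.]+:/, "", id); sub(/\).*/, "", id)
            auid = (f["auid"] == "4294967295") ? "unset" : f["auid"]
            print id, auid, f["exe"], f["success"]
        }'
}

# Successful writes by a real login session are the ones to chase first;
# an unset auid usually means a provisioning tool or a service, not a person.
audit_key_events passwd_changes
```

The PATH record that shares event id 501 is what ties the syscall to /etc/passwd; ausearch groups the two for you, and a failed open (success=no, exit=-13 is EACCES) is still worth seeing because it shows who tried.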

9
MCQmedium

A system administrator wants to limit the number of simultaneous logins for a user to 2. Which file and parameter should be configured?

A./etc/pam.d/login: session required pam_limits.so
B./etc/security/limits.conf: username hard maxlogins 2
C./etc/security/limits.conf: @users hard maxlogins 2
D./etc/security/limits.conf: username soft nproc 2
AnswerB

Correct: limits.conf with hard maxlogins limits login count.

Why this answer

Option B is correct because the `/etc/security/limits.conf` file allows setting resource limits per user or group, and the `maxlogins` parameter specifically controls the maximum number of simultaneous logins for a user. The syntax `username hard maxlogins 2` enforces a hard limit of 2 concurrent sessions for that user, which is the exact requirement. This limit is enforced by the PAM module `pam_limits.so`, which must be configured in the appropriate PAM stack file (e.g., `/etc/pam.d/login` or `/etc/pam.d/sshd`).

Exam trap

The Linux+ exam often tests the distinction between `maxlogins` (simultaneous logins) and `nproc` (number of processes), and the difference between `soft` and `hard` limits, causing candidates to confuse process limits with login limits or choose a group-based entry when a per-user entry is required.

How to eliminate wrong answers

Option A is wrong because /etc/pam.d/login is a PAM service file, not a limits file; the line session required pam_limits.so is what loads the module so that limits.conf is consulted, but it does not itself set any limit. Option C is wrong because @users refers to the group named 'users', not a specific username, and the question asks to limit one user. Option D is wrong because nproc limits the number of processes, not logins, and a soft limit is merely the value currently in effect, which the user may raise up to the hard limit, so it cannot enforce a cap the user cannot lift.

10
Multi-Selecthard

An administrator is configuring a firewall using iptables to block all incoming traffic except SSH on port 22. Which three rules correctly implement this? (Choose THREE.)

Select 3 answers
A.iptables -A INPUT -p tcp --dport 22 -j DROP
B.iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
C.iptables -A INPUT -p tcp --dport 22 -j ACCEPT
D.iptables -A INPUT -j DROP
E.iptables -P INPUT DROP
AnswersB, C, E

Default policy DROP, then accept established/related traffic, then accept new SSH.

Why this answer

The correct approach: set the INPUT default policy to DROP (E), accept packets belonging to established or related connections (B), and accept new TCP connections to port 22 (C). Option A drops SSH, the opposite of the goal. Option D, a catch-all -A INPUT -j DROP, also works as the last rule in the chain, but the conventional way to express "block everything else" is the chain policy, which still applies after the rules are flushed. Two things the question leaves out that matter in practice: -m state --state is the legacy spelling of -m conntrack --ctstate, and most hosts also need -A INPUT -i lo -j ACCEPT for services that talk over loopback. The order you type these matters when you are connected over SSH: setting the policy to DROP before the ESTABLISHED,RELATED rule is in place cuts off the session you are working from.
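An added example, not from the original page, that turns the three keyed rules into a complete iptables-restore file, which is how you would actually deploy them: iptables-restore loads the whole table atomically, so the policy and the accept rules take effect together and you cannot lock yourself out part-way as you can by typing rules one at a time over SSH. The loopback accept, the INVALID drop, the rate-limited LOG line and the optional management-network argument are additions of this example that the question does not mention; the check function confirms the one property the question is really about, that the SSH accept sits above the final drop.

```shell
#!/bin/sh
# Added example (not from the original page): the Q10 policy as an
# iptables-restore(8) file. "-m conntrack --ctstate" is the current spelling of
# the question's "-m state --state"; both are accepted by current iptables.

# ssh_only_ruleset [MGMT_CIDR] -> prints a complete *filter table. The optional
# argument narrows SSH to a management network (default 0.0.0.0/0 = anyone).
ssh_only_ruleset() {
    src=${1:-0.0.0.0/0}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s $src --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# rule_line RULESET PATTERN -> line number of the first line matching PATTERN
# (empty if absent); used to reason about evaluation order.
rule_line() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# check_ordering RULESET -> succeeds only if the INPUT policy is DROP and the
# SSH accept precedes the catch-all drop. A drop placed first would make the
# accept unreachable, which is the mistake the question's option A sets up.
check_ordering() {
    accept=$(rule_line "$1" '--dport 22 .*-j ACCEPT')
    drop=$(rule_line "$1" '^-A INPUT -j DROP$')
    policy=$(rule_line "$1" '^:INPUT DROP')
    [ -n "$accept" ] && [ -n "$drop" ] && [ -n "$policy" ] && [ "$accept" -lt "$drop" ]
}

# Deploy as root:  ssh_only_ruleset 192.168.1.0/24 | iptables-restore
# then persist with iptables-save (or the distribution's iptables service).
ssh_only_ruleset 192.168.1.0/24
```

The explicit -A INPUT -j DROP at the end is redundant with the policy; it is there so the LOG rule has a natural place and so the file reads the same whether or not the policy line is honoured by whatever loads it.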

11
MCQmedium

A user reports they cannot log in after three failed password attempts. The system uses PAM with pam_faillock. Which command can the administrator use to view the number of failed attempts for the user?

A.faillock --user username
B.ausearch -m USER_LOGIN -ui username
C.pam_tally2 --user username
D.lastb username
AnswerA

faillock --user username prints the recorded failures for that user.

Why this answer

The question states that the system uses pam_faillock, and faillock(8) is the companion tool for that module: faillock --user username lists the recorded failures (time, source, whether each still counts), and faillock --user username --reset clears them so the user can log in again. pam_tally2 --user username (option C) is the equivalent for the older pam_tally2 module, which Linux-PAM removed in version 1.5.0 and RHEL 8 replaced with pam_faillock; it reads a different counter file (/var/log/tallylog rather than the per-user files under /var/run/faillock), so on a faillock system it shows nothing useful. ausearch -m USER_LOGIN (option B) shows login audit events, not the lockout counter, and lastb (option D) reads /var/log/btmp.

12
MCQmedium

A file on an SELinux-enabled system has the security context 'unconfined_u:object_r:httpd_sys_content_t:s0'. A web server needs to read it, but it is being denied. Which command changes the context to allow access?

A.chcon -t httpd_sys_content_t /path/to/file
B.setsebool -P httpd_read_content on
C.semanage fcontext -a -t httpd_sys_content_t /path/to/file
D.restorecon -v /path/to/file
AnswerA

chcon sets the type to httpd_sys_content_t, which the httpd_t domain is allowed to read.

Why this answer

The item's intended answer is A: chcon -t httpd_sys_content_t changes the file's type on the spot, without touching the policy or requiring a relabel, which is what "which command changes the context" is asking for. Read literally, though, the stem is inconsistent: the context it prints already carries httpd_sys_content_t, and only the type field matters for this decision (the unconfined_u user and object_r role play no part in whether httpd_t may read the file), so a chcon to the same type changes nothing and the denial must have another cause. On a real host you would not guess: check the actual label with ls -Z, confirm it is SELinux at all with ausearch -m AVC -ts recent, and check the DAC bits, since a file Apache cannot read under Unix permissions is denied long before SELinux is consulted. The keyed answer only makes sense if the printed type is taken to be a wrong one (for example user_home_t after a mv), in which case chcon is the quick fix the question wants.

Exam trap

A common trap is confusing chcon (immediate, not backed by a policy rule, lost on relabel) with semanage fcontext plus restorecon (persistent, policy-based). Candidates may choose the persistent method when the question asks for the single command that changes the context now.

How to eliminate wrong answers

Option B is wrong because httpd_read_content is not a boolean in the standard targeted policy (the closest real one, httpd_read_user_content, governs content under home directories), and booleans only widen what a type is allowed to do; they never change a file's label. Option C is wrong because semanage fcontext -a adds a rule to the policy's file-context store but does not relabel the existing file; a restorecon would be needed afterwards. Option D is wrong because restorecon -v only applies whatever rule the policy already has for the path; if none maps it to httpd_sys_content_t, it will not set that type and may leave the file wrongly labelled.

13
MCQmedium

A security analyst notices repeated failed login attempts on a Linux server. They want to lock the account after 3 failed attempts using PAM. Which PAM module should be configured in /etc/pam.d/sshd or /etc/pam.d/system-auth?

A.pam_faillock.so
B.pam_tally2.so
C.pam_pwquality.so
D.pam_unix.so
AnswerA

Correct: pam_faillock locks an account after a configurable number of failed attempts.

Why this answer

pam_faillock is the module that locks an account after N failures (deny=3 in /etc/security/faillock.conf or on the module line, with unlock_time to release the lock automatically) and it is what current distributions ship; on RHEL 8 and later you enable it with authselect (a profile with the with-faillock feature) rather than editing system-auth by hand. pam_tally2 (option B) did the same job on older systems, but Linux-PAM removed it in version 1.5.0 and RHEL 8 replaced it with pam_faillock, so it is a legacy answer rather than the one a current exam expects. pam_pwquality checks password strength and pam_unix performs the actual password check; neither counts failures.

14
Multi-Selecthard

A security audit reveals that a Linux system allows password-based SSH logins and has weak password policies. Which THREE actions should the administrator take to improve security? (Choose three.)

Select 3 answers
A.Change SSH port to 2222
B.Configure pam_faillock.so to lock accounts after failed attempts
C.Configure pam_pwquality.so to enforce password complexity
D.Set PasswordAuthentication no in sshd_config
E.Set PermitRootLogin yes
AnswersB, C, D

Prevents brute force.

Why this answer

Disabling password authentication, enforcing password complexity via pam_pwquality, and setting account lockout via pam_faillock are three strong measures. Changing SSH port is a minor hardening but not as effective as the other three. Enabling root login is bad.

15
MCQhard

A server running nftables has a rule set that allows incoming SSH from the management network (192.168.1.0/24). An administrator needs to insert a rule to drop SSH from all other sources. Which nft command accomplishes this? Assume the input chain is 'input' and the table is 'inet filter'.

A.nft add rule inet filter input ip saddr != 192.168.1.0/24 tcp dport 22 drop
B.nft insert rule inet filter input tcp dport 22 drop
C.nft replace rule inet filter input handle 1 tcp dport 22 drop
D.nft add rule inet filter input tcp dport 22 accept
AnswerA

This appends a rule, after the existing allow, that drops SSH from sources outside the management network.

Why this answer

The correct command is A. The existing rule allows SSH from 192.168.1.0/24. To drop SSH from everywhere else, the new rule must match packets whose source is not in that subnet and whose destination port is 22, and drop them.

add rule appends to the end of the chain, so the management-network accept keeps its place and is evaluated first; ip saddr != 192.168.1.0/24 negates the source subnet. Option B is wrong for a reason that is easy to miss: insert rule puts the rule at the top of the chain, ahead of the accept, so it would drop SSH from the management network as well. Its rule text, tcp dport 22 drop, would be fine if it were appended after the accept, and it has one advantage over A: in an inet table, ip saddr matches only IPv4, so A leaves an IPv6 SSH connection untouched unless a matching ip6 saddr rule is added too.

Option C replaces whichever rule currently has handle 1 (nft -a list chain inet filter input shows the handles) and carries no source condition, so it would either clobber the accept or drop management traffic. Option D accepts SSH from all sources, the opposite of the requirement. Therefore, A is correct.

Exam trap

Candidates often confuse add and insert in nftables. The stem says "insert a rule", but the rule has to land after the allow rule: add appends, insert prepends, and a drop placed before the accept would make the accept unreachable. When you need a specific position rather than either end, both verbs take a handle (add rule ... handle N puts the new rule after that rule, insert rule ... handle N puts it before).

16
Multi-Selectmedium

An administrator needs to harden SSH access. Which TWO settings in /etc/ssh/sshd_config are recommended to improve security? (Choose two.)

Select 2 answers
A.PermitRootLogin yes
B.PermitRootLogin no
C.Protocol 1
D.PasswordAuthentication no
E.Port 22
AnswersB, D

Prevents direct root login.

Why this answer

Option B is correct because setting `PermitRootLogin no` disables direct root login via SSH, forcing administrators to log in as a regular user and then use `su` or `sudo` for privileged commands. This prevents attackers from targeting the root account directly and ensures all root-level actions are logged under the individual user's session. Option D is correct because setting `PasswordAuthentication no` disables password-based authentication, requiring SSH key pairs, which are not susceptible to password guessing or credential stuffing. Option C, `Protocol 1`, is the opposite of hardening: SSH protocol 1 has known cryptographic weaknesses, and OpenSSH dropped it in 7.6, so on current servers the directive has no effect and on older ones it enables a broken protocol. Option E, `Port 22`, is simply the default.

Exam trap

The trap here is that candidates often think changing the default SSH port (Option E) is a strong security measure, but the exam considers it a weak control compared to disabling root login and password authentication, which directly address authentication vulnerabilities.

17
MCQeasy

A Linux administrator needs to add a new user named 'jdoe' with a home directory and a bash shell. Which command accomplishes this?

A.usermod -m -s /bin/bash jdoe
B.adduser jdoe --home /home/jdoe --shell /bin/bash
C.useradd -m -s /bin/bash jdoe
D.passwd -m jdoe
AnswerC

This creates the home directory and sets the shell.

Why this answer

The useradd command with -m creates the home directory and -s sets the shell. useradd -m -s /bin/bash jdoe is correct.

18
MCQmedium

An administrator needs to prevent a specific user 'bob' from logging in via SSH while allowing other users. Which configuration directive should be added to /etc/ssh/sshd_config?

A.AllowUsers alice charlie
B.PermitRootLogin no
C.DenyUsers bob
D.AllowUsers bob
AnswerC

DenyUsers bob blocks that one user and leaves everyone else as they were.

Why this answer

The requirement is to block exactly one user while continuing to allow everyone else, and DenyUsers bob is the directive that says precisely that. Option A, AllowUsers alice charlie, does block bob, but it also blocks every account other than alice and charlie, so it meets the requirement only if those two are the only other users on the host; some answer keys mark A, and AllowUsers is the right pattern when the goal is an allowlist, but it is not what this stem asks for. sshd_config(5) evaluates these directives in a fixed order, DenyUsers, AllowUsers, DenyGroups, AllowGroups, before authentication, so a user matched by DenyUsers is rejected whatever the later directives say. Check the file with sshd -t and reload the service after editing.

Exam trap

The trap cuts both ways: candidates who have learned that allowlists beat denylists pick AllowUsers even though the stem describes a single exception, while candidates who pick DenyUsers should recognise that on a hardened host an explicit AllowUsers or AllowGroups list is the stronger posture, with DenyUsers layered on top for individual exceptions.

How to eliminate wrong answers

Option A is wrong as an answer to this stem because it changes the policy for everyone: only the listed users can log in, which goes well beyond preventing bob. Option B is wrong because PermitRootLogin no only affects the root account and has no effect on bob. Option D is wrong because AllowUsers bob would permit only bob and block everyone else, the exact opposite of the requirement.

19
Multi-Selecteasy

Which THREE of the following commands are used to manage iptables rules? (Select THREE.)

Select 3 answers
A.iptables -p
B.iptables -j
C.iptables -I
D.iptables -A
E.iptables -D
AnswersC, D, E

Inserts a rule at a specified position.

Why this answer

iptables is used with options -A (append), -I (insert), -D (delete). -L lists rules, -F flushes. -j is for target, not a command itself. -p is for protocol. -s is source.

20
MCQmedium

An administrator wants to restrict SSH access to only users in the 'sshusers' group. Which configuration directive should be added to /etc/ssh/sshd_config?

A.AllowUsers sshusers
B.Match Group sshusers
C.AllowGroups sshusers
D.DenyGroups all
AnswerC

AllowGroups allows only users in the specified group to log in via SSH.

Why this answer

The AllowGroups directive in sshd_config restricts SSH access to users who are members of the specified group(s).

21
Multi-Selecthard

An administrator is configuring sudo access for a group of developers. They should be able to run any command as root, but only after authenticating with their own password. Which TWO configuration lines in /etc/sudoers would achieve this? (Select TWO.)

Select 2 answers
A.Defaults:%developers !authenticate
B.root ALL=(ALL) ALL
C.%developers ALL=(ALL) NOPASSWD: ALL
D.%developers ALL=(ALL) ALL
E.%developers ALL=(ALL) PASSWD: ALL
AnswersD, E

Either line gives developers full sudo access with the default password prompt.

Why this answer

Option D is correct because `%developers ALL=(ALL) ALL` lets members of the `developers` group run any command as any user (including root) from any host, and sudo's default (`Defaults authenticate`, with `targetpw` and `rootpw` off) asks for the invoking user's own password. Option E is also correct because the `PASSWD:` tag says the same thing explicitly; it is what you use to restore the prompt for one rule when a `Defaults !authenticate` line has removed it globally. The two lines are alternatives, not a pair: either one alone meets the requirement. Edit sudoers only through `visudo`, or check a drop-in with `visudo -cf /etc/sudoers.d/developers`, so a syntax error cannot lock everyone out of sudo.

Exam trap

The trap here is that candidates confuse the default behaviour of sudo (a password prompt) with the explicit `PASSWD` tag and pick `NOPASSWD` (option C) or the `!authenticate` default (option A), both of which remove the prompt; the question asks for the lines that keep it.

22
MCQmedium

A security auditor notices that a service account's password never expires. The company policy requires password rotation every 60 days. Which command will enforce this policy for the service account?

A.chage -W 7 serviceacct
B.usermod -e 60 serviceacct
C.chage -M 60 serviceacct && chage -d 0 serviceacct
D.passwd -n 60 serviceacct
AnswerC

This sets the maximum age to 60 days and forces a change at the next login.

Why this answer

chage -M 60 sets the maximum password age to 60 days (field 5 of the user's /etc/shadow entry); chage -d 0 zeroes the last-change date so the current password counts as expired and must be changed at the next login. A caveat for a service account specifically: if nothing ever logs in interactively as that user, -d 0 leaves it permanently in the "must change" state, and the PAM account check then fails for things like su - serviceacct or cron jobs that run through PAM. Rotate the credential through your secrets process (passwd run by root, or the application's own mechanism) rather than relying on the forced-change prompt. usermod -e 60 (B) sets an account expiry date, not a password age; chage -W 7 (A) only sets the warning period; passwd -n 60 (D) sets the minimum age.

23
MCQhard

An AppArmor profile for a web server is in complain mode. After testing, the administrator wants to enforce the profile. Which command accomplishes this?

A.apparmor_parser -r /etc/apparmor.d/usr.sbin.httpd
B.aa-enforce /etc/apparmor.d/usr.sbin.httpd
C.aa-complain /etc/apparmor.d/usr.sbin.httpd
D.aa-status /etc/apparmor.d/usr.sbin.httpd
AnswerB

Correct command.

Why this answer

The correct command to enforce an AppArmor profile that is currently in complain mode is `aa-enforce`. This command switches the profile from complain (log-only) to enforce (block violations) mode. The option `-r` in `apparmor_parser` reloads the profile but does not change its mode; `aa-complain` sets it to complain mode, and `aa-status` only displays status.

Exam trap

The trap here is that candidates confuse `apparmor_parser -r` (which reloads the profile but does not change its mode) with the mode-switching commands `aa-enforce` and `aa-complain`, leading them to choose option A incorrectly.

How to eliminate wrong answers

Option A is wrong because `apparmor_parser -r` reloads the profile from disk but does not change its operational mode; it would reload the profile in its current mode (complain), not enforce. Option C is wrong because `aa-complain` sets the profile to complain mode, which is the opposite of what the administrator wants. Option D is wrong because `aa-status` is used to display the status of loaded AppArmor profiles, not to change their enforcement mode.

24
MCQeasy

A Linux administrator needs to ensure that user passwords expire after 90 days. Which command should be used to enforce this policy?

A.chage -M 90 username
B.passwd -x 90 username
C.passwd -e 90 username
D.usermod -e 90 username
AnswerA

chage -M sets the maximum password age in days.

Why this answer

The `chage -M 90 username` command sets the maximum number of days a password stays valid before it must be changed, enforcing a 90-day expiry. It writes field 5 (max) of that user's `/etc/shadow` entry; `PASS_MAX_DAYS` in `/etc/login.defs` is the default copied into that field for newly created accounts and does not touch existing users.

Exam trap

The trap here is that candidates overlook that `passwd -x` does the same thing as `chage -M` but the exam expects `chage`, the tool built for aging, or they misremember `usermod -e` as password aging when it actually sets the account expiry date.

How to eliminate wrong answers

Option B is not the keyed answer even though `passwd -x 90 username` is valid: on shadow-utils systems it sets the same maximum-age field, but the exam treats `chage` as the standard tool for aging policy and marks A. Option C is wrong because `passwd -e` takes no number; `passwd -e username` expires the password immediately (last-change date set to 0), so `passwd -e 90 username` is a usage error, not a 90-day interval. Option D is wrong because `usermod -e` sets the account expiration date (given as YYYY-MM-DD), after which the account cannot log in at all; it has nothing to do with password aging.
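An added example, not from the original page, covering the /etc/shadow aging fields from question 4 and what chage -M and chage -d 0 (questions 22 and 24) actually write. shadow_status applies the same day-count comparisons pam_unix makes at login to a shadow entry and a "today" value in days since the epoch, and shadow_set_field rewrites one field the way chage does. The entries are constructed (the hashes are placeholders), and treating a missing last-change date as "no aging information" is a simplification of this example.

```shell
#!/bin/sh
# Added example (not from the original page). /etc/shadow fields, colon separated:
#   1 name  2 hash  3 lastchg  4 min  5 max  6 warn  7 inactive  8 expire  9 reserved
# Fields 3 and 8 are days since 1970-01-01 (date +%s / 86400); empty = unset.
# chage rewrites one field each: -d -> 3, -m -> 4, -M -> 5, -W -> 6, -I -> 7, -E -> 8.

# shadow_status ENTRY TODAY_DAYS -> prints one of
#   account-expired | must-change | expired | inactive | warn | ok
# checked in the order pam_unix's account stage evaluates them.
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        last = $3; max = $5; warn = $6; inact = $7; expire = $8
        if (expire != "" && today + 0 >= expire + 0) { print "account-expired"; exit }  # chage -E
        if (last != "" && last + 0 == 0)             { print "must-change"; exit }      # chage -d 0 / passwd -e
        if (last == "" || max == "")                 { print "ok"; exit }               # no aging information
        age = today - last
        if (age > max + 0) {
            if (inact != "" && age > max + inact)    { print "inactive"; exit }         # past the grace period
            print "expired"; exit
        }
        if (warn != "" && age > max - warn)          { print "warn"; exit }
        print "ok"
    }'
}

# shadow_set_field ENTRY FIELD VALUE -> ENTRY with that one field replaced,
# which is all chage changes in the line (it then rewrites /etc/shadow atomically).
shadow_set_field() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v f="$2" -v v="$3" '{ $f = v; print }'
}

# Worked run: a 60-day policy applied with "chage -M 60" to an account that
# last changed its password on day 19000 (constructed values).
today=19061
svc='svc:$6$placeholder$hash:19000:0:99999:7:3::'
rotated=$(shadow_set_field "$svc" 5 60)        # chage -M 60 svc
forced=$(shadow_set_field "$rotated" 3 0)      # chage -d 0 svc
echo "before:      $(shadow_status "$svc" "$today")"       # ok
echo "after -M 60: $(shadow_status "$rotated" "$today")"   # expired
echo "after -d 0:  $(shadow_status "$forced" "$today")"    # must-change
```

Two things the worked run makes visible: 99999 in the max field is why "never expires" accounts pass the check, and a max of 60 makes a password last changed 61 days ago expired the moment the policy is applied, which is the lockout risk for a service account noted under question 22.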

25
MCQeasy

Which command displays the current SELinux mode?

A.setenforce
B.selinuxenabled
C.sestatus
D.getenforce
AnswerD

getenforce shows the current SELinux mode.

Why this answer

getenforce displays whether SELinux is enforcing, permissive, or disabled.

26
Multi-Selectmedium

A security administrator is reviewing SSH configuration. Which TWO settings enhance security by limiting authentication attempts and preventing password-based logins? (Choose two.)

Select 2 answers
A.MaxAuthTries 3
B.PasswordAuthentication no
C.Protocol 2
D.PermitRootLogin no
E.Port 2222
AnswersA, B

Limits number of authentication attempts.

Why this answer

MaxAuthTries sets maximum authentication attempts. PasswordAuthentication no disables password auth, forcing key-based.

27
MCQmedium

A firewall administrator wants to add a rule to allow incoming SSH traffic (port 22) using firewalld. Which command correctly adds this rule to the default zone permanently?

A.firewall-cmd --add-port=22/tcp
B.firewall-cmd --add-service=ssh --permanent
C.firewall-cmd --add-port=22 --permanent
D.firewall-cmd --zone=public --add-service=ssh
AnswerB

Adds the SSH service to the default zone in the permanent (saved) configuration.

Why this answer

firewall-cmd --add-service=ssh --permanent writes the ssh service into the default zone's saved configuration, so it survives reboots. Note that --permanent alone changes only the saved configuration: the running firewall is unaffected until firewall-cmd --reload, so in practice you run the command both with and without --permanent, or make the runtime change and then firewall-cmd --runtime-to-permanent. Option A is a runtime-only change that disappears on reload. Option C is a usage error, because --add-port needs port/protocol (22/tcp). Option D is runtime-only as well, and --zone=public is the same as the default zone only when public is the default. --add-port=22/tcp --permanent would also work; --add-service=ssh is the more readable form because the service definition carries the port and protocol.

28
MCQmedium

A security team wants to restrict SSH access to only users in the 'sshusers' group. Which configuration line in /etc/ssh/sshd_config achieves this?

A.DenyGroups sshusers
B.AllowGroups sshusers
C.AllowUsers sshusers
D.Subsystem sftp /usr/lib/openssh/sftp-server
AnswerB

Allows only members of sshusers group.

Why this answer

Option B is correct because the `AllowGroups` directive in `/etc/ssh/sshd_config` restricts SSH login to users who are members of the specified group. By setting `AllowGroups sshusers`, only users in the 'sshusers' group are permitted to authenticate via SSH, meeting the security team's requirement.

Exam trap

The trap here is confusing `AllowGroups` with `AllowUsers`; candidates often select `AllowUsers sshusers` thinking it applies to a group, but it only matches a literal username, not group membership.

How to eliminate wrong answers

Option A is wrong because `DenyGroups sshusers` would block users in the 'sshusers' group from SSH access, which is the opposite of what is required. Option C is wrong because `AllowUsers sshusers` specifies a username, not a group; it would only allow a user literally named 'sshusers' to log in, not all members of the group. Option D is wrong because `Subsystem sftp /usr/lib/openssh/sftp-server` configures the SFTP subsystem and has no effect on restricting SSH access based on group membership.

29
MCQeasy

A Linux administrator wants to prevent users from reusing their last five passwords. Which PAM module should be configured?

A.pam_faillock
B.pam_pwquality
C.pam_unix
D.pam_pwhistory
AnswerD

pam_pwhistory maintains a history of previous passwords and can reject reuse.

Why this answer

The pam_pwhistory module is specifically designed to enforce password history policies by storing a user's previous passwords in a separate file (e.g., /etc/security/opasswd) and preventing reuse of those passwords. By configuring the 'remember' option in the PAM stack, the administrator can set the number of previous passwords that cannot be reused, such as 'remember=5' to block the last five passwords.

Exam trap

The trap here is that candidates often confuse pam_pwquality (which enforces password strength) with pam_pwhistory (which enforces password reuse prevention), leading them to select pam_pwquality when the question specifically asks about preventing reuse of previous passwords.

How to eliminate wrong answers

Option A is wrong because pam_faillock locks accounts after repeated failed logins; it has nothing to do with password history. Option B is wrong because pam_pwquality checks the strength of a proposed password (length, character classes, dictionary words) and does not track earlier ones. Option C is the closest distractor: pam_unix does accept a remember=N option that stores old hashes in /etc/security/opasswd and rejects reuse, which is how older configurations did this, but the question asks which module is designed for the job, and that is pam_pwhistory, which current distributions use for password history.

30
MCQhard

A system administrator is configuring firewalld on a Linux server. They want to allow incoming HTTPS traffic permanently for the public zone. Which command should be used?

A.firewall-cmd --zone=public --add-service=https
B.firewall-cmd --service=https --add --zone=public --permanent
C.firewall-cmd --add-port=443/tcp --zone=public --permanent
D.firewall-cmd --add-service=https --zone=public --permanent
AnswerD

This adds the HTTPS service to the public zone permanently.

Why this answer

Option D is correct because the `firewall-cmd --add-service=https --zone=public --permanent` command adds the HTTPS service (TCP port 443) to the public zone and makes the rule persistent across reboots. The `--permanent` flag ensures the change survives a firewall reload or system restart, and the `--zone=public` targets the correct network zone for incoming traffic.

Exam trap

The trap here is that candidates often forget the `--permanent` flag or confuse the order of arguments, leading them to choose Option A (runtime-only change) or Option B (invalid syntax), while Option C works but is not the best practice for service-based rules.

How to eliminate wrong answers

Option A is wrong because it lacks the `--permanent` flag, so the rule only applies to the runtime configuration and will be lost after a firewall reload or reboot. Option B is wrong because the syntax is invalid: `--service` is not a valid option, and the flags are in the wrong order; the correct syntax is `--add-service` followed by the service name. Option C is wrong because while it uses the correct `--permanent` and `--zone` flags, it specifies a port number instead of the service name; using the service name is preferred for clarity and ensures the correct protocol (TCP) is applied, as HTTPS always uses TCP.

31
MCQhard

An administrator is configuring log rotation for /var/log/auth.log. They want logs to be rotated weekly, compressed, and kept for 12 weeks. Which logrotate configuration directive achieves this?

A.daily { rotate 12 compress }
B.weekly { rotate 12 compress }
C.weekly { rotate 52 compress }
D.monthly { rotate 12 compress }
AnswerB

This is the correct logrotate syntax.

Why this answer

weekly, compress, and rotate 12 set the desired behavior. The other options have incorrect parameters.

32
MCQhard

After modifying a PAM configuration file for sshd, a user reports they cannot log in. Which command can be used to verify the syntax of the PAM configuration without affecting running services?

A.pam_unix -t [CORRECT]
B.pam-auth-update --package [wrong]
C.pam_tally2 --check [wrong]
D.pam_faillock --test [wrong]
AnswerB

On Debian systems, this command can reconfigure PAM and validate module entries.

Why this answer

The `pam-auth-update --package` command is used on Debian-based systems to verify the syntax of PAM configuration files without affecting running services. It checks the configuration and reports any errors. This is the correct tool for syntax checking, whereas `pam_unix -t` does not validate syntax—it tests authentication against the pam_unix module. `pam_tally2` and `pam_faillock` are for account lockout management.

Exam trap

The trap is that candidates may think `pam_unix -t` is a syntax checker, but it is not. On Debian/Ubuntu, `pam-auth-update --package` is the appropriate command for syntax validation.

How to eliminate wrong answers

Option A is wrong because `pam_unix -t` is not a valid command; `pam_unix` is a PAM module, not a command-line tool for syntax checking. Option C is wrong because `pam_tally2 --check` is used to display login failure counts, not to verify PAM configuration syntax. Option D is wrong because `pam_faillock --test` is used to test faillock configuration for account locking, not to validate general PAM syntax.

33
MCQmedium

A technician needs to generate a self-signed certificate for an internal web server. Which OpenSSL command creates a new private key and a certificate signing request (CSR) in one step?

A.openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt
B.openssl genrsa -out server.key 2048 && openssl req -new -key server.key -out server.csr
C.openssl ca -new -key server.key -out server.csr
D.openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
AnswerD

One-step creation of key and CSR.

Why this answer

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr creates both key and CSR.

34
Multi-Selecthard

After configuring AppArmor, an administrator wants to verify the status of all profiles and switch a profile from complain to enforce mode. Which THREE commands are appropriate? (Choose three.)

Select 3 answers
A.systemctl restart apparmor
B.aa-status
C.apparmor_parser -r /etc/apparmor.d/profile
D.aa-complain /path/to/profile
E.aa-enforce /path/to/profile
AnswersB, D, E

Shows status of all AppArmor profiles.

Why this answer

B is correct because `aa-status` is the standard command to display the current status of all AppArmor profiles, including which are in enforce or complain mode. This directly meets the administrator's need to verify profile status before switching modes. D and E are correct because the profile mode is changed with the `aa-*` utilities: `aa-complain` puts a profile into complain mode and `aa-enforce` switches it to enforce mode, which is the change the administrator wants to make.

Exam trap

The trap here is that candidates confuse `aa-complain` with `aa-enforce` or think that reloading a profile with `apparmor_parser` changes its mode, when in fact the mode is set separately via the `aa-*` utilities.

35
MCQmedium

A security audit reveals that users can change their password without meeting complexity requirements. Which PAM module should be configured to enforce password complexity?

A.pam_faillock
B.pam_unix
C.pam_tally2
D.pam_pwquality
AnswerD

pam_pwquality enforces password strength rules.

Why this answer

pam_pwquality is the module that enforces password quality rules like length, character classes, etc.

36
MCQmedium

A security analyst wants to ensure that users cannot change their password more than once every 7 days. Which command and option should be used to enforce this policy for user 'jsmith'?

A.usermod -e 7 jsmith
B.chage -m 7 jsmith
C.chage -M 7 jsmith
D.passwd -n 7 jsmith
AnswerB

-m sets minimum days between password changes.

Why this answer

The `chage -m 7 jsmith` command sets the minimum number of days required between password changes for user jsmith to 7 days. The `-m` option of `chage` specifically controls the minimum password age, preventing the user from changing their password more than once every 7 days.

Exam trap

The trap here is confusing the `-m` (minimum days) and `-M` (maximum days) options of `chage`, as candidates often mix up which option controls the minimum interval between password changes versus the password expiration period.

How to eliminate wrong answers

Option A is wrong because `usermod -e` sets an account expiration date, not a minimum password age. Option C is wrong because `chage -M` sets the maximum password age (how long a password is valid), not the minimum interval between changes. Option D is wrong because `passwd -n` is not a valid option; the correct command to set minimum password age is `chage -m`, not `passwd`.

37
MCQmedium

A Linux server fails to boot after an administrator edits /etc/selinux/config and sets SELINUX=disabled. What is the most likely reason for the boot failure?

A.The administrator did not run restorecon on /etc/selinux/config
B.The administrator set SELINUX=0 instead of SELINUX=disabled
C.The administrator forgot to set SELINUXTYPE=targeted
D.The administrator set SELINUX=permissive which requires a relabel
AnswerB

SELINUX accepts enforcing, permissive, or disabled; 0 is invalid and may cause boot failure.

Why this answer

Setting SELINUX=disabled is a valid value and by itself should not prevent the system from booting; disabling SELinux can cause services that rely on SELinux contexts to fail, but it does not stop the boot. The SELINUX directive in /etc/selinux/config accepts only enforcing, permissive, or disabled, so if the administrator instead wrote SELINUX=0 (or made a similar typo), the invalid value is the most likely cause of the boot failure, which is why Option B is the expected answer.

Related pitfalls when changing the SELinux state are forgetting to schedule a relabel (for example with 'fixfiles onboot') or to adjust the kernel parameters, but among the given options only B describes an invalid setting.

38
MCQeasy

An administrator wants to force a password change for user 'alice' on next login. Which command is appropriate?

A.passwd --expire alice
B.passwd -l alice
C.chage -d 0 alice
D.usermod -f alice
AnswerA, C

Correct: --expire forces immediate password change.

Why this answer

Both `passwd --expire alice` and `chage -d 0 alice` force password expiration on next login. `passwd --expire` immediately expires the password, while `chage -d 0` sets the last password change date to 0 (epoch), forcing a change on next login. `passwd -l` locks the account and `usermod -f` sets the inactivity period, not immediate expiration.

39
MCQmedium

A Linux administrator wants to monitor changes to the /etc/passwd file for security auditing. Which auditctl command should be used?

A.auditctl -a always,exit -F path=/etc/passwd -F perm=wa
B.auditctl -w /etc/passwd -p r -k passwd_read
C.auditctl -w /etc/passwd -p wa -k passwd_change
D.ausearch -f /etc/passwd
AnswerC

Correctly watches for write and attribute changes.

Why this answer

auditctl -w /etc/passwd -p wa -k passwd_change watches for write and attribute changes.

40
Multi-Selectmedium

A Linux administrator needs to implement password complexity rules requiring at least one uppercase letter, one digit, and a minimum length of 10 characters. Which two PAM configuration entries would be used? (Choose TWO.)

Select 1 answer
A.password required pam_pwhistory.so use_authtok
B.password required pam_unix.so
C.password requisite pam_pwquality.so minlen=10 ucredit=1 dcredit=1
D.auth required pam_faillock.so
E.password requisite pam_pwquality.so enforce_for_root
AnswersC

Enforces minimum length and requires uppercase and digit.

Why this answer

Option C is correct because the `pam_pwquality.so` module enforces password complexity rules. The `minlen=10` parameter sets the minimum password length to 10 characters, `ucredit=1` requires at least one uppercase letter, and `dcredit=1` requires at least one digit. The `requisite` control ensures that if these checks fail, authentication is immediately denied.

Option E is also correct because `enforce_for_root` applies the same complexity rules to the root user, which is often needed to fully enforce the policy. Options A, B, and D are incorrect: `pam_pwhistory.so` is for password history, not complexity; `pam_unix.so` does not enforce complexity; `pam_faillock.so` is an `auth` module for account lockout, not password strength.

Exam trap

The CompTIA Linux+ exam often tests the distinction between `pam_pwquality.so` (complexity) and `pam_pwhistory.so` (history), and candidates may confuse `auth` modules (like `pam_faillock.so`) with `password` modules, or forget that `pam_unix.so` does not enforce complexity rules.

41
MCQmedium

To limit the number of processes a user can create, which file should be configured?

A./etc/pam.d/login
B./etc/security/limits.conf
C./etc/ulimit.conf
D./etc/systemd/system.conf
AnswerB

This file defines hard and soft limits for resources like nproc.

Why this answer

/etc/security/limits.conf sets resource limits per user/group, including nproc (number of processes).

42
MCQeasy

Which command displays the current SELinux mode?

A.sestatus
B.setenforce
C.getenforce
D.getsebool -a
AnswerC

Displays current mode.

Why this answer

getenforce displays the current SELinux mode (Enforcing, Permissive, Disabled). sestatus provides more detail including mode and policy version. setenforce changes mode, getsebool shows booleans.

43
MCQmedium

A system administrator needs to configure sudo so that members of the 'wheel' group can execute any command without a password. Which line should be added to /etc/sudoers (using visudo)?

A.%wheel ALL=(ALL) ALL
B.wheel ALL=(ALL) NOPASSWD: ALL
C.%wheel ALL=(ALL) NOPASSWD: ALL
D.%wheel ALL=NOPASSWD: ALL
AnswerC

Correct: % denotes group, NOPASSWD eliminates password prompt.

Why this answer

To allow wheel group to run all commands without a password, the line should be '%wheel ALL=(ALL) NOPASSWD: ALL'.

44
MCQhard

A security audit reveals that an SELinux boolean 'httpd_can_network_connect' is currently off, but a web application requires Apache to connect to a database server. Which command should the administrator use to enable this boolean persistently?

A.setenforce 1
B.setsebool httpd_can_network_connect 1
C.setsebool -P httpd_can_network_connect on
D.getsebool httpd_can_network_connect
AnswerC

Correctly sets the boolean persistently.

Why this answer

setsebool -P makes the change persistent across reboots.

45
MCQeasy

Which command displays the current SELinux mode (e.g., enforcing, permissive, disabled)?

A.getenforce
B.getsebool -a
C.seinfo
D.sestatus
AnswerA

Correct. getenforce prints enforcing, permissive, or disabled.

Why this answer

getenforce shows the current mode. getsebool shows boolean values. sestatus shows more detailed status including mode and policy. seinfo shows policy information.

46
MCQeasy

Which command can be used to generate an SSH key pair for user authentication?

A.ssh-keyscan
B.ssh-keygen
C.ssh-copy-id
D.ssh-add
AnswerB

ssh-keygen generates SSH key pairs.

Why this answer

The `ssh-keygen` command is the standard tool for generating SSH key pairs (public and private keys) used for user authentication. It creates RSA, ECDSA, Ed25519, or DSA key files (e.g., `~/.ssh/id_rsa` and `~/.ssh/id_rsa.pub`) and supports options like `-t` for key type and `-b` for bit length, directly enabling passwordless login via public key authentication.

Exam trap

The trap here is that candidates confuse `ssh-keygen` (key generation) with `ssh-copy-id` (key deployment) or `ssh-add` (key loading), leading them to pick a command that manages existing keys rather than creating new ones.

How to eliminate wrong answers

Option A is wrong because `ssh-keyscan` is used to gather SSH public host keys from remote servers, not to generate user key pairs. Option C is wrong because `ssh-copy-id` installs an existing public key onto a remote server's `authorized_keys` file, but does not generate keys itself. Option D is wrong because `ssh-add` adds private key identities to the SSH authentication agent (`ssh-agent`), but it cannot create new key pairs.

47
MCQmedium

A Linux administrator needs to configure a firewall to allow incoming SSH connections on the default port. Which firewalld command accomplishes this permanently?

A.firewall-cmd --add-service=ssh --permanent && firewall-cmd --reload
B.firewall-cmd --add-port=22/tcp --permanent
C.firewall-cmd --add-service=ssh
D.firewall-cmd --zone=public --add-port=22/tcp
AnswerA

Correctly adds the service permanently and reloads.

Why this answer

The correct command adds the ssh service to the default zone permanently and reloads the firewall.

48
MCQmedium

A user reports being unable to log in because the password is locked. The administrator needs to unlock the account. Which command should be used?

A.usermod -L username
B.passwd -l username
C.passwd -u username
D.chage -E -1 username
AnswerC

Correct: -u unlocks the account.

Why this answer

passwd -u unlocks a locked account. usermod -U also works. Among options, passwd -u is correct.

49
MCQhard

A system administrator needs to configure PAM to lock a user account after 5 failed login attempts for 15 minutes. Which two PAM modules and configuration lines are appropriate? (Select TWO.)

A.session required pam_limits.so
B.account required pam_faillock.so deny=5 unlock_time=900
C.auth required pam_tally2.so deny=5 unlock_time=900
D.auth required pam_faillock.so deny=5 unlock_time=900
E.password required pam_pwquality.so retry=5
AnswerC, D

pam_tally2 can also be used for account lockout with similar options.

Why this answer

pam_faillock can be used to lock accounts after failed attempts. The 'deny' option sets the threshold, and 'unlock_time' sets the lockout duration. Alternatively, pam_tally2 can be used with similar options.

50
MCQeasy

Which of the following correctly describes the purpose of the /etc/shadow file?

A.It stores the list of users who can use sudo.
B.It stores group memberships and group passwords.
C.It stores user account information including UID, GID, and shell.
D.It stores encrypted passwords and password aging fields.
AnswerD

Correct.

Why this answer

The /etc/shadow file stores encrypted (hashed) user passwords and password aging information such as the date of last password change, minimum/maximum password age, and account expiration. This file is readable only by root to protect password hashes from unauthorized access, unlike /etc/passwd which is world-readable.

Exam trap

The trap here is that candidates confuse the purpose of /etc/shadow with /etc/passwd, mistakenly thinking /etc/shadow stores UID, GID, and shell, when in fact those are in /etc/passwd and /etc/shadow specifically holds password hashes and aging data.

How to eliminate wrong answers

Option A is wrong because the list of users who can use sudo is stored in /etc/sudoers (or /etc/sudoers.d/), not in /etc/shadow. Option B is wrong because group memberships and group passwords are stored in /etc/group and /etc/gshadow, not in /etc/shadow. Option C is wrong because user account information including UID, GID, and shell is stored in /etc/passwd, not in /etc/shadow.

51
MCQeasy

An administrator wants to enforce an account lockout policy after five failed login attempts on a Linux system. Which PAM module should be added to the authentication stack?

A.pam_faillock.so
B.pam_unix.so
C.pam_pwquality.so
D.pam_tally2.so
AnswerA

pam_faillock locks accounts after a defined number of failures.

Why this answer

pam_faillock is used for account lockout after failed attempts. pam_unix handles authentication, pam_pwquality checks password strength, pam_tally2 is an older module.

52
MCQhard

A system administrator configures PAM to enforce account lockout after 3 failed login attempts. Which PAM module should be used?

A.pam_faillock
B.pam_pwquality
C.pam_securetty
D.pam_unix
AnswerA

pam_faillock manages account lockout based on failed attempts.

Why this answer

pam_faillock is the correct PAM module for enforcing account lockout after a specified number of failed login attempts. It tracks failed authentication attempts per user and can lock the account when the threshold (e.g., 3 attempts) is reached, typically by writing to a tally file like /var/log/faillock.

Exam trap

The trap here is that candidates may confuse pam_faillock with pam_tally2 (a legacy module) or assume pam_unix alone can enforce lockout, but pam_unix lacks built-in lockout tracking and requires pam_faillock or pam_tally2 for that feature.

How to eliminate wrong answers

Option B (pam_pwquality) is wrong because it enforces password quality rules (e.g., length, complexity) during password changes, not account lockout after failed logins. Option C (pam_securetty) is wrong because it restricts root login to terminals listed in /etc/securetty, not lockout policies. Option D (pam_unix) is wrong because it handles standard Unix authentication (e.g., verifying passwords via /etc/shadow) but does not provide account lockout functionality on its own.

53
MCQmedium

A security policy requires that all users must have passwords with at least one uppercase letter, one digit, and a minimum length of 12 characters. Which PAM configuration file and module should be used to enforce this?

A./etc/pam.d/login with pam_securetty.so
B./etc/pam.d/sshd with pam_unix.so
C./etc/pam.d/sudo with pam_permit.so
D./etc/pam.d/common-password with pam_pwquality.so
AnswerD

pam_pwquality.so enforces password complexity rules.

Why this answer

pam_pwquality is used for password complexity requirements. It is typically configured in /etc/pam.d/common-password (or system-auth, password-auth) with options like minlen, ucredit, dcredit.

54
MCQeasy

A Linux administrator needs to add a new user named 'jdoe' with a home directory and default shell /bin/bash. Which command should be used?

A.chage -m -s /bin/bash jdoe
B.useradd -m -s /bin/bash jdoe
C.passwd -m -s /bin/bash jdoe
D.usermod -m -s /bin/bash jdoe
AnswerB

Correct. useradd with -m creates home directory and -s sets shell.

Why this answer

The useradd command is used to create new users. The -m option creates the home directory, and -s sets the shell. usermod modifies existing users, passwd sets passwords, and chage manages password aging.

55
MCQhard

An administrator notices that a process is running with the context 'unconfined_u:unconfined_r:unconfined_t:s0'. What does this indicate about SELinux?

A.The process is running in permissive mode.
B.The process is running in an unconfined domain.
C.SELinux is disabled.
D.The process is confined by a targeted policy.
AnswerB

Unconfined domains have minimal restrictions.

Why this answer

The 'unconfined' domain means the process is not restricted by SELinux policy; it can run as if SELinux is disabled.

56
MCQeasy

Which command displays the current SELinux mode?

A.selinuxenabled
B.sestatus
C.setenforce
D.getenforce
AnswerD

Correct command.

Why this answer

The `getenforce` command displays the current SELinux mode as either Enforcing, Permissive, or Disabled. It directly queries the SELinux status from the kernel and returns the current enforcement state without requiring elevated privileges. This makes it the correct command for simply viewing the current mode.

Exam trap

The trap here is that candidates confuse `setenforce` (which changes the mode) with `getenforce` (which displays the mode), or they assume `sestatus` is the only command to check SELinux state, overlooking the simpler `getenforce` command specifically asked for the current mode.

How to eliminate wrong answers

Option A is wrong because `selinuxenabled` only returns an exit code (0 if SELinux is enabled, 1 if disabled) and does not display the current mode. Option B is wrong because `sestatus` provides detailed SELinux status information including the mode, but it is not the command that specifically displays only the current mode; it shows additional context like policy version and loaded policy name. Option C is wrong because `setenforce` is used to change the SELinux mode (e.g., `setenforce 0` for permissive, `setenforce 1` for enforcing) and does not display the current mode.

57
MCQmedium

A system administrator is hardening SSH and needs to disable root login and password authentication. Which two directives should be set in /etc/ssh/sshd_config?

A.PermitRootLogin no and ChallengeResponseAuthentication no
B.DenyUsers root and PasswordAuthentication no
C.PermitRootLogin no and PasswordAuthentication no
D.PermitRootLogin prohibit-password and PasswordAuthentication yes
AnswerC

These two settings disable root login and password auth.

Why this answer

Option C is correct because disabling root login and password authentication are two separate directives in sshd_config. PermitRootLogin no prevents direct SSH access for the root user, and PasswordAuthentication no disables password-based logins, forcing the use of key-based authentication. Both directives are required to meet the hardening goal.

Exam trap

The trap here is that candidates confuse ChallengeResponseAuthentication with PasswordAuthentication, or assume DenyUsers is a valid directive for blocking root, when the correct syntax is PermitRootLogin no.

How to eliminate wrong answers

Option A is wrong because ChallengeResponseAuthentication no disables challenge-response authentication (e.g., keyboard-interactive), but it does not disable password authentication; PasswordAuthentication must be explicitly set to no. Option B is wrong because DenyUsers root is not a valid sshd_config directive; the correct directive is PermitRootLogin no. Option D is wrong because PasswordAuthentication yes enables password authentication, which contradicts the requirement to disable it; PermitRootLogin prohibit-password allows root login with key-based authentication but does not disable password authentication for other users.

58
MCQmedium

An administrator wants to generate a self-signed certificate and private key for testing. Which command creates both in one step?

A.openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
B.openssl genrsa -out key.pem 2048
C.openssl req -new -x509 -days 365 -key key.pem -out cert.pem
D.openssl x509 -req -in req.pem -signkey key.pem -out cert.pem
AnswerA

Generates key and certificate in one command.

Why this answer

Option A is correct because the `openssl req -x509 -newkey rsa:2048` command generates a new private key (via `-newkey`) and immediately creates a self-signed X.509 certificate (via `-x509`) in a single step. The `-keyout` and `-out` flags specify the output files for the private key and certificate, respectively, and `-nodes` ensures the private key is not encrypted with a passphrase, which is typical for testing scenarios.

Exam trap

The trap here is that candidates often confuse `openssl req -new` (which creates a CSR) with `openssl req -x509` (which creates a self-signed certificate), leading them to pick option C, which requires a pre-existing key and does not generate both in one step.

How to eliminate wrong answers

Option B is wrong because `openssl genrsa` only creates an RSA private key; it does not generate a certificate, so it fails to produce both artifacts in one step. Option C is wrong because it uses `-key key.pem` to reference an existing private key file, meaning the private key must already exist; it does not create a new private key as part of the command. Option D is wrong because `openssl x509 -req` processes a Certificate Signing Request (CSR) and signs it with a provided key; it requires a pre-existing CSR and private key, so it does not generate both in one step.

59
MCQmedium

A system administrator needs to add an iptables rule to drop incoming TCP traffic on port 22 (SSH) from the IP address 10.0.0.100. Which command should be used?

A.iptables -A INPUT -p udp --dport 22 -s 10.0.0.100 -j DROP
B.iptables -I OUTPUT -p tcp --sport 22 -d 10.0.0.100 -j DROP
C.iptables -A FORWARD -p tcp --dport 22 -s 10.0.0.100 -j DROP
D.iptables -A INPUT -p tcp --dport 22 -s 10.0.0.100 -j DROP
AnswerD

This appends a rule to the INPUT chain to drop SSH from that source.

Why this answer

The correct syntax is iptables -A INPUT -p tcp --dport 22 -s 10.0.0.100 -j DROP. The chain is INPUT, protocol tcp, destination port 22, source IP, and target DROP.

60
MCQmedium

A Linux administrator is troubleshooting a service that fails to start. The audit.log shows an AVC denial related to the httpd_t domain. The administrator wants to see the full denial message and generate a policy to allow the access. Which two commands should be used in conjunction?

A.auditctl and ausearch
B.ausearch and restorecon
C.aureport and audit2why
D.ausearch and audit2allow
AnswerD

ausearch retrieves the denial, and audit2allow creates a policy module to allow it.

Why this answer

The correct answer is D because `ausearch` retrieves the full AVC denial message from the audit log, and `audit2allow` generates a policy module to allow the denied access. Together, they enable the administrator to first identify the exact denial and then create a custom SELinux policy to permit the httpd_t domain's blocked action.

Exam trap

The trap here is that candidates confuse `ausearch` with `aureport` or `auditctl`, or think `restorecon` can fix AVC denials, when in fact only `ausearch` paired with `audit2allow` provides the complete solution for generating a custom policy from a denial message.

How to eliminate wrong answers

Option A is wrong because `auditctl` configures audit rules and does not retrieve denial messages, while `ausearch` alone cannot generate a policy. Option B is wrong because `restorecon` restores default SELinux contexts on files, which does not address AVC denials or generate policies. Option C is wrong because `aureport` summarizes audit events but does not produce a policy, and `audit2why` explains denials but does not generate an allow policy.

61
MCQhard

An administrator notices that an AppArmor profile is in complain mode for a service that should be enforcing. Which command changes the profile to enforce mode?

A.apparmor_parser -r /etc/apparmor.d/profile
B.aa-status --enforce /etc/apparmor.d/profile
C.aa-enforce /etc/apparmor.d/profile
D.aa-complain /etc/apparmor.d/profile
AnswerC

Enforces the specified profile.

Why this answer

aa-enforce sets a profile to enforce mode. aa-complain sets to complain, aa-status shows status, and apparmor_parser loads profiles.

62
MCQhard

An administrator is troubleshooting an AppArmor profile that is blocking a custom application. They want to set the profile to complain mode to gather violations without enforcing. Which command should they use?

A.aa-status
B.aa-complain /path/to/profile
C.apparmor_parser -r /etc/apparmor.d/profile
D.aa-enforce /path/to/profile
AnswerB

Sets complain mode.

Why this answer

aa-complain sets the profile to complain mode.

63
Multi-Selectmedium

A security audit has identified that several users have excessive sudo privileges. The administrator needs to review and modify sudo access. Which two files or commands would be used? (Choose TWO.)

Select 2 answers
A.chage
B.visudo
C.usermod -G
D./etc/sudoers
E./etc/group
AnswersB, D

Command to safely edit /etc/sudoers.

Why this answer

visudo is the recommended way to edit /etc/sudoers safely. The file /etc/sudoers contains the rules. /etc/sudoers.d/ is a directory for drop-in files. The other options are unrelated.

64
MCQmedium

To harden SSH, an administrator needs to disable root login over SSH. Which directive should be set in /etc/ssh/sshd_config?

A.RootLogin no
B.PermitRootLogin no
C.DenyUsers root
D.AllowUsers root
AnswerB

Correct directive to disable root login.

Why this answer

PermitRootLogin no prevents root from logging in via SSH.

65
MCQmedium

A user named 'jdoe' needs to run commands as root without being given the root password. The administrator wants to grant jdoe the ability to run any command as root, but only after entering their own password. Which entry in /etc/sudoers accomplishes this?

A.jdoe ALL=(ALL) NOPASSWD: ALL
B.jdoe ALL=(root) /usr/bin/su
C.jdoe ALL= /bin/su -
D.jdoe ALL=(ALL) ALL
AnswerD

This allows jdoe to run any command as any user, but requires a password by default.

Why this answer

The format is 'user host=(runas) commands'. The correct entry grants jdoe full root access with password authentication.

66
Multi-Selecthard

A security audit reveals that a service is running with an incorrect SELinux context. Which two commands can be used to relabel the file or directory to the correct context? (Choose TWO.)

Select 2 answers
A.setenforce 0
B.restorecon -R /path/to/file
C.chcon -t httpd_sys_content_t /path/to/file
D.fixfiles relabel
E.ls -Z
AnswersB, C

Restores default SELinux context.

Why this answer

restorecon restores default context based on policy, and chcon can set a specific context manually.

67
MCQeasy

A Linux administrator needs to prevent the root user from logging in via SSH. Which directive should be set in /etc/ssh/sshd_config to accomplish this?

A.PasswordAuthentication no
B.PermitRootLogin no
C.MaxAuthTries 1
D.AllowUsers root
AnswerB

This setting prevents root from logging in via SSH.

Why this answer

The directive `PermitRootLogin no` in `/etc/ssh/sshd_config` explicitly disallows the root user from authenticating via SSH, regardless of the authentication method used. This is the standard way to block root SSH logins while still allowing other users to connect.

Exam trap

The trap here is that candidates often confuse `PasswordAuthentication no` with blocking root login, not realizing that root could still authenticate via SSH keys or other mechanisms if `PermitRootLogin` is not explicitly set to `no`.

How to eliminate wrong answers

Option A is wrong because `PasswordAuthentication no` disables password-based authentication for all users, but root could still log in using a public key or other methods; it does not specifically prevent root login. Option C is wrong because `MaxAuthTries 1` limits the number of authentication attempts per connection, but it does not prevent root from logging in on the first successful attempt. Option D is wrong because `AllowUsers root` explicitly permits only the root user to log in, which is the opposite of what is needed.

68
MCQmedium

A web server running on port 8080 must be accessible from external networks. The system uses firewalld. Which command opens port 8080/tcp permanently in the default zone?

A.firewall-cmd --zone=public --add-service=8080/tcp --permanent
B.firewall-cmd --permanent --add-port=8080/tcp
C.iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
D.firewall-cmd --add-port=8080/tcp
AnswerB

Correct: --permanent makes it persistent, --add-port opens the port.

Why this answer

The correct firewalld command is 'firewall-cmd --permanent --add-port=8080/tcp', followed by 'firewall-cmd --reload' so the permanent rule is applied to the running configuration.

69
MCQmedium

A security audit reveals that the /etc/shadow file is readable by all users. What is the most appropriate immediate action?

A.chmod 000 /etc/shadow
B.chmod 600 /etc/shadow && chown root:shadow /etc/shadow
C.chmod 640 /etc/shadow
D.chmod 600 /etc/shadow
AnswerB

Sets proper permissions and ownership to root and shadow group.

Why this answer

The /etc/shadow file stores hashed user passwords and must be protected from unauthorized access. The correct command is `chmod 600 /etc/shadow && chown root:shadow /etc/shadow` because it sets the file to be readable and writable only by the owner (root) and changes the group to 'shadow', which is the standard group used by many Linux distributions to allow certain system utilities (like `pwck` or `unix_chkpwd`) to read the file without granting access to all users. This ensures that only root and members of the shadow group can read the file, immediately fixing the security issue.

Exam trap

Cisco often tests the misconception that simply setting restrictive permissions (like 600) is sufficient, without also ensuring the correct group ownership (shadow), which is a common oversight in Linux security hardening.

How to eliminate wrong answers

Option A is wrong because `chmod 000 /etc/shadow` removes all permissions for everyone, including root, which would break system authentication and password management utilities that require root to read the file. Option C is wrong because `chmod 640 /etc/shadow` gives read permission to the group, which is typically not the shadow group by default and could still expose the file to unauthorized users if the group is set incorrectly. Option D is wrong because `chmod 600 /etc/shadow` alone does not change the group ownership to 'shadow', so the file might remain accessible to a group that should not have access, failing to follow the principle of least privilege and standard Linux security practices.

70
MCQeasy

A technician needs to ensure a service can listen on TCP port 8443 using firewalld. Which command permanently adds the port to the default zone?

A.firewall-cmd --add-port=8443/tcp --permanent
B.firewall-cmd --add-port=8443 --permanent
C.firewall-cmd --add-port=8443/tcp
D.firewall-cmd --add-service=8443/tcp --permanent
AnswerA

Correctly adds port 8443/tcp permanently.

Why this answer

The correct syntax is firewall-cmd --add-port=8443/tcp --permanent. The other options either omit the protocol, use incorrect syntax, or forget --permanent.

71
MCQhard

An administrator runs 'auditctl -w /etc/passwd -p wa -k passwd_changes' to monitor changes to /etc/passwd. Which command should be used to search the audit log for all events related to this watch?

A.ausearch -k passwd_changes
B.auditctl -l -k passwd_changes
C.tail -f /var/log/audit/audit.log | grep passwd_changes
D.aureport -k passwd_changes
AnswerA

Correct. ausearch with -k searches for audit events with that key.

Why this answer

The `ausearch -k passwd_changes` command is correct because it searches the audit log for events that were tagged with the key `passwd_changes` when the watch was created via `auditctl -w /etc/passwd -p wa -k passwd_changes`. The `-k` option in `auditctl` assigns a key to the rule, and `ausearch` uses that same key to filter and retrieve matching audit records from `/var/log/audit/audit.log`.

Exam trap

The trap here is that candidates confuse `ausearch` (for searching logs) with `aureport` (for generating summaries) or `auditctl -l` (for listing rules), leading them to pick a command that does not actually retrieve historical audit events.

How to eliminate wrong answers

Option B is wrong because `auditctl -l -k passwd_changes` lists currently loaded audit rules, not search results from the audit log; it would show the rule itself, not events. Option C is wrong because `tail -f /var/log/audit/audit.log | grep passwd_changes` is a raw log tail with grep, which is inefficient and unreliable for structured audit log searching, and it does not use the dedicated `ausearch` tool that properly parses audit records. Option D is wrong because `aureport -k passwd_changes` generates summary reports of audit events, not a detailed event listing; it aggregates data and does not output individual audit records like `ausearch` does.

72
Multi-Selecthard

An administrator needs to configure iptables to allow incoming SSH traffic only from the 10.0.0.0/8 network and drop all other incoming traffic except established connections. Which TWO rules are necessary?

Select 2 answers
A.iptables -A INPUT -p tcp --dport 22 -j DROP
B.iptables -P INPUT DROP
C.iptables -A INPUT -j DROP
D.iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
E.iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
AnswersD, E

Allows SSH from the 10.0.0.0/8 network.

Why this answer

Option D is correct because it explicitly allows incoming SSH traffic (TCP port 22) from the 10.0.0.0/8 network, which matches the requirement to permit SSH only from that subnet. Option E is correct because it accepts all packets that are part of an established or related connection, ensuring that return traffic for outbound connections is not dropped by the default policy or subsequent rules.

Exam trap

The trap here is that candidates often forget to include the rule for established connections (Option E) and mistakenly think setting a default DROP policy (Option B) or a blanket DROP rule (Option C) alone is sufficient, not realizing that without allowing established traffic, all return packets are dropped, breaking connectivity.

73
Multi-Selecthard

A system administrator is configuring PAM to lock out users after 3 failed login attempts for 15 minutes. Which TWO PAM modules can be used together to achieve this? (Select TWO.)

Select 2 answers
A.pam_faillock.so
B.pam_tally2.so
C.pam_limits.so
D.pam_pwquality.so
E.pam_unix.so
AnswersA, E

pam_faillock can enforce lockout after failed attempts.

Why this answer

pam_faillock.so is the modern PAM module designed to track failed login attempts and enforce account lockout policies. It can be configured with parameters like `deny=3` to lock after three failures and `unlock_time=900` to set a 15-minute lockout duration. This module is the recommended replacement for the deprecated pam_tally2.so in current Linux distributions.

Exam trap

The trap here is that candidates often select pam_tally2.so (option B) because it was historically used for this purpose, but the exam expects knowledge of the modern, supported module pam_faillock.so, and they may also mistakenly think pam_unix.so alone handles lockout when it only performs standard Unix authentication.

74
Multi-Selectmedium

An administrator wants to harden SSH access by implementing the following: disallow root login, disable password authentication, and limit the number of authentication attempts. Which three configuration directives should be set in /etc/ssh/sshd_config? (Choose THREE.)

Select 3 answers
A.PermitRootLogin no
B.Port 22
C.PermitEmptyPasswords no
D.PasswordAuthentication no
E.MaxAuthTries 3
AnswersA, D, E

Disallows root login via SSH.

Why this answer

PermitRootLogin no disallows root login, PasswordAuthentication no disables password authentication, and MaxAuthTries 3 limits the number of authentication attempts per connection.

75
MCQmedium

An administrator notices repeated failed login attempts in /var/log/secure. The company policy requires account lockout after 5 failed attempts within 15 minutes. Which PAM module and configuration can enforce this?

A.pam_unix.so with remember=5
B.pam_pwquality.so with minlen=5
C.pam_limits.so with maxlogins=5
D.pam_faillock.so with deny=5 unlock_time=900
AnswerD

This configuration locks after 5 attempts and unlocks after 15 minutes.

Why this answer

Option D is correct because pam_faillock.so is the PAM module specifically designed to track failed login attempts and enforce account lockout policies. The `deny=5` parameter sets the threshold to 5 failures, and `unlock_time=900` sets the lockout duration to 900 seconds (15 minutes), matching the policy requirement exactly.

Exam trap

The trap here is confusing password policy modules (pam_pwquality.so, pam_unix.so) or session limits (pam_limits.so) with the dedicated account lockout module pam_faillock.so, leading candidates to select options that address different security controls.

How to eliminate wrong answers

Option A is wrong because pam_unix.so with `remember=5` controls password history (preventing reuse of the last 5 passwords), not account lockout after failed logins. Option B is wrong because pam_pwquality.so with `minlen=5` enforces password complexity and minimum length, not failed login attempt tracking. Option C is wrong because pam_limits.so with `maxlogins=5` limits the maximum number of concurrent login sessions for a user, not the number of failed attempts before lockout.
