CCNA Security Questions

50 of 125 questions · Page 2/2 · Security · Answers revealed

76 · MCQ · medium

A Linux technician is configuring a firewall with firewalld. The organization requires that SSH services be available only on the internal network zone (10.0.0.0/8). Which command should be used to add this rule permanently?

A. firewall-cmd --zone=internal --add-port=22/tcp --add-source=10.0.0.0/8 --permanent
B. firewall-cmd --zone=public --add-service=ssh --add-source=10.0.0.0/8 --permanent
C. firewall-cmd --zone=internal --add-rich-rule='rule family=ipv4 source address=10.0.0.0/8 service name=ssh accept' --permanent
D. firewall-cmd --zone=internal --add-service=ssh --add-source=10.0.0.0/8 --permanent
Answer: C, D

The rich-rule form (option C) also works but is more verbose; the simpler option D is sufficient.

Why this answer

Both options C and D achieve the goal of allowing SSH only from the internal network (10.0.0.0/8). Option C uses a rich rule to explicitly allow SSH from that source. Option D adds the SSH service to the internal zone and then assigns the source 10.0.0.0/8 to that zone; since no other sources are assigned to internal, only traffic from that source matches the internal zone and thus gets SSH access.

Both commands are valid, but note that option D relies on the default zone not allowing SSH, while option C is more explicit.

77 · MCQ · medium

A system is running SELinux in enforcing mode. A custom application needs to write to /var/log/app.log. The log file shows the correct context, but access is denied. What is the most likely cause?

A. The file context is incorrect.
B. The application is running in an unconfined domain.
C. The SELinux boolean for the application is disabled.
D. SELinux is in permissive mode.
Answer: C

Many applications require a boolean to be enabled.

Why this answer

SELinux policy may not allow the application's domain to write to that file; audit2allow can generate a policy. But the question implies a boolean or context issue. However, the typical cause is a missing policy rule.

But among the options, 'The application is running in an unconfined domain' is plausible but not the best. Actually, the most common cause is that the file context is wrong. But given that the file has the correct context, the issue is likely a boolean or policy.

However, the best answer is 'A transition to the wrong domain'? I'll go with 'The SELinux boolean for the application is disabled'.

78 · MCQ · easy

A Linux administrator needs to add a new user named 'jdoe' with a home directory and bash shell. Which command accomplishes this?

A. groupadd -u jdoe -s /bin/bash
B. useradd -m -s /bin/bash jdoe
C. adduser -h /home/jdoe -s bash jdoe
D. usermod -m -s /bin/bash jdoe
Answer: B

Correct: -m creates home directory, -s sets shell.

Why this answer

The useradd command creates a new user, and the -m flag creates the home directory, -s sets the shell. useradd -m -s /bin/bash jdoe is correct.

79 · MCQ · hard

A Linux administrator needs to configure auditing to monitor changes to the /etc/passwd file. Which auditctl command should be used?

A. auditctl -w /etc/passwd -p rwxa -k passwd_changes
B. auditctl -w /etc/passwd -p wa -k passwd_changes
C. auditctl -a exit,always -S unlink -S rename -F path=/etc/passwd
D. auditctl -a always,exit -F path=/etc/passwd -F perm=wa -k passwd_changes
Answer: B

This adds a watch on the file for write and attribute changes.

Why this answer

auditctl -w /etc/passwd -p wa -k passwd_changes adds a watch on the file for write and attribute changes, with a key for easier searching.

80 · MCQ · medium

An administrator is hardening SSH and wants to disable root login and only allow users in the 'sshusers' group. Which two directives should be set in /etc/ssh/sshd_config?

A. DenyRootLogin yes and AllowGroups sshusers
B. PermitRootLogin prohibit-password and AllowGroups sshusers
C. PermitRootLogin no and AllowGroups sshusers
D. PermitRootLogin no and AllowUsers sshusers
Answer: C

Correct directives.

Why this answer

Option C is correct because the directive `PermitRootLogin no` explicitly disallows root login via SSH, and `AllowGroups sshusers` restricts SSH access to only members of the 'sshusers' group. This combination meets both requirements: disabling root login and limiting access to a specific group. The `AllowGroups` directive is group-based, unlike `AllowUsers`, which is user-based.

Exam trap

The trap here is confusing `AllowGroups` with `AllowUsers` — candidates often pick `AllowUsers sshusers` thinking it restricts to the group, but it actually restricts to a user named 'sshusers', not group membership.

How to eliminate wrong answers

Option A is wrong because `DenyRootLogin` is not a valid directive in sshd_config; the correct directive is `PermitRootLogin`. Option B is wrong because `PermitRootLogin prohibit-password` only disables password-based root login but still allows root login via public key authentication, which does not fully disable root login as required. Option D is wrong because `AllowUsers sshusers` would only allow a user literally named 'sshusers', not members of the 'sshusers' group; the correct group-based directive is `AllowGroups`.

81 · MCQ · easy

Which file contains user password hashes and aging information on a Linux system?

A. /etc/shadow
B. /etc/group
C. /etc/passwd
D. /etc/gshadow
Answer: A

/etc/shadow stores encrypted passwords and aging data.

Why this answer

The /etc/shadow file stores user password hashes along with password aging information, such as the last password change date, minimum and maximum password age, warning period, and inactivity lockout. This file is readable only by root (or privileged processes) to protect the hashed passwords from unauthorized access, unlike /etc/passwd which is world-readable.

Exam trap

The trap here is that candidates often confuse /etc/passwd with /etc/shadow, mistakenly thinking that /etc/passwd still stores password hashes, but modern Linux systems store them only in /etc/shadow for security.

How to eliminate wrong answers

Option B is wrong because /etc/group stores group membership information, not password hashes or aging data. Option C is wrong because /etc/passwd contains user account details (like UID, GID, home directory) and traditionally held password hashes, but on modern Linux systems it uses an 'x' placeholder and defers to /etc/shadow for security. Option D is wrong because /etc/gshadow stores group password hashes and group administrator information, not user password hashes or aging data.

82 · Multi-Select · medium

A security policy requires that user passwords must be changed every 60 days, and users should be warned 7 days before expiration. Which two chage commands set these requirements for user 'jsmith'? (Choose TWO.)

Select 2 answers
A. chage -M 60 jsmith
B. chage -E 60 jsmith
C. chage -W 7 jsmith
D. chage -m 60 jsmith
E. chage -I 7 jsmith
Answers: A, C

Sets maximum password age to 60 days.

Why this answer

chage -M 60 sets max days; chage -W 7 sets warning days.

83 · MCQ · medium

An administrator notices that a non-root user 'alice' can run commands as root without being in the sudoers file. Which group membership could allow this?

A. admin
B. wheel
C. root
D. sudo
Answer: B

Members of wheel group often have sudo privileges.

Why this answer

Option B is correct because on many Linux distributions, membership in the 'wheel' group is a standard mechanism that allows non-root users to execute commands with root privileges via the 'su' command, even if they are not listed in the sudoers file. The 'wheel' group is traditionally used to control access to the 'su' utility, and by default, PAM (Pluggable Authentication Modules) configuration often permits members of the 'wheel' group to switch to the root user without additional sudo configuration.

Exam trap

The trap here is that candidates often focus solely on sudo and the 'sudo' group, overlooking the alternative privilege escalation path through the 'wheel' group and the 'su' command, which is a common misconfiguration in Linux security audits.

How to eliminate wrong answers

Option A is wrong because the 'admin' group is not a standard Linux group for privilege escalation; on some older Ubuntu systems, 'admin' was used for sudo access, but it is not a default mechanism for 'su' and has been replaced by the 'sudo' group. Option C is wrong because the 'root' group is the primary group of the root user itself, and membership in it does not grant a non-root user the ability to run commands as root; it only provides group-level file access permissions. Option D is wrong because the 'sudo' group is used to grant sudo privileges via the sudoers file, but the question specifies that the user is NOT in the sudoers file, so membership in the 'sudo' group alone would not allow root command execution without a corresponding sudoers entry.

84 · MCQ · hard

A Linux server has SELinux enforcing and a custom application needs to write to /var/log/app.log. The audit log shows 'avc: denied { write } for pid=1234'. After verifying that the application runs in the correct domain, which command should be used to allow the write access by generating a policy module?

A. ausearch -m avc | audit2allow -M myapp
B. chcon -t var_log_t /var/log/app.log
C. setsebool -P httpd_unified 1
D. restorecon -v /var/log/app.log
Answer: A

Correct: ausearch retrieves AVC messages, audit2allow creates policy module.

Why this answer

audit2allow reads audit messages and generates SELinux policy allow rules. ausearch can retrieve the specific denial, then audit2allow creates the module.

85 · MCQ · easy

Which command displays the last successful login times for all users?

A. who /var/log/wtmp
B. lastb
C. last
D. lastlog
Answer: D

Correct.

Why this answer

lastlog displays the last login for each user.

86 · MCQ · medium

A security policy requires that users cannot reuse any of their last 5 passwords. Which PAM module and configuration directive enforces this?

A. pam_faillock with deny=5
B. pam_pwhistory with remember=5
C. pam_tally2 with deny=5
D. pam_pwquality with remember=5
Answer: B

Correct. pam_pwhistory with remember=N prevents reuse of last N passwords.

Why this answer

The pam_pwhistory module with the remember directive tracks password history and prevents reuse. pam_pwquality enforces complexity, pam_faillock handles lockout, and pam_tally2 is an older lockout module.

87 · MCQ · hard

An administrator needs to ensure that only users from the 'ops' group can SSH into a server. Which configuration in /etc/ssh/sshd_config accomplishes this?

A. AllowGroups ops
B. Match Group ops DenyUsers *
C. AllowUsers ops
D. DenyUsers all
Answer: A

Correct: AllowGroups restricts by group membership.

Why this answer

The `AllowGroups` directive in `/etc/ssh/sshd_config` restricts SSH access to only users who are members of the specified group. By setting `AllowGroups ops`, only users belonging to the 'ops' group will be permitted to log in via SSH, which directly meets the requirement.

Exam trap

The trap here is confusing `AllowUsers` (which matches usernames) with `AllowGroups` (which matches group membership), leading candidates to select option C when the requirement specifies group-based restriction.

How to eliminate wrong answers

Option B is wrong because `Match Group ops DenyUsers *` would deny all users (including those in 'ops') when the group matches, effectively blocking everyone. Option C is wrong because `AllowUsers ops` restricts access to a user named 'ops', not to members of the 'ops' group. Option D is wrong because `DenyUsers all` is invalid syntax (the correct directive is `DenyUsers` followed by specific usernames, not the keyword 'all'), and it would not achieve group-based restriction.

88 · MCQ · hard

An administrator notices that a custom application uses port 8443/TCP. To allow external access, which firewalld command permanently opens this port in the default zone?

A. firewall-cmd --add-port=8443/tcp --permanent
B. firewall-cmd --add-service=8443/tcp --zone=public --permanent
C. firewall-cmd --add-port=8443 --permanent
D. firewall-cmd --permanent --add-port=8443
Answer: A

Correct. Opens port 8443/tcp permanently.

Why this answer

The correct command is firewall-cmd --add-port=8443/tcp --permanent (option A; the order of the two flags does not matter). The --permanent flag makes the change persistent, --add-port opens the port, and the port specification includes the protocol. --add-service is for predefined services, not port numbers.

89 · MCQ · medium

An administrator needs to allow incoming TCP traffic on port 8443 using firewalld. Which command should be used to make this change persistent?

A. firewall-cmd --zone=public --add-port=8443/tcp
B. firewall-cmd --add-service=8443/tcp --permanent
C. firewall-cmd --add-port=8443/tcp
D. firewall-cmd --add-port=8443/tcp --permanent && firewall-cmd --reload
Answer: D

Adds port persistently and reloads to apply.

Why this answer

To add a port, use firewall-cmd --add-port=8443/tcp --permanent and then reload.

90 · MCQ · easy

An administrator wants to view the current SELinux mode on a system. Which command displays whether SELinux is enforcing, permissive, or disabled?

A. seinfo
B. sestatus
C. getenforce
D. getsebool -a
Answer: C

getenforce returns Enforcing, Permissive, or Disabled.

Why this answer

The `getenforce` command directly displays the current SELinux mode as either 'Enforcing', 'Permissive', or 'Disabled'. It reads the enforcing status from the kernel's SELinux state and outputs the mode in a simple, single-word format, making it the correct choice for this task.

Exam trap

The trap here is that candidates often confuse `sestatus` (which shows the mode among many details) with `getenforce` (which is the dedicated command for just the mode), leading them to choose the more familiar but less precise option.

How to eliminate wrong answers

Option A is wrong because `seinfo` is used to query SELinux policy components (such as types, roles, and users) and does not display the current enforcement mode. Option B is wrong because `sestatus` provides a detailed status report of SELinux, including the current mode, but the question specifically asks for a command that displays whether SELinux is enforcing, permissive, or disabled; while `sestatus` can show this, it is not the most direct command for just the mode, and `getenforce` is the standard utility for that single piece of information. Option D is wrong because `getsebool -a` lists all SELinux boolean values and their current state, not the enforcement mode.

91 · MCQ · easy

A system administrator wants to enforce a password policy requiring a minimum length of 12 characters, at least one uppercase letter, and one digit. Which PAM module should be configured?

A. pam_pwquality
B. pam_unix
C. pam_faillock
D. pam_tally2
Answer: A

pam_pwquality enforces password complexity rules.

Why this answer

pam_pwquality is the correct PAM module because it is specifically designed to enforce password complexity requirements, such as minimum length, uppercase letters, and digits, through configurable parameters like minlen, ucredit, and dcredit. It replaces the older pam_cracklib and is the standard module for password quality checks on modern Linux systems.

Exam trap

The trap here is that candidates confuse pam_unix (which handles authentication and password aging) with pam_pwquality (which enforces complexity), because both are commonly used together in password policies but serve distinct roles.

How to eliminate wrong answers

Option B (pam_unix) is wrong because it handles traditional Unix authentication (password hashing and verification) but does not enforce complexity rules like length or character classes. Option C (pam_faillock) is wrong because it is used for account lockout after failed login attempts, not for password composition policies. Option D (pam_tally2) is wrong because it also manages login failure counting and account locking, not password quality enforcement.

92 · Multi-Select · medium

A security audit reveals that user accounts remain active after employees leave the company. Which TWO commands should be used to disable an account immediately?

Select 3 answers
A. chage -E 0 username
B. usermod -e 1 username
C. usermod -L username
D. passwd -l username
E. userdel username
Answers: B, C, D

Sets account expiration to epoch (Jan 1, 1970), disabling the account.

Why this answer

Options B, C, and D are all correct because each command disables the account immediately through different mechanisms. `usermod -e 1 username` sets the account's expiration date to January 1, 1970 (epoch time), which immediately expires the account and prevents all login methods. `usermod -L username` locks the user's password, preventing password-based authentication. `passwd -l username` also locks the password, effectively disabling password logins. Both locking methods block the most common authentication path, providing immediate disablement. Although the question asks for two commands, three are listed as correct in this context, as each can be used to disable an account.

Exam trap

The trap here is that candidates often confuse locking an account (which only disables password authentication) with expiring an account (which disables all login methods), leading them to select `usermod -L` or `passwd -l` as the sole solution, but the question requires immediate disablement that covers all authentication paths.

93 · Multi-Select · medium

A Linux administrator is troubleshooting a firewall issue using nftables. The ruleset is complex. Which two commands are useful for listing the current ruleset and adding a new rule? (Choose TWO.)

Select 2 answers
A. nft insert rule
B. nft list ruleset
C. nft add rule inet filter input tcp dport 443 accept
D. nft show ruleset
E. nft -a list ruleset
Answers: B, C

Lists all current rules.

Why this answer

Option B is correct because `nft list ruleset` is the standard command to display the entire current nftables ruleset in a human-readable format, which is essential for troubleshooting complex firewall configurations. Option C is correct because `nft add rule inet filter input tcp dport 443 accept` is the proper syntax to append a new rule to the specified chain (here, the 'input' chain of the 'filter' table in the 'inet' family) that accepts TCP traffic on port 443.

Exam trap

The trap here is that candidates may confuse `nft show ruleset` (invalid) with `nft list ruleset` (valid), or think that `nft insert rule` is used for listing rules instead of adding them at a specific position.

94 · MCQ · hard

An administrator needs to view all current nftables rules. Which command should be used?

A. nft list ruleset
B. nft --list
C. nft show ruleset
D. iptables -L
Answer: A

This command shows the entire ruleset.

Why this answer

nft list ruleset displays the entire ruleset. nft list table only shows a specific table.

95 · Multi-Select · hard

An administrator is configuring iptables on a server. The requirements are: allow incoming SSH (port 22) from the 192.168.1.0/24 network, drop all other incoming traffic, and allow all outgoing traffic. Which three iptables rules achieve this? (Choose THREE.)

Select 3 answers
A. iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
B. iptables -P OUTPUT ACCEPT
C. iptables -P FORWARD ACCEPT
D. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
E. iptables -P INPUT DROP
Answers: A, B, E

Allows SSH from subnet.

Why this answer

Default policies: INPUT DROP, OUTPUT ACCEPT. Then allow SSH from subnet.

96 · MCQ · medium

A security auditor notices that users can set weak passwords on a Linux system. The administrator wants to enforce password complexity requiring a minimum of 12 characters, at least one uppercase letter, and at least one digit. Which PAM module should be configured in /etc/pam.d/common-password?

A. pam_unix.so
B. pam_pwquality.so
C. pam_tally2.so
D. pam_faillock.so
Answer: B

pam_pwquality enforces password complexity rules.

Why this answer

pam_pwquality provides password strength checking with parameters like minlen, ucredit, dcredit. The other modules do not handle complexity.

97 · MCQ · hard

An administrator wants to set an SELinux boolean that allows Apache to connect to databases. After setting the boolean, which option ensures the change persists across reboots?

A. setenforce 1
B. setsebool httpd_can_network_connect_db on
C. semanage boolean -m --on httpd_can_network_connect_db
D. setsebool -P httpd_can_network_connect_db on
Answer: D

-P makes it persistent.

Why this answer

setsebool -P makes the change permanent. Without -P, it only lasts until reboot.

98 · MCQ · easy

Which command displays the current SELinux mode?

A. sestatus
B. setenforce
C. selinuxenabled
D. getenforce
Answer: D

Displays the current SELinux mode.

Why this answer

The `getenforce` command displays the current SELinux mode as either Enforcing, Permissive, or Disabled. It reads the enforcing status directly from the kernel, making it the correct choice for checking the runtime mode.

Exam trap

The trap here is that candidates confuse `sestatus` (which also shows the mode) with `getenforce`, but the exam expects the command specifically designed to output only the mode, and `setenforce` is often mistakenly chosen because it sounds like it 'gets' the enforce status.

How to eliminate wrong answers

Option A is wrong because `sestatus` displays comprehensive SELinux status information, including the current mode, policy version, and loaded policy, rather than only the mode; it does show the mode, but `getenforce` is the more direct and standard command for this purpose. Option B is wrong because `setenforce` is used to change the SELinux mode (e.g., `setenforce 0` for Permissive, `setenforce 1` for Enforcing), not to display it. Option C is wrong because `selinuxenabled` returns only an exit status indicating whether SELinux is enabled (0 if enabled, 1 if not) and does not display the current mode.

99 · MCQ · hard

An administrator needs to generate a self-signed certificate valid for 365 days with a 2048-bit RSA key. Which OpenSSL command correctly creates both the private key and certificate in one step?

A. openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
B. openssl x509 -req -in req.pem -signkey key.pem -out cert.pem -days 365
C. openssl ca -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
D. openssl genrsa -out key.pem 2048 && openssl req -new -x509 -key key.pem -out cert.pem -days 365
Answer: A

Single command that generates both key and self-signed certificate.

Why this answer

The command 'openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes' generates a new key and a self-signed certificate in one step. The other options either omit -x509 or -newkey, or use the wrong subcommand or options.

100 · MCQ · hard

An administrator wants to allow the user 'ops' to run only the command '/usr/bin/systemctl restart httpd' via sudo on a specific host 'webserver'. Which /etc/sudoers entry is correct?

A. ops webserver=(root) /usr/bin/systemctl restart httpd
B. ops ALL=(root) /usr/bin/systemctl restart httpd
C. ops webserver=(ALL) /usr/bin/systemctl restart httpd
D. ops webserver=(root) ALL
Answer: A

This restricts to host webserver and runs as root.

Why this answer

The format is: username hostname=(runas) command. For host-specific, use the hostname. The correct entry is 'ops webserver=(root) /usr/bin/systemctl restart httpd'.

101 · MCQ · easy

Which file contains the hashed passwords and password aging information for user accounts?

A. /etc/shadow
B. /etc/gshadow
C. /etc/group
D. /etc/passwd
Answer: A

Contains encrypted passwords and aging data.

Why this answer

/etc/shadow stores password hashes and aging fields.

102 · Multi-Select · medium

A Linux engineer needs to harden SSH access. Which TWO of the following settings should be configured in /etc/ssh/sshd_config to enhance security? (Select TWO.)

Select 2 answers
A. MaxAuthTries 6
B. PasswordAuthentication no
C. Protocol 1
D. PermitRootLogin yes
E. AllowUsers alice bob
Answers: B, E

Disables password logins, reducing risk of brute force.

Why this answer

Option B is correct because disabling password authentication forces the use of SSH keys, which are resistant to brute-force attacks and credential stuffing. This setting eliminates the risk of weak or reused passwords being exploited, a fundamental hardening step for SSH access.

Exam trap

The trap here is that candidates often confuse 'hardening' with 'increasing limits' (like MaxAuthTries) or 'enabling convenience' (like PermitRootLogin yes), when the correct hardening choices actually restrict or disable weaker authentication methods.

103 · Multi-Select · medium

A Linux administrator needs to configure sudo access for members of the 'wheel' group to run any command. Which two steps are required? (Choose TWO.)

Select 2 answers
A. Uncomment the line '%wheel ALL=(ALL) ALL' in /etc/sudoers using visudo
B. Set the setuid bit on /usr/bin/sudo
C. Run 'sudo visudo -c' to check syntax
D. Add users to the 'wheel' group using usermod -aG wheel username
E. Edit /etc/ssh/sshd_config to allow wheel group
Answers: A, D

Grants sudo access to wheel group members.

Why this answer

Option A is correct because the line '%wheel ALL=(ALL) ALL' in /etc/sudoers grants all members of the 'wheel' group permission to execute any command as any user. This line must be uncommented using visudo, which locks the file to prevent concurrent edits and performs syntax validation before saving. Option D is correct because users must be added to the 'wheel' group using 'usermod -aG wheel username' for the sudoers rule to apply to them.

Exam trap

The trap here is that candidates confuse the setuid bit on sudo (which is already set) with a configuration step, or think that editing SSH config or running syntax checks alone grants sudo access, when in fact both the sudoers rule and group membership are required.

104 · MCQ · medium

A system administrator wants to monitor changes to the /etc/passwd file using auditd. Which auditctl command sets up a watch on this file?

A. ausearch -f /etc/passwd
B. auditctl -a always,exit -F path=/etc/passwd -F perm=wa
C. aureport -f /etc/passwd
D. auditctl -w /etc/passwd -p rwxa
Answer: B

Correct: -a adds a rule, always,exit, path, perm=wa (write/attr).

Why this answer

The correct command is `auditctl -a always,exit -F path=/etc/passwd -F perm=wa`. This creates a syscall-based audit rule that triggers on every syscall that accesses /etc/passwd with write (w) or attribute change (a) permissions, effectively monitoring any changes to the file. Option D uses `-w` for a file watch but with `-p rwxa`, which monitors reads and executes as well—not just changes—making it less precise for monitoring changes only.

105 · MCQ · hard

An administrator needs to generate a self-signed certificate and private key for an internal web server. Which OpenSSL command creates both in one step?

A. openssl ca -in req.pem -out cert.pem
B. openssl genrsa -out key.pem 2048 && openssl req -new -x509 -key key.pem -out cert.pem -days 365
C. openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
D. openssl x509 -req -in req.pem -signkey key.pem -out cert.pem
Answer: C

Correct: -x509 for self-signed, -newkey generates key, -keyout and -out output files.

Why this answer

Option C is correct because the `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes` command generates a new RSA private key and a self-signed X.509 certificate in a single step. The `-x509` flag outputs a self-signed certificate instead of a CSR, `-newkey` creates the key pair, and `-nodes` prevents encryption of the private key, which is typical for an internal web server that must start without manual passphrase entry.

Exam trap

The trap here is that candidates may think Option B is correct because it technically works, but the question explicitly asks for a command that creates both 'in one step', meaning a single OpenSSL command, not a shell pipeline of two separate commands.

How to eliminate wrong answers

Option A is wrong because `openssl ca` is used to sign a certificate request (CSR) with a CA certificate, not to generate a self-signed certificate and private key together; it requires an existing CA setup and a pre-generated CSR. Option B is wrong because while it does produce a self-signed certificate and key, it uses two separate commands (`genrsa` then `req`) chained with `&&`, which is not a single OpenSSL command as the question asks for 'one step'. Option D is wrong because `openssl x509 -req` signs a CSR using an existing key (`-signkey`), but it does not generate a new private key; it requires a pre-existing CSR and key file, so it cannot create both in one step.

106 · MCQ · hard

An administrator configures /etc/ssh/sshd_config with the following settings: PermitRootLogin no, PasswordAuthentication no, AllowUsers alice bob, MaxAuthTries 2. After restarting sshd, which of the following is true?

A. User charlie can log in using a public key.
B. User bob can log in using a public key.
C. User alice can log in using a password.
D. Root can log in using a valid password.
Answer: B

Correct. Password authentication is disabled, but public key is allowed, and bob is in AllowUsers.

Why this answer

PasswordAuthentication no disables password logins, so public key authentication is required. PermitRootLogin no prevents root login entirely. AllowUsers restricts to alice and bob only.

MaxAuthTries 2 limits authentication attempts. So root cannot log in even with keys, and alice/bob must use keys.

107 · MCQ · medium

An administrator wants to audit all attempts to access the file /etc/shadow. Which auditctl command should be used?

A. auditctl -A exit,always -F path=/etc/shadow -k shadow
B. auditctl -w /etc/shadow -p rwxa -k shadow
C. auditctl -a always,exit -F path=/etc/shadow -F perm=wa -k shadow
D. ausearch -w /etc/shadow
Answer: C

Option C correctly uses `-a always,exit` with `-F path=/etc/shadow -F perm=wa -k shadow` to audit write and attribute change attempts to /etc/shadow.

Why this answer

Option C is correct because the auditctl command with `-a always,exit -F path=/etc/shadow -F perm=wa -k shadow` uses the system call filter syntax to audit all system calls that attempt to modify the file (write and attribute changes). While the stem states 'all attempts to access,' in the context of security auditing for sensitive files like /etc/shadow, the primary concern is unauthorized modifications. Read attempts are typically considered normal and are not the focus of such rules.

Option B uses the watch syntax (`-w`), which is less precise and not the expected method for this exam. Options A and D have syntax errors or use the wrong tool (ausearch). Therefore, option C is the correct choice.

Exam trap

The trap here is that candidates often confuse the watch-based syntax (`-w`) with the system call filter syntax (`-a`), and incorrectly assume that `-w /etc/shadow -p rwxa` is the correct way to audit all access, but the exam expects the precise `-a always,exit` with `-F perm=wa` for auditing file access attempts that involve modification.

How to eliminate wrong answers

Option A is wrong because `-A` is not a valid auditctl flag; the correct flag for appending a rule is `-a`, and the syntax `-A exit,always` is invalid and would cause an error. Option B is wrong because `-w /etc/shadow -p rwxa -k shadow` uses the watch flag `-w` with permissions `rwxa` (read, write, execute, attribute change), which audits all access types including read. Although that may seem to match 'all attempts to access', the watch-based syntax is less precise for system call auditing than the recommended `-a` approach for exit-based rules; more importantly, `-p rwxa` includes read (`r`), which is not necessary for auditing access attempts that modify the file, and watch mode does not integrate as cleanly with the audit subsystem for exit-based filtering. Option D is wrong because `ausearch` is a search tool for querying audit logs, not a command to add audit rules; it cannot be used to configure auditing.

108
MCQ · medium

An administrator wants to allow user 'jane' to run all commands as root via sudo without a password. Which line should be added to /etc/sudoers?

A. jane ALL=NOPASSWD: ALL
B. jane ALL=(root) NOPASSWD: ALL
C. jane ALL=(ALL) ALL
D. jane ALL=(ALL) NOPASSWD: ALL
Answer: D

Correct syntax for passwordless sudo.

Why this answer

The format is 'username ALL=(ALL) NOPASSWD: ALL'. The other options either require a password, use incorrect syntax, or include unnecessary aliases.

109
MCQ · medium

SELinux is currently in enforcing mode. A service is being blocked by SELinux. Which command can analyze the audit log and suggest the minimum policy changes to allow the service?

A. ausearch
B. audit2allow
C. setsebool
D. restorecon
Answer: B

audit2allow creates policy from audit denials.

Why this answer

audit2allow reads audit messages and generates policy modules to allow the denied actions.

110
MCQ · medium

An administrator needs to generate a self-signed certificate and private key for a web server. Which openssl command accomplishes this?

A. openssl genrsa -out key.pem 2048 && openssl req -new -x509 -key key.pem -out cert.pem -days 365
B. openssl req -new -key key.pem -out csr.pem
C. openssl ca -in csr.pem -out cert.pem
D. openssl x509 -req -in csr.pem -signkey key.pem -out cert.pem
Answer: A

Generates key and then self-signed cert.

Why this answer

Option A is correct because it first generates a 2048-bit RSA private key using `openssl genrsa`, then uses `openssl req -new -x509` to create a self-signed X.509 certificate directly from that key, bypassing the need for a Certificate Signing Request (CSR). The `-x509` flag tells OpenSSL to output a self-signed certificate instead of a CSR, and `-days 365` sets the validity period. This two-step process produces both the private key (`key.pem`) and the self-signed certificate (`cert.pem`) required for a web server.

Exam trap

The trap here is that candidates may confuse the `openssl req -new -x509` command with the CSR-only `openssl req -new` command, or think that a CSR is required for self-signed certificates, when in fact the `-x509` flag directly outputs a self-signed certificate without needing a separate CSR step.

How to eliminate wrong answers

Option B is wrong because `openssl req -new -key key.pem -out csr.pem` only generates a Certificate Signing Request (CSR), not a self-signed certificate; it requires a CA to sign the CSR to produce a certificate. Option C is wrong because `openssl ca -in csr.pem -out cert.pem` assumes a CA infrastructure is already set up and configured, and it signs an existing CSR using the CA's own key and certificate, which is not a self-signed certificate generation process. Option D is wrong because `openssl x509 -req -in csr.pem -signkey key.pem -out cert.pem` creates a self-signed certificate from a CSR, but it requires a CSR to already exist (generated by a separate command), making it a two-step process that is less direct than Option A; more importantly, it does not generate the private key, so it is incomplete for the stated requirement.

111
MCQ · easy

Which log file typically records authentication failures and successes on a Debian-based system?

A. /var/log/auth.log
B. /var/log/messages
C. /var/log/syslog
D. /var/log/secure
Answer: A

Records authentication logs on Debian.

Why this answer

On Debian/Ubuntu, /var/log/auth.log records authentication events. On RHEL/CentOS, it's /var/log/secure.

112
MCQ · easy

Which command displays the current SELinux mode?

A. selinuxenabled
B. getsebool -a
C. chcon
D. sestatus
Answer: D

sestatus shows SELinux status including mode.

Why this answer

The 'sestatus' command displays the current SELinux mode, including whether it is enforcing, permissive, or disabled, along with other SELinux status information.

113
MCQ · easy

An administrator needs to add a new user named 'jdoe' with a home directory and default group. Which command should be used?

A. useradd jdoe
B. groupadd jdoe
C. passwd jdoe
D. usermod jdoe
Answer: A

Correct. useradd creates a new user with default settings including home directory.

Why this answer

The useradd command creates a new user. Options can control the home directory and group, but by default it creates a home directory and assigns the user a group of their own.

114
MCQ · medium

A technician needs to create a self-signed certificate and private key for a web server. Which OpenSSL command should be used?

A. openssl genrsa -out key.pem 2048 && openssl req -new -key key.pem -out cert.pem
B. openssl x509 -req -in req.pem -signkey key.pem -out cert.pem
C. openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
D. openssl ca -in req.pem -out cert.pem
Answer: C

This command creates a self-signed certificate valid for 365 days.

Why this answer

Option C is correct because the `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes` command generates a new RSA 2048-bit private key and immediately creates a self-signed X.509 certificate in a single step. The `-x509` flag tells OpenSSL to output a self-signed certificate instead of a certificate signing request (CSR), and `-nodes` ensures the private key is not encrypted with a passphrase, which is typical for a web server that must start without manual intervention.

Exam trap

The trap here is that candidates often confuse the `req -new` command (which creates a CSR) with the `req -x509` command (which creates a self-signed certificate), leading them to choose Option A, which only produces a CSR, not a usable certificate for a web server.

How to eliminate wrong answers

Option A is wrong because it first generates a private key with `genrsa` and then creates a CSR (`req -new`), not a self-signed certificate; the output file `cert.pem` would be a CSR, not a certificate. Option B is wrong because `openssl x509 -req` signs a CSR using a CA private key, but it requires an existing CSR (`req.pem`) and an existing signing key (`key.pem`); it does not create a self-signed certificate from scratch. Option D is wrong because `openssl ca` is used to sign a CSR with a configured CA infrastructure (requires a CA database and configuration), not to create a self-signed certificate directly.

115
Multi-Select · hard

An administrator is configuring AppArmor for a custom application. Which THREE commands are used to manage AppArmor profiles?

Select 3 answers
A. aa-logprof
B. aa-status
C. apparmor_parser
D. aa-complain
E. aa-enforce
Answers: B, D, E

Shows status of AppArmor profiles.

Why this answer

aa-status displays the status of AppArmor profiles. aa-complain sets a profile to complain mode (logs violations but does not enforce). aa-enforce sets a profile to enforce mode.

116
MCQ · medium

A security audit reveals that the system's PAM configuration does not enforce password complexity. Which PAM module and configuration line should be added to /etc/pam.d/common-password to require at least one uppercase letter, one digit, and a minimum length of 12 characters?

A. password requisite pam_pwquality.so minlen=12 ucredit=-1 dcredit=-1
B. password sufficient pam_faillock.so minlen=12 ucredit=-1 dcredit=-1
C. password required pam_cracklib.so minlen=12 ucredit=-1 dcredit=-1
D. password required pam_unix.so minlen=12 ucredit=-1 dcredit=-1
Answer: A

Correct. pam_pwquality with requisite enforces the rules.

Why this answer

pam_pwquality is the module for password complexity. The options ucredit=-1, dcredit=-1, minlen=12 enforce the requirements. pam_unix handles password hashing, pam_faillock handles lockout, and pam_cracklib is an older module (deprecated in favor of pam_pwquality).

117
MCQ · hard

An administrator wants to ensure that the Apache web server can only listen on port 443 (HTTPS) and not on port 80, enforced by SELinux. Which SELinux boolean should be set to allow Apache to use port 443?

A. httpd_use_nfs
B. httpd_can_network_connect
C. httpd_enable_homedirs
D. None of the above; port 443 is already permitted by default
Answer: D

SELinux allows Apache to bind to port 443 by default; no boolean change needed.

Why this answer

The question is really about port labeling rather than booleans. SELinux controls which ports httpd may bind to through port labels (managed with `semanage port`), and port 443 is already permitted in the default policy, so no boolean needs to be changed. Of the listed booleans, httpd_use_nfs is irrelevant to ports, and httpd_can_network_connect governs outbound connections made by Apache, not the ports it listens on.

Because every other option is a boolean that does not affect listening on port 443, the correct answer is none of the above.

118
Multi-Select · medium

Which THREE are valid SELinux modes?

Select 3 answers
A. Strict
B. Permissive
C. Enforcing
D. Disabled
E. Audit
Answers: B, C, D

Permissive mode logs violations but does not enforce.

Why this answer

SELinux has three modes: enforcing (policy enforced), permissive (only logs violations), and disabled (SELinux turned off).

119
Multi-Select · medium

A security analyst is investigating a potential breach and needs to examine user login history. Which THREE commands or log files provide information about user logins? (Select THREE.)

Select 3 answers
A. last
B. lastlog
C. lastb
D. /var/log/syslog
E. /var/log/messages
Answers: A, B, C

Shows user login history.

Why this answer

The `last` command reads the /var/log/wtmp file to display a list of all user logins and logouts since that file was created, showing timestamps and source IPs. This makes it a primary tool for investigating login history during a breach.

Exam trap

The trap here is that candidates often confuse general system logs like /var/log/syslog or /var/log/messages with dedicated authentication logs, but these files lack the structured login/out records that commands like last, lastlog, and lastb specifically parse.

120
Multi-Select · medium

A Linux administrator is hardening an SSH server. Which two of the following settings should be applied to /etc/ssh/sshd_config to improve security?

Select 2 answers
A. Port 2222
B. X11Forwarding yes
C. PermitRootLogin no
D. PasswordAuthentication no
E. Protocol 1
Answers: C, D

Disables root SSH login, reducing attack surface.

Why this answer

PermitRootLogin no prevents root login; PasswordAuthentication no forces key-based authentication. Changing the port and enabling X11 forwarding are not necessarily hardening.

121
MCQ · easy

An administrator wants to ensure that only users in the 'wheel' group can use the sudo command. Which directive in /etc/sudoers enables this?

A. %wheel ALL=ALL
B. @wheel ALL=(ALL) ALL
C. %wheel ALL=(ALL) ALL
D. wheel ALL=(ALL) ALL
Answer: C

This allows all members of the wheel group to run any command as any user.

Why this answer

%wheel ALL=(ALL) ALL grants sudo access to all members of the wheel group.

122
MCQ · hard

A Linux security administrator needs to generate a self-signed certificate for a web server. They want to create a private key and a certificate signing request (CSR) in one step. Which OpenSSL command should be used?

A. openssl genrsa -out key.pem 2048 && openssl req -new -key key.pem -out req.pem
B. openssl req -new -key key.pem -out req.pem
C. openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
D. openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.pem
Answer: D

This creates a new private key and CSR.

Why this answer

The 'req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.pem' command generates a new private key and CSR. The other options either generate a self-signed certificate directly or are incomplete.

123
MCQ · medium

An administrator needs to configure SELinux to allow the Apache HTTP server to connect to a database server. Which SELinux boolean should be enabled?

A. httpd_can_network_connect
B. httpd_enable_cgi
C. httpd_use_nfs
D. httpd_can_network_connect_db
Answer: D

This boolean specifically allows Apache to connect to database servers.

Why this answer

The SELinux boolean `httpd_can_network_connect_db` specifically allows the Apache HTTP server to make outbound TCP connections to database servers (e.g., MySQL, PostgreSQL). This is required when a web application needs to query a remote database. The other booleans control different aspects of httpd's behavior and do not grant network connectivity to databases.

Exam trap

Cisco often tests the distinction between `httpd_can_network_connect` and `httpd_can_network_connect_db` — the trap here is that candidates may choose the more general boolean, not realizing the exam specifically requires the database-targeted boolean for a database connection scenario.

How to eliminate wrong answers

Option A is wrong because `httpd_can_network_connect` allows general outbound network connections (e.g., to any TCP port), which is broader than needed and may introduce unnecessary risk; it does not specifically target database connections. Option B is wrong because `httpd_enable_cgi` controls whether httpd can execute CGI scripts, not network connectivity. Option C is wrong because `httpd_use_nfs` allows httpd to access files on NFS mounts, not to connect to a database server over the network.

124
Multi-Select · medium

A Linux engineer needs to restrict resource usage for users in the 'developers' group. Which TWO files or commands can be used to set ulimit values?

Select 2 answers
A. sysctl command
B. /etc/security/limits.conf
C. /etc/pam.d/login with pam_limits.so
D. /etc/ulimit.conf
E. ulimit command
Answers: B, E

This file specifies limits for users and groups.

Why this answer

Option B is correct because /etc/security/limits.conf is the standard configuration file used by the pam_limits.so PAM module to set per-user or per-group resource limits (ulimits) such as max number of open files, max processes, etc. This file allows system administrators to define hard and soft limits persistently across logins for users or groups, including the 'developers' group.

Exam trap

The trap here is that candidates often confuse the configuration file (/etc/security/limits.conf) with the PAM module file (/etc/pam.d/login) or think the ulimit command alone can set persistent limits for a group, when in fact ulimit only affects the current shell session and is not persistent across logins for all group members.

125
MCQ · medium

A system administrator needs to monitor file access attempts to /etc/shadow using auditd. Which auditctl command sets up the watch?

A. auditctl -a always,exit -F path=/etc/shadow -F perm=wa -k shadow_watch
B. auditctl -W /etc/shadow -p rwxa -k shadow_watch
C. auditctl -w /etc/shadow -k shadow_watch
D. auditctl -w /etc/shadow -p wa -k shadow_watch
Answer: D

Correct use of -w to watch file with write and attribute permissions.

Why this answer

The correct syntax is 'auditctl -w /etc/shadow -p wa -k shadow_watch'. The -w flag specifies the file to watch, -p wa records write and attribute changes (access is implied), and -k attaches a key so the resulting events can be searched for later. The other options have incorrect flags or order.
