CCNA Linux Security Questions

75 of 96 questions · Page 1/2 · Linux Security topic · Answers revealed

Question 1 (MCQ, easy)

An administrator needs to allow a user to run all commands as root without a password. Which sudoers entry accomplishes this?

A. user ALL=(ALL) NOPASSWD: ALL
B. user ALL=(ALL) !ALL
C. user ALL=(ALL) PASSWD: ALL
D. user ALL=(ALL) ALL
Answer: A

This entry allows passwordless execution of all commands.

Why this answer

Option A is correct because the sudoers entry `user ALL=(ALL) NOPASSWD: ALL` grants the user permission to run any command as any user (including root) without being prompted for a password. The `NOPASSWD` tag overrides the default password requirement, and the `ALL` specifications cover the host list, target user list, and command list.

Exam trap

The trap here is that candidates often confuse the default behavior of `ALL` (which still requires a password) with the `NOPASSWD` tag, leading them to select option D thinking it allows passwordless execution.

How to eliminate wrong answers

Option B is wrong because `user ALL=(ALL) !ALL` uses the negation operator `!` to deny all commands, effectively preventing the user from running any command via sudo. Option C is wrong because `user ALL=(ALL) PASSWD: ALL` explicitly requires a password (the default behavior), so the user would still be prompted for a password. Option D is wrong because `user ALL=(ALL) ALL` is the standard sudoers entry that allows all commands but still requires the user to enter their own password (unless the `NOPASSWD` tag is present).

Question 2 (MCQ, hard)

An application running under an AppArmor profile is being denied access to log files. The administrator wants to troubleshoot by allowing all actions and logging denials. Which command will switch the profile to complain mode?

A. aa-complain /path/to/profile
B. aa-enforce /path/to/profile
C. aa-disable /path/to/profile
D. aa-status
Answer: A

This sets the profile to complain mode, allowing actions but logging denials.

Why this answer

The `aa-complain` command places an AppArmor profile into complain mode, which allows all actions but logs denials to the system log. This is the correct tool for troubleshooting because it lets the administrator see what the application is trying to do without actually blocking it.

Exam trap

The trap here is confusing `aa-complain` with `aa-enforce`, as candidates often assume that logging denials requires enforcement mode, but complain mode is specifically designed for logging without blocking.

How to eliminate wrong answers

Option B is wrong because `aa-enforce` activates enforcement mode, which actively blocks denied actions and logs them, not allowing all actions as required. Option C is wrong because `aa-disable` completely disables the AppArmor profile, removing all logging and access controls, which does not meet the requirement to log denials. Option D is wrong because `aa-status` only displays the current status of AppArmor profiles (e.g., which are in enforce or complain mode) and does not change the profile mode.

Question 3 (MCQ, hard)

A Red Hat Enterprise Linux 8 system is configured with SELinux in enforcing mode. A custom application needs to write to a file in /var/log. The audit log shows an AVC denial for httpd_t attempting to write to var_log_t. Which of the following is the most appropriate persistent solution?

A. Set the SELinux boolean httpd_can_network_connect to on.
B. Change the ownership of the file to apache.
C. Use chcon to set the file context to httpd_log_t.
D. Use semanage fcontext to define the default context for the file and then restorecon.
Answer: D

Persistent method; sets default context in policy.

Why this answer

Option D is correct because semanage fcontext defines a persistent default SELinux file context rule, which survives file system relabeling. After defining the rule, restorecon applies the context to the file. This ensures the custom application's log file is labeled httpd_log_t, allowing httpd_t to write to it, while chcon (option C) only makes a temporary change that can be overwritten by restorecon or a relabel.

Exam trap

The trap here is that candidates confuse chcon (temporary) with semanage fcontext (persistent), or mistakenly think changing Unix ownership or enabling a network boolean will resolve a file-based SELinux denial.

How to eliminate wrong answers

Option A is wrong because httpd_can_network_connect controls network access, not file write permissions to /var/log. Option B is wrong because changing file ownership to apache does not affect SELinux type enforcement; the AVC denial is based on the file's SELinux context (var_log_t), not its Unix owner. Option C is wrong because chcon makes a non-persistent context change that will be lost after a file system relabel or restorecon operation; it does not create a default rule in the SELinux policy.

Question 4 (MCQ, hard)

Based on the exhibit, what is the purpose of the audit rule?

A. Monitor open syscalls on a specific file.
B. Monitor all open syscalls by the root user.
C. Monitor all open syscalls by users with UID 1000 or higher.
D. Monitor all open syscalls except those by users with UID 1000 or higher.
Answer: C

The condition auid>=1000 selects regular users, excluding system accounts and root (UID 0).

Why this answer

The audit rule `-a always,exit -F arch=b64 -S open -F uid>=1000 -k monitor_open` uses the `uid>=1000` filter to match only system calls made by users with UID 1000 or higher. This is a common Linux auditd rule to track user-level activity while excluding system accounts (typically UIDs below 1000). Option C correctly identifies that the rule monitors all open syscalls by users with UID 1000 or higher.

Exam trap

CompTIA often tests the direction of comparison operators in audit rules — candidates frequently confuse `uid>=1000` (monitor UIDs 1000 and above) with `uid<1000` (monitor UIDs below 1000), leading them to select the exclusion-based option D instead of the correct inclusion-based option C.

How to eliminate wrong answers

Option A is wrong because the rule does not specify a particular file path; it monitors the open syscall system-wide, not on a specific file. Option B is wrong because the rule uses `uid>=1000`, which excludes the root user (UID 0) from being monitored; root's open syscalls are not captured. Option D is wrong because the rule includes users with UID 1000 or higher, not excludes them; the `>=` operator means 'greater than or equal to', so it matches those UIDs.

Question 5 (Multi-Select, medium)

A system administrator wants to encrypt a large directory of files using GPG with a symmetric cipher. Which two steps are necessary? (Select TWO).

Select 2 answers
A. gpg --decrypt file.gpg
B. Use a passphrase to encrypt
C. gpg --encrypt --recipient user file
D. Import a public key
E. gpg --symmetric --cipher-algo AES256 file
Answers: B, E

Symmetric encryption requires a passphrase.

Why this answer

Option B is correct because symmetric encryption in GPG requires a passphrase to derive the encryption key. When using `gpg --symmetric`, the cipher key is generated from a passphrase provided by the user, making the passphrase the essential secret for both encryption and decryption. Without a passphrase, symmetric encryption cannot proceed.

Exam trap

The trap here is that candidates confuse symmetric encryption with asymmetric encryption and select `--recipient` or public key import, not realizing that `--symmetric` requires only a passphrase, not a key pair.

Question 6 (Multi-Select, medium)

Which THREE of the following actions can help prevent unauthorized access to a Linux server via SSH?

Select 3 answers
A. Allow only specific users with AllowUsers.
B. Set MaxAuthTries to 6.
C. Use protocol version 1.
D. Disable password authentication.
E. Set PermitRootLogin to no.
Answers: A, D, E

Restricts SSH access to authorized users.

Why this answer

Option A is correct because the `AllowUsers` directive in `/etc/ssh/sshd_config` restricts SSH logins to only the specified user accounts, blocking all others even if they have valid credentials. This reduces the attack surface by explicitly whitelisting authorized users, making it an effective access control measure.

Exam trap

CompTIA often tests the misconception that increasing `MaxAuthTries` (option B) or using protocol version 1 (option C) improves security, when in fact they either have no preventive effect or actively weaken security.

Question 7 (MCQ, medium)

What is the effect of the firewall rules shown?

A. Only SSH traffic to 192.168.1.10 is allowed; all other traffic is dropped.
B. Only SSH and loopback traffic are allowed; all other traffic is dropped.
C. All traffic on eth0 is allowed; loopback is allowed.
D. SSH and ICMP echo-request are allowed; all other traffic is dropped.
Answer: D

The rules allow SSH, ICMP echo-request, and loopback; default drop handles the rest.

Why this answer

The firewall rules shown explicitly allow SSH (port 22) and ICMP echo-request (type 8) traffic while the final default rule drops all other traffic. This matches option D, as the rules do not permit any other protocols or services, including loopback traffic unless it is SSH or ICMP echo-request.

Exam trap

The trap here is that candidates often assume loopback traffic is implicitly allowed or that the rules apply to all interfaces, but the rules only apply to the INPUT chain on eth0 and do not include any explicit loopback allowance, so only the specified protocols are permitted.

How to eliminate wrong answers

Option A is wrong because it states only SSH traffic to 192.168.1.10 is allowed, but the rules also permit ICMP echo-request, not just SSH. Option B is wrong because it claims loopback traffic is allowed, but the rules do not include any explicit allow rule for loopback (lo) interface traffic; only SSH and ICMP echo-request are permitted. Option C is wrong because it says all traffic on eth0 is allowed, but the rules include a default drop rule that denies all traffic not matching the SSH or ICMP echo-request allow rules.

Question 8 (MCQ, medium)

A Linux administrator needs to configure a firewall to allow incoming SSH connections only from the 192.168.1.0/24 subnet. The current iptables INPUT policy is ACCEPT. Which set of rules should be added?

A. iptables -A INPUT -p tcp --dport 22 -j DROP; iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
B. iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT; iptables -A INPUT -p tcp --dport 22 -j DROP
C. iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT; iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j DROP
D. iptables -I INPUT -p tcp --dport 22 -j DROP; iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
Answer: B

Accepts the permitted subnet first, then drops all other SSH traffic; the order is correct.

Why this answer

Option B is correct because iptables processes rules in order, and the first matching rule determines the action. By placing the ACCEPT rule for the 192.168.1.0/24 subnet first, SSH traffic from that subnet is accepted. The subsequent DROP rule for port 22 then denies all other SSH traffic.

This ensures that only the specified subnet can connect, while the default ACCEPT policy on the INPUT chain would otherwise allow all traffic if no rule matched.

Exam trap

The trap here is that candidates often assume the order of rules doesn't matter or that a DROP rule can be placed before an ACCEPT rule for the same port, not realizing that iptables stops processing on the first match, which would drop all traffic including from the allowed subnet.

How to eliminate wrong answers

Option A is wrong because the DROP rule is added first, which would drop all incoming SSH traffic before the ACCEPT rule for 192.168.1.0/24 is evaluated, effectively blocking all SSH connections including from the allowed subnet. Option C is wrong because it only drops SSH traffic from the 10.0.0.0/8 subnet, leaving SSH traffic from all other sources (including the default ACCEPT policy) unrestricted, which does not restrict SSH to only 192.168.1.0/24. Option D is wrong because it inserts the DROP rule at the beginning of the INPUT chain using -I, which would drop all SSH traffic before the ACCEPT rule is evaluated, similar to option A, and also fails to restrict access to only the specified subnet.

Question 9 (MCQ, easy)

After a security audit, it is recommended to disable SSH password authentication in favor of key-based authentication. Which configuration line should be set in /etc/ssh/sshd_config?

A. PasswordAuthentication yes
B. PubkeyAuthentication no
C. PasswordAuthentication no
D. ChallengeResponseAuthentication yes
Answer: C

Disables password authentication, correct.

Why this answer

Option C is correct because disabling password authentication forces SSH to use key-based authentication, which is more secure against brute-force attacks. Setting `PasswordAuthentication no` in `/etc/ssh/sshd_config` prevents SSH from prompting for a password, requiring a valid SSH key pair for authentication. This aligns with the security audit's recommendation to disable password authentication in favor of key-based authentication.

Exam trap

The trap here is that candidates often confuse `PasswordAuthentication` with `PubkeyAuthentication` or think that disabling password authentication requires setting it to `yes`, when in fact the directive must be set to `no` to disable it.

How to eliminate wrong answers

Option A is wrong because `PasswordAuthentication yes` enables password authentication, which is the opposite of the required change to disable it. Option B is wrong because `PubkeyAuthentication no` disables public key authentication, which would prevent key-based login entirely, contradicting the goal of using key-based authentication. Option D is wrong because `ChallengeResponseAuthentication yes` enables challenge-response authentication (often used with PAM), which can still allow password-based methods and does not directly disable password authentication.

Question 10 (MCQ, hard)

Scenario: A financial services company runs a critical application on a Linux server that stores sensitive customer data. The server is configured with a firewall (iptables) that only allows SSH (port 22) and HTTPS (port 443) from the internal network (10.0.0.0/8). Recently, the security team detected unauthorized access attempts from an external IP address (203.0.113.5) targeting port 22. The administrator needs to block this specific IP while maintaining current access rules. The existing iptables rules are:

- INPUT chain policy ACCEPT
- Rule 1: -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- Rule 2: -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
- Rule 3: -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
- Rule 4: -A INPUT -j DROP

The administrator wants to block 203.0.113.5 from any access. Which command should be added?

A. iptables -I INPUT 1 -s 203.0.113.5 -j DROP
B. iptables -I INPUT 5 -s 203.0.113.5 -j DROP
C. iptables -A INPUT -s 203.0.113.5 -j DROP
D. iptables -I INPUT 1 -s 203.0.113.5 -j ACCEPT
Answer: A

Inserts a DROP rule at the top, blocking the IP before any ACCEPT rules.

Why this answer

Option A is correct because inserting the DROP rule at position 1 with `-I INPUT 1` ensures it is evaluated before the existing ESTABLISHED,RELATED rule (Rule 1). Since iptables processes rules sequentially, placing the block early prevents the malicious IP from being matched by the ESTABLISHED,RELATED rule, which would otherwise accept its packets if a related connection existed. This maintains the existing SSH and HTTPS access rules for the internal network while explicitly dropping all traffic from 203.0.113.5.

Exam trap

The trap here is that candidates often append a DROP rule with `-A` or insert it after the default DROP rule, not realizing that rules added after a final DROP are never processed, or they mistakenly use `-j ACCEPT` thinking it will override the default policy, when in fact it would allow the unwanted IP.

How to eliminate wrong answers

Option B is wrong because inserting the rule at position 5 places it after the default DROP rule (Rule 4), making it unreachable and ineffective — any packet from 203.0.113.5 would already be dropped by Rule 4 before reaching the new rule. Option C is wrong because appending with `-A` adds the rule at the end of the chain, after the default DROP rule, so it would never be evaluated and would not block the IP. Option D is wrong because it uses `-j ACCEPT` instead of `-j DROP`, which would explicitly allow all traffic from 203.0.113.5, defeating the security objective and potentially exposing the server to further attacks.

Question 11 (Multi-Select, medium)

A security policy requires that user passwords must expire every 60 days and users should be warned 7 days before expiration. Which two commands can be used to set these policies? (Select TWO).

Select 2 answers
A. passwd -x 60 -w 7 username
B. chage -E 60 -W 7 username
C. usermod -e 60 -f 7 username
D. chage -M 60 -W 7 username
E. passwd -n 60 -m 7 username
Answers: A, D

Correct: passwd also sets max days and warning.

Why this answer

Option A is correct because the `passwd -x 60 -w 7 username` command sets the maximum password age to 60 days (`-x`) and the warning period to 7 days before expiration (`-w`). This directly satisfies the policy requirements for password expiration and advance warning.

Exam trap

The trap here is confusing the `chage` flags: candidates often mistake `-E` (account expiration) for password maximum age, or mix up `passwd` options like `-n` (minimum days) with `-x` (maximum days), leading them to select options that set the wrong parameters.

Question 12 (Multi-Select, medium)

Which TWO of the following are valid methods to enforce disk quota limits on a Linux filesystem? (Select TWO.)

Select 2 answers
A. Using 'edquota' to set soft and hard limits for users
B. Using 'setquota' to set limits in a script
C. Running 'repquota' to generate reports
D. Running 'quotacheck' to update quota files
E. Running 'quotaon' on the filesystem
Answers: A, E

Setting limits with edquota prepares enforcement when quotas are on.

Why this answer

Option A is correct because 'edquota' is the standard interactive command used to set soft and hard disk quota limits for users or groups on a Linux filesystem. It opens the user's quota settings in a text editor, allowing precise configuration of block and inode limits. Option E is correct because 'quotaon' is the command that enables quota enforcement on a specified filesystem, activating the quota subsystem after limits have been defined.

Exam trap

The trap here is that candidates confuse commands that set or check quotas (edquota, setquota, repquota, quotacheck) with the actual enforcement mechanism (quotaon), leading them to select multiple configuration or reporting commands instead of the one that activates enforcement.

Question 13 (Multi-Select, easy)

A system administrator wants to restrict SSH access to a specific group of users. Which two methods can achieve this? (Select TWO.)

Select 2 answers
A. Use /etc/security/access.conf
B. Edit /etc/ssh/sshd_config and set AllowGroups engineers
C. Modify /etc/pam.d/sshd to use pam_listfile.so
D. Add users to the sshd group
E. Edit /etc/ssh/sshd_config and set AllowUsers user1,user2,user3
Answers: B, E

The AllowGroups directive restricts SSH access to members of specified groups.

Why this answer

Option B is correct because the `AllowGroups` directive in `/etc/ssh/sshd_config` explicitly restricts SSH access to members of specified groups. When set to `AllowGroups engineers`, only users belonging to the 'engineers' group can authenticate via SSH, providing a straightforward and secure method for group-based access control.

Exam trap

The trap here is that candidates often confuse system-level access control files (like `/etc/security/access.conf`) or PAM modules with SSH-specific directives, or mistakenly think adding users to the `sshd` group grants SSH access, when in fact `AllowGroups` and `AllowUsers` are the correct, direct methods for restricting SSH access to specific users or groups.

Question 14 (MCQ, hard)

An administrator is investigating a system that may have been compromised. The 'aide' database was created six months ago. After running 'aide --check', many files in /usr/bin are reported as changed. Which action should the administrator take first to identify the cause?

A. Increase the verbosity of AIDE to see which attributes changed.
B. Update the AIDE database with 'aide --update'.
C. Compare the checksums with the original package manager database (rpm -V).
D. Restore the original files from backup.
Answer: C

Determines if changes are from package updates or unauthorized modifications.

Why this answer

Option C is correct because the AIDE database is six months old, so any changes to system binaries in /usr/bin since then would be flagged. The first step should be to verify whether these changes are legitimate (e.g., from package updates) or malicious by comparing the current file checksums against the RPM package manager's database using 'rpm -V'. This distinguishes expected updates from unauthorized modifications without relying on the outdated AIDE baseline.

Exam trap

The trap here is that candidates may think updating the AIDE database (Option B) is the logical next step to stop false alerts, but this would overwrite the baseline and eliminate the ability to detect the compromise, whereas the correct first action is to cross-verify with the package manager's own integrity database.

How to eliminate wrong answers

Option A is wrong because increasing AIDE verbosity only shows which attributes (e.g., permissions, size, hash) changed, but it does not help determine whether the changes are legitimate or malicious — it still compares against the same outdated database. Option B is wrong because updating the AIDE database with 'aide --update' would overwrite the old baseline with current file states, effectively accepting all changes as valid and destroying forensic evidence of potential compromise. Option D is wrong because restoring files from backup should only be done after confirming the changes are unauthorized; prematurely restoring could reintroduce vulnerabilities or overwrite evidence needed for investigation.

Question 15 (MCQ, medium)

A technician notices that a user can execute a binary with elevated privileges even though the user is not in the sudoers file. The binary has the SUID bit set. Which command would remove the SUID bit from the binary?

A. chmod u-s /path/to/binary
B. chmod g-s /path/to/binary
C. chmod o-s /path/to/binary
D. chmod 0755 /path/to/binary
Answer: D

This sets the mode to 0755, which does not include the SUID bit, effectively removing it.

Why this answer

Option D is correct because `chmod 0755` sets the binary's permissions to read/write/execute for the owner, and read/execute for group and others, which explicitly clears the SUID bit (setuid) by not including the 4000 octal value. The SUID bit allows a binary to run with the privileges of its owner (often root), bypassing normal user permissions. Removing it with a numeric mode like 0755 is a definitive way to ensure the SUID bit is unset, addressing the security issue where a non-sudo user can execute the binary with elevated privileges.

Exam trap

The trap here is that candidates may think `chmod u-s` is the only correct way to remove the SUID bit, but the exam expects `chmod 0755` because it is a more comprehensive and explicit method that also resets the entire permission set, which is a common administrative practice to ensure no unintended special bits remain.

How to eliminate wrong answers

Option A is wrong because, although `chmod u-s` is a valid command that removes the SUID bit from the owner (user) permissions, the exam expects the numeric mode (0755) as the 'correct' answer, since it is more explicit and also removes any other special bits such as SGID or the sticky bit. Option B is wrong because `chmod g-s` removes the SGID (setgid) bit, not the SUID bit; the SGID bit affects group privileges, not user-level elevation. Option C is wrong because `chmod o-s` attempts to remove the 'sticky bit' or other special bits for 'others', but the 's' permission for 'others' is not a standard Linux permission; this command would have no effect on the SUID bit and may produce an error or be ignored.

Question 16 (MCQ, medium)

An administrator is auditing user accounts on a Linux system and finds that several users have accounts that are no longer needed. Instead of deleting the accounts immediately, the administrator wants to lock the accounts and expire the passwords so that the users cannot log in, but the home directories and files are preserved. The administrator then wants to generate a report of all locked accounts and their last login time. Which commands and steps should the administrator use?

A. Use 'usermod -L username' to lock the account, then run 'lastlog | awk -F: '{if ($1!="Username") system("passwd -S "$1)}'
B. Use 'userdel -r username' to remove the account and home directory, then run 'lastlog'
C. Use 'passwd -e username' to expire the password, then run 'lastlog | grep -v "Never logged in"'
D. Use 'usermod -L username' and 'chage -E 0 username', then run 'passwd -S -a' to list account status
Answer: D

Locks the account and expires it; passwd -S -a shows status of all accounts (locked/password expired).

Why this answer

Option D is correct because it uses `usermod -L` to lock the account by placing an exclamation mark in the password hash field, and `chage -E 0` to expire the account immediately, preventing all login methods. The `passwd -S -a` command then lists the status of all accounts, showing locked accounts with their last password change date, which can be cross-referenced with `lastlog` for last login times. This combination fully meets the requirement to lock accounts, expire passwords, preserve home directories, and generate a report of locked accounts with last login information.

Exam trap

The trap here is that candidates often confuse password expiration (`passwd -e`) with account locking (`usermod -L`), or assume that `lastlog` alone can identify locked accounts, when in fact `passwd -S -a` is needed to show the locked status from the shadow file.

How to eliminate wrong answers

Option A is wrong because `usermod -L` locks the account, but the `awk` command attempts to run `passwd -S` on each username, which only shows password status (locked/unlocked) and not last login time; it also incorrectly parses the `lastlog` output. Option B is wrong because `userdel -r` deletes the account and home directory, which contradicts the requirement to preserve home directories and files. Option C is wrong because `passwd -e` only forces a password change at next login but does not lock the account; the `grep -v 'Never logged in'` filters out users who never logged in but does not identify locked accounts or show their last login time.

Question 17 (Multi-Select, hard)

An administrator runs auditctl -l and ausearch -k auth_log -ts today as shown in the exhibit. The administrator expects to see audit events for /var/log/auth.log but gets no matches. Which TWO actions should the administrator take to resolve this issue?

Select 2 answers
A. Change '-p wa' to '-p rwxa' in the rule for /var/log/auth.log
B. Verify that auditd is running with 'systemctl status auditd'
C. Add '-a always,exit -S all -F path=/var/log/auth.log' to capture all syscalls
D. Run 'auditctl -R /etc/audit/rules.d/audit.rules' to reload rules
E. Change the key in the ausearch command to match the rule key exactly
Answers: B, E

If auditd is not running, no events are captured.

Why this answer

Option B is correct because the audit daemon (auditd) must be running to process audit rules and generate events. If auditd is not active, rules loaded via auditctl will have no effect, and commands like ausearch will return no results. The administrator should verify the service status with 'systemctl status auditd' and start it if necessary.

Exam trap

CompTIA often tests the misconception that loading rules with auditctl is sufficient to generate audit events, without verifying that the auditd service is actually running to process and log those events.

Question 18 (Multi-Select, medium)

An administrator needs to restrict SSH access to the server so that only a specific IP range (192.168.1.0/24) can connect, and password authentication is disabled. Which THREE steps must be taken?

Select 3 answers
A. Set 'UsePAM yes' in sshd_config
B. Add a firewall rule: iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT; iptables -A INPUT -p tcp --dport 22 -j DROP
C. Set 'PermitRootLogin without-password' in sshd_config
D. Add 'AllowUsers *@192.168.1.*' to /etc/ssh/sshd_config
E. Set 'PasswordAuthentication no' in sshd_config
Answers: B, D, E

The firewall rule restricts the source IP range at the network layer.

Why this answer

Option B is correct because it uses iptables to create a firewall rule that accepts SSH traffic (TCP port 22) only from the 192.168.1.0/24 subnet, followed by a catch-all rule that drops all other SSH traffic. This enforces network-level access control. Option D is correct because 'AllowUsers *@192.168.1.*' in sshd_config restricts SSH logins to users connecting from IP addresses matching that pattern, providing application-level filtering.

Option E is correct because 'PasswordAuthentication no' disables password-based authentication, forcing the use of key-based or other non-password methods.

Exam trap

The trap here is that candidates may think 'UsePAM yes' or 'PermitRootLogin without-password' are necessary for IP restriction or disabling passwords, when in fact they address unrelated authentication mechanisms and are not among the three required steps.

Question 19 (MCQ, medium)

A web server on RHEL 8 is serving content from a non-default directory /data/web. The SELinux context is set to default_t for the directory, causing access denials. Which command should be used to set the correct context for web content?

A. setsebool -P httpd_can_network_connect on
B. restorecon -R /data/web
C. chcon -t httpd_sys_content_t /data/web
D. semanage fcontext -a -t httpd_sys_content_t "/data/web(/.*)?"
Answer: D

Adds default context to policy, ensuring persistence after restorecon.

Why this answer

Option D (semanage fcontext) is the persistent method to set SELinux file contexts. Option C (chcon) is immediate but not permanent; Option B (restorecon) would restore the current policy default, which may not be correct; Option A sets a boolean unrelated to file context.

Question 20 (MCQ, medium)

A systems administrator needs to restrict SSH access to a Linux server so that only users in the 'sshusers' group can log in. Which configuration change should be made in /etc/ssh/sshd_config?

A. Add 'AllowUsers sshusers'
B. Add 'DenyGroups all'
C. Add 'AllowGroups sshusers'
D. Add 'PermitRootLogin no' and add users to sshusers
Answer: C

AllowGroups restricts SSH access to members of the specified group.

Why this answer

Option C is correct because the 'AllowGroups' directive in /etc/ssh/sshd_config restricts SSH login to only users who are members of the specified group. By adding 'AllowGroups sshusers', only users in the 'sshusers' group will be permitted to authenticate via SSH, while all others are denied. This is the standard OpenSSH mechanism for group-based access control.

Exam trap

The trap here is that candidates confuse 'AllowUsers' with 'AllowGroups', mistakenly thinking that 'AllowUsers sshusers' would restrict access to members of the 'sshusers' group, when in fact it only allows a user whose exact username is 'sshusers'.

How to eliminate wrong answers

Option A is wrong because 'AllowUsers' expects a list of individual usernames, not a group name; using 'AllowUsers sshusers' would attempt to match a user literally named 'sshusers', not a group. Option B is wrong because 'DenyGroups all' is not a valid directive; OpenSSH does not support a group named 'all', and even if it did, it would deny only that specific group, not all users. Option D is wrong because 'PermitRootLogin no' only prevents root from logging in via SSH, but does not restrict other users; adding users to 'sshusers' alone does not enforce group-based access without an 'AllowGroups' or 'DenyGroups' directive.

21
Matching · medium

Match each Linux runlevel to its standard systemd target.

Concepts:
poweroff.target
rescue.target
multi-user.target
graphical.target
reboot.target

Why these pairings

Systemd targets correspond to traditional SysV runlevels.

22
MCQ · easy

A security policy requires that user home directories have permissions set so that only the owner has access. A new user 'john' has a home directory with permissions 755. Which command should the administrator run to enforce the policy?

A. chmod 711 /home/john
B. chmod 700 /home/john
C. chmod 770 /home/john
D. chmod 750 /home/john
Answer: B

Sets owner rwx and removes all group and other permissions, which satisfies the policy.

Why this answer

The security policy requires that only the owner has access to the home directory. The current permissions 755 grant read and execute access to the group and others. The chmod 700 command sets permissions to rwx------, which gives the owner full access and removes all permissions for the group and others, enforcing the policy.

Exam trap

CompTIA often tests the difference between 700 and 750, where candidates mistakenly think group read access is acceptable, but the policy explicitly requires 'only the owner has access', meaning no group or other permissions at all.

How to eliminate wrong answers

Option A is wrong because chmod 711 sets permissions to rwx--x--x, which still allows group and others to traverse (execute) the directory, violating the policy that only the owner has access. Option C is wrong because chmod 770 sets permissions to rwxrwx---, which grants full access to the group, violating the policy. Option D is wrong because chmod 750 sets permissions to rwxr-x---, which gives read and execute access to the group, violating the policy.

23
MCQ · medium

A security audit reveals that the /var/log directory has permissions 777. Which command should restore secure permissions, assuming the owner is root and group is adm?

A. chmod 777 /var/log
B. chmod 755 /var/log
C. chmod 700 /var/log
D. chmod 750 /var/log
Answer: B

Sets permissions to rwxr-xr-x, appropriate for a shared log directory.

Why this answer

Option B is correct because /var/log typically contains sensitive system logs, and permissions of 755 (owner: rwx, group: r-x, others: r-x) allow the root owner full access, the adm group read/execute access (needed for log reading tools), and others read-only access without write permissions. This aligns with security best practices where only root should write to /var/log, and the 777 permission from the audit is overly permissive and a security risk.

Exam trap

The trap here is that candidates may choose 750 thinking it is more secure, but the XK0-005 exam expects the standard Linux permission of 755 for /var/log to maintain compatibility with common log-reading utilities and the adm group's intended read access.

How to eliminate wrong answers

Option A is wrong because it sets permissions to 777, which is the exact insecure permission the audit flagged, granting write access to everyone and defeating the purpose of restoring secure permissions. Option C is wrong because 700 (owner: rwx, group: ---, others: ---) would deny the adm group any access, breaking legitimate log-reading utilities like syslog or logrotate that require group read/execute permissions. Option D is wrong because 750 (owner: rwx, group: r-x, others: ---) would deny all access to 'others', which may be too restrictive if non-root processes (e.g., monitoring agents) need read access to logs; although it is more secure than 777, the standard secure permission for /var/log is 755, which allows others read-only access without write.

24
Multi-Select · medium

Which THREE are best practices for securing a Linux server? (Choose exactly three.)

A. Use a host-based firewall
B. Keep software up to date
C. Enable root SSH login with password
D. Disable unnecessary services
E. Set default umask to 0777
Answers: A, B, D

Controls network access to the server.

Why this answer

A host-based firewall (e.g., iptables, nftables, or firewalld) controls incoming and outgoing traffic at the server level, enforcing least-privilege network access. By default, it can block all traffic except explicitly allowed services (e.g., SSH on port 22, HTTPS on port 443), reducing the attack surface. This is a fundamental security control to prevent unauthorized network connections.

Exam trap

CompTIA often tests the misconception that a permissive umask (like 0777) is secure because it 'blocks everything,' but in reality, umask subtracts permissions, so 0777 actually removes all permissions, which is not a best practice and can cause operational issues; the trap is confusing umask subtraction with direct permission setting.

25
MCQ · medium

A Linux server is configured to allow SSH access for remote administration. The security team wants to limit SSH access to only users in the 'ssh-users' group. Which configuration should be added to /etc/ssh/sshd_config?

A. AllowUsers ssh-users
B. AllowGroups ssh-users
C. DenyUsers root
D. PermitRootLogin yes
Answer: B

AllowGroups restricts SSH to group members.

Why this answer

Option B is correct because the AllowGroups directive in /etc/ssh/sshd_config restricts SSH logins to only those users who are members of the specified group. By setting 'AllowGroups ssh-users', only users belonging to the 'ssh-users' group will be permitted to authenticate via SSH, directly fulfilling the security team's requirement.

Exam trap

The trap here is that candidates confuse AllowUsers (which takes usernames) with AllowGroups (which takes group names), leading them to incorrectly select option A thinking it will filter by group membership.

How to eliminate wrong answers

Option A is wrong because AllowUsers expects a list of usernames, not a group name; 'AllowUsers ssh-users' would attempt to match a user literally named 'ssh-users', not members of the group. Option C is wrong because 'DenyUsers root' only blocks the root user from SSH access, but does nothing to limit access to only users in the 'ssh-users' group. Option D is wrong because 'PermitRootLogin yes' controls whether root can log in via SSH, not which users or groups are allowed; it is irrelevant to restricting access to a specific group.

26
MCQ · easy

A security engineer needs to verify the authenticity of a downloaded file using its detached GPG signature (file.sig). Which command should be used?

A. gpg --sign file
B. gpg --list-keys
C. gpg --verify file.sig
D. gpg --decrypt file.gpg
Answer: C

This command verifies the detached signature file.sig against the original file (file).

Why this answer

The `gpg --verify file.sig` command is used to verify the authenticity of a file using its detached GPG signature. The detached signature file (file.sig) contains the cryptographic signature, and GPG checks it against the original file (which must be present in the same directory with the same base name) using the signer's public key from the local keyring. This confirms that the file was signed by the holder of the corresponding private key and has not been tampered with.

Exam trap

CompTIA often tests the distinction between detached signatures and embedded signatures, where candidates mistakenly think `--verify` requires the original file as an argument, but GPG automatically infers it from the signature filename.

How to eliminate wrong answers

Option A is wrong because `gpg --sign file` creates a new signature for the file rather than verifying an existing one. Option B is wrong because `gpg --list-keys` lists public keys in the keyring but does not perform any verification. Option D is wrong because `gpg --decrypt file.gpg` decrypts an encrypted file rather than verifying a detached signature.

27
MCQ · easy

A system administrator needs to restrict SSH access to a Linux server to only users in the 'sshusers' group. Which configuration change achieves this?

A. Add 'DenyUsers *' to /etc/ssh/sshd_config
B. Set 'PermitRootLogin no' in /etc/ssh/sshd_config
C. Add 'AllowGroups sshusers' to /etc/ssh/sshd_config
D. Add 'AllowUsers sshusers' to /etc/ssh/sshd_config
Answer: C

AllowGroups restricts SSH access to members of the specified group.

Why this answer

Option C is correct because the 'AllowGroups' directive in /etc/ssh/sshd_config restricts SSH access to only users who are members of the specified group. When set to 'AllowGroups sshusers', only users belonging to the 'sshusers' group will be permitted to log in via SSH, effectively blocking all others. This is the standard method for group-based access control in OpenSSH.

Exam trap

CompTIA often tests the distinction between 'AllowUsers' (which expects usernames) and 'AllowGroups' (which expects group names), leading candidates to incorrectly choose 'AllowUsers sshusers' thinking it applies to the group rather than a user literal.

How to eliminate wrong answers

Option A is wrong because 'DenyUsers *' denies all users by name, but it does not consider group membership; it would block everyone including root and any user, which is overly restrictive and not the intended group-based restriction. Option B is wrong because 'PermitRootLogin no' only disables root login via SSH, but does nothing to restrict access for other users or enforce group-based access control. Option D is wrong because 'AllowUsers sshusers' expects a list of usernames, not a group name; it would attempt to match a user literally named 'sshusers', which does not exist, effectively denying all users but for the wrong reason and without group-based logic.

28
MCQ · hard

An Apache web server (httpd) is serving content from a custom directory /webapps/company. The root directory is labeled with the default_t context, causing httpd to be denied access. Which command should the administrator use to persistently relabel the directory for httpd access?

A. restorecon -v /webapps/company
B. chcon -t httpd_sys_content_t /webapps/company
C. setsebool -P httpd_read_user_content on
D. semanage fcontext -a -t httpd_sys_content_t '/webapps/company(/.*)?'
Answer: D

This sets the persistent default SELinux type for the directory and its contents.

Why this answer

Option D is correct because `semanage fcontext` modifies the SELinux file context policy persistently, and the regex `/webapps/company(/.*)?` ensures the rule applies to the directory and all its contents. This is necessary because `restorecon` (option A) only applies the default context from the policy, which is `default_t` for this custom path, and `chcon` (option B) is non-persistent and will be overwritten by a file system relabel. The `setsebool` (option C) controls a boolean for user content, not the file context of a custom directory.

Exam trap

The trap here is that candidates confuse `chcon` (immediate but non-persistent) with `semanage fcontext` (persistent via policy), or they incorrectly assume `restorecon` can change the context to a non-default type when it only restores the type defined in the policy.

How to eliminate wrong answers

Option A is wrong because `restorecon -v /webapps/company` would reset the context to the default `default_t` type, which is the very context causing the denial, not the `httpd_sys_content_t` type needed for Apache access. Option B is wrong because `chcon -t httpd_sys_content_t /webapps/company` changes the context immediately but is not persistent; it will be reverted to the policy default after a file system relabel or `restorecon` run. Option C is wrong because `setsebool -P httpd_read_user_content on` enables a boolean that allows httpd to read user home directories (typically `/home/*/public_html`), not a custom directory like `/webapps/company`.

29
MCQ · easy

A Linux administrator discovers that a user's home directory contains a file with setuid bit set, owned by root. The file is not part of any authorized software. What is the most appropriate immediate action?

A. Move the file to /tmp for further analysis
B. Delete the file immediately to remove the threat
C. Change the file owner to the user with 'chown user:user <file>'
D. Remove the setuid bit with 'chmod u-s <file>'
Answer: D

This removes the setuid bit, preventing privilege escalation, while preserving the file.

Why this answer

Option D is correct because the immediate priority is to neutralize the unauthorized setuid root binary, which poses a privilege escalation risk. Removing the setuid bit with 'chmod u-s' disables the ability for any user to execute the file with root privileges, containing the threat without destroying evidence that may be needed for forensic analysis. This aligns with security best practices of preserving artifacts while mitigating active risks.

Exam trap

The trap here is that candidates often choose deletion (Option B) as the 'obvious' fix, overlooking the forensic value of the file and the fact that removing the setuid bit is a less destructive and equally effective containment measure.

How to eliminate wrong answers

Option A is wrong because moving the file to /tmp does not remove the setuid bit; the file would retain its setuid root capability in /tmp, still allowing privilege escalation. Option B is wrong because deleting the file immediately destroys potential forensic evidence (e.g., timestamps, contents, metadata) that could be critical for understanding the breach or attacker's methods. Option C is wrong because changing the owner to the user does not remove the setuid bit; the file would still execute with the new owner's privileges, which could be the user themselves, failing to eliminate the privilege escalation vector.

30
MCQ · easy

Based on the exhibit, what best describes the security implication?

A. The SUID bit is set, allowing users to run passwd with root privileges to change their own password.
B. The file is world-writable.
C. The SGID bit is set, allowing users to run passwd with group root.
D. The sticky bit is set, preventing deletion of the file.
Answer: A

The 's' in the user execute position indicates SUID.

Why this answer

The SUID (Set User ID) bit is set on the /usr/bin/passwd file, as indicated by the 's' in the owner's execute position (e.g., -rwsr-xr-x). This allows any user to run the passwd command with the effective UID of the file owner (root), enabling them to change their own password by writing to /etc/shadow, which is otherwise only writable by root. This is a standard security mechanism, not a vulnerability, as the passwd binary is carefully designed to only allow password changes for the invoking user.

Exam trap

CompTIA often tests the distinction between SUID, SGID, and sticky bits by presenting a file listing with an 's' in the owner's execute position and expecting candidates to recognize it as SUID, not confusing it with SGID (which would be in the group position) or the sticky bit (which would be a 't' in the others position).

How to eliminate wrong answers

Option B is wrong because the file permissions shown (e.g., -rwsr-xr-x) indicate the file is not world-writable; the 'w' bit for 'others' is not set. Option C is wrong because the SGID bit is not set; the group execute position shows 'x' (it would show 's' if SGID were set), and whichever group owns the file ('root' or 'shadow', depending on the system), the key point is that the 's' is in the owner's position, not the group's. Option D is wrong because the sticky bit is not set; it would appear as a 't' in the 'others' execute position, and no 't' is present in the given permissions.

31
MCQ · medium

A security policy requires that SSH root login be disabled, but key-based authentication for users should remain enabled. Which configuration line should be added to /etc/ssh/sshd_config?

A. PermitEmptyPasswords no
B. PermitRootLogin no
C. PasswordAuthentication yes
D. PermitRootLogin prohibit-password
Answer: D

This disables password authentication for root while allowing key-based login.

Why this answer

The directive `PermitRootLogin prohibit-password` in `/etc/ssh/sshd_config` disables password-based authentication for the root user while still allowing key-based authentication (e.g., SSH public key or GSSAPI). This satisfies the security policy requirement to disable root login via passwords but retain the ability for users (including root) to authenticate using SSH keys.

Exam trap

The trap here is that candidates often confuse `PermitRootLogin no` (which blocks all root SSH access) with `PermitRootLogin prohibit-password` (which only blocks password-based root access), leading them to choose option B when the question explicitly requires key-based authentication to remain enabled.

How to eliminate wrong answers

Option A is wrong because `PermitEmptyPasswords no` only prevents login with empty passwords; it does not disable root login or affect key-based authentication. Option B is wrong because `PermitRootLogin no` completely disables all SSH logins for root, including key-based authentication, which violates the requirement to keep key-based authentication enabled. Option C is wrong because `PasswordAuthentication yes` explicitly enables password authentication for all users, including root, which directly contradicts the policy to disable SSH root login.

32
Drag & Drop · medium

Drag and drop the steps to configure a static IP address using the command line in the correct order.

Why this order

Static IP configuration involves editing the network config file and restarting the service to apply changes.

33
Multi-Select · medium

A Linux administrator is hardening a server. Which TWO actions are effective in preventing unauthorized access via SSH? (Select TWO.)

A. Set PermitRootLogin yes
B. Set PasswordAuthentication yes
C. Disable the SSH service
D. Set PermitRootLogin no in /etc/ssh/sshd_config
E. Set PasswordAuthentication no and use SSH keys
Answers: D, E

Prevents direct root login.

Why this answer

Option D is correct because setting `PermitRootLogin no` in `/etc/ssh/sshd_config` prevents direct root login via SSH, forcing administrators to log in as a regular user and then use `su` or `sudo` for privilege escalation. This reduces the attack surface by eliminating the ability to brute-force the root password directly over SSH.

Exam trap

The trap here is that candidates may think disabling the SSH service (Option C) is a valid hardening step, but the question asks for actions that prevent unauthorized access *via SSH* while still allowing legitimate remote administration.

34
MCQ · easy

A system administrator is tasked with ensuring that users cannot delete files owned by other users in a shared directory. Which permission should be set on the directory?

A. Apply an ACL
B. Set the sticky bit
C. Set the SGID bit
D. Set the SUID bit
Answer: B

The sticky bit prevents users from deleting files they do not own in the directory.

Why this answer

The sticky bit (chmod +t) on a directory restricts deletion so that only the file owner, the directory owner, or root can remove files, even if the directory has world-writable permissions. This directly prevents users from deleting files owned by others in a shared directory, which is the requirement.

Exam trap

The trap here is that candidates often confuse the sticky bit with SUID or SGID, or think an ACL is required, but the sticky bit is the exact POSIX mechanism designed for shared directory deletion control.

How to eliminate wrong answers

Option A is wrong because an ACL (Access Control List) provides fine-grained permissions for specific users or groups but does not inherently restrict deletion to file owners; it can be configured to do so, but the standard, simplest solution is the sticky bit, not an ACL. Option C is wrong because the SGID bit (setgid) on a directory causes new files to inherit the directory's group, not restrict deletion; it addresses group ownership inheritance, not deletion prevention. Option D is wrong because the SUID bit (setuid) on a directory is ignored on most Unix/Linux systems (it has no effect on directories) and is used on executables to run with the owner's privileges, not to control file deletion.

35
MCQ · easy

A Linux server is configured to use Pluggable Authentication Modules (PAM). Which file is used to define the authentication order for the 'sshd' service?

A. /etc/authselect/sshd
B. /etc/security/sshd
C. /etc/pam.d/sshd
D. /etc/pam.d/login
Answer: C

This is the correct PAM configuration file for the SSH daemon.

Why this answer

In Linux, PAM configuration files for individual services are stored in /etc/pam.d/, with the filename matching the service name. For the sshd service, the file /etc/pam.d/sshd defines the authentication order, including the modules and their control flags (e.g., required, sufficient) that PAM will consult during SSH login. This is the standard location per the Linux PAM architecture, as documented in the pam.conf man page.

Exam trap

CompTIA often tests the distinction between /etc/pam.d/sshd and /etc/pam.d/login, as candidates may confuse the SSH service file with the general login file, especially since both handle authentication but for different services.

How to eliminate wrong answers

Option A is wrong because /etc/authselect/sshd is not a standard PAM file; authselect is a tool for managing system authentication profiles, but it does not directly define per-service PAM stacks. Option B is wrong because /etc/security/sshd is not a PAM configuration file; the /etc/security/ directory typically contains files like limits.conf or access.conf, not per-service PAM definitions. Option D is wrong because /etc/pam.d/login is the PAM configuration for the login service (used for console or terminal logins), not for the SSH daemon (sshd).

36
MCQ · medium

Refer to the exhibit. The system administrator runs the command 'auditctl -l' and sees the above rules. What is the purpose of these audit rules?

A. To log any changes (write or attribute) to the password, shadow, and group files
B. To log all successful login attempts on the system
C. To log any modifications to the audit configuration itself
D. To log all read accesses to /etc/passwd, /etc/shadow, and /etc/group
Answer: A

The -p wa flag is for write and attribute changes.

Why this answer

The audit rules use the `-w` flag to watch the files `/etc/passwd`, `/etc/shadow`, and `/etc/group` with the `-p wa` permission filter (write and attribute change). This logs any modification to these critical authentication and authorization files, such as user additions, password changes, or permission changes, which is essential for security monitoring.

Exam trap

The trap here is that candidates confuse the `-p wa` permission (write and attribute) with read access, assuming that watching these files logs all access, when in fact only modifications are recorded.

How to eliminate wrong answers

Option B is wrong because the rules watch for write and attribute changes, not login events; successful logins are typically audited via `-a exit,always -S execve` or `-w /var/log/wtmp -p wa` rules, not by watching these specific files. Option C is wrong because modifications to the audit configuration itself are logged by rules that watch `/etc/audit/audit.rules` or `/etc/audit/rules.d/`, not the password, shadow, and group files. Option D is wrong because the `-p wa` permission only captures write and attribute change operations, not read accesses; to log reads, the permission would need to be `-p r` or `-p rw`.

37
MCQ · medium

A security audit reveals that the /var/log directory has permissions 777. The administrator needs to ensure that only root can write to log files, while still allowing users to read system log files. Which command should the administrator run?

A. chmod 644 /var/log
B. chmod 755 /var/log
C. chmod 700 /var/log
D. chmod 750 /var/log
Answer: B

755 gives owner rwx, group and others rx, allowing read and execute but not write.

Why this answer

Option B is correct because chmod 755 sets the /var/log directory to rwxr-xr-x, meaning root (owner) has full write access, while group and others have read and execute permissions. This allows users to read log files (via execute to traverse the directory) but prevents them from writing, satisfying the audit requirement.

Exam trap

The trap here is that candidates often apply file permission logic to directories, forgetting that directories require the execute bit for access, leading them to choose 644 (which breaks directory traversal) instead of 755.

How to eliminate wrong answers

Option A is wrong because chmod 644 sets permissions to rw-r--r--, which removes the execute bit from the directory, preventing users from listing or accessing files within /var/log (directories require execute to traverse). Option C is wrong because chmod 700 sets permissions to rwx------, which restricts all access to only root, blocking users from reading system log files. Option D is wrong because chmod 750 sets permissions to rwxr-x---, which denies read access to 'others' (non-group users), preventing them from reading log files as required.

38
MCQ · hard

A Linux server in a DMZ is experiencing intermittent SSH lockouts. The /var/log/secure shows repeated failed login attempts from multiple IP addresses, but then suddenly the administrator cannot SSH in even with correct credentials. The administrator suspects a brute-force protection mechanism. The server uses PAM with pam_tally2 for login counting. The administrator checks /etc/pam.d/sshd and sees: auth required pam_tally2.so deny=3 unlock_time=300 onerr=succeed file=/var/log/tallylog. What is the most likely reason the administrator is locked out even after 5 minutes?

A. The SSH server is not configured with UsePAM yes, so pam_tally2 is not applied
B. The tallylog file has incorrect permissions, preventing pam_tally2 from reading the count
C. The root account is not subject to pam_tally2 without the 'even_deny_root' option, so the lockout is from another mechanism
D. The DenyHosts service is running and blocks IPs after too many failures
Answer: C

By default, pam_tally2 excludes root unless even_deny_root is set. The administrator is likely using root, and the lockout is caused by something else like fail2ban or iptables.

Why this answer

Option C is correct because pam_tally2 does not apply to the root account unless the 'even_deny_root' option is explicitly added to the pam_tally2 configuration line. Since the administrator is likely logging in as root (or the root account is being targeted), the lockout observed is not from pam_tally2 but from another mechanism such as sshd's own MaxAuthTries or a separate service like fail2ban. The configuration shown only denies regular users after 3 failures and unlocks after 300 seconds, but root remains unaffected by this rule.

Exam trap

The trap here is that candidates assume pam_tally2 applies equally to all users, including root, without realizing the default exemption for root and the need for the 'even_deny_root' option.

How to eliminate wrong answers

Option A is wrong because the question states the server uses PAM with pam_tally2, and the administrator is checking /etc/pam.d/sshd, which implies UsePAM yes is already set; otherwise, the pam_tally2 line would have no effect at all, and the lockout behavior would not be observed. Option B is wrong because incorrect permissions on /var/log/tallylog would cause pam_tally2 to fail (potentially with onerr=succeed allowing access), not cause a lockout; the lockout is still happening, so the file is readable. Option D is wrong because while DenyHosts could cause IP-based lockouts, the question specifically states the administrator suspects a brute-force protection mechanism and checks pam_tally2; the most likely reason given the pam_tally2 configuration is the root account exemption, not an unrelated service.

39
MCQ · hard

A security policy requires auditing of all file access attempts. Which Linux kernel feature should be used?

A. auditd
B. journald
C. syslog
D. sysstat
Answer: A

The audit daemon can be configured to watch file accesses using audit rules.

Why this answer

The `auditd` service is the user-space component of the Linux Audit subsystem, which is the kernel feature designed to record file access events. It uses kernel audit rules (configured via `auditctl`) to capture system calls like `open`, `execve`, and `unlink`, enabling detailed auditing of all file access attempts as required by security policies.

Exam trap

The trap here is that candidates confuse `auditd` with general logging tools like `journald` or `syslog`, assuming any logging service can fulfill file access auditing requirements, but only the Linux Audit subsystem provides the necessary kernel-level system call interception and rule-based filtering.

How to eliminate wrong answers

Option B is wrong because `journald` is a system logging daemon that collects log data from various sources (e.g., kernel, services) and stores it in binary journal files; it does not provide granular, rule-based auditing of individual file access attempts. Option C is wrong because `syslog` is a legacy logging protocol and service (e.g., rsyslog, syslog-ng) that handles message-based logging but lacks the kernel-level system call interception needed for file access auditing. Option D is wrong because `sysstat` is a performance monitoring toolset (e.g., sar, iostat) that reports system activity metrics like CPU and I/O usage, not file access events.

40
Multi-Select · easy

A security team wants to implement mandatory access control (MAC) on a Linux server to confine a potentially vulnerable daemon. Which TWO of the following technologies can be used for this purpose?

A. sudo
B. AppArmor
C. SELinux
D. TCP wrappers
E. iptables
Answers: B, C

AppArmor is another Linux MAC implementation using profiles.

Why this answer

AppArmor is a Linux Security Module (LSM) that implements mandatory access control (MAC) by confining programs to a set of listed files and capabilities defined in profiles. It operates on a path-based model, allowing the security team to restrict the daemon's access to only necessary resources, effectively containing a potential vulnerability.

Exam trap

The trap here is that candidates may confuse network-level controls (TCP wrappers, iptables) or privilege escalation tools (sudo) with mandatory access control, which specifically restricts what a process can do on the local system regardless of the user running it.

41
MCQ · easy

Which command can be used to display the current user's effective user ID and group memberships?

A. id
B. who
C. groups
D. whoami
Answer: A

Displays UID, GID, and supplementary groups.

Why this answer

The `id` command displays the current user's real and effective user ID (UID), group ID (GID), and supplementary group memberships. It provides a comprehensive view of identity and group associations, which is essential for understanding access rights in Linux security contexts.

Exam trap

CompTIA often tests the distinction between `whoami` (which shows only the effective username) and `id` (which shows both the effective user ID and group memberships), leading candidates to choose `whoami` when the question asks for the effective user ID and group memberships together.

How to eliminate wrong answers

Option B is wrong because `who` lists currently logged-in users with session details (e.g., login time, terminal), not the effective user ID or group memberships of the current user. Option C is wrong because `groups` only shows the group memberships of the current user (or a specified user) but does not display the effective user ID or the numeric UID/GID values. Option D is wrong because `whoami` prints only the current effective username, not the numeric user ID or any group membership information.

42
MCQ · easy

A user can access a web server on this Linux system via HTTPS but cannot connect via SSH. Based on the exhibit, what is the most likely cause?

A.The SSH service is not running.
B.The eth0 interface is down.
C.The firewall is missing a rule to allow SSH traffic.
D.The INPUT chain default policy is DROP.
AnswerC

Only HTTPS is allowed; SSH packets are dropped by the default DROP policy.

Why this answer

The exhibit's INPUT chain has an explicit ACCEPT for tcp/443, no rule at all for tcp/22, and a default policy of DROP (the default policy the short answer above refers to). HTTPS succeeds because its rule matches; an SSH SYN matches nothing, falls through to the chain policy and is silently discarded, which is why the client sees a timeout rather than a refusal. The specific cause is therefore the absent allow rule for SSH. A default-deny INPUT policy is the intended baseline on a hardened host, not the fault; the fix is to add an ACCEPT for tcp/22, ideally limited to a management source range, and leave the policy alone.

Exam trap

The trap is the C/D pair. The DROP policy is mechanically what discards the packets, but it is a deliberate default-deny posture and it applies equally to HTTPS, which works. What distinguishes the two services is the presence or absence of an allow rule, so the missing SSH rule is the cause. Choosing D also leads to the wrong remediation: flipping the policy to ACCEPT exposes every listening service instead of opening one port.

How to eliminate wrong answers

Option A is wrong because a stopped sshd behind an open port answers with a TCP RST, so the client gets an immediate 'Connection refused'; under a DROP policy the symptom is a timeout, and nothing in the exhibit suggests the service is down. On the server, `ss -tlnp` for port 22 next to the firewall ruleset settles it in seconds. Option B is wrong because if eth0 were down, HTTPS over the same interface would fail as well. Option D is wrong because the DROP policy is the baseline under which HTTPS already works thanks to its explicit rule; the policy only bites SSH because no SSH rule exists, so the missing rule, not the policy, is the actionable cause.

43
Multi-Selecteasy

Which TWO commands can be used to change the group ownership of a file? (Choose exactly two.)

Select 2 answers
A.chmod
B.chgrp
C.groupmod
D.chown
E.usermod
AnswersB, D

chgrp directly changes the group of a file.

Why this answer

The `chgrp` command exists specifically to change the group ownership of a file or directory. The `chown` command does the same when given a group after a colon (`chown :groupname file`), and can change owner and group together (`chown user:group file`). Both write the new group ID (GID) into the inode. The privilege rules are the same for both: only root may change a file's owner, and an unprivileged owner may change the group only to a group they belong to, so a failing `chgrp` by a non-root user usually means they are not a member of the target group.

Exam trap

The trap here is that candidates often forget `chown` can change group ownership using the colon syntax (e.g., `chown :group file`), leading them to select only `chgrp` or incorrectly choose `chmod` or `groupmod`.

44
Multi-Selecteasy

Which TWO of the following are best practices for securing the GRUB boot loader?

Select 2 answers
A.Enable Secure Boot.
B.Encrypt the boot partition.
C.Set a GRUB password.
D.Set the boot timeout to 0.
E.Disable USB boot.
AnswersB, C

Protects boot files from tampering.

Why this answer

Setting a GRUB password (option C) prevents anyone at the console from editing boot parameters (for example appending init=/bin/bash or rd.break) or booting into single-user mode, either of which bypasses normal authentication. Encrypting the boot partition (option B) protects the confidentiality and integrity of the kernel and initramfs so tampered code cannot be introduced before the system is up. Both are part of common hardening baselines for boot-level access control. In GRUB 2 the password should be stored as a PBKDF2 hash (generated with `grub2-mkpasswd-pbkdf2` or `grub-mkpasswd-pbkdf2`) in a `set superusers` / `password_pbkdf2` stanza under /etc/grub.d/, followed by regenerating grub.cfg; mark the normal menu entry `--unrestricted` so unattended reboots keep working and the password is demanded only for editing entries or entering the GRUB shell. A plaintext `password` directive is readable by anyone who can read grub.cfg and defeats the purpose.

Exam trap

CompTIA often tests the distinction between GRUB‑specific controls (password, encryption) and platform‑level settings (Secure Boot, USB boot order), leading candidates to mistakenly select Secure Boot or disable USB boot as GRUB best practices.

45
MCQeasy

A security audit reveals a misconfiguration. Which file has insecure permissions that could allow unauthorized users to read password hashes?

A.Both files are misconfigured
B./etc/shadow
C.Neither file has a misconfiguration
D./etc/passwd
AnswerB

Permissions 664 allow read by group and others, which is insecure; should be 600.

Why this answer

The /etc/shadow file stores password hashes and aging data and must not be readable by ordinary users. Distribution defaults differ but are all restrictive: Debian and Ubuntu ship it as root:shadow with mode 640, RHEL-family systems as root:root with mode 000 (root bypasses DAC, and setuid helpers such as passwd run as root). If the mode is too permissive, as in the 664 shown here, any local user can copy the hashes and crack them offline at leisure, which is the finding the audit would flag. A quick check is `stat -c '%a %U:%G' /etc/shadow`: any bit set in the 'other' column, or read access for a group other than root or shadow, is a finding.

Exam trap

CompTIA often tests the misconception that /etc/passwd contains password hashes (as it did in older Unix systems), but modern Linux distributions use shadow passwords, so the hashes are exclusively in /etc/shadow.

How to eliminate wrong answers

Option A is wrong because only one file (the shadow file) is the typical target for insecure permissions on password hashes; both files being misconfigured is not the standard finding. Option C is wrong because a misconfiguration does exist in the shadow file, so 'neither file has a misconfiguration' is false. Option D is wrong because /etc/passwd traditionally stores user account information (UID, GID, home directory, shell) but not password hashes (which are stored in /etc/shadow on modern Linux systems using shadow passwords); even if /etc/passwd is world-readable by design, it does not contain the hashes, so its permissions are not the direct security concern for reading password hashes.

46
MCQmedium

A security policy requires that all SUID files be identified and reviewed. Which command can recursively find SUID files?

A.find / -type f -perm 0777
B.find / -perm /4000
C.ls -lR | grep '^...s'
D.find / -perm -2000
AnswerB

This finds files with the SUID bit set (4000).

Why this answer

Option B is correct: `find / -perm /4000` matches any file with the setuid bit (04000) set regardless of its other bits, and find recurses by default. Option A, `-perm 0777`, is an exact match for rwxrwxrwx with no special bits, so it can never return a SUID file. Option C, `ls -lR | grep '^...s'`, is recursive but fragile: it keys on the owner-execute column, misses an uppercase S (setuid without execute) and symlink edge cases, and is not something a policy review should depend on. Option D, `-perm -2000`, finds the setgid bit, not setuid.

In practice `-perm -4000` is equivalent for a single bit, `-perm /6000` catches setuid or setgid in one pass, and adding `-type f -xdev` keeps the review to regular files on local filesystems. Compare the result against the package manager's expected list so only unexpected binaries get attention.
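As an added example (not part of the quiz and not code from any distribution), the following Python mirrors the three forms of find's -perm test, so the difference between options A, B and D can be checked against a small directory tree instead of remembered. The tree, file names and modes are constructed in a temporary directory:

```python
"""Emulation of find(1)'s three -perm forms for a SUID/SGID review (added example).

  find ROOT -perm MODE    exact match of all permission bits
  find ROOT -perm -MODE   every given bit must be set (AND)
  find ROOT -perm /MODE   at least one given bit must be set (OR)

The walker applies the same semantics to os.lstat results. The sample tree
is constructed here; it is not a real system's /usr/bin.
"""
import os
import stat
import tempfile
from typing import List

PERM_MASK = 0o7777  # setuid, setgid, sticky and rwxrwxrwx


def perm_matches(mode: int, spec: str) -> bool:
    """Apply a find-style -perm argument to a st_mode value."""
    bits = mode & PERM_MASK
    if spec.startswith("-"):
        want = int(spec[1:], 8)
        return bits & want == want          # all requested bits present
    if spec.startswith("/"):
        want = int(spec[1:], 8)
        return bits & want != 0             # any requested bit present
    return bits == int(spec, 8)             # exact permission set


def find_perm(root: str, spec: str, files_only: bool = True) -> List[str]:
    """Recursive walk equivalent to `find ROOT [-type f] -perm SPEC`."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = filenames if files_only else dirnames + filenames
        for name in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)             # like find -P: do not follow symlinks
            if files_only and not stat.S_ISREG(st.st_mode):
                continue
            if perm_matches(st.st_mode, spec):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed tree: a SUID file, a SGID file, a 777 file and a 644 file."""
    root = tempfile.mkdtemp(prefix="suid-review-")
    os.makedirs(os.path.join(root, "bin"))
    layout = {
        "bin/passwd-like": 0o4755,   # setuid root-style helper
        "bin/wall-like": 0o2755,     # setgid helper
        "bin/wide-open": 0o777,      # no special bits, just rwx for all
        "notes.txt": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for spec in ("/4000", "-4000", "/6000", "-6000", "-2000", "0777"):
        print(f"-perm {spec:<6} -> {find_perm(tree, spec)}")
```

The `0777` run returning only the wide-open file and `/4000` returning only the setuid file is the whole point of the question; `-6000` (both bits) returning nothing while `/6000` (either bit) returns two entries is the distinction most often confused in the field.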

47
MCQmedium

A systems administrator notices that users can successfully authenticate via SSH using their password, but cannot log in via the console. The /etc/securetty file exists and contains only the default entries. Which configuration change is most likely to resolve the issue?

A.Add 'console' to the /etc/securetty file
B.Add the denyhosts service to block non-console logins
C.Set PermitRootLogin yes in /etc/ssh/sshd_config
D.Set SELinux to permissive mode
AnswerA

/etc/securetty lists TTY devices where root is allowed to log in; adding console allows root login via the physical console.

Why this answer

The /etc/securetty file lists the terminal devices on which root may log in; pam_securetty consults it during login and ignores it for non-root users. On the system in the question the default entries cover the virtual terminals (tty1 through tty6) but not 'console', so a root login on the physical console is refused while SSH, whose PAM stack does not run pam_securetty and whose root access is governed by sshd's PermitRootLogin instead, still works. Adding 'console' resolves it. Two caveats for practice: the restriction applies to root only, and many current distributions (RHEL 8 and later, Debian 10 and later) no longer ship /etc/securetty or enable pam_securetty, so this mechanism belongs to older systems.

Exam trap

The trap here is that candidates may confuse console login restrictions with SSH configuration (PermitRootLogin) or security hardening tools (denyhosts, SELinux), rather than recognizing that /etc/securetty specifically governs which TTYs allow root login via console or terminal.

How to eliminate wrong answers

Option B is wrong because denyhosts is a service that blocks SSH brute-force attacks by monitoring failed login attempts, not a mechanism to control console access. Option C is wrong because PermitRootLogin yes in /etc/ssh/sshd_config controls SSH root login only, not console login, and the issue is about console access, not SSH. Option D is wrong because setting SELinux to permissive mode disables SELinux enforcement entirely, which is an overly broad and insecure change that does not specifically address the /etc/securetty restriction on console logins.

48
MCQeasy

A shared directory requires that any new files created within it are automatically writable by the group. What umask value should be set for users working in this directory?

A.0777
B.0027
C.0002
D.0022
AnswerC

This umask subtracts 0002, giving group write permission on new files.

Why this answer

Option C (0002) is correct because the umask subtracts permissions from the default 0666 for files. A umask of 0002 removes the 'write' permission for others (o-w), leaving the group with read/write (rw) and the owner with read/write (rw). This ensures new files are group-writable, as required for a shared directory.

Exam trap

The trap here is that candidates often confuse umask with the final permission value, mistakenly thinking a higher umask like 0022 is safer, but it actually removes group write access, which is the opposite of what the question requires.

How to eliminate wrong answers

Option A (0777) is wrong because it would remove all permissions from the default, resulting in files with no permissions (000), which is not useful. Option B (0027) is wrong because it removes write permission from the group (g-w), making new files not group-writable, which contradicts the requirement. Option D (0022) is wrong because it removes write permission from the group (g-w) as well, leaving files with owner write only, not group-writable.

49
MCQmedium

A web server is running on the system but clients cannot connect to port 8080. Based on the exhibit, which command should the administrator run to allow traffic on port 8080?

A.firewall-cmd --add-rich-rule='rule port port=8080 protocol=tcp accept' --permanent
B.firewall-cmd --add-port=8080/tcp --permanent
C.firewall-cmd --add-port=8080/udp --permanent
D.firewall-cmd --add-service=http --permanent
AnswerB

This command adds TCP port 8080 to the permanent firewalld configuration, which is what a web service listening on a non-standard port needs.

Why this answer

The correct command is `firewall-cmd --add-port=8080/tcp --permanent`: it opens TCP port 8080 in firewalld, the default firewall front end on RHEL-family distributions, and `--permanent` writes the change to the saved zone configuration. Since the web server is running but clients cannot connect, inbound traffic on that port is being blocked. Two practical points: `--permanent` on its own does not change the running ruleset, so follow it with `firewall-cmd --reload` (or run the same command again without `--permanent`), and confirm with `firewall-cmd --list-ports`. The rule lands in the default zone unless `--zone=` is given, so check which zone the server's interface belongs to.

Exam trap

The trap here is that candidates confuse `--add-port` with `--add-service` or use the wrong protocol (UDP instead of TCP), or incorrectly format a rich rule, because the exam tests precise syntax and the distinction between service-based and port-based rules in firewalld.

How to eliminate wrong answers

Option A is the one the exam marks wrong, but its syntax is actually valid: `family=` is optional in a rich rule that matches no address, so this rule would also open tcp/8080. The reason to prefer B is that a plain port entry is the simpler, more auditable form (it appears under `--list-ports`), whereas rich rules earn their complexity only when you need a source restriction, logging or rate limiting. Option C is wrong because it opens UDP 8080 while HTTP and HTTPS are carried over TCP, so web clients still cannot connect. Option D is wrong because the predefined http service maps to port 80, not 8080.

50
MCQmedium

A Linux administrator is troubleshooting login issues. Users can log in using SSH but not through the local console or graphical display manager. The /etc/pam.d/system-auth file was recently modified. Which PAM module is likely misconfigured?

A.pam_limits.so
B.pam_securetty.so
C.pam_deny.so
D.pam_unix.so
AnswerB

Controls which TTYs root may log in; if misconfigured, console login can be blocked.

Why this answer

The pam_securetty.so module applies only to root: for any other user it returns success, and for root it requires the login terminal to appear in /etc/securetty. If the recent edit added the module to system-auth, or changed what it reads, root's local console and display-manager logins, which run on virtual terminals such as tty1, are denied, while SSH sessions on pseudo-terminals (pts/0) still succeed because sshd's stack does not call pam_securetty and root SSH access is decided by PermitRootLogin instead. Among the listed modules it is the only one whose result depends on the terminal type, which is exactly what the SSH-works, console-fails pattern points to.

Exam trap

The trap here is that candidates confuse pam_securetty.so with pam_access.so or assume SSH is also blocked, but pam_securetty.so specifically targets local TTYs and does not affect SSH pseudo-terminals by default.

How to eliminate wrong answers

Option A is wrong because pam_limits.so enforces resource limits (e.g., ulimit) and does not control terminal-based login access; misconfiguring it would cause resource denial, not login failure at the console. Option C is wrong because pam_deny.so is a simple module that always returns failure; if it were misconfigured, it would block all authentication methods (including SSH), not selectively allow SSH. Option D is wrong because pam_unix.so handles traditional Unix password authentication and account management; a misconfiguration there would affect all login methods equally, not just local console and graphical display manager.

51
MCQhard

Refer to the exhibit. Alice is the owner of file.txt. Bob is a member of the staff group. What permissions does Bob have on file.txt?

A.Read only
B.Read and write
C.No access
D.Write only
AnswerA

Bob gets read only: the group (staff) triple of -rw-r----- is r--, and an ACL entry user:bob:r-- in the exhibit would grant the same thing.

Why this answer

Bob is a member of the staff group, and the file.txt permissions are shown as -rw-r-----. The group permissions are r--, meaning members of the staff group (including Bob) have read-only access. The owner (Alice) has read and write, but group permissions do not include write, so Bob cannot modify the file.

Exam trap

CompTIA often tests the misconception that being a member of a group automatically grants the same permissions as the owner, but the trap here is that group permissions are independent and must be examined separately from owner permissions.

How to eliminate wrong answers

Option B is wrong because the group permissions are r--, not rw-, so Bob does not have write access. Option C is wrong because Bob has read access via the group permissions, so he does have access. Option D is wrong because the group permissions include read (r) but not write (w), so Bob cannot write only; he can read only.

52
Multi-Selecthard

An administrator is hardening a Linux server. Which three of the following actions reduce the attack surface? (Select THREE).

Select 3 answers
A.Setting default umask to 022
B.Disabling unnecessary services
C.Enabling USB mass storage kernel module
D.Using a host-based firewall
E.Enforcing strong password policies
AnswersB, D, E

Reduces potential entry points for attackers.

Why this answer

Disabling unnecessary services reduces the attack surface by eliminating potential entry points for attackers. Each running service exposes network ports, system resources, and code paths that could contain vulnerabilities. By stopping and masking services not required for the server's role (e.g., using systemctl disable and mask), the administrator minimizes the number of exploitable components.

Exam trap

CompTIA often tests the misconception that setting a restrictive umask or enabling USB storage is a hardening action, when in fact umask 022 is the default and permissive, and enabling USB storage expands the attack surface rather than reducing it.

53
Matchingmedium

Match each Linux boot component to its role.

Bootloader

Initial RAM disk

Init system and service manager

Compressed Linux kernel

Tool to create initramfs

Why these pairings

In boot order: the firmware hands control to the bootloader, which loads the compressed Linux kernel image and the initial RAM disk into memory; the kernel unpacks the initramfs and uses the drivers and scripts inside it to find and mount the real root filesystem, then executes the init system and service manager as PID 1, which brings up the rest of userspace. The initramfs itself is produced by a dedicated tool whenever the kernel or its modules change, which is why a missing storage or crypto module there leaves a system unable to mount its root. Each stage is a link in the boot chain: the bootloader and kernel are what a GRUB password or Secure Boot protect, and the initramfs runs before any access control is active, so it must be regenerated only from trusted sources.

54
MCQhard

A security policy requires that user passwords must expire after 90 days. The output in the exhibit shows the current configuration for the root user. Which command should the administrator run to enforce the policy for root?

A.sudo passwd -x 90 root
B.sudo chage -M 90 root
C.sudo chage -E 90 root
D.sudo usermod -e 90 root
AnswerB

Sets the maximum number of days a password remains valid.

Why this answer

The `chage -M 90 root` command sets the maximum number of days a password is valid for the root user to 90 days, which directly enforces the password expiration policy. The `-M` option modifies the `max_days` field in `/etc/shadow`, causing the password to expire after the specified period. This is the correct method to apply aging rules to the root account.

Exam trap

The trap here is that candidates confuse the `chage -M` (maximum password age) with `chage -E` (account expiration) or `usermod -e` (account expiration), leading them to select options that set account expiry instead of password expiry, which does not enforce the 90-day password change requirement.

How to eliminate wrong answers

Option A is marked wrong by the exam, which treats `chage` as the canonical password-aging tool, but be aware that on shadow-utils systems `passwd -x 90 root` sets the same max_days field in /etc/shadow; treat it as a distractor to recognise, not as a command that fails. Option C is wrong because `chage -E` sets the account expiration date, an absolute date given as YYYY-MM-DD or as days since 1970-01-01 (so 90 would expire the account on 1970-04-01), not a maximum password age. Option D is wrong for the same reason: `usermod -e` sets the account expiry date in YYYY-MM-DD form, not the password age. Verify the result with `chage -l root`, which reports 'Maximum number of days between password change'.
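The difference between the password-age field that `chage -M` writes and the account-expiry field that `chage -E` and `usermod -e` write is easiest to see in the /etc/shadow record itself. The following Python audit is an added example, not the page's or any distribution's code; the shadow records, hashes and the reference date are constructed:

```python
"""Password-aging audit over /etc/shadow-style records (added example).

Field order: name:pw:lastchg:min:max:warn:inactive:expire:flag, with
lastchg and expire counted in days since 1970-01-01. `max` is the field
chage -M sets; `expire` is the field chage -E / usermod -e set, which is
why "chage -E 90" does not produce a 90-day password lifetime.
Records and the reference date are constructed, not taken from any host.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)
NO_AGING = 99999            # shadow-utils convention for "never expires"
MAX_DAYS_POLICY = 90
TODAY = date(2024, 6, 1)    # constructed reference date

SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehashfakehash:19700:0:99999:7:::
alice:$6$saltsalt$anotherfakehash:19750:1:90:14:::
bob:$y$j9T$fakeyescrypt:19600:0:90:7::19800:
svc-backup:*:19000:0:99999:7:::
legacy:!!:0:0:99999:7:::
nopass::19700:0:99999:7:::
"""


def days_to_date(days: int) -> date:
    return EPOCH + timedelta(days=days)


def _num(s: str) -> Optional[int]:
    return int(s) if s else None


@dataclass
class ShadowEntry:
    name: str
    pw: str
    lastchg: Optional[int]
    min_days: Optional[int]
    max_days: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]

    @classmethod
    def parse(cls, line: str) -> "ShadowEntry":
        f = line.rstrip("\n").split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow record: {line!r}")
        return cls(f[0], f[1], _num(f[2]), _num(f[3]), _num(f[4]),
                   _num(f[5]), _num(f[6]), _num(f[7]))

    def locked(self) -> bool:
        """'!' or '*' prefix: no password can ever match this field."""
        return self.pw.startswith(("!", "*"))

    def password_expires_on(self) -> Optional[date]:
        """Date by which the password must be changed; None if aging is off."""
        if self.lastchg is None or self.max_days is None or self.max_days >= NO_AGING:
            return None
        return days_to_date(self.lastchg + self.max_days)

    def account_expires_on(self) -> Optional[date]:
        return days_to_date(self.expire) if self.expire is not None else None

    def findings(self, today: date = TODAY) -> List[str]:
        out: List[str] = []
        if self.pw == "":
            out.append("empty password field: login is possible without a password")
        elif self.locked():
            return out                       # locked or no-login account: aging is moot
        if self.max_days is None or self.max_days > MAX_DAYS_POLICY:
            out.append(f"max_days {self.max_days} exceeds policy "
                       f"{MAX_DAYS_POLICY} (fix: chage -M {MAX_DAYS_POLICY} {self.name})")
        due = self.password_expires_on()
        if due is not None and due < today:
            out.append(f"password expired on {due}")
        acct = self.account_expires_on()
        if acct is not None and acct < today:
            out.append(f"account expired on {acct}")
        return out


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [ShadowEntry.parse(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e.name:<11} pw-expires={e.password_expires_on()}  {e.findings()}")
```

`days_to_date(90)` evaluates to 1970-04-01, which is what `chage -E 90` would actually write into the expire field: the account, not the password, would have expired decades ago. Run the same parser over a real `/etc/shadow` as root and the findings list is the audit.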

55
MCQmedium

A user on a workstation with IP 192.168.1.100 reports being unable to SSH to the server with IP 10.0.0.5. Based on the exhibit, what is the most likely cause?

A.The default INPUT policy is DROP and there is no SSH rule.
B.The SSH rule appears after a LOG rule, causing it to be unreachable.
C.The SSH rule only accepts connections from the 10.0.0.0/8 subnet.
D.The SSH port is not allowed in any rule.
AnswerC

The fifth line shows SSH accepted only from source 10.0.0.0/8; the user's IP is not in that range.

Why this answer

The exhibit's INPUT chain accepts tcp/22 only when the source address is within 10.0.0.0/8. A SYN from 192.168.1.100 fails that source match, so the rule is skipped and evaluation continues down the chain, where nothing else accepts SSH. The operative fault is the source restriction on the one rule that could have admitted the packet. One check worth making on the exhibit: the chain policy shown is ACCEPT, so for the packet actually to be blocked there must be an explicit drop or reject rule after the SSH rule. A whitelist-style chain that ends in policy ACCEPT with no catch-all rule admits everything it does not list, a far worse misconfiguration than the one in the question.

Exam trap

The trap here is that candidates assume any rule with 'ACCEPT' for SSH is sufficient, overlooking the source address restriction, and they may also mistakenly think a LOG rule blocks subsequent rules, when in fact LOG is non-terminating.

How to eliminate wrong answers

Option A is wrong because the default INPUT policy is ACCEPT (as indicated by the policy ACCEPT line in the exhibit), not DROP, so packets not matching any rule would be accepted by default. Option B is wrong because iptables processes rules sequentially; a LOG rule does not terminate the chain (it is a non-terminating target), so subsequent rules, including the SSH rule, are still reachable. Option D is wrong because the SSH port (22) is explicitly allowed in the rule that matches source 10.0.0.0/8; the issue is the source restriction, not the port being absent.
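Questions 42 and 55 both come down to how an iptables chain reaches a verdict: first terminating match wins, LOG does not terminate, and the policy applies only when nothing matched. The following Python model is an added example (not the page's exhibits and not iptables code); the two rulesets are constructed to resemble the scenarios in those questions, and all addresses are documentation or private ranges:

```python
"""Model of how an iptables INPUT chain reaches a verdict (added example).

Rules are tried top to bottom. The first rule whose match clauses all
apply and whose target is terminating (ACCEPT, DROP, REJECT) decides the
packet. LOG is not terminating: it records the packet and evaluation
continues. A packet no rule decides gets the chain policy.
The rulesets are constructed to resemble the exhibits in questions 42
and 55; they are not those exhibits.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str          # source IPv4 address
    proto: str        # "tcp" or "udp"
    dport: int        # destination port


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None    # -p tcp / -p udp, None = any protocol
    dport: Optional[int] = None    # --dport, None = any port
    source: Optional[str] = None   # -s CIDR, None = any source

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.source is not None and ip_address(pkt.src) not in ip_network(self.source):
            return False
        return True


@dataclass
class Chain:
    policy: str                       # -P INPUT ACCEPT|DROP
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Return (verdict, trace); the trace lists every rule that matched."""
        trace: List[str] = []
        for n, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                trace.append(f"rule {n}: {rule.target}")
                if rule.target in TERMINATING:
                    return rule.target, trace
                # LOG and other non-terminating targets: keep evaluating
        trace.append(f"policy: {self.policy}")
        return self.policy, trace


def https_only_chain() -> Chain:
    """Question 42 shape: default-deny, only HTTPS explicitly allowed."""
    return Chain("DROP", [Rule("ACCEPT", proto="tcp", dport=443)])


def ssh_from_10_chain(with_tail_drop: bool = True) -> Chain:
    """Question 55 shape: LOG, then SSH only from 10.0.0.0/8, then a
    catch-all DROP. Without the tail rule, the ACCEPT policy admits
    everything that no rule decided."""
    rules = [
        Rule("LOG", proto="tcp", dport=22),
        Rule("ACCEPT", proto="tcp", dport=22, source="10.0.0.0/8"),
    ]
    if with_tail_drop:
        rules.append(Rule("DROP"))
    return Chain("ACCEPT", rules)


if __name__ == "__main__":
    cases = [
        (https_only_chain(), Packet("203.0.113.7", "tcp", 443)),
        (https_only_chain(), Packet("203.0.113.7", "tcp", 22)),
        (ssh_from_10_chain(), Packet("192.168.1.100", "tcp", 22)),
        (ssh_from_10_chain(), Packet("10.0.0.9", "tcp", 22)),
        (ssh_from_10_chain(with_tail_drop=False), Packet("192.168.1.100", "tcp", 22)),
    ]
    for chain, pkt in cases:
        verdict, trace = chain.evaluate(pkt)
        print(f"{pkt.src}:{pkt.proto}/{pkt.dport} -> {verdict}  via {' > '.join(trace)}")
```

The last case is the one to remember: remove the tail DROP from a chain whose policy is ACCEPT and the 192.168.1.100 client gets in via the policy, so the source restriction on the SSH rule protected nothing.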

56
MCQhard

A Linux administrator needs to ensure that only the root user can run commands in the /usr/local/bin/scripts directory. Which command should be used to set the appropriate permissions?

A.chmod 750 /usr/local/bin/scripts
B.chmod 700 /usr/local/bin/scripts
C.chmod 755 /usr/local/bin/scripts
D.chmod 770 /usr/local/bin/scripts
AnswerB

Owner (root) gets rwx; group and others have no access.

Why this answer

The requirement is that only the root user can run commands in the directory. Permission 700 (owner: rwx, group: ---, others: ---) grants full access exclusively to the owner (root), while denying all access to the group and others. This matches the requirement precisely.

Exam trap

The trap here is that candidates often choose 755 or 750 as 'standard' permissions for directories, forgetting that the requirement explicitly restricts access to only root, not to any group or other users.

How to eliminate wrong answers

Option A (750) is wrong because it grants read and execute permissions to the group, allowing group members (other than root) to list and run scripts, which violates the 'only root' requirement. Option C (755) is wrong because it grants read and execute to both group and others, allowing any user on the system to list and execute scripts. Option D (770) is wrong because it grants full read, write, and execute to the group, allowing group members to modify and run scripts, which again violates the restriction to root only.
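Questions 45, 48, 51 and 56 all reduce to the same small decision procedure: which one of the three rwx triples applies to a given user, what umask leaves on a new file or directory, and what an acceptable mode for the password-hash store looks like. The following Python model is an added example, not code from the page; the users, groups and modes are constructed:

```python
"""Classic Unix discretionary access control as a small model (added example).

Points it demonstrates:
  - exactly one triple applies: owner, else group, else other, with no
    fall-through to a more permissive class (an owner whose own triple is
    tighter than the group's does not get the group's bits);
  - root (CAP_DAC_OVERRIDE) ignores read/write bits but can only execute a
    file that carries at least one execute bit;
  - umask is subtracted from 666 for files and 777 for directories;
  - an audit rule for the mode of /etc/shadow.
Users, groups and modes below are constructed.
"""
import stat
from typing import List, Set

R, W, X = 4, 2, 1


def effective_bits(mode: int, owner: str, group: str,
                   user: str, user_groups: Set[str]) -> int:
    """Return the rwx triple (0-7) that applies to `user` for this file."""
    if user == "root":
        return R | W | (X if mode & 0o111 else 0)
    if user == owner:
        return (mode >> 6) & 7          # owner triple, even if the group's is wider
    if group in user_groups:
        return (mode >> 3) & 7          # group triple
    return mode & 7                      # other triple


def describe(bits: int) -> str:
    names = [("read", R), ("write", W), ("execute", X)]
    have = [n for n, b in names if bits & b]
    return ", ".join(have) if have else "no access"


def new_mode(umask: int, directory: bool = False) -> int:
    """Permission bits a new file or directory receives under `umask`
    (ignoring setgid-directory inheritance and default ACLs)."""
    base = 0o777 if directory else 0o666
    return base & ~umask & 0o777


def audit_shadow_mode(mode: int, group_name: str) -> List[str]:
    """Findings for the mode of the password-hash store. Acceptable:
    000 (RHEL style) or 600/640 with group root or shadow (Debian style)."""
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append("world-accessible: any local user can read hashes")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IRGRP and group_name not in ("root", "shadow"):
        findings.append(f"readable by unexpected group {group_name}")
    return findings


if __name__ == "__main__":
    # Question 51: -rw-r----- alice:staff, bob is in staff
    print("bob on file.txt:",
          describe(effective_bits(0o640, "alice", "staff", "bob", {"staff"})))
    # Owner precedence: owner r--, group rw-, alice is in staff -> still read only
    print("alice on 0460:",
          describe(effective_bits(0o460, "alice", "staff", "alice", {"staff"})))
    # Question 48: umask 002 for a shared directory
    print("umask 002 file:", oct(new_mode(0o002)), "dir:", oct(new_mode(0o002, True)))
    # Question 56: 700 root-owned directory, seen by a non-root user
    print("bob on 0700 root dir:",
          describe(effective_bits(0o700, "root", "root", "bob", {"staff"})))
    # Question 45: 664 on the hash store
    print("shadow 664 root:shadow ->", audit_shadow_mode(0o664, "shadow"))
```

The `0o460` case is the one people get wrong in practice: the owner is also in the group, the group triple is wider, and the owner still gets read only, because the kernel picks one class and stops.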

57
MCQhard

An administrator notices that new SSH sessions fail for all users. Which line in the exhibit is most likely causing the failure?

A.account required pam_nologin.so
B.session include password-auth
C.auth required pam_sepermit.so
D.session required pam_loginuid.so
AnswerA

If /etc/nologin exists, this module denies login to all non-root users.

Why this answer

The line 'account required pam_nologin.so' makes the account phase fail whenever /etc/nologin exists: the module denies every non-root user and shows them the file's contents as the reason. Administrators create that file during maintenance to stop new logins, and forgetting to remove it produces exactly this symptom. Root is exempt from pam_nologin, so 'all users' here means all ordinary users; whether root can still get in is decided by PermitRootLogin. The check is `ls -l /etc/nologin`, and the fix is to delete the file.

Exam trap

The trap here is that candidates often confuse the 'account' stack with the 'auth' or 'session' stacks, mistakenly thinking a missing authentication module (like pam_sepermit.so) or a session module (like pam_loginuid.so) is the cause, when in fact the account-level pam_nologin.so is specifically designed to block new logins system-wide.

How to eliminate wrong answers

Option B is wrong because 'session include password-auth' pulls in session-phase modules (logging, limits, environment) that run after authentication has already succeeded; it does not decide whether a login is permitted. Option C is wrong because pam_sepermit.so only affects users listed in /etc/security/sepermit.conf (it denies them when SELinux is not in enforcing mode); it never blocks everyone. Option D is wrong on a normal host because pam_loginuid.so only sets the audit loginuid for the session. Its one well-known global failure mode is worth knowing: inside containers or other environments without an audit subsystem, a 'required' pam_loginuid can block every SSH login, and the usual remedy is to mark it 'optional'. Nothing in the question points at that, whereas a stray /etc/nologin is the classic cause.

58
MCQmedium

Scenario: A cloud hosting company uses SELinux in enforcing mode on all Linux servers. A developer reports that a custom web application running under Apache (httpd) is unable to write log files to /var/log/myapp/. The directory /var/log/myapp/ has permissions 755 and is owned by root:root. The httpd process runs as the 'apache' user. The administrator checks SELinux context: /var/log/myapp is labeled with default_t type. The administrator wants to allow httpd to write to this directory while maintaining security. Which command should the administrator run?

A.Change ownership with 'chown apache:apache /var/log/myapp'
B.Run 'setenforce 0' to disable SELinux
C.Run 'chcon -t httpd_log_t /var/log/myapp'
D.Run 'semanage fcontext -a -t httpd_log_t "/var/log/myapp(/.*)?"' and then 'restorecon -Rv /var/log/myapp'
AnswerD

This permanently sets the context to httpd_log_t, allowing httpd to write.

Why this answer

Option D is correct because it permanently relabels the directory with the httpd_log_t SELinux type, the type the policy grants httpd_t write access to for its logs. The semanage fcontext command records the file-context mapping in the local policy store, and restorecon applies that mapping to the directory and everything under it (the `(/.*)?` suffix covers existing and future children). This keeps SELinux in enforcing mode and survives relabels, unlike a chcon change, and does not fall back to disabling the control. Verify with `ls -Zd /var/log/myapp`, which should now show httpd_log_t, and after retrying the application `ausearch -m AVC -ts recent` should report no further denials for httpd_t against that path.

Exam trap

The trap here is that candidates often choose chcon (Option C) because it works immediately, but they overlook that it is not persistent and will be overwritten by restorecon or policy updates, whereas semanage fcontext followed by restorecon is the correct persistent method.

How to eliminate wrong answers

Option A is wrong because changing ownership to apache:apache does not address SELinux type enforcement; the httpd process is still blocked by the default_t type on the directory, regardless of Unix permissions. Option B is wrong because running 'setenforce 0' disables SELinux entirely, which violates the company's security policy of running in enforcing mode and exposes the server to potential threats. Option C is wrong because 'chcon -t httpd_log_t /var/log/myapp' only makes a temporary label change that will be reverted on the next filesystem relabel (e.g., after a policy update or restorecon run), and it does not persist in the SELinux policy database.

59
Multi-Selectmedium

A security audit identifies that the system's /etc/passwd file is world-readable. Which three security issues does this pose? (Select THREE.)

Select 3 answers
A.Attackers can read the encrypted passwords.
B.Attackers can obtain usernames easily.
C.Attackers can see home directory paths.
D.Attackers can see user ID mappings.
E.Attackers can read password hashes.
AnswersB, C, D

/etc/passwd lists all local usernames.

Why this answer

Option B is correct because /etc/passwd holds every local account name in its first colon-delimited field, so any user can enumerate valid usernames for password spraying or brute force. Options C and D are correct for the same reason: the sixth field reveals each home directory path, and the third and fourth fields give the UID and GID mapping, which lets an attacker spot privileged accounts (anything with UID 0) and service accounts worth targeting. None of this is fixed by tightening the file's mode, because /etc/passwd must stay world-readable for ordinary tools to map UIDs to names; the defence is keeping the hashes out of it, which is what the shadow suite does.

Exam trap

The trap here is that candidates often confuse the legacy practice of storing password hashes in /etc/passwd with the modern shadow password suite, and mistakenly select options A or E, not realizing that /etc/shadow is the actual hash store.

60
MCQhard

A server is secured with SELinux in enforcing mode. A custom web application needs to write logs to /var/log/webapp. The SELinux type for httpd is httpd_t. Which command sets the correct context for the log directory?

A.semanage fcontext -a -t httpd_log_t "/var/log/webapp(/.*)?" && restorecon -Rv /var/log/webapp
B.chcon -t httpd_sys_content_t /var/log/webapp
C.setsebool -P httpd_enable_homedirs on
D.chcon -t httpd_t /var/log/webapp
AnswerA

This adds a persistent rule and applies the correct type for log files.

Why this answer

Option A is correct because it uses `semanage fcontext` to add a persistent file context rule that assigns the `httpd_log_t` type to the `/var/log/webapp` directory and its contents, then applies it with `restorecon`. The `httpd_log_t` type is specifically designed for log files written by the httpd process, allowing Apache (running as `httpd_t`) to write logs while maintaining SELinux enforcement.

Exam trap

The trap here is that candidates confuse process domains (like `httpd_t`) with file types (like `httpd_log_t`) or mistakenly use `chcon` for a permanent context change, not realizing that `semanage fcontext` with `restorecon` is required for persistent labeling in enforcing mode.

How to eliminate wrong answers

Option B is wrong because `httpd_sys_content_t` is intended for static web content (e.g., HTML, scripts) served by httpd, not for log files; using it would not grant the necessary write permissions for logging and could cause AVC denials. Option C is wrong because `httpd_enable_homedirs` is a boolean that controls access to user home directories, not log directory labeling; it does not set any file context. Option D is wrong because `httpd_t` is a process domain type, not a file type; assigning a process type to a directory would break SELinux labeling and prevent proper access.
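Questions 58 and 60 both start from the same artefact in practice: an AVC denial in the audit log that names the process domain, the target's type and the denied permission. The following Python triage script is an added example, not the page's or any distribution's tool. The audit lines are constructed, and the table mapping a domain to its expected log type is a hard-coded stand-in for a real policy query:

```python
"""Triage of SELinux AVC denials from audit records (added example).

Pulls the process domain, target type, object class and denied
permissions out of each AVC line and proposes the first remedy to try:
a persistent relabel when the target carries a generic label such as
default_t, a boolean lookup for network access, audit2allow otherwise.
The audit lines are constructed; EXPECTED_LOG_TYPE is a tiny stand-in
for querying the loaded policy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Type a confined domain is expected to write its logs as (constructed table).
EXPECTED_LOG_TYPE: Dict[str, str] = {"httpd_t": "httpd_log_t"}
# Types that mean "nobody labelled this properly": a labelling bug, not a policy gap.
GENERIC_FILE_TYPES = {"default_t", "var_t", "var_log_t", "unlabeled_t"}

SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { write } for  pid=1234 comm="httpd" name="myapp" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.102:502): avc:  denied  { create } for  pid=1234 comm="httpd" name="app.log" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""


@dataclass
class Denial:
    perms: List[str]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    name: Optional[str]

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]   # user:role:TYPE:level

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC record, None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(perms=m.group("perms").split(), comm=fields.get("comm", "?"),
                  scontext=fields["scontext"], tcontext=fields["tcontext"],
                  tclass=fields["tclass"], name=fields.get("name"))


def recommend(d: Denial, path: str) -> str:
    """First remedy to try; `path` is the filesystem object being denied."""
    if d.tclass in ("file", "dir") and d.target_type in GENERIC_FILE_TYPES:
        want = EXPECTED_LOG_TYPE.get(d.source_type)
        if want:
            return f'semanage fcontext -a -t {want} "{path}(/.*)?" && restorecon -Rv {path}'
        return f"{path} is labelled {d.target_type}; find the right type with semanage fcontext -l"
    if d.tclass == "tcp_socket":
        return "network access: look for a boolean first (getsebool -a | grep httpd)"
    return "review with audit2allow -a before writing a local module; never setenforce 0"


def triage(audit_log: str, path: str) -> List[str]:
    """One line of advice per AVC record; non-AVC records are skipped."""
    out = []
    for d in filter(None, map(parse_avc, audit_log.splitlines())):
        what = f"{d.comm} ({d.source_type}) denied {' '.join(d.perms)} on {d.tclass}"
        if d.name:
            what += f" {d.name}"
        out.append(f"{what} [{d.target_type}]: {recommend(d, path)}")
    return out


if __name__ == "__main__":
    for advice in triage(SAMPLE_AUDIT, "/var/log/myapp"):
        print(advice)
```

On a real host the input is `ausearch -m AVC -ts recent` and the path comes from the `name`/`dev`/`ino` fields; the point of separating labelling problems (generic target type) from policy problems (a properly labelled target the domain still cannot touch) is that only the first is fixed by semanage fcontext and restorecon.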

61
MCQmedium

The company password policy requires minimum length, complexity, and that passwords cannot be based on dictionary words. Which file should be edited to configure these settings via pam_pwquality?

A./etc/security/pwquality.conf
B./etc/login.defs
C./etc/pam.d/system-auth
D./etc/pam.d/password-auth
AnswerA

This file contains the pam_pwquality parameters such as minlen, dcredit, ucredit, ocredit, and lcredit.

Why this answer

The pam_pwquality module enforces password quality rules such as minimum length, complexity, and dictionary checks. Its configuration file is /etc/security/pwquality.conf, where parameters like minlen, dcredit, ucredit, lcredit, ocredit and dictcheck are set (dictcheck=1 is the dictionary-word test, run against the cracklib word list). Editing this file controls the module's behaviour without touching the PAM service files. One caveat: the same options can be passed as arguments on the pam_pwquality line in the service file, and those override the values in pwquality.conf, so check both places when a policy seems not to apply. `pwscore` tests a candidate password against the active settings.

Exam trap

The trap here is that candidates confuse the PAM service file (which invokes the module) with the module's configuration file, leading them to choose /etc/pam.d/system-auth or /etc/pam.d/password-auth instead of /etc/security/pwquality.conf.

How to eliminate wrong answers

Option B is wrong because /etc/login.defs controls shadow password suite parameters (e.g., PASS_MAX_DAYS, PASS_MIN_LEN) but does not configure pam_pwquality settings. Option C is wrong because /etc/pam.d/system-auth is a PAM service file that includes pam_pwquality via a 'password requisite pam_pwquality.so' line, but it does not contain the configuration parameters themselves. Option D is wrong because /etc/pam.d/password-auth is another PAM service file (often used for non-system logins) that similarly invokes pam_pwquality but is not the configuration file for its settings.

62
MCQmedium

A system administrator notices that an unauthorized user gained access to a server via SSH using a compromised user account. Which security measure should be implemented to prevent such attacks in the future?

A.Configure SSH to use key-based authentication only
B.Disable SSH and use Telnet
C.Enforce a complex password policy
D.Allow all users to use sudo without passwords
AnswerA

Key-based authentication is more secure and prevents password attacks.

Why this answer

Option A is correct because requiring key-based authentication (PasswordAuthentication no with PubkeyAuthentication on) removes the path that was used: an SSH password, whether guessed, phished, reused from another breach or cracked offline, no longer gets anyone in. The client proves possession of a private key that never leaves the client machine, so there is nothing in the exchange to intercept or replay. Two details matter in practice: the key file must itself be protected (a passphrase, or a hardware-backed key such as a FIDO2 or smart-card key), because a stolen unprotected private key is as good as the password it replaced; and disabling password logins must be paired with KbdInteractiveAuthentication no (ChallengeResponseAuthentication on older releases) so that PAM does not reintroduce a password prompt through keyboard-interactive.

Exam trap

CompTIA often tests the misconception that a strong password policy is sufficient. The trap is that complexity rules do nothing against credential reuse, phishing or a password that is already in the attacker's hands, whereas key-based authentication proves possession of a secret that is never typed, sent or shared across sites. It is not magic, though: the private key is a file, and the benefit depends on keeping it off other people's disks.

How to eliminate wrong answers

Option B is wrong because disabling SSH and using Telnet would actually decrease security, as Telnet transmits all data, including credentials, in cleartext, making it trivial for attackers to intercept. Option C is wrong because while a complex password policy can make passwords harder to guess, it does not prevent attacks where the password is already compromised (e.g., via phishing or a data breach); SSH key-based authentication is a stronger, passwordless alternative. Option D is wrong because allowing all users to use sudo without passwords removes all authorization checks for privilege escalation, which would increase the attack surface and allow a compromised account to gain root access without any additional authentication.

63
MCQhard

An administrator is configuring a chroot jail for an SFTP user. Which directive in /etc/ssh/sshd_config is used for this purpose?

A.ChrootDirectory /home/%u
B.Subsystem sftp internal-sftp
C.ForceCommand internal-sftp
D.Match Group sftpusers
AnswerA

This sets the chroot directory for the user.

Why this answer

The ChrootDirectory directive in /etc/ssh/sshd_config names the directory sshd chroots into before starting the user's session; with /home/%u the %u token expands to the username (the %h token, the user's home directory, works as well), confining each SFTP user to their own home. sshd refuses to use a jail unless the directory and every component of its path are owned by root and not writable by group or others (the auth log then reports "bad ownership or modes for chroot directory"), so /home/alice itself must be root-owned and the user gets a writable subdirectory such as /home/alice/upload. Because a chroot contains no binaries or libraries, the jail is normally combined with `ForceCommand internal-sftp`, which runs the in-process SFTP server, and with `AllowTcpForwarding no`.

Exam trap

The trap here is that candidates confuse the directive that enables SFTP (Subsystem or ForceCommand) with the directive that actually creates the chroot jail (ChrootDirectory), leading them to select a functional but incomplete option.

How to eliminate wrong answers

Option B is wrong because Subsystem sftp internal-sftp enables the built-in SFTP subsystem but does not itself enforce a chroot jail; it must be combined with ChrootDirectory. Option C is wrong because ForceCommand internal-sftp restricts the user to SFTP (no shell) but does not confine the user to a directory tree; that still needs ChrootDirectory. Option D is wrong because Match Group sftpusers only opens a conditional block whose directives apply to members of that group; ChrootDirectory is the directive that defines the jail, and it normally sits inside such a Match block so that only the SFTP group is confined.

64
MCQeasy

A Linux administrator needs to implement file integrity monitoring to detect unauthorized changes to critical system binaries. The administrator decides to use the 'aide' tool. After installing AIDE and initializing the database with 'aide --init', the database is placed at /var/lib/aide/aide.db.new.gz. The administrator then runs 'aide --check' and receives several warnings about files in /tmp being modified. However, the administrator is not concerned about /tmp. What is the simplest way to exclude the /tmp directory from future checks?

A.Run 'aide --update' to update the database with current state of /tmp
B.Move the database to a different location so /tmp is not included
C.Run 'aide --check --verbose' to see more details and manually ignore /tmp messages
D.Edit /etc/aide.conf to add a '!/tmp' directive to exclude /tmp from checking, then run 'aide --init' to rebuild the database
AnswerD

The exclamation mark in aide.conf excludes a directory from monitoring.

Why this answer

Option D is correct because AIDE reads its selection rules from /etc/aide.conf (or /etc/aide/aide.conf on Debian-based systems). A line beginning with `!`, such as `!/tmp`, is a negative rule: paths under /tmp are neither added to the database nor compared on later runs. After editing the configuration, `aide --init` rebuilds the baseline under the new rules. It writes aide.db.new.gz, which must then be copied or renamed to the path named by `database` (`database_in` in newer releases), aide.db.gz in the question's layout, before `aide --check` will compare against it; until that copy is made, `aide --check` still uses the old baseline and keeps reporting /tmp.

Exam trap

The trap here is that candidates may think '--update' or moving the database will exclude directories, when in fact only the configuration file controls which paths are monitored.

How to eliminate wrong answers

Option A is wrong because 'aide --update' updates the database to reflect the current state of /tmp, which would record the modified files as the new baseline, not exclude /tmp from future checks. Option B is wrong because moving the database does not change the configuration; AIDE still checks the paths defined in /etc/aide.conf, and /tmp would remain included. Option C is wrong because '--check --verbose' only provides more detailed output but does not suppress warnings or alter the configuration; the administrator would still see warnings about /tmp in every subsequent check.

65
MCQhard

A server running Ubuntu 22.04 has AppArmor enabled. After installing a new application, the application is denied access to certain files even though the permissions are correct. The administrator checks the AppArmor profile and finds it is in enforce mode. Which command can be used to temporarily set the profile to complain mode to generate log entries for needed accesses?

A.systemctl restart apparmor
B.aa-enforce /usr/bin/application
C.aa-complain /usr/bin/application
D.apparmor_parser -r /etc/apparmor.d/usr.bin.application
AnswerC

Sets profile to complain mode, logging denials.

Why this answer

Option C, `aa-complain /usr/bin/application`, is correct because it switches the profile to complain mode: AppArmor logs what the policy would have denied but lets the access proceed. The tool (from the `apparmor-utils` package) rewrites the profile header to `flags=(complain)` and reloads it, so `aa-status` then lists the profile under the complain section. The entries, logged as `apparmor="ALLOWED"` rather than `apparmor="DENIED"`, land in the kernel log (`dmesg`, `/var/log/kern.log` or `/var/log/syslog`), or in `/var/log/audit/audit.log` when auditd is running; `aa-logprof` reads them and proposes the missing rules. Switch back with `aa-enforce` once the profile is complete.

Exam trap

The trap here is that candidates confuse `aa-complain` with `aa-enforce`, or assume that restarting the AppArmor service or reloading the profile changes its mode. Restarts and a plain `apparmor_parser -r` load the profile in whatever mode its file declares; the mode changes only when that declaration changes (`aa-complain`, `aa-enforce`) or when the parser is told to override it with `apparmor_parser -r -C`.

How to eliminate wrong answers

Option A is wrong because `systemctl restart apparmor` reloads every profile in the mode its file declares; it does not put an individual profile into complain mode. Option B is wrong because `aa-enforce /usr/bin/application` sets enforce mode, the opposite of what is needed: accesses keep being blocked instead of logged. Option D is wrong because `apparmor_parser -r /etc/apparmor.d/usr.bin.application` reloads the profile as written; without the `-C` flag it stays in enforce mode if that is how the file defines it.

66
Matchingmedium

Match each Linux networking command to its purpose.


Show/manipulate routing, devices, tunnels

Investigate sockets

Manage NetworkManager

Capture network packets

Network exploration/security scanning

Why these pairings

These are the one-line descriptions from each tool's manual page: `ip` shows and manipulates routing, devices and tunnels; `ss` investigates sockets; `nmcli` manages NetworkManager; `tcpdump` captures network packets; `nmap` performs network exploration and security scanning. All five are essential for network troubleshooting, and three of them are security tools as well: `ss -ltnp` lists listening services with the process that owns each one, `tcpdump` confirms what actually reaches an interface, and `nmap` run against your own host verifies a firewall policy from the outside.

67
MCQeasy

A system administrator needs to ensure that only specific users can execute the 'sudo' command. Which configuration file should be modified?

A./etc/sudoers
B./etc/shadow
C./etc/passwd
D./etc/group
AnswerA

This file specifies which users or groups can run sudo and which commands.

Why this answer

The /etc/sudoers file controls which users and groups can execute commands with elevated privileges via the sudo utility. Each entry has the form `user host=(runas_user) commands`, for example `alice ALL=(ALL) ALL`, and group entries such as `%wheel ALL=(ALL) ALL` are what make membership in wheel or sudo meaningful on a given distribution. Distributions also include drop-in files from /etc/sudoers.d/ via `@includedir` (`#includedir` in older releases). The file must be edited with `visudo`, which checks the syntax before saving and so prevents the lock-out a malformed file would cause, and the resulting privileges of a user can be reviewed with `sudo -l -U alice`.

Exam trap

CompTIA often tests the misconception that /etc/group or /etc/passwd controls sudo privileges, but only /etc/sudoers (or files in /etc/sudoers.d/) defines sudo access, and it must be edited with visudo to enforce syntax checking.

How to eliminate wrong answers

Option B is wrong because /etc/shadow stores encrypted user passwords and password aging information, not sudo permissions. Option C is wrong because /etc/passwd contains basic user account information (username, UID, GID, home directory, shell) but does not control sudo access. Option D is wrong because /etc/group defines user group memberships, but sudo privileges are not managed through this file; while groups can be referenced in /etc/sudoers, the file itself is not the configuration file for sudo permissions.

68
MCQeasy

A junior administrator accidentally modified the /etc/sudoers file and now users report not being able to use sudo. Which command should be used to safely edit the sudoers file?

A.visudo
B.chmod 400 /etc/sudoers
C.echo 'user ALL=(ALL) ALL' >> /etc/sudoers
D.usermod -aG wheel user
AnswerA

visudo safely edits /etc/sudoers with syntax checking and file locking.

Why this answer

The `visudo` command is the correct and safe way to edit `/etc/sudoers` because it locks the file against concurrent edits, validates the syntax before saving, and refuses to install a malformed configuration that would break sudo entirely. This keeps the last valid file in place even when the editor makes a mistake, which is exactly the failure in the question. `visudo -c` checks the existing file and any /etc/sudoers.d/ drop-ins without editing them. Note that once sudo is already broken, sudo cannot be used to start visudo; the repair has to be run from a root shell obtained with `su -`, a root console login or the distribution's recovery mode.

Exam trap

The trap here is that candidates may think any method that writes to the file (like `echo` or `chmod`) can fix the issue, but only `visudo` provides the syntax validation and locking necessary to safely edit the sudoers file without breaking sudo.

How to eliminate wrong answers

Option B is wrong because `chmod 400 /etc/sudoers` only changes the file's permissions; it does not touch the contents, so the syntax error remains. Option C is wrong because appending with `echo` performs no syntax check: a malformed or duplicate line is written straight into the file and can break sudo further (and the redirect itself needs root, which is what is no longer available). Option D is wrong because `usermod -aG wheel user` adds a user to the wheel group, which is unrelated to fixing a broken sudoers file; it does not validate or repair the syntax of `/etc/sudoers`.

69
MCQmedium

A security policy requires that SSH access be allowed only from the internal management subnet 10.10.10.0/24. Which firewalld rich rule should be added?

A.firewall-cmd --permanent --add-port=22/tcp --add-source=10.10.10.0/24
B.firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.10.10.0/24" service name="ssh" accept'
C.firewall-cmd --add-source=10.10.10.0/24 --add-service=ssh
D.iptables -A INPUT -s 10.10.10.0/24 -p tcp --dport 22 -j ACCEPT
AnswerB

This rich rule binds the source address to the SSH service.

Why this answer

Option B is correct because it uses the firewalld rich-rule syntax to define an IPv4 rule that accepts the `ssh` service only from the 10.10.10.0/24 source subnet. Rich rules provide granular control over source addresses, services and actions, which is what the policy requires. As written the command changes the runtime configuration only; repeat it with `--permanent` (or follow it with `firewall-cmd --runtime-to-permanent`) so the rule survives a reload or reboot. The rule also has to be the only thing that admits SSH: on a default installation the public zone already has the `ssh` service enabled for every source, so remove it with `firewall-cmd --permanent --remove-service=ssh` and `firewall-cmd --reload`, then verify from outside the subnet that port 22 is closed.

Exam trap

The trap here is that candidates confuse `--add-source` (which binds a source to a zone) with a rule filter, or think that `--add-port` combined with `--add-source` creates a source-restricted port rule. A rich rule is the one-command way to tie a service to a source within a zone; the alternative is a dedicated zone that contains only the management subnet and the ssh service, with the default zone dropping everything else.

How to eliminate wrong answers

Option A is wrong because `--add-port` and `--add-source` are independent zone operations, not a combined filter: `--add-source` binds the subnet to the zone and `--add-port=22/tcp` opens the port to every source in that zone, so nothing ties port 22 to 10.10.10.0/24. Option C is wrong for the same reason: it adds the source to a zone and enables the SSH service for the whole zone, so SSH is still accepted from any other source the zone covers. Option D is wrong because it uses `iptables` directly, bypassing firewalld's zone logic and persistent configuration; firewalld may overwrite or ignore it on reload, and the question asks for a firewalld rich rule.

70
MCQeasy

You are a systems administrator for a small company. The company uses a Linux server running Ubuntu 22.04 LTS that hosts a web application and a PostgreSQL database. The server has two network interfaces: eth0 (public IP) and eth1 (private IP). The web application listens on port 443 (HTTPS) on eth0, and the PostgreSQL database listens on port 5432 on eth1. The company security policy requires that only the web application should be accessible from the internet; all other ports must be blocked on the public interface. Additionally, SSH access should be allowed only from the internal network (192.168.1.0/24). The current iptables rules are as follows: -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT There are no other rules. You need to implement the security policy using iptables. Which of the following sets of commands will achieve the required security policy?

A.iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT iptables -A INPUT -i eth1 -j ACCEPT
B.iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT iptables -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT iptables -A INPUT -i eth1 -j ACCEPT
C.iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT iptables -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT iptables -A INPUT -i eth1 -j ACCEPT
D.iptables -P INPUT DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT iptables -A INPUT -i eth1 -j ACCEPT
AnswerA

Default DROP, HTTPS only on eth0, SSH on eth1 from the management subnet.

Why this answer

Option A is the keyed answer because it sets the INPUT policy to DROP, accepts established and related traffic, permits HTTPS (port 443) on eth0, accepts SSH (port 22) on eth1 only from 192.168.1.0/24, and then accepts everything else arriving on eth1, which covers PostgreSQL on 5432. Two caveats matter in practice. First, the final `-i eth1 -j ACCEPT` also accepts SSH from any source that reaches eth1, so the earlier source check only holds if the private segment carries no other subnets; accepting 5432 (and 22) explicitly from 192.168.1.0/24 instead of a blanket interface rule keeps the restriction meaningful. Second, none of the options accepts loopback traffic (`iptables -A INPUT -i lo -j ACCEPT`), so with a DROP policy any local client that connects to 127.0.0.1 is dropped, which breaks monitoring agents, local health checks and any service bound to localhost. On current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` replaces the older `-m state` syntax, and the rules must be saved (for example with `netfilter-persistent`) to survive a reboot.

Exam trap

The trap here is rule order and what the options actually differ in. Candidates often assume the order of the 443 and 22 rules matters, but those rules match disjoint traffic (different interfaces and ports), so swapping them changes nothing. What distinguishes a correct option is that the SSH rule carries both the `-i eth1` interface and the `-s 192.168.1.0/24` source restriction; a bare `--dport 22 -j ACCEPT` opens SSH to the internet on eth0.

How to eliminate wrong answers

Option D is wrong because its SSH rule `-p tcp --dport 22 -j ACCEPT` has no `-i eth1` or `-s 192.168.1.0/24` restriction, so SSH is reachable from any source including the internet, which violates the policy. Options B and C, as printed here, contain exactly the same five rules as option A (including the final `-i eth1 -j ACCEPT`) with only the 443 and 22 rules swapped; because those rules match disjoint traffic, the resulting firewall is identical to A and they are not functionally wrong. Treat A as the keyed answer and, on the exam, eliminate the option whose SSH rule lacks the interface and source restriction.
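As an added example, not part of the original question set, here is the check I would run against such a rule set before trusting it: an audit of `iptables-save` output for the gaps noted above. Both rule sets inside are constructed; the first is option A as iptables-save would print it, the second a tightened version that assumes the database clients live in 192.168.1.0/24 and that the host does not route.

```shell
# Added example, not from the original page: audit an INPUT chain in
# iptables-save format against the policy in the question. It flags the gaps
# discussed above: no loopback rule, a blanket interface ACCEPT that
# undercuts the SSH source restriction, an SSH ACCEPT without a source, and
# non-DROP INPUT/FORWARD policies (the host is assumed not to route).

audit_iptables() {
    # Reads `iptables-save` output on stdin, prints findings, exits with their count
    awk '
    BEGIN { findings = 0; have_lo = 0 }
    /^:INPUT /   && $2 != "DROP" { print "INPUT policy is " $2 ", expected DROP"; findings++ }
    /^:FORWARD / && $2 != "DROP" { print "FORWARD policy is " $2 "; use DROP unless this host routes"; findings++ }
    /^-A INPUT / {
        if ($0 ~ / -i lo / && $0 ~ /-j ACCEPT/) have_lo = 1
        # ACCEPT with neither a port nor a connection-state match: everything on
        # that interface gets in, so earlier source checks no longer restrict it
        if ($0 ~ /-j ACCEPT/ && $0 !~ /--dport/ && $0 !~ /--ctstate|--state/ && $0 !~ / -i lo /) {
            print "blanket ACCEPT: " $0; findings++
        }
        if ($0 ~ /--dport 22 / && $0 ~ /-j ACCEPT/ && $0 !~ / -s /) {
            print "SSH accepted from any source: " $0; findings++
        }
    }
    END {
        if (!have_lo) { print "no loopback ACCEPT: clients of 127.0.0.1 are dropped under policy DROP"; findings++ }
        exit findings
    }'
}

sample_option_a() {
    # Constructed: the rules of option A as iptables-save prints them
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -s 192.168.1.0/24 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT' \
        '-A INPUT -i eth1 -j ACCEPT' \
        'COMMIT'
}

sample_tightened() {
    # Constructed: same policy with loopback, conntrack, and 5432 limited to
    # the private subnet instead of a blanket eth1 rule (an assumption about
    # where the database clients live)
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT' \
        '-A INPUT -s 192.168.1.0/24 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -s 192.168.1.0/24 -i eth1 -p tcp -m tcp --dport 5432 -j ACCEPT' \
        'COMMIT'
}

# Demo; on a real host: iptables-save | audit_iptables
sample_option_a | audit_iptables || echo "option A: $? finding(s)"
sample_tightened | audit_iptables && echo "tightened rules: no findings"
```

The tightened set is what I would actually load with `iptables-restore`, then save with `netfilter-persistent save`; the audit function is the regression check that keeps a later "quick fix" from reintroducing a blanket ACCEPT.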

71
Multi-Selecthard

An administrator notices that a user's crontab file is not executing. Which two commands can the administrator use to verify the user's crontab configuration? (Select TWO.)

Select 2 answers
A.crontab -e -u username
B.crontab -l -u username
C.cat /var/spool/cron/crontabs/username
D.systemctl status cron
E.grep username /etc/crontab
AnswersB, C

Lists the contents of the specified user's crontab.

Why this answer

Option B is correct because `crontab -l -u username` prints the current crontab for the specified user, so the administrator can verify the schedule and commands (it needs root, or to be run by the crontab's owner without `-u`). Option C is correct because user crontabs are stored as plain-text spool files that only root can read: `/var/spool/cron/crontabs/username` on Debian and Ubuntu, `/var/spool/cron/username` on RHEL-family systems. Both show the same content, since the spool file is what `crontab -l` reads; the path in the question is the Debian layout. If the listed entries look right, the next checks are the daemon (`systemctl status cron`, named `crond` on RHEL) and its log (`journalctl -u cron` or `/var/log/syslog`), and whether the user is blocked by `/etc/cron.deny` or omitted from `/etc/cron.allow`.

Exam trap

The trap here is that candidates confuse commands that verify the cron daemon's status (`systemctl status cron`) or the system-wide table (`grep username /etc/crontab`, which holds root-managed jobs, not the user's personal crontab) with commands that inspect the user's own crontab, or they mistake editing (`-e`, which opens the file for modification) for listing (`-l`).

72
Drag & Dropmedium

Drag and drop the steps to recover a forgotten root password in single-user mode in the correct order.


Why this order

Root password recovery boots the system into single-user or rescue mode from the boot loader (editing the kernel line in GRUB, for example to append `rd.break` on RHEL-family systems or `init=/bin/bash`), and the order of the remaining steps is dictated by one fact: the root file system is mounted read-only at that point. It must be remounted read-write (`mount -o remount,rw /`, or `mount -o remount,rw /sysroot` followed by `chroot /sysroot` when using `rd.break`) before `passwd root` can write /etc/shadow. On an SELinux system, `touch /.autorelabel` before the final reboot, because the shadow file written outside the normal policy context would otherwise carry the wrong label. Anyone with console access and no boot-loader password can do all of this, which is why a GRUB password and physical access controls belong to the same topic.

73
MCQhard

A company uses a Linux server running Ubuntu 22.04 LTS as a file server to share documents via Samba. The server has been in operation for over a year without issues. Following a routine system update that included kernel patches and updated Samba packages, users began reporting that they could no longer access any shared folders. The administrator verifies that the smbd and nmbd services are running and have not failed. The Samba configuration has not been changed recently. The server uses ufw as its firewall. When the administrator runs 'ufw status', the output shows that only SSH (port 22) is allowed. The administrator checks for SELinux but finds it is not installed; however, AppArmor is active and the smbd profile is in enforce mode. The administrator examines the AppArmor logs and finds no denials related to smbd. Which of the following is the most likely reason for the connectivity failure?

A.The firewall is blocking Samba ports 137, 138, 139, and 445.
B.The Samba configuration file was corrupted during the update.
C.The kernel update changed the default file system mount options, restricting access.
D.The AppArmor profile is preventing smbd from binding to network interfaces.
AnswerA

ufw only allows SSH; Samba ports are not permitted.

Why this answer

The firewall (ufw) allows only SSH (port 22), so Samba's ports, 137 and 138 (NetBIOS name and datagram service, UDP), 139 (SMB over NetBIOS, TCP) and 445 (SMB over TCP), are blocked. With smbd and nmbd running and AppArmor reporting no denials, the firewall is the remaining component that can stop client connections before they reach the daemon. Confirm with `ss -ltnp | grep smbd` that the server is listening on 445, then open the ports with the ufw application profile that the samba package installs, restricted to the LAN range, for example `ufw allow from 192.168.1.0/24 to any app Samba` (`ufw app list` shows the profile). An update does not normally remove ufw rules, so it is also worth checking whether Samba had previously been reachable only because ufw was inactive or its rules had never been written.

Exam trap

The trap here is that candidates may focus on AppArmor or SELinux because they are security modules, but the absence of denials in AppArmor logs and the explicit ufw output showing only SSH allowed points directly to the firewall as the culprit.

How to eliminate wrong answers

Option B is wrong because the administrator verified that the Samba configuration has not been changed recently, and the services are running without errors, so corruption is unlikely. Option C is wrong because kernel updates do not change default file system mount options; mount options are set in /etc/fstab or at mount time and are not altered by kernel patches. Option D is wrong because the administrator checked AppArmor logs and found no denials related to smbd, indicating the profile is not blocking network binding.

74
MCQmedium

An Apache web server hosted on a Linux system is unable to connect to a backend database server on port 3306. Based on the exhibit, which action should the administrator take to resolve the issue?

A.Set the httpd_can_network_connect boolean to on.
B.Disable SELinux by setting SELINUX=disabled in /etc/selinux/config.
C.Enable the httpd_enable_home_dirs boolean.
D.Change the SELinux context of the index.html file to httpd_sys_content_t.
AnswerA

This boolean controls whether httpd can initiate outbound network connections.

Why this answer

The Apache web server cannot connect to the backend database server on port 3306 because SELinux is blocking the outbound connection from the httpd_t domain. The boolean `httpd_can_network_connect` controls whether httpd may initiate TCP connections to any remote port; `setsebool -P httpd_can_network_connect on` allows it, and `-P` makes the change persistent across reboots (without `-P` it is lost at the next boot). A narrower boolean, `httpd_can_network_connect_db`, permits connections only to database port types such as mysqld_port_t (which includes 3306) and postgresql_port_t, and is the better choice when the database is the only outbound destination. Either way SELinux stays enforcing. The denial can be confirmed with `ausearch -m AVC -c httpd` before and after the change.

Exam trap

CompTIA often tests the misconception that SELinux issues are always file-context problems, leading candidates to choose a file-context fix (Option D) when the actual issue is a network connection boolean.

How to eliminate wrong answers

Option B is wrong because disabling SELinux entirely (SELINUX=disabled) removes all SELinux protections, which is an insecure and overly broad solution that violates the principle of least privilege; the correct approach is to enable only the specific boolean needed. Option C is wrong because the `httpd_enable_home_dirs` boolean controls whether httpd can access user home directories (e.g., for UserDir), not outbound network connections to a database server. Option D is wrong because changing the SELinux context of `index.html` to `httpd_sys_content_t` affects file access for serving web content, not the ability of httpd to make outbound TCP connections to a remote database.

75
MCQhard

A company's web server running Apache on CentOS 7 has been compromised. The attacker exploited a vulnerability in the web application and gained access to the system as the 'apache' user. The administrator wants to prevent similar attacks in the future by hardening the server. Currently, the Apache process runs as the 'apache' user and can execute arbitrary code. The administrator considers enabling SELinux with targeted policy to confine the httpd daemon. However, after setting SELinux to enforcing and installing the 'httpd' SELinux package, the web server fails to serve pages over HTTPS. The administrator checks the audit log (/var/log/audit/audit.log) and sees denials related to port binding. What is the most likely cause of the issue?

A.The SSL certificate files have incorrect SELinux context (e.g., httpd_sys_content_t instead of cert_t)
B.The httpd binary must have the httpd_exec_t context
C.The boolean httpd_enable_homedirs must be enabled to allow HTTPS
D.The port 443 is not labeled with the http_port_t type; use semanage port -a -t http_port_t -p tcp 443
AnswerD

SELinux requires ports to be labeled for the daemon to bind. Without this, httpd cannot listen on 443.

Why this answer

The audit log shows port-binding denials, which means SELinux refused to let the httpd_t domain bind a port whose label is not one httpd may listen on. Apache is allowed to bind only ports labelled http_port_t (the stock policy assigns that type to tcp 80, 81, 443, 488, 8008, 8009, 8443 and 9000); a port carrying another type, such as unreserved_port_t, produces an AVC with `{ name_bind }` and tclass=tcp_socket, and the firewall has no say in it. On a stock policy 443 already carries http_port_t, so in practice this denial appears when Apache is configured to listen on a non-standard port or when the port's label has been changed; `semanage port -l | grep http_port_t` shows the current assignments.

The fix is to assign the label: `semanage port -a -t http_port_t -p tcp 443` adds a new port definition, and if semanage reports that the port is already defined (because it carries a different type), `semanage port -m -t http_port_t -p tcp 443` modifies it instead. Confirm with `semanage port -l | grep -w 443` and restart httpd.

Exam trap

The trap here is that candidates often focus on file contexts or booleans, overlooking that SELinux also controls network port access via port labeling, which is a distinct and frequently tested concept in the XK0-005 exam.

How to eliminate wrong answers

Option A is wrong because a wrong label on the certificate or key files (they should be cert_t under /etc/pki/tls, not httpd_sys_content_t, which is for served content) would produce read denials on those files, not port-binding denials. Option B is wrong because the httpd binary already carries httpd_exec_t when installed from the httpd package; that label is what transitions the process into httpd_t on execution, and it has nothing to do with binding ports. Option C is wrong because the httpd_enable_homedirs boolean controls whether httpd can serve user home directories, not whether it can bind to HTTPS ports.
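As an added example that is not part of the original questions, this serves both the AppArmor complain-mode question (65) and this SELinux one: a single awk pass over denial records from either system that prints what was denied and the first thing to check. All sample lines are constructed; profile names, paths and ports in them are illustrative, and 4443 stands in for the question's 443 because 443 already carries http_port_t in the stock policy.

```shell
# Added example, not from the original page: one-pass triage of AppArmor and
# SELinux denial records. AppArmor lines come from dmesg/kern.log/syslog (or
# audit.log under auditd) and carry apparmor="DENIED", or apparmor="ALLOWED"
# for a profile in complain mode, which is what aa-complain is used to
# harvest. SELinux AVC records come from /var/log/audit/audit.log or
# `ausearch -m AVC`. Every sample line below is constructed.

triage_denials() {
    # Reads log lines on stdin, prints one summary per record, exits with the
    # number of records seen (0 when the input holds no denials)
    awk '
    function q(key,   l) {            # value of  key="..."  on this line, "" if absent
        if (match($0, " " key "=\"[^\"]*\"")) {
            l = length(key) + 3
            return substr($0, RSTART + l, RLENGTH - l - 1)
        }
        return ""
    }
    function u(key,   l) {            # value of an unquoted  key=value
        if (match($0, " " key "=[^ ]+")) {
            l = length(key) + 2
            return substr($0, RSTART + l, RLENGTH - l)
        }
        return ""
    }
    BEGIN { n = 0 }
    / apparmor="(DENIED|ALLOWED)"/ {
        mode = (q("apparmor") == "ALLOWED") ? "complain" : "enforce"
        target = q("name")
        if (target == "") target = q("family") "/" q("sock_type")   # network ops
        printf "APPARMOR %-8s profile=%s op=%s target=%s mask=%s  (aa-logprof turns this into a rule)\n",
               mode, q("profile"), q("operation"), target, q("requested_mask")
        n++; next
    }
    / avc: +denied +[{]/ {
        match($0, /[{] [^}]* [}]/)
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        split(u("scontext"), s, ":"); split(u("tcontext"), t, ":")
        port = u("src"); path = q("path")
        portstr = ""; if (port != "") portstr = " port=" port
        hint = "audit2allow -w explains it; prefer a boolean or a relabel over a custom module"
        if (perms ~ /name_bind/ && port != "") {
            hint = "port label: semanage port -l | grep -w " port
        } else if (path != "") {
            hint = "expected label: matchpathcon " path "; restorecon -v " path " if it differs"
        }
        printf "SELINUX  %s(%s) -> %s %s { %s }%s  (%s)\n",
               q("comm"), s[3], t[3], u("tclass"), perms, portstr, hint
        n++; next
    }
    END { exit n }'
}

sample_denials() {
    # Constructed records, not taken from a real host
    printf '%s\n' \
        'audit: type=1400 audit(1700000000.101:41): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/smbd" name="/srv/share/report.pdf" pid=2345 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001' \
        'audit: type=1400 audit(1700000000.202:42): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/application" name="/var/log/app/app.log" pid=2346 comm="application" requested_mask="w" denied_mask="w" fsuid=0 ouid=0' \
        'type=AVC msg=audit(1700000000.303:43): avc:  denied  { name_bind } for  pid=3456 comm="httpd" src=4443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0' \
        'type=AVC msg=audit(1700000000.404:44): avc:  denied  { read } for  pid=3457 comm="httpd" name="index.html" path="/home/alice/public_html/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0' \
        'type=SYSCALL msg=audit(1700000000.404:44): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"'
}

# Demo; on a real host: dmesg | triage_denials   or   ausearch -m AVC -ts today | triage_denials
sample_denials | triage_denials || echo "$? record(s) to act on"
```

The ALLOWED record is what a profile in complain mode produces: the access went through, but the line tells you which rule the profile still lacks. The name_bind record is the Q75 case in miniature, and the read record on a home-directory file is the kind where the right fix is a boolean (httpd_enable_homedirs) rather than a relabel, which is why the hint only points at matchpathcon instead of running restorecon for you.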
