CCNA Linux Security Questions

21 of 96 questions · Page 2/2 · Linux Security topic · Answers revealed

76
MCQhard

A Linux administrator is configuring a firewall using iptables to allow incoming HTTP and HTTPS traffic but block all other incoming traffic. Which set of rules should be applied?

A.iptables -P INPUT DROP; iptables -A INPUT -p tcp -j ACCEPT
B.iptables -P INPUT ACCEPT; iptables -A INPUT -p tcp --dport 80 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT; iptables -A INPUT -j DROP
C.iptables -P INPUT DROP; iptables -A INPUT -p tcp --dport 80 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
D.iptables -P INPUT ACCEPT; iptables -A INPUT -p tcp --dport 80 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
AnswerC

Default DROP blocks all; allow only HTTP/HTTPS.

Why this answer

Option C is correct because it sets the default policy of the INPUT chain to DROP, so anything no rule accepts is discarded, and then adds explicit ACCEPT rules for TCP ports 80 (HTTP) and 443 (HTTPS). This is a default-deny (allow-list) design: only the listed services are reachable. Rule order relative to the policy is not an issue here, because a chain's policy is consulted only after every rule has failed to match. What matters in practice is what the question leaves out: a production ruleset built this way also needs `-A INPUT -i lo -j ACCEPT` and `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, otherwise replies to the host's own outbound connections (DNS lookups, package updates) are dropped, and applied as written over an SSH session it also ends that session, since nothing accepts port 22.

Exam trap

The trap is the difference between a chain policy and a catch-all rule. The policy is consulted only when no rule matched, so `-P INPUT ACCEPT` followed by explicit ACCEPT rules (option D) blocks nothing. Option B is subtler: its final `-A INPUT -j DROP` has no match criteria, so it matches every packet that reaches it and does block the remaining traffic; as written it filters exactly like C. The exam wants C because the policy is the safer place for default-deny: if the rules are flushed (`iptables -F`) or a new rule is appended after the catch-all, B silently fails open while C fails closed.

How to eliminate wrong answers

Option A is wrong because `-p tcp -j ACCEPT` matches every TCP port, so SSH, SMTP and anything else carried over TCP is admitted as well; only UDP and other protocols hit the DROP policy. Option B does filter correctly as written, because the trailing unqualified `-j DROP` matches every packet the two ACCEPT rules did not; it is the wrong answer because the default policy stays ACCEPT, so the protection depends on that one rule staying present and last, which is fragile compared with a DROP policy. Option D is wrong because with a default policy of ACCEPT and no DROP rule at all, every incoming packet is accepted; its two ACCEPT rules change nothing.

77
MCQmedium

An administrator needs to ensure that the SSH service only allows key-based authentication and disables password authentication. Which configuration file and directive should be modified?

A./etc/ssh/sshd_config; PasswordAuthentication yes
B./etc/ssh/sshd_config; PubkeyAuthentication no
C./etc/ssh/ssh_config; PasswordAuthentication no
D./etc/ssh/sshd_config; PasswordAuthentication no
AnswerD

Correct file and directive to disable password authentication.

Why this answer

Option D is correct because the server daemon reads /etc/ssh/sshd_config, and `PasswordAuthentication no` there refuses the password method for every incoming connection; /etc/ssh/ssh_config only configures the ssh client on that host. Two things the question does not ask about matter in practice. First, sshd keeps the first value it reads for a keyword, and on distributions whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` a drop-in left there by image provisioning that says `PasswordAuthentication yes` wins over a later `no` in the main file. Second, with `UsePAM yes` PAM can still prompt for a password through the keyboard-interactive method unless `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` in older releases) is set as well. Check the effective values with `sshd -T | grep -i authentication` and reload sshd after editing.

Exam trap

The trap here is confusing the client configuration file (/etc/ssh/ssh_config) with the server configuration file (/etc/ssh/sshd_config), leading candidates to select option C, which would have no effect on the SSH server's authentication behavior.

How to eliminate wrong answers

Option A is wrong because 'PasswordAuthentication yes' would enable password authentication, which is the opposite of the required outcome. Option B is wrong because 'PubkeyAuthentication no' would disable public key authentication, preventing key-based access entirely. Option C is wrong because /etc/ssh/ssh_config is the client-side configuration file; modifying it only affects outgoing SSH connections from that host, not incoming connections to the SSH server.

78
MCQhard

An administrator is configuring a Linux firewall to allow incoming SSH (port 22) and HTTPS (port 443) traffic while denying all other incoming traffic. Using iptables, which set of commands achieves this?

A.iptables -P INPUT ACCEPT; iptables -A INPUT -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
B.iptables -P INPUT DROP; iptables -A INPUT -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
C.iptables -P FORWARD DROP; iptables -A INPUT -p tcp --dport 22 -j ACCEPT; iptables -A INPUT -p tcp --dport 443 -j ACCEPT
D.iptables -P INPUT ACCEPT; iptables -A INPUT -p tcp --dport 22 -j DROP; iptables -A INPUT -p tcp --dport 443 -j DROP
AnswerB

Default DROP drops all incoming packets, then specific ACCEPT rules allow SSH and HTTPS.

Why this answer

Option B is correct because it first sets the default policy on the INPUT chain to DROP, which denies all incoming traffic by default. It then adds rules to explicitly ACCEPT incoming TCP traffic on ports 22 (SSH) and 443 (HTTPS), achieving the requirement of allowing only those two services while dropping everything else.

Exam trap

CompTIA often tests the distinction between the INPUT and FORWARD chains, and the trap here is that candidates mistakenly set the default policy on FORWARD instead of INPUT, thinking it controls incoming traffic to the local host.

How to eliminate wrong answers

Option A is wrong because it sets the default INPUT policy to ACCEPT, which allows all incoming traffic by default, then adds ACCEPT rules for ports 22 and 443 — this does not deny other traffic, it just redundantly accepts those ports. Option C is wrong because it sets the default policy on the FORWARD chain to DROP, but the requirement is about incoming traffic to the local system, which is governed by the INPUT chain, not FORWARD; the INPUT chain's default policy remains ACCEPT, so all incoming traffic is still allowed. Option D is wrong because it sets the default INPUT policy to ACCEPT and then adds DROP rules for ports 22 and 443, which would block SSH and HTTPS while allowing all other traffic — the exact opposite of the requirement.

79
MCQmedium

An administrator wants to restrict SSH access to only users in the 'sshusers' group. Which configuration should be added to /etc/ssh/sshd_config?

A.AllowUsers sshusers
B.DenyUsers sshusers
C.AllowGroups sshusers
D.PermitRootLogin no
AnswerC

This allows only users in the sshusers group.

Why this answer

Option C is correct because the `AllowGroups` directive in `/etc/ssh/sshd_config` restricts SSH login to users who are members of the listed groups (patterns are allowed, and primary as well as supplementary groups count). With `AllowGroups sshusers` only members of 'sshusers' can authenticate; everyone else, including root if it is not in the group, is refused after authentication, so put the administrators' accounts in the group before reloading sshd. sshd processes the lists in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and `sshd -T -C user=alice,host=client,addr=192.0.2.10` shows the effective configuration for a given user.

Exam trap

The trap here is that candidates confuse `AllowUsers` (which matches usernames) with `AllowGroups` (which matches group names), leading them to incorrectly select Option A thinking it applies to the group name.

How to eliminate wrong answers

Option A is wrong because `AllowUsers` specifies individual usernames, not groups; `AllowUsers sshusers` would only allow a user literally named 'sshusers', not members of the group. Option B is wrong because `DenyUsers` explicitly denies specific users; `DenyUsers sshusers` would block the user named 'sshusers', which is the opposite of the requirement. Option D is wrong because `PermitRootLogin no` only prevents root from logging in via SSH, but does nothing to restrict access based on group membership.
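As an added worked example for this question and for question 77 above (not code from the question page or from OpenSSH), the following Python model applies two rules documented in sshd_config(5): the first value obtained for a keyword wins, with `Include` files read at the point where the Include line appears, and the allow/deny lists are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. The config files in `FILES` are constructed stand-ins for the real filesystem, the drop-in name is invented, and Match blocks and `Key=value` syntax are not modelled. The real check on a server is `sshd -T`.

```python
"""Model of how sshd resolves its configuration (added example, not sshd's code).
First value obtained wins; Include files are read where the Include appears;
allow/deny lists evaluate as DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
from fnmatch import fnmatch
from typing import Dict, List, Set

# Constructed stand-in for the filesystem: path -> file contents.
FILES: Dict[str, str] = {
    "/etc/ssh/sshd_config": """
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
""",
    # A drop-in of the kind image provisioning leaves behind (name invented).
    # It is read first via the Include, so its value is the one sshd keeps.
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def _glob(pattern: str) -> List[str]:
    return sorted(p for p in FILES if fnmatch(p, pattern))


def effective_config(path: str = "/etc/ssh/sshd_config") -> Dict[str, List[str]]:
    """Return keyword (lower-cased) -> first value obtained, split into words."""
    seen: Dict[str, List[str]] = {}

    def read(p: str) -> None:
        for raw in FILES[p].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(" ")
            key = key.lower()
            if key == "include":
                for inc in _glob(value.strip()):
                    read(inc)
            elif key not in seen:          # first value wins, later ones ignored
                seen[key] = value.split()

    read(path)
    return seen


def _match_any(patterns: List[str], names: Set[str]) -> bool:
    return any(fnmatch(n, pat) for pat in patterns for n in names)


def user_allowed(cfg: Dict[str, List[str]], user: str, groups: Set[str]) -> bool:
    """Apply DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order."""
    if _match_any(cfg.get("denyusers", []), {user}):
        return False
    if "allowusers" in cfg and not _match_any(cfg["allowusers"], {user}):
        return False
    if _match_any(cfg.get("denygroups", []), groups):
        return False
    if "allowgroups" in cfg and not _match_any(cfg["allowgroups"], groups):
        return False
    return True


def password_login_possible(cfg: Dict[str, List[str]]) -> bool:
    """A password prompt can come from either method, so both must be 'no'.
    sshd defaults both keywords to yes when they are absent."""
    pw = cfg.get("passwordauthentication", ["yes"])[0]
    kbd = cfg.get("kbdinteractiveauthentication", ["yes"])[0]
    return pw == "yes" or kbd == "yes"


if __name__ == "__main__":
    cfg = effective_config()
    print("password login possible:", password_login_possible(cfg))   # drop-in wins
    print("alice (member of sshusers):", user_allowed(cfg, "alice", {"alice", "sshusers"}))
    print("bob (member of users):", user_allowed(cfg, "bob", {"bob", "users"}))
    # Q79 option A: AllowUsers sshusers admits only an account literally named sshusers
    print("alice under AllowUsers sshusers:",
          user_allowed({"allowusers": ["sshusers"]}, "alice", {"alice", "sshusers"}))
```

Run as written it reports that password login is still possible even though the main file says `no`, which is exactly what `sshd -T | grep -i passwordauthentication` would reveal on such a host; remove or override the drop-in rather than editing the main file a second time.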

80
MCQeasy

A system administrator wants to ensure that the /tmp directory is mounted with noexec to prevent code execution from temporary files. Which file should be modified to persist this across reboots?

A./etc/mtab
B./etc/fstab
C./etc/sysconfig/network
D./etc/security/limits.conf
AnswerB

Used to define persistent mount options.

Why this answer

The /etc/fstab file is the system configuration file that defines how disk partitions, block devices, and remote filesystems are mounted at boot time. Adding noexec to the /tmp entry there (for example `tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0`) makes the option take effect on every boot and prevents binaries under /tmp from being executed. `mount -o remount /tmp` applies the change without a reboot, and `findmnt -no OPTIONS /tmp` confirms what is in effect.

Exam trap

The trap here is that candidates may confuse /etc/mtab (a runtime snapshot) with /etc/fstab (the persistent configuration file), or think that modifying /etc/mtab will make changes permanent, when in fact it is overwritten on every mount event.

How to eliminate wrong answers

Option A is wrong because /etc/mtab is a dynamically generated file that lists currently mounted filesystems; modifying it does not persist mount options across reboots. Option C is wrong because /etc/sysconfig/network is used for network configuration (e.g., hostname, gateway) and has no role in filesystem mount options. Option D is wrong because /etc/security/limits.conf is used to set per-user resource limits (e.g., file size, number of processes) via PAM, not to control filesystem mount behavior.

81
MCQhard

An administrator needs to audit all write operations to the /etc/shadow file. Which audit rule should be added to /etc/audit/rules.d/audit.rules?

A.-w /etc/shadow -k identity
B.-w /etc/shadow -p rwxa
C.-a always,exit -S open -F path=/etc/shadow
D.-w /etc/shadow -p wa
AnswerD

This watches /etc/shadow for write and attribute changes, which includes modifications.

Why this answer

Option D is correct because `-w /etc/shadow -p wa` places a watch (`-w`) on the file for write (`w`) and attribute-change (`a`) access, which is what "all write operations" means in auditd terms: every open for writing, truncation, and change of mode, owner or extended attributes, with the file tracked by inode so renames over it are caught too. This is the standard file-watch syntax and needs no hand-written syscall list. In CIS-style rule sets the same watch also carries `-k identity`, so the records can be pulled out with `ausearch -k identity`; the key only labels the events and does not change what is captured.

Exam trap

The trap is assuming that `-S open` catches every write. auditctl turns `-w /etc/shadow -p wa` into syscall rules of its own that cover every open-for-write path (`open`, `openat`, `creat`, `truncate` and variants) plus the attribute-changing calls (`chmod`, `chown`, `setxattr` and variants). A hand-written rule on the single `open` syscall misses `openat`, which is what current glibc issues for `open()` on x86-64, so most real writes would go unlogged; `-w ... -p wa` is both simpler and more complete.

How to eliminate wrong answers

Option A is wrong because a watch without `-p` defaults to `rwxa`, so every read of the file (each login check, `getent shadow`) is logged as well; `-k identity` only tags the records. Option B spells out `rwxa` and has the same noise problem. Option C is wrong because it filters on the `open` syscall only, not `openat`, `truncate`, `chmod`, `chown` and the rest, and has no permission filter, so it both misses many writes and logs every read that does go through `open`.
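To show what the rule actually yields, here is an added example (not from the question page and not part of auditd) that reads records produced by `-w /etc/shadow -p wa -k identity` and reports who wrote to the file. Records belonging to one event share the `msg=audit(TIMESTAMP:SERIAL)` id; the SYSCALL record carries the accountable login uid (`auid`, which survives `sudo` and `su`) and the PATH records carry the files. The log lines in `SAMPLE_LOG` are constructed for the example in the shape auditd writes them; `a2=80241` is `O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC` on syscall 257 (`openat`, x86-64), and syscall 90 is `chmod`.

```python
"""Join auditd SYSCALL and PATH records and list writes to /etc/shadow.
Added example; the log text below is constructed, not captured."""
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd0 a2=80241 a3=180 items=2 ppid=3100 pid=3120 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="passwd" exe="/usr/bin/passwd" key="identity"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/shadow" inode=5301 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=90 success=yes exit=0 a0=55c1 a1=1a4 a2=0 a3=0 items=1 ppid=3300 pid=3310 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="chmod" exe="/usr/bin/chmod" key="identity"
type=PATH msg=audit(1700000000.202:202): item=0 name="/etc/shadow" inode=5301 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffe0 a2=241 a3=1b6 items=1 ppid=4000 pid=4010 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts2 ses=6 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1700000000.303:203): item=0 name="/etc/shadow" inode=5301 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
EVENT_ID = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")  # (timestamp, serial)


def parse(log: str) -> Dict[str, List[Dict[str, str]]]:
    """Group records by event serial; each record becomes a field dict."""
    events: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in log.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[m.group(2)].append(fields)
    return events


def shadow_writes(log: str, path: str = "/etc/shadow", key: str = "identity") -> List[dict]:
    """One summary per event that touched `path` under audit key `key`.
    Failed attempts (success=no) are included: a denied write is a finding too."""
    hits = []
    for serial, records in parse(log).items():
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        paths = {r["name"] for r in records if r["type"] == "PATH"}
        if not syscall or syscall.get("key") != key or path not in paths:
            continue
        hits.append({
            "serial": serial,
            "auid": int(syscall["auid"]),    # who logged in: the accountable user
            "uid": int(syscall["uid"]),      # who the process ran as (0 for setuid passwd)
            "comm": syscall["comm"],
            "success": syscall["success"] == "yes",
        })
    return hits


if __name__ == "__main__":
    for h in shadow_writes(SAMPLE_LOG):
        flag = "OK    " if h["success"] else "DENIED"
        print(f'{flag} event {h["serial"]}: auid={h["auid"]} uid={h["uid"]} comm={h["comm"]}')
```

The point to take from the output is the `auid`/`uid` split: `passwd` runs as uid 0 because it is setuid, but the record still attributes the write to login uid 1000, which is why detection rules should key on `auid` rather than `uid`.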

82
MCQeasy

Refer to the exhibit. After adding a firewall rule, the web server becomes unreachable from the internal network 192.168.1.0/24. Which line is the cause?

A.Default policy (INPUT ACCEPT)
B.Missing rule for RELATED traffic
C.Line: -A INPUT -p tcp --dport 80 -j DROP
D.Line: -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
AnswerC

This rule drops all HTTP traffic, including from 192.168.1.0/24, before an ACCEPT rule.

Why this answer

Option C is correct because the firewall rule `-A INPUT -p tcp --dport 80 -j DROP` explicitly drops all incoming TCP traffic destined for port 80, regardless of source. Since the web server listens on port 80, this rule blocks all HTTP requests, including those from the internal network 192.168.1.0/24. The rule is placed before any ACCEPT rule for the same port, so the DROP action takes precedence, making the server unreachable.

Exam trap

The trap here is that candidates may focus on the source IP restriction in option D and assume it is the cause, overlooking the fact that iptables processes rules in order and a preceding DROP rule for the same port will block all traffic, including from the allowed subnet.

How to eliminate wrong answers

Option A is wrong because a default policy of ACCEPT would let the traffic through; it is the explicit DROP rule, matched before the policy is ever consulted, that blocks it. Option B is wrong because ESTABLISHED,RELATED refers to connection-tracking state: an inbound HTTP request is a NEW connection, so no such rule would admit it, and the cause here is an explicit DROP, not a missing state rule. Option D is wrong because the rule itself is fine; it allows 192.168.1.0/24 to port 80 but sits after the DROP, and since iptables stops at the first match, it is never reached.
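As an added worked example for this question and for questions 76 and 78 above (not code from the question page or from the iptables project), the following Python model applies the two netfilter rules those questions turn on: a chain's rules are tried in order and the first match decides, and the policy applies only when no rule matched. It replays Q76 options B and C, what happens to each after `iptables -F`, and the Q82 exhibit. The packets and rule sets are constructed here, the `Rule`/`Chain` classes are this example's own rather than an iptables API, and connection tracking is not modelled.

```python
"""Model of filter-chain evaluation: first matching rule wins, policy otherwise.
Added example; not iptables code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    target: str                      # -j ACCEPT / -j DROP
    proto: Optional[str] = None      # -p tcp
    dport: Optional[int] = None      # --dport 80
    src: Optional[str] = None        # -s 192.168.1.0/24

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        return True                  # a rule with no criteria matches everything


@dataclass
class Chain:
    policy: str = "ACCEPT"           # iptables -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:    # iptables -A <chain> ...
        self.rules.append(rule)

    def flush(self) -> None:                 # iptables -F <chain>: rules go, policy stays
        self.rules.clear()

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy                   # consulted only when nothing matched


def pkt(proto: str = "tcp", dport: Optional[int] = None, src: str = "203.0.113.5") -> dict:
    """Constructed packet: protocol, destination port and source address."""
    return {"proto": proto, "dport": dport, "src": src}


def option_c() -> Chain:
    # Q76 option C: -P INPUT DROP; -A INPUT -p tcp --dport 80/443 -j ACCEPT
    c = Chain(policy="DROP")
    c.append(Rule("ACCEPT", "tcp", 80))
    c.append(Rule("ACCEPT", "tcp", 443))
    return c


def option_b() -> Chain:
    # Q76 option B: policy ACCEPT, same allows, then an unqualified -j DROP
    c = Chain(policy="ACCEPT")
    c.append(Rule("ACCEPT", "tcp", 80))
    c.append(Rule("ACCEPT", "tcp", 443))
    c.append(Rule("DROP"))
    return c


def q82_exhibit() -> Chain:
    # Q82: a DROP for port 80 sits ahead of the subnet ACCEPT
    c = Chain(policy="ACCEPT")
    c.append(Rule("DROP", "tcp", 80))
    c.append(Rule("ACCEPT", "tcp", 80, "192.168.1.0/24"))
    return c


def filtering_identical(a: Chain, b: Chain, samples: List[dict]) -> bool:
    return all(a.verdict(p) == b.verdict(p) for p in samples)


SAMPLES = [pkt("tcp", 80), pkt("tcp", 443), pkt("tcp", 22), pkt("udp", 53)]

if __name__ == "__main__":
    for name, chain in (("C", option_c()), ("B", option_b())):
        print(name, [chain.verdict(p) for p in SAMPLES])
    b, c = option_b(), option_c()
    b.flush(); c.flush()                     # B fails open, C fails closed
    print("after flush: B ->", b.verdict(pkt("tcp", 22)), " C ->", c.verdict(pkt("tcp", 22)))
    print("Q82 internal client to :80 ->", q82_exhibit().verdict(pkt("tcp", 80, "192.168.1.10")))
```

The two Q76 rule sets give identical verdicts for every sample packet; the difference only appears after the flush, which is the argument for putting default-deny in the policy. For the Q82 exhibit, moving the subnet ACCEPT above the DROP (`iptables -I INPUT 1 ...` on the real system) is the fix.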

83
Multi-Selecthard

A security audit identified that the /tmp directory is world-writable. Which THREE steps should be taken to secure /tmp on a Linux system? (Select THREE.)

Select 3 answers
A.Set the sticky bit on /tmp
B.Remove world-writable permission from /tmp
C.Mount /tmp with the nosuid option
D.Mount /tmp with the noexec option
E.Mount /tmp with the exec option
AnswersA, C, D

Prevents users from deleting others' files.

Why this answer

Option A is correct because the sticky bit (`chmod 1777 /tmp`) lets every user create files in the shared directory while only a file's owner (or root) may delete or rename it; this is the standard protection for shared temporary directories. Option C is correct because nosuid makes the kernel ignore setuid and setgid bits on anything under the mount, so a planted privileged binary gains nothing. Option D is correct because noexec refuses to execute binaries from the mount. Option B is wrong because /tmp is meant to be world-writable: taking that away breaks every unprivileged program that creates temporary files there. Option E is the opposite of D.

Exam trap

The trap is the finding itself: /tmp being world-writable is by design, and the hardening is the sticky bit plus restrictive mount options, not removing write access, which would break ordinary programs. noexec is defence in depth rather than a barrier (an interpreter can still read a script from /tmp), which is why it is combined with nosuid, and usually nodev, in the /etc/fstab entry for /tmp.

84
Multi-Selecthard

Which TWO commands are used to manage SSH key-based authentication processes? (Choose exactly two.)

Select 2 answers
A.ssh-keygen
B.ssh-add
C.ssh-copy-id
D.ssh-keyscan
E.ssh-agent
AnswersA, C

Generates public/private key pairs for SSH.

Why this answer

The `ssh-keygen` command generates the public and private key pair used for SSH key-based authentication, while `ssh-copy-id` installs the public key on a remote server's `~/.ssh/authorized_keys` file, enabling passwordless login. Together, they form the core workflow for setting up SSH key authentication.

Exam trap

CompTIA often tests the distinction between key generation/distribution commands (`ssh-keygen`, `ssh-copy-id`) and agent management commands (`ssh-agent`, `ssh-add`), leading candidates to mistakenly select agent-related options for managing authentication processes.

85
MCQmedium

A security policy requires that user passwords must expire every 90 days. Which command can enforce this policy for user 'jsmith'?

A.usermod -e 90 jsmith
B.chage -M 90 jsmith
C.passwd -x 90 jsmith
D.chfn -f 90 jsmith
AnswerB

Sets the maximum password age to 90 days.

Why this answer

The `chage -M 90 jsmith` command sets the maximum number of days jsmith's password stays valid to 90, which enforces the 90-day expiration policy. `-M` writes the fifth field (maximum age) of jsmith's entry in /etc/shadow; the name PASS_MAX_DAYS belongs to /etc/login.defs, which only seeds the value for accounts created later. `chage` is the standard tool for password aging, and `chage -l jsmith` shows the resulting dates.

Exam trap

The trap is mixing up account expiry with password expiry: `usermod -e` sets the date on which the whole account is disabled, while `chage -M` sets how long a password remains valid. Option C is a weaker distractor than the question intends, as explained below.

How to eliminate wrong answers

Option A is wrong because `usermod -e` takes an account-expiration date in YYYY-MM-DD form; a bare `90` is either rejected or read as a day count since 1970 depending on the shadow-utils version, and in either case it concerns the account, not the password age. Option C is the one the question marks wrong, but on shadow-utils systems `passwd -x 90 jsmith` is valid and sets the same /etc/shadow field as `chage -M 90 jsmith`; the intended answer is B because `chage` is the dedicated aging tool whose options map one to one onto the shadow fields (`-M`, `-m`, `-W`, `-I`, `-E`), so treat C as "not the intended tool" rather than "invalid syntax". Option D is wrong because `chfn -f` sets the full-name (GECOS) field in /etc/passwd and has nothing to do with password aging.

86
MCQhard

A company is implementing a security policy that requires all files created in a shared directory /data to be owned by the group 'engineers' and have group read/write permissions, regardless of the user's umask. Which approach should be used?

A.Set the setgid bit only on /data
B.Set the sticky bit on /data
C.Configure ACL default permissions only on /data
D.Set the setgid bit and configure ACL default permissions on /data
AnswerD

Setgid forces group inheritance, and ACL defaults set the desired permissions on new files.

Why this answer

Option D is correct because the two mechanisms solve different halves of the requirement. The setgid bit on /data (`chmod g+s /data` after `chgrp engineers /data`) makes every new file and subdirectory take the directory's group, engineers, instead of the creator's primary group. A default ACL (`setfacl -d -m g:engineers:rwx /data`, plus `setfacl -d -m o::- /data` if others must be kept out) supplies the permissions of new files: when a directory carries a default ACL the umask is not applied, and each permission class of the new file is the intersection of what the creating program requested and the corresponding default entry. Option A alone fixes the group but leaves the mode to the creator's umask, so a user with umask 077 still creates files the group cannot read. Option B, the sticky bit, only restricts who may delete or rename files and has no effect on group or mode. Option C alone gives the right mode, but files keep the creator's primary group. One limit remains even with D: a program that explicitly creates a file with mode 0644 (rather than the usual 0666 trimmed by umask or ACL) still yields no group write, because a default ACL can only remove bits from the requested mode, never add them; `getfacl /data` shows the defaults in force.

87
MCQeasy

A security audit reveals that the /etc/shadow file has permissions 777. Which command should be used to correct this vulnerability?

A.chmod 660 /etc/shadow
B.chmod 600 /etc/shadow
C.chmod 644 /etc/shadow
D.chmod 640 /etc/shadow
AnswerB

Only root can read/write.

Why this answer

The /etc/shadow file holds the password hashes and aging data, so nothing outside root (and, where the distribution uses it, the shadow group) may read it; 777 lets every local user read and overwrite it and is a critical finding. `chmod 600 /etc/shadow` gives root read and write and everyone else nothing, which is the answer the question expects. Vendor defaults differ and are also acceptable: Debian and Ubuntu ship the file as `root:shadow 0640` so that helpers that are setgid shadow (such as unix_chkpwd) can read it, while RHEL-family systems ship `root:root 0000` (root bypasses the mode bits). Whatever the mode, restore the owner as well if the audit changed it (`chown root:root` or `root:shadow`), and compare with /etc/passwd, which stays 0644 because it holds no secrets.

Exam trap

The trap here is that candidates often confuse the required permissions for /etc/shadow with those for /etc/passwd (which is 644), leading them to choose 644 or 640 instead of the more restrictive 600.

How to eliminate wrong answers

Option A is wrong because 660 adds group write, so members of whatever group owns the file could rewrite hashes, which no distribution allows. Option C is wrong because 644 leaves the hashes readable by every user, the exposure the audit flagged. Option D is wrong in the question's framing because it leaves group read; with group root that is pointless, and it is only appropriate when the group is shadow, as in the Debian default, which the question does not state.

88
MCQhard

An administrator needs to ensure that /var/log/secure is only readable by members of the 'adm' group and is not accessible by any other user. Additionally, new files created in /var/log should inherit the group ownership 'adm'. Which set of commands achieves this?

A.setfacl -m u::rwx,g::rwx,o::--- /var/log/secure; chmod g+s /var/log
B.chgrp adm /var/log; chmod g+s /var/log; setfacl -m g:adm:rx /var/log/secure
C.chown :adm /var/log/secure; chmod 640 /var/log/secure
D.usermod -aG adm $(whoami); chmod 640 /var/log/secure
AnswerB

Sets group ownership, sgid on directory, and ACLs to make /var/log/secure readable by adm group only.

Why this answer

Option B sets the group owner of the directory with `chgrp adm /var/log`, turns on its setgid bit with `chmod g+s /var/log` so files created there inherit the group adm instead of the creator's primary group, and adds a named-group ACL entry with `setfacl -m g:adm:rx /var/log/secure` so that members of adm can read the file. Note what that last command does not do: `setfacl -m` adds an entry and recomputes the ACL mask, but it leaves the file's `other` bits unchanged, so "not accessible by any other user" only holds if the file is already `o=` (for example mode 640). In practice follow it with `chmod o-rwx /var/log/secure` and check with `getfacl /var/log/secure`; the `x` bit is unnecessary on a log file, and `g:adm:r` would be enough.

Exam trap

CompTIA often tests the distinction between setting group ownership on a file versus a directory, and the requirement to use the setgid bit for inheritance, which candidates frequently overlook by only changing permissions on the file itself.

How to eliminate wrong answers

Option A is wrong because `setfacl -m u::rwx,g::rwx,o::---` rewrites the owner, owning-group and other entries (the same bits `chmod 770` would set) without naming adm at all, and `chmod g+s /var/log` on its own inherits whatever group /var/log currently has, which may not be adm. Option C is wrong only for the second requirement: `chown :adm /var/log/secure; chmod 640 /var/log/secure` secures the file correctly (root read/write, adm read, nothing for others) but touches neither the group nor the setgid bit of /var/log, so new log files do not inherit adm. Option D is wrong because adding the current user to adm changes one account's membership, not the file's group or the directory's inheritance; if the file's group is not adm, `chmod 640` grants read to whatever group it does have.
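As an added worked example for this question and for question 86 above (not code from the question page), the following Python model computes what a newly created file ends up with, following the setgid rule for directories and the object-creation rules in acl(5) and umask(2): without a default ACL the requested mode is masked by the umask; with a default ACL the umask is ignored and each permission class is the intersection of the requested mode and the default entry. The directory states and requested modes are constructed; `Dir` and `NewFile` are this example's own types, and the setfacl line in the comment is the command the model corresponds to.

```python
"""Model of group and mode inheritance for new files (added example).
Rules from umask(2)/acl(5): default ACL present -> umask not applied, each
class = requested & default entry; setgid directory -> file takes dir's group."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Dir:
    group: str
    setgid: bool = False
    # Default ACL as entry -> permission bits (rwx = 7); None means no default ACL.
    default_acl: Optional[Dict[str, int]] = None


@dataclass
class NewFile:
    group: str
    owner_bits: int
    group_bits: int            # group class: the ACL mask when a default ACL applied
    other_bits: int
    named: Dict[str, int] = field(default_factory=dict)   # e.g. {"g:engineers": 7}

    def mode(self) -> int:
        return (self.owner_bits << 6) | (self.group_bits << 3) | self.other_bits


def create(parent: Dir, process_group: str, requested: int, umask: int) -> NewFile:
    """requested is the mode the program passes to open(2)/creat(2), e.g. 0o666."""
    group = parent.group if parent.setgid else process_group
    r_u, r_g, r_o = (requested >> 6) & 7, (requested >> 3) & 7, requested & 7
    if parent.default_acl is None:
        m = requested & ~umask & 0o777                 # plain umask rule
        return NewFile(group, (m >> 6) & 7, (m >> 3) & 7, m & 7)
    acl = parent.default_acl                           # umask is ignored from here on
    group_class = acl["m::"] if "m::" in acl else acl["g::"]
    named = {k: v for k, v in acl.items()
             if k.startswith(("u:", "g:")) and not k.endswith("::")}
    return NewFile(group, r_u & acl["u::"], r_g & group_class, r_o & acl["o::"], named)


def engineers_can_write(f: NewFile) -> bool:
    """Group rw holds if the owning group is engineers with w in the group class,
    or a named engineers entry has w that the mask does not strip."""
    if f.group == "engineers" and f.group_bits & 0o2:
        return True
    return bool(f.named.get("g:engineers", 0) & f.group_bits & 0o2)


# Q86 option D, as produced by: chgrp engineers /data; chmod 2770 /data;
# setfacl -d -m u::rwx,g::rwx,g:engineers:rwx,o::- /data   (constructed state)
HARDENED = Dir("engineers", setgid=True,
               default_acl={"u::": 7, "g::": 7, "g:engineers": 7, "m::": 7, "o::": 0})
SETGID_ONLY = Dir("engineers", setgid=True)              # Q86 option A

if __name__ == "__main__":
    f = create(HARDENED, "alice", 0o666, 0o077)
    print(f"default ACL + setgid: group={f.group} mode={f.mode():04o} named={f.named}")
    g = create(SETGID_ONLY, "alice", 0o666, 0o077)
    print(f"setgid only:          group={g.group} mode={g.mode():04o}")   # umask wins
    k = create(HARDENED, "alice", 0o644, 0o022)              # program asked for 0644
    print(f"requested 0644:       mode={k.mode():04o} group write={engineers_can_write(k)}")
```

The third case is the limit noted above: a default ACL can only take bits away from what the program requested, so a tool that creates files as 0644 still produces group-read-only files, and only a chmod afterwards (or a different tool) gives engineers write.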

89
MCQeasy

A junior administrator is tasked with setting up a file server using NFS on a Linux server. The /etc/exports file currently contains: /srv/nfs *(rw,sync,no_subtree_check). The administrator wants to restrict access to only the 192.168.10.0/24 network and require clients to use a privileged port (less than 1024) for added security. Additionally, the administrator wants to prevent root users on the client from having root access to the NFS share. Which exports configuration meets these requirements?

A./srv/nfs 192.168.10.0/24(rw,sync,no_subtree_check,no_all_squash)
B./srv/nfs 192.168.10.0/24(rw,sync,no_subtree_check,insecure,root_squash)
C./srv/nfs 192.168.10.0/24(rw,sync,no_subtree_check,secure,root_squash)
D./srv/nfs 192.168.10.0/24(rw,sync,no_subtree_check,secure,no_root_squash)
AnswerC

secure restricts to privileged ports, root_squash maps root to nobody.

Why this answer

Option C is correct because it restricts the export to the 192.168.10.0/24 network, states `secure` so that requests must come from a source port below 1024, and states `root_squash` so that uid 0 on a client is mapped to the anonymous user (nobody, or whatever `anonuid`/`anongid` name). Both of those are also the defaults documented in exports(5), but a security policy is verified by what the file says; after editing, `exportfs -ra` applies it and `exportfs -v` shows the effective options per export.

Exam trap

The trap here is that candidates often confuse 'secure' with 'insecure' — the 'secure' option requires privileged ports, while 'insecure' allows any port, and many mistakenly think 'insecure' is needed for security or that 'no_root_squash' is the default safe behavior.

How to eliminate wrong answers

Option A is wrong in the exam's reading because it states neither requirement. Note, though, that `secure` and `root_squash` are both defaults in exports(5), so as written option A behaves the same as C on a stock server; and `no_all_squash` (also the default) concerns non-root users, whose UIDs are passed through, while root is still squashed. The intended answer is C, which makes the two required behaviours explicit. Option B is wrong because `insecure` allows requests from any source port, the opposite of the requirement. Option D is wrong because `no_root_squash` lets a client's root act as root on the share, directly contradicting the requirement.

90
Drag & Dropmedium

Drag and drop the steps to configure a firewall rule using iptables to allow SSH in the correct order.


Why this order

Add the ACCEPT rule for SSH first (`iptables -A INPUT -p tcp --dport 22 -j ACCEPT`, ideally together with the loopback and ESTABLISHED,RELATED rules), then switch the INPUT policy to DROP, then save the ruleset (`iptables-save`, or `netfilter-persistent save` or the iptables service, depending on the distribution). Setting the DROP policy first from an SSH session ends that session with no way back in.

91
MCQhard

A security audit reveals that a server's /etc/shadow file is readable by all users. Which command would correctly fix the permissions?

A.chmod 644 /etc/shadow
B.chmod 600 /etc/shadow
C.chmod 640 /etc/shadow
D.chmod 640 /etc/shadow && chown root:shadow
AnswerB

This restricts read and write access to root only.

Why this answer

Option B is correct because `chmod 600 /etc/shadow` makes the file readable and writable by its owner, root, and by nobody else. Option C (640) leaves group read, acceptable only when the group is shadow, as on Debian-family systems, which the question does not state. Option A (644) keeps the world-readable state the audit flagged.

Option D is not the answer because its `chown root:shadow` has no file operand, so the second command fails as written; with group shadow, 640 would be the Debian default rather than a mistake, but the question wants the single command that removes the exposure.

92
MCQeasy

Which tool is used for encrypting files with public-key cryptography on Linux systems?

A.bcrypt
B.LUKS
C.OpenSSL
D.GnuPG
AnswerD

Implements the OpenPGP standard for encrypting and signing data.

Why this answer

GnuPG (GNU Privacy Guard) is the correct tool because it implements the OpenPGP standard (RFC 4880) for encrypting and signing files using public-key cryptography. It allows users to generate a key pair, encrypt a file with the recipient's public key, and decrypt it with the corresponding private key, making it the standard Linux utility for asymmetric file encryption.

Exam trap

The trap here is that candidates confuse OpenSSL's ability to perform asymmetric operations (e.g., `openssl rsautl`) with it being the standard tool for public-key file encryption, while GnuPG is the dedicated utility for OpenPGP-compliant file encryption on Linux.

How to eliminate wrong answers

Option A is wrong because bcrypt is a password-hashing function based on the Blowfish cipher, designed for securely storing passwords, not for encrypting files with public-key cryptography. Option B is wrong because LUKS (Linux Unified Key Setup) is a disk encryption specification that encrypts entire block devices using symmetric keys, not public-key cryptography for individual files. Option C is wrong because OpenSSL is a cryptographic library that supports symmetric and asymmetric encryption, but it is primarily a toolkit for SSL/TLS protocols and command-line encryption of data using symmetric ciphers (e.g., `openssl enc`), not a dedicated public-key file encryption tool like GnuPG.

93
MCQhard

A company's security policy requires that all user passwords must expire every 90 days. The administrator runs 'chage -M 90 jdoe' for user jdoe. Which additional step ensures that the password expiration policy is enforced for all new users?

A.Set PASS_MAX_DAYS 90 in /etc/login.defs
B.Add 'password required pam_unix.so remember=5' to /etc/pam.d/system-auth
C.Set EXPIRE=90 in /etc/default/useradd
D.Modify /etc/shadow to set max days for each user
AnswerA

This sets the default maximum password age for new users.

Why this answer

Option A is correct because /etc/login.defs holds the defaults useradd and the other shadow tools apply when creating accounts. Setting `PASS_MAX_DAYS 90` there gives every account created afterwards a 90-day maximum password age without further manual work. Existing accounts are not touched by the change; they each need `chage -M 90` (for example in a loop over the accounts that have a real password hash), and `chage -l jdoe` shows the resulting dates.

Exam trap

The trap here is that candidates confuse the purpose of /etc/login.defs (defaults for new users) with /etc/shadow (current user settings) or think that modifying a single user's policy with chage will propagate to all users.

How to eliminate wrong answers

Option B is wrong because `remember=5` on pam_unix controls password history (no reuse of the last five passwords), not maximum age. Option C is wrong because, although /etc/default/useradd does have an `EXPIRE=` setting, it is an absolute account-expiration date (YYYY-MM-DD) applied to new accounts, not a password age; `EXPIRE=90` is not a valid date, and that file has no maximum-age setting, which is why PASS_MAX_DAYS lives in login.defs. Option D is wrong because editing /etc/shadow by hand for each user does not scale and does nothing for accounts created later.

94
MCQmedium

A security audit reveals that the /etc/shadow file has permissions 0644 and is owned by root:shadow. The auditor states that this is a security risk because any local user can read password hashes. The administrator wants to fix the permissions to ensure that only root and the shadow group can read the file, and no one else can read it. Additionally, the administrator wants to set the immutable attribute on the file to prevent accidental modification. Which set of commands achieves the desired state?

A.chmod 640 /etc/shadow; chattr +i /etc/shadow
B.chmod 640 /etc/shadow; chattr +a /etc/shadow
C.chmod 640 /etc/shadow; chmod +i /etc/shadow
D.chmod 600 /etc/shadow; chattr +i /etc/shadow
AnswerA

Sets permissions to owner rw, group r, others none; then sets immutable attribute.

Why this answer

Option A is correct because `chmod 640` gives root (the owner) read and write, the shadow group read only, and others nothing, and `chattr +i` sets the immutable attribute, which blocks every change to the file (content, rename, unlink, hard links) even for root until `chattr -i` is run. That meets the requirement as stated. Before doing it on a real system, note that the shadow tools (passwd, chage, useradd, vipw) update /etc/shadow by writing a new file and renaming it into place; the immutable attribute blocks that rename, so every password change fails until the flag is removed. `lsattr /etc/shadow` shows whether the flag is set.

Exam trap

CompTIA often tests the distinction between chmod (file permissions) and chattr (extended attributes), and the trap here is that candidates may confuse the immutable attribute (+i) with the append-only attribute (+a) or mistakenly use chmod to set it.

How to eliminate wrong answers

Option B is wrong because `chattr +a` marks the file append-only: it blocks truncation, deletion and overwriting of existing content but still permits appends, which is the attribute for log files, not the immutable attribute the requirement names. Option C is wrong because `chmod +i` is not valid; mode bits and extended attributes are different things, and `i` is set with chattr. Option D is wrong because `chmod 600` removes the shadow group's read access, which the requirement says must remain.

95
Multi-Selecthard

Which TWO tools are specifically designed to detect rootkits on a Linux system?

Select 2 answers
A.lsof
B.rkhunter
C.netstat
D.clamav
E.chkrootkit
AnswersB, E

rkhunter and chkrootkit are the dedicated rootkit scanners.

Why this answer

B is correct because rkhunter (Rootkit Hunter) scans for rootkits, backdoors and local exploits by comparing file hashes, looking for hidden processes and files, and checking system binaries against known rootkit signatures. E is correct because chkrootkit does the same job with a different approach, checking system binaries for rootkit modification and looking for known rootkit artefacts and hidden processes. Both are only as trustworthy as the host they run on, so their results should be compared against known-good hashes held elsewhere.

Exam trap

The trap here is that candidates may confuse general system monitoring tools (lsof, netstat) or general antivirus (ClamAV) with specialized rootkit detection tools, but only rkhunter and chkrootkit are explicitly designed for that purpose.

96
MCQmedium

Refer to the exhibit. A web application running under Apache cannot write to /var/log/app.log. The file has permissions 664 and is owned by apache. What is the correct action to allow writes while maintaining SELinux policies?

A.Change the ownership to root.
B.Change the SELinux context of the file to httpd_log_t.
C.Set the httpd_can_network_connect boolean.
D.Disable SELinux for the httpd daemon.
AnswerB

Allows httpd_t to write to that file type.

Why this answer

The file /var/log/app.log has permissions 664 and is owned by apache, so ordinary permissions allow the write. SELinux is denying it because the file's type is not one the httpd_t domain may write; relabelling it as httpd_log_t makes it a log file httpd may write to, and SELinux stays enforcing. Do the relabel persistently with `semanage fcontext -a -t httpd_log_t '/var/log/app.log'` followed by `restorecon -v /var/log/app.log` rather than a bare `chcon`, which a relabel would undo; `ls -Z /var/log/app.log` shows the current context and `ausearch -m AVC -ts recent` the denial that led here.

Exam trap

The trap here is that candidates see the file is owned by apache with 664 permissions and assume the issue is file ownership or permissions, overlooking that SELinux enforces its own access controls independent of standard Linux permissions.

How to eliminate wrong answers

Option A is wrong because changing ownership to root would actually prevent the apache user from writing to the file (since root owns it and the file has 664 permissions, the apache user is in the 'others' category and can only read). Option C is wrong because the httpd_can_network_connect boolean controls whether httpd can initiate outbound network connections, not file write permissions. Option D is wrong because disabling SELinux for the httpd daemon would weaken security unnecessarily; the correct approach is to apply the proper SELinux file context rather than bypassing the policy entirely.
