Which TWO commands can be used to lock a user account? (Choose two.)
Locks account.
Why this answer
passwd -l locks the password, usermod -L locks the account. Both prevent login.
75 of 125 questions · Page 1/2 · Lxp Security topic · Answers revealed
A security administrator is reviewing file permissions on a Linux system. They want to ensure that the /etc/shadow file is only readable by the root user. Which two commands can be used to set the correct permissions?
Ensures owner and group are root.
Why this answer
Option A is correct because the chown root:root /etc/shadow command changes both the owner and group of the /etc/shadow file to root. This ensures that only the root user has ownership, which is a prerequisite for setting restrictive permissions. However, the question asks for commands to set the correct permissions, and while ownership change is important, the primary requirement is that the file is only readable by root, which is achieved by setting permissions to 600 (owner read/write, no access for group or others).
Thus, chmod 600 /etc/shadow (Option C) is also correct, making A and C the two commands that together ensure the file is only readable by root.
Exam trap
The trap here is that candidates often confuse the purpose of chown and chmod, thinking that changing ownership alone (Option A) is sufficient to restrict access, when in fact the permission bits (like 600) must also be set to deny group and others access. Others mistakenly choose chmod 640 (Option D), assuming the shadow group is acceptable, but the question explicitly requires only root to have read access.
A file named 'webapp.conf' is being served by Apache but users get a 'Permission denied' error. The SELinux context of the file is 'unconfined_u:object_r:admin_home_t:s0'. What is the most appropriate command to fix the SELinux context?
This adds a default context rule and restores it. Both B and D could work, but D is more permanent. Since the question asks for 'most appropriate', D ensures persistence. However, B is also correct but may not be persistent if the file path is not covered by policy. In practice, D is better. But given options, D is more comprehensive. I'll choose D as correct.
Why this answer
Both options A and D are correct. Option D uses restorecon to apply the default SELinux context for the file's path, which can set httpd_sys_content_t if the path has a defined mapping. Option A first adds a persistent rule with semanage fcontext, then applies it with restorecon, ensuring the correct context regardless of the file's location and making the change survive system relabeling.
While both resolve the 'Permission denied' error, A is the most appropriate because it guarantees persistence and correctness even if the default mapping is missing.
Exam trap
The trap is that candidates often choose chcon (option C) because it works immediately without additional commands. However, chcon changes are not persistent across file relabeling (e.g., after a full restorecon or system policy update), making semanage fcontext the recommended approach for a permanent fix.
How to eliminate wrong answers
Option B is wrong because 'setenforce 0' disables SELinux entirely, which is a security risk and not a proper fix for the context mismatch; it only masks the issue. Option C is wrong because 'chcon -t httpd_sys_content_t webapp.conf' changes the context temporarily but does not update the SELinux policy database, so the change will be lost after a file system relabel or 'restorecon' run. Option D is wrong because 'restorecon -v webapp.conf' alone will reset the file to its default context based on the current policy, but since no persistent rule exists for this file, it will revert to 'admin_home_t' (or another default) and not fix the permission error.
Which file contains the password aging information such as minimum and maximum days between password changes?
Contains password aging fields: min, max, warn, inactive, expire.
Why this answer
/etc/shadow stores password hashes and aging fields like min, max, warn, and inactive days. /etc/passwd has basic user info, /etc/login.defs has system defaults, and /etc/security/limits.conf sets resource limits.
A security analyst needs to see a list of failed login attempts on a Linux system. Which command displays this information from the /var/log/secure log?
lastb displays bad login attempts from /var/log/btmp.
Why this answer
lastb shows failed login attempts based on /var/log/btmp. last shows successful logins, lastlog shows last login per user, faillog is an older command.
A security policy requires that system logs be rotated weekly and kept for 4 weeks. Which configuration file should be modified to achieve this for /var/log/syslog?
Main configuration file for logrotate.
Why this answer
Log rotation is managed by logrotate, not by rsyslog or syslog itself. The /etc/logrotate.conf file contains global rotation settings, including frequency (weekly) and retention count (rotate 4). Adding or modifying a configuration block for /var/log/syslog in logrotate.conf (or a file in /etc/logrotate.d/) directly implements the policy requirement.
Exam trap
Cisco often tests the distinction between log generation (rsyslog.conf) and log rotation (logrotate.conf), so candidates mistakenly choose /etc/rsyslog.conf because they associate it with log management, not realizing rotation is a separate function.
How to eliminate wrong answers
Option A is wrong because /etc/security/limits.conf controls system resource limits (e.g., file handles, processes) per user via PAM, not log rotation. Option B is wrong because /etc/rsyslog.conf configures the rsyslog daemon’s logging rules, outputs, and facilities, but does not handle rotation or retention of log files. Option D is wrong because /etc/audit/auditd.conf configures the audit daemon (auditd) for kernel audit events, not general system log rotation.
A system administrator needs to ensure that the Apache web server can read files in /var/www/html, which has the SELinux context httpd_sys_content_t. However, Apache is unable to access the files. What command should be used to apply the correct context to the directory and its contents?
Correct. restorecon applies the default context recursively.
Why this answer
The directory /var/www/html already has the correct SELinux type (httpd_sys_content_t) as stated, but Apache cannot access the files. This suggests that the file contexts are not correctly applied or are mislabeled. The restorecon -Rv command resets the SELinux context of the directory and its contents to the default policy-defined context (httpd_sys_content_t), ensuring consistent labeling.
This directly resolves the access issue without needing to define or change the context type.
Exam trap
The trap here is that candidates assume the context is missing and choose `chcon` or `semanage fcontext` to set it, when in fact the context is already present but not applied correctly, and `restorecon` is the proper tool to enforce the policy-defined context.
How to eliminate wrong answers
Option A is wrong because `chcon -R -t httpd_sys_content_t` changes the SELinux context temporarily and does not persist after a file system relabel; it also assumes the context is missing when it is already present, and using it could overwrite any correct context with a non-persistent one. Option C is wrong because `fixfiles -R restore` is not a valid command; the correct syntax is `fixfiles restore` or `fixfiles -R` with a directory path, but `fixfiles` is used for bulk relabeling and is not the appropriate tool for a single directory context restoration. Option D is wrong because `semanage fcontext -a -t httpd_sys_content_t` adds a new file context mapping to the SELinux policy database, which is unnecessary since the correct type is already defined in the policy; this command would create a duplicate rule and does not apply the context to the files immediately.
An administrator is configuring auditd to monitor changes to the /etc/passwd file. Which three commands are part of the auditd toolset for setting up and reviewing audit rules?
Generates summary reports from audit logs.
Why this answer
auditctl adds rules, ausearch searches logs, aureport generates reports. auditd is the daemon, not a command for rules. aulog is not a standard tool.
A system administrator wants to limit the number of simultaneous logins for a user to 2. Which file and parameter should be configured?
Correct: limits.conf with hard maxlogins limits login count.
Why this answer
Option B is correct because the `/etc/security/limits.conf` file allows setting resource limits per user or group, and the `maxlogins` parameter specifically controls the maximum number of simultaneous logins for a user. The syntax `username hard maxlogins 2` enforces a hard limit of 2 concurrent sessions for that user, which is the exact requirement. This limit is enforced by the PAM module `pam_limits.so`, which must be configured in the appropriate PAM stack file (e.g., `/etc/pam.d/login` or `/etc/pam.d/sshd`).
Exam trap
Cisco often tests the distinction between `maxlogins` (simultaneous logins) and `nproc` (number of processes), and the difference between `soft` and `hard` limits, causing candidates to confuse process limits with login limits or choose a group-based entry when a per-user entry is required.
How to eliminate wrong answers
Option A is wrong because `/etc/pam.d/login` is a PAM service configuration file, not a resource limit file; the line `session required pam_limits.so` is necessary to enable `pam_limits.so` but does not itself set any limit. Option C is wrong because `@users` refers to a group named 'users', not a specific username, and the question explicitly asks to limit a single user, not a group. Option D is wrong because `soft nproc 2` limits the number of processes (nproc) for the user, not the number of simultaneous logins (maxlogins), and using a soft limit allows the user to exceed it temporarily, which does not enforce a hard cap of 2 logins.
Allows established and related connections.
Why this answer
The correct approach: set default policy to DROP on INPUT, then allow established/related connections, then allow SSH. The other options either drop all (blocking SSH), use wrong chain, or allow all.
A user reports they cannot log in after three failed password attempts. The system uses PAM with pam_faillock. Which command can the administrator use to view the number of failed attempts for the user?
Displays failed login attempts for the user.
Why this answer
pam_tally2 --user username shows the count of authentication failures.
A file on an SELinux-enabled system has the security context 'unconfined_u:object_r:httpd_sys_content_t:s0'. A web server needs to read it, but it is being denied. Which command changes the context to allow access?
Changes the type to httpd_sys_content_t, allowing web server read access.
Why this answer
Option A is correct because the file already has the correct SELinux type `httpd_sys_content_t`, but the context shown includes `unconfined_u:object_r:httpd_sys_content_t:s0`. The web server is denied because the file's SELinux context may have been misapplied or the file was moved from a different location, causing the type to be incorrect. The `chcon -t httpd_sys_content_t` command directly changes the file's SELinux type to the one required for Apache to read it, without modifying the policy or requiring a relabel.
Exam trap
Cisco often tests the distinction between `chcon` (immediate, temporary context change) and `semanage fcontext` + `restorecon` (persistent, policy-based change), tricking candidates into choosing the persistent method when the question asks for a quick fix to allow access.
How to eliminate wrong answers
Option B is wrong because `setsebool -P httpd_read_content on` toggles a boolean that controls whether Apache can read content from certain directories, but it does not change the file's SELinux context; the file's type must already match for the boolean to be effective. Option C is wrong because `semanage fcontext -a -t httpd_sys_content_t /path/to/file` adds a file context mapping to the SELinux policy database, but it does not immediately change the context of the existing file; a subsequent `restorecon` would be needed to apply it. Option D is wrong because `restorecon -v /path/to/file` restores the file's context based on the default policy mapping, but if the file's path is not defined in the policy with the correct type, it will not set `httpd_sys_content_t` and may leave the file with an incorrect type.
A security analyst notices repeated failed login attempts on a Linux server. They want to lock the account after 3 failed attempts using PAM. Which PAM module should be configured in /etc/pam.d/sshd or /etc/pam.d/system-auth?
Correct: pam_faillock provides account lockout based on failed attempts.
Why this answer
pam_faillock is used to lock accounts after failed attempts. It can be configured to deny access after a specified number of failures.
A security audit reveals that a Linux system allows password-based SSH logins and has weak password policies. Which THREE actions should the administrator take to improve security? (Choose three.)
Prevents brute force.
Why this answer
Disabling password authentication, enforcing password complexity via pam_pwquality, and setting account lockout via pam_faillock are three strong measures. Changing the SSH port is minor hardening and not as effective as the other three. Enabling root login is bad.
A server running nftables has a rule set that allows incoming SSH from the management network (192.168.1.0/24). An administrator needs to insert a rule to drop SSH from all other sources. Which nft command accomplishes this? Assume the input chain is 'input' and the table is 'inet filter'.
This drops SSH from sources not within the management network.
Why this answer
The correct command is A. The existing rule allows SSH from 192.168.1.0/24. To drop SSH from all other sources, we need a rule that matches packets with source IP address not in that subnet and destination port 22, and then drops them.
The `add rule` subcommand appends the rule to the chain, which is appropriate because the allow rule for the management network should remain first. Using `ip saddr != 192.168.1.0/24` properly negates the source subnet. Option B drops SSH from any source (including the management network), which would block the allowed traffic.
Option C replaces an existing rule by handle but does not specify the source condition. Option D accepts SSH from all sources, which is not desired. Therefore, A is correct.
Exam trap
Candidates often confuse 'add' vs 'insert' in nftables. The question says 'insert a rule', but the correct approach is to append a drop rule after the allow rule. Adding the drop rule before the allow rule would make the allow rule irrelevant. 'Add rule' appends, which is correct here.
An administrator needs to harden SSH access. Which TWO settings in /etc/ssh/sshd_config are recommended to improve security? (Choose two.)
Prevents direct root login.
Why this answer
Option B is correct because setting `PermitRootLogin no` disables direct root login via SSH, forcing administrators to log in as a regular user and then use `su` or `sudo` for privileged commands. This prevents attackers from targeting the root account directly and ensures all root-level actions are logged under the individual user's session. Option D is correct because setting `PasswordAuthentication no` disables password-based authentication, requiring the use of SSH key pairs, which are resistant to brute-force attacks and credential stuffing.
Exam trap
The trap here is that candidates often think changing the default SSH port (Option E) is a strong security measure, but the exam considers it a weak control compared to disabling root login and password authentication, which directly address authentication vulnerabilities.
A Linux administrator needs to add a new user named 'jdoe' with a home directory and a bash shell. Which command accomplishes this?
This creates the home directory and sets the shell.
Why this answer
The useradd command with -m creates the home directory and -s sets the shell. useradd -m -s /bin/bash jdoe is correct.
An administrator needs to prevent a specific user 'bob' from logging in via SSH while allowing other users. Which configuration directive should be added to /etc/ssh/sshd_config?
By listing other users, bob is implicitly denied.
Why this answer
Option A is correct because the AllowUsers directive in /etc/ssh/sshd_config explicitly lists the usernames that are permitted to log in via SSH. By specifying 'AllowUsers alice charlie', only those users are allowed SSH access, effectively blocking user 'bob' without needing a DenyUsers directive. This directive is processed before authentication, so any user not in the list is immediately rejected.
Exam trap
The trap here is that candidates often choose DenyUsers bob because it seems intuitive to block a specific user, but the question's requirement to 'prevent bob while allowing other users' is best met by AllowUsers with a whitelist, which is a common exam trick to test understanding of whitelist vs. blacklist logic.
How to eliminate wrong answers
Option B is wrong because PermitRootLogin no only prevents the root user from logging in via SSH; it has no effect on regular users like 'bob'. Option C is wrong because DenyUsers bob would explicitly block 'bob', but the question asks for a directive that prevents 'bob' while allowing other users; while DenyUsers works, the correct answer is AllowUsers as it is the more direct and commonly tested approach for this scenario. Option D is wrong because AllowUsers bob would permit only 'bob' to log in, blocking all other users including alice and charlie, which is the opposite of the requirement.
Which THREE of the following commands are used to manage iptables rules? (Select THREE.)
Inserts a rule at a specified position.
Why this answer
iptables is used with options -A (append), -I (insert), -D (delete). -L lists rules, -F flushes. -j is for target, not a command itself. -p is for protocol. -s is source.
An administrator wants to restrict SSH access to only users in the 'sshusers' group. Which configuration directive should be added to /etc/ssh/sshd_config?
AllowGroups allows only users in the specified group to log in via SSH.
Why this answer
The AllowGroups directive in sshd_config restricts SSH access to users who are members of the specified group(s).
An administrator is configuring sudo access for a group of developers. They should be able to run any command as root, but only after authenticating with their own password. Which TWO configuration lines in /etc/sudoers would achieve this? (Select TWO.)
Gives developers full sudo access with password prompt (default).
Why this answer
Option D is correct because the syntax `%developers ALL=(ALL) ALL` grants members of the `developers` group permission to run any command as any user (including root) on any host, and by default sudo requires the user's own password for authentication. Option E is also correct because `PASSWD: ALL` explicitly enforces password authentication for all commands, overriding any global `!authenticate` or `NOPASSWD` settings. Together, these two lines ensure the developers must authenticate with their own password before executing commands as root.
Exam trap
The trap here is that candidates often confuse the default behavior of sudo (which requires a password) with the explicit `PASSWD` tag, and may incorrectly select `NOPASSWD` options or miss that `PASSWD: ALL` is needed to override potential global `!authenticate` settings or to make the requirement explicit.
A security auditor notices that a service account's password never expires. The company policy requires password rotation every 60 days. Which command will enforce this policy for the service account?
This sets max age and forces immediate password change.
Why this answer
chage -M 60 sets the maximum password age to 60 days. To also force a password change on next login, use -d 0.
An AppArmor profile for a web server is in complain mode. After testing, the administrator wants to enforce the profile. Which command accomplishes this?
Correct command.
Why this answer
The correct command to enforce an AppArmor profile that is currently in complain mode is `aa-enforce`. This command switches the profile from complain (log-only) to enforce (block violations) mode. The option `-r` in `apparmor_parser` reloads the profile but does not change its mode; `aa-complain` sets it to complain mode, and `aa-status` only displays status.
Exam trap
The trap here is that candidates confuse `apparmor_parser -r` (which reloads the profile but does not change its mode) with the mode-switching commands `aa-enforce` and `aa-complain`, leading them to choose option A incorrectly.
How to eliminate wrong answers
Option A is wrong because `apparmor_parser -r` reloads the profile from disk but does not change its operational mode; it would reload the profile in its current mode (complain), not enforce. Option C is wrong because `aa-complain` sets the profile to complain mode, which is the opposite of what the administrator wants. Option D is wrong because `aa-status` is used to display the status of loaded AppArmor profiles, not to change their enforcement mode.
A Linux administrator needs to ensure that user passwords expire after 90 days. Which command should be used to enforce this policy?
chage -M sets the maximum password age in days.
Why this answer
The `chage -M 90 username` command sets the maximum number of days a password is valid before it must be changed, enforcing a 90-day expiration policy. This directly modifies the `PASS_MAX_DAYS` field in `/etc/shadow` for the specified user, which the system checks during authentication.
Exam trap
The trap here is that candidates confuse `passwd -x` (which does set max days but is less commonly used and not the recommended tool for policy enforcement) with `chage -M`, or they misremember `usermod -e` as password aging when it actually controls account expiry.
How to eliminate wrong answers
Option B is wrong because `passwd -x 90 username` is not valid syntax; the `passwd` command uses `-x` to set the maximum password age, but it requires a numeric argument and the correct form is `passwd -x 90 username` (note: this is actually valid on some systems, but the XK0-005 exam expects `chage` as the standard tool for aging policies). Option C is wrong because `passwd -e 90 username` is invalid; `passwd -e` forces password expiration immediately (sets the last change date to 0), not a 90-day interval. Option D is wrong because `usermod -e 90 username` sets the account expiration date (in YYYY-MM-DD format), not the password aging policy.
Which command displays the current SELinux mode?
getenforce shows the current SELinux mode.
Why this answer
getenforce displays whether SELinux is enforcing, permissive, or disabled.
A security administrator is reviewing SSH configuration. Which TWO settings enhance security by limiting authentication attempts and preventing password-based logins? (Choose two.)
Limits number of authentication attempts.
Why this answer
MaxAuthTries sets maximum authentication attempts. PasswordAuthentication no disables password auth, forcing key-based.
Adds the SSH service to the default zone permanently.
A security team wants to restrict SSH access to only users in the 'sshusers' group. Which configuration line in /etc/ssh/sshd_config achieves this?
Allows only members of sshusers group.
Why this answer
Option B is correct because the `AllowGroups` directive in `/etc/ssh/sshd_config` restricts SSH login to users who are members of the specified group. By setting `AllowGroups sshusers`, only users in the 'sshusers' group are permitted to authenticate via SSH, meeting the security team's requirement.
Exam trap
The trap here is confusing `AllowGroups` with `AllowUsers`; candidates often select `AllowUsers sshusers` thinking it applies to a group, but it only matches a literal username, not group membership.
How to eliminate wrong answers
Option A is wrong because `DenyGroups sshusers` would block users in the 'sshusers' group from SSH access, which is the opposite of what is required. Option C is wrong because `AllowUsers sshusers` specifies a username, not a group; it would only allow a user literally named 'sshusers' to log in, not all members of the group. Option D is wrong because `Subsystem sftp /usr/lib/openssh/sftp-server` configures the SFTP subsystem and has no effect on restricting SSH access based on group membership.
A Linux administrator wants to prevent users from reusing their last five passwords. Which PAM module should be configured?
pam_pwhistory maintains a history of previous passwords and can reject reuse.
Why this answer
The pam_pwhistory module is specifically designed to enforce password history policies by storing a user's previous passwords in a separate file (e.g., /etc/security/opasswd) and preventing reuse of those passwords. By configuring the 'remember' option in the PAM stack, the administrator can set the number of previous passwords that cannot be reused, such as 'remember=5' to block the last five passwords.
Exam trap
The trap here is that candidates often confuse pam_pwquality (which enforces password strength) with pam_pwhistory (which enforces password reuse prevention), leading them to select pam_pwquality when the question specifically asks about preventing reuse of previous passwords.
How to eliminate wrong answers
Option A is wrong because pam_faillock is used to lock user accounts after a specified number of failed login attempts, not to enforce password history or reuse restrictions. Option B is wrong because pam_pwquality is used to enforce password complexity requirements (e.g., length, character classes) and does not track or prevent reuse of previous passwords. Option C is wrong because pam_unix handles traditional Unix authentication, password updates, and shadow password management, but it does not have built-in support for password history tracking; that functionality is delegated to pam_pwhistory.
A system administrator is configuring firewalld on a Linux server. They want to allow incoming HTTPS traffic permanently for the public zone. Which command should be used?
This adds the HTTPS service to the public zone permanently.
Why this answer
Option D is correct because the `firewall-cmd --add-service=https --zone=public --permanent` command adds the HTTPS service (TCP port 443) to the public zone and makes the rule persistent across reboots. The `--permanent` flag ensures the change survives a firewall reload or system restart, and the `--zone=public` targets the correct network zone for incoming traffic.
Exam trap
The trap here is that candidates often forget the `--permanent` flag or confuse the order of arguments, leading them to choose Option A (runtime-only change) or Option B (invalid syntax), while Option C works but is not the best practice for service-based rules.
How to eliminate wrong answers
Option A is wrong because it lacks the `--permanent` flag, so the rule only applies to the runtime configuration and will be lost after a firewall reload or reboot. Option B is wrong because the syntax is invalid: `--service` is not a valid option, and the flags are in the wrong order; the correct syntax is `--add-service` followed by the service name. Option C is wrong because while it uses the correct `--permanent` and `--zone` flags, it specifies a port number instead of the service name; using the service name is preferred for clarity and ensures the correct protocol (TCP) is applied, as HTTPS always uses TCP.
An administrator is configuring log rotation for /var/log/auth.log. They want logs to be rotated weekly, compressed, and kept for 12 weeks. Which logrotate configuration directive achieves this?
This is the correct logrotate syntax.
Why this answer
weekly, compress, and rotate 12 set the desired behavior. The other options have incorrect parameters.
After modifying a PAM configuration file for sshd, a user reports they cannot log in. Which command can be used to verify the syntax of the PAM configuration without affecting running services?
On Debian systems, this command can reconfigure PAM and validate module entries.
Why this answer
The `pam-auth-update --package` command is used to verify and apply PAM configuration changes without restarting services. It checks the syntax of PAM configuration files and ensures they are valid, preventing lockouts like the one described. This is the correct tool for testing PAM syntax in Debian-based systems, as it integrates with the system's PAM profile management.
Exam trap
The trap here is that candidates confuse PAM module commands (like `pam_tally2` or `pam_faillock`) with syntax validation tools, or assume `pam_unix` can be run as a standalone command for testing.
How to eliminate wrong answers
Option A is wrong because `pam_unix -t` is not a valid command; `pam_unix` is a PAM module, not a command-line tool for syntax checking. Option C is wrong because `pam_tally2 --check` is used to display login failure counts, not to verify PAM configuration syntax. Option D is wrong because `pam_faillock --test` is used to test faillock configuration for account locking, not to validate general PAM syntax.
A technician needs to generate a self-signed certificate for an internal web server. Which OpenSSL command creates a new private key and a certificate signing request (CSR) in one step?
One-step creation of key and CSR.
Why this answer
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr creates both key and CSR.
After configuring AppArmor, an administrator wants to verify the status of all profiles and switch a profile from complain to enforce mode. Which THREE commands are appropriate? (Choose three.)
Shows status of all AppArmor profiles.
Why this answer
B is correct because `aa-status` is the standard command to display the current status of all AppArmor profiles, including which are in enforce or complain mode. This directly meets the administrator's need to verify profile status before switching modes.
Exam trap
The trap here is that candidates confuse `aa-complain` with `aa-enforce` or think that reloading a profile with `apparmor_parser` changes its mode, when in fact the mode is set separately via the `aa-*` utilities.
A security audit reveals that users can change their password without meeting complexity requirements. Which PAM module should be configured to enforce password complexity?
pam_pwquality enforces password strength rules.
Why this answer
pam_pwquality is the module that enforces password quality rules like length, character classes, etc.
A security analyst wants to ensure that users cannot change their password more than once every 7 days. Which command and option should be used to enforce this policy for user 'jsmith'?
-m sets minimum days between password changes.
Why this answer
The `chage -m 7 jsmith` command sets the minimum number of days required between password changes for user jsmith to 7 days. The `-m` option of `chage` specifically controls the minimum password age, preventing the user from changing their password more than once every 7 days.
Exam trap
The trap here is confusing the `-m` (minimum days) and `-M` (maximum days) options of `chage`, as candidates often mix up which option controls the minimum interval between password changes versus the password expiration period.
How to eliminate wrong answers
Option A is wrong because `usermod -e` sets an account expiration date, not a minimum password age. Option C is wrong because `chage -M` sets the maximum password age (how long a password is valid), not the minimum interval between changes. Option D is wrong because `passwd -n` is not a valid option; the correct command to set minimum password age is `chage -m`, not `passwd`.
A Linux server fails to boot after an administrator edits /etc/selinux/config and sets SELINUX=disabled. What is the most likely reason for the boot failure?
SELINUX accepts enforcing, permissive, or disabled; 0 is invalid and may cause boot failure.
Why this answer
Setting SELINUX=disabled is a valid value and by itself should not prevent the system from booting; disabling SELinux can cause services that rely on SELinux contexts to misbehave, but it does not stop the boot. The SELINUX directive in /etc/selinux/config accepts only enforcing, permissive, or disabled, so the most likely cause of a boot failure after editing this file is that the administrator set an invalid value such as SELINUX=0, or made a typo. A related pitfall is changing the SELinux setting in /etc/selinux/config without a filesystem relabel (for example with 'fixfiles onboot') or without matching kernel parameters.
An administrator wants to force a password change for user 'alice' on next login. Which command is appropriate?
Correct: --expire forces immediate password change.
Why this answer
The passwd --expire command forces password expiration, so the user must change their password on next login.
A Linux administrator wants to monitor changes to the /etc/passwd file for security auditing. Which auditctl command should be used?
Correctly watches for write and attribute changes.
Why this answer
auditctl -w /etc/passwd -p wa -k passwd_change watches for write and attribute changes.
A Linux administrator needs to implement password complexity rules requiring at least one uppercase letter, one digit, and a minimum length of 10 characters. Which two PAM configuration entries would be used? (Choose TWO.)
Enforces minimum length and requires uppercase and digit.
Why this answer
Option C is correct because the `pam_pwquality.so` module enforces password complexity rules. The `minlen=10` parameter sets the minimum password length to 10 characters, `ucredit=1` requires at least one uppercase letter, and `dcredit=1` requires at least one digit. The `requisite` control ensures that if these checks fail, authentication is immediately denied without further processing.
Exam trap
Cisco often tests the distinction between `pam_pwquality.so` (complexity) and `pam_pwhistory.so` (history), and candidates may confuse `auth` modules (like `pam_faillock.so`) with `password` modules, or forget that `pam_unix.so` does not enforce complexity rules.
To limit the number of processes a user can create, which file should be configured?
This file defines hard and soft limits for resources like nproc.
Why this answer
/etc/security/limits.conf sets resource limits per user/group, including nproc (number of processes).
Which command displays the current SELinux mode?
Displays current mode.
Why this answer
getenforce displays the current SELinux mode (Enforcing, Permissive, Disabled). sestatus provides more detail including mode and policy version. setenforce changes mode, getsebool shows booleans.
A system administrator needs to configure sudo so that members of the 'wheel' group can execute any command without a password. Which line should be added to /etc/sudoers (using visudo)?
Correct: % denotes group, NOPASSWD eliminates password prompt.
Why this answer
To allow the wheel group to run all commands without a password, the line should be '%wheel ALL=(ALL) NOPASSWD: ALL'.
A security audit reveals that an SELinux boolean 'httpd_can_network_connect' is currently off, but a web application requires Apache to connect to a database server. Which command should the administrator use to enable this boolean persistently?
Correctly sets the boolean persistently.
Why this answer
setsebool -P makes the change persistent across reboots.
Which command displays the current SELinux mode (e.g., enforcing, permissive, disabled)?
Correct. getenforce prints enforcing, permissive, or disabled.
Why this answer
getenforce shows the current mode. getsebool shows boolean values. sestatus shows more detailed status including mode and policy. seinfo shows policy information.
Which command can be used to generate an SSH key pair for user authentication?
ssh-keygen generates SSH key pairs.
Why this answer
The `ssh-keygen` command is the standard tool for generating SSH key pairs (public and private keys) used for user authentication. It creates RSA, ECDSA, Ed25519, or DSA key files (e.g., `~/.ssh/id_rsa` and `~/.ssh/id_rsa.pub`) and supports options like `-t` for key type and `-b` for bit length, directly enabling passwordless login via public key authentication.
Exam trap
The trap here is that candidates confuse `ssh-keygen` (key generation) with `ssh-copy-id` (key deployment) or `ssh-add` (key loading), leading them to pick a command that manages existing keys rather than creating new ones.
How to eliminate wrong answers
Option A is wrong because `ssh-keyscan` is used to gather SSH public host keys from remote servers, not to generate user key pairs. Option C is wrong because `ssh-copy-id` installs an existing public key onto a remote server's `authorized_keys` file, but does not generate keys itself. Option D is wrong because `ssh-add` adds private key identities to the SSH authentication agent (`ssh-agent`), but it cannot create new key pairs.
A user reports being unable to log in because the password is locked. The administrator needs to unlock the account. Which command should be used?
Correct: -u unlocks the account.
Why this answer
passwd -u unlocks a locked account. usermod -U also works. Among options, passwd -u is correct.
A system administrator needs to configure PAM to lock a user account after 5 failed login attempts for 15 minutes. Which two PAM modules and configuration lines are appropriate? (Select TWO.)
pam_tally2 can also be used for account lockout with similar options.
Why this answer
pam_faillock can be used to lock accounts after failed attempts. The 'deny' option sets the threshold, and 'unlock_time' sets the lockout duration. Alternatively, pam_tally2 can be used with similar options.
Which of the following correctly describes the purpose of the /etc/shadow file?
Correct.
Why this answer
The /etc/shadow file stores encrypted (hashed) user passwords and password aging information such as the date of last password change, minimum/maximum password age, and account expiration. This file is readable only by root to protect password hashes from unauthorized access, unlike /etc/passwd which is world-readable.
Exam trap
The trap here is that candidates confuse the purpose of /etc/shadow with /etc/passwd, mistakenly thinking /etc/shadow stores UID, GID, and shell, when in fact those are in /etc/passwd and /etc/shadow specifically holds password hashes and aging data.
How to eliminate wrong answers
Option A is wrong because the list of users who can use sudo is stored in /etc/sudoers (or /etc/sudoers.d/), not in /etc/shadow. Option B is wrong because group memberships and group passwords are stored in /etc/group and /etc/gshadow, not in /etc/shadow. Option C is wrong because user account information including UID, GID, and shell is stored in /etc/passwd, not in /etc/shadow.
An administrator wants to enforce an account lockout policy after five failed login attempts on a Linux system. Which PAM module should be added to the authentication stack?
pam_faillock locks accounts after a defined number of failures.
Why this answer
pam_faillock is used for account lockout after failed attempts. pam_unix handles authentication, pam_pwquality checks password strength, pam_tally2 is an older module.
A system administrator configures PAM to enforce account lockout after 3 failed login attempts. Which PAM module should be used?
pam_faillock manages account lockout based on failed attempts.
Why this answer
pam_faillock is the correct PAM module for enforcing account lockout after a specified number of failed login attempts. It tracks failed authentication attempts per user and can lock the account when the threshold (e.g., 3 attempts) is reached, typically by writing to a tally file like /var/log/faillock.
Exam trap
The trap here is that candidates may confuse pam_faillock with pam_tally2 (a legacy module) or assume pam_unix alone can enforce lockout, but pam_unix lacks built-in lockout tracking and requires pam_faillock or pam_tally2 for that feature.
How to eliminate wrong answers
Option B (pam_pwquality) is wrong because it enforces password quality rules (e.g., length, complexity) during password changes, not account lockout after failed logins. Option C (pam_securetty) is wrong because it restricts root login to terminals listed in /etc/securetty, not lockout policies. Option D (pam_unix) is wrong because it handles standard Unix authentication (e.g., verifying passwords via /etc/shadow) but does not provide account lockout functionality on its own.
A security policy requires that all users must have passwords with at least one uppercase letter, one digit, and a minimum length of 12 characters. Which PAM configuration file and module should be used to enforce this?
pam_pwquality.so enforces password complexity rules.
Why this answer
pam_pwquality is used for password complexity requirements. It is typically configured in /etc/pam.d/common-password (or system-auth, password-auth) with options like minlen, ucredit, dcredit.
A Linux administrator needs to add a new user named 'jdoe' with a home directory and default shell /bin/bash. Which command should be used?
Correct. useradd with -m creates home directory and -s sets shell.
Why this answer
The useradd command is used to create new users. The -m option creates the home directory, and -s sets the shell. usermod modifies existing users, passwd sets passwords, and chage manages password aging.
An administrator notices that a process is running with the context 'unconfined_u:unconfined_r:unconfined_t:s0'. What does this indicate about SELinux?
Unconfined domains have minimal restrictions.
Why this answer
The 'unconfined' domain means the process is not restricted by SELinux policy; it can run as if SELinux is disabled.
Which command displays the current SELinux mode?
Correct command.
Why this answer
The `getenforce` command displays the current SELinux mode as either Enforcing, Permissive, or Disabled. It directly queries the SELinux status from the kernel and returns the current enforcement state without requiring elevated privileges. This makes it the correct command for simply viewing the current mode.
Exam trap
The trap here is that candidates confuse `setenforce` (which changes the mode) with `getenforce` (which displays the mode), or they assume `sestatus` is the only command to check SELinux state, overlooking the simpler `getenforce` command specifically asked for the current mode.
How to eliminate wrong answers
Option A is wrong because `selinuxenabled` only returns an exit code (0 if SELinux is enabled, 1 if disabled) and does not display the current mode. Option B is wrong because `sestatus` provides detailed SELinux status information including the mode, but it is not the command that specifically displays only the current mode; it shows additional context like policy version and loaded policy name. Option C is wrong because `setenforce` is used to change the SELinux mode (e.g., `setenforce 0` for permissive, `setenforce 1` for enforcing) and does not display the current mode.
A system administrator is hardening SSH and needs to disable root login and password authentication. Which two directives should be set in /etc/ssh/sshd_config?
These two settings disable root login and password auth.
Why this answer
Option C is correct because disabling root login and password authentication are two separate directives in sshd_config. PermitRootLogin no prevents direct SSH access for the root user, and PasswordAuthentication no disables password-based logins, forcing the use of key-based authentication. Both directives are required to meet the hardening goal.
Exam trap
The trap here is that candidates confuse ChallengeResponseAuthentication with PasswordAuthentication, or assume DenyUsers is a valid directive for blocking root, when the correct syntax is PermitRootLogin no.
How to eliminate wrong answers
Option A is wrong because ChallengeResponseAuthentication no disables challenge-response authentication (e.g., keyboard-interactive), but it does not disable password authentication; PasswordAuthentication must be explicitly set to no. Option B is wrong because DenyUsers root is not a valid sshd_config directive; the correct directive is PermitRootLogin no. Option D is wrong because PasswordAuthentication yes enables password authentication, which contradicts the requirement to disable it; PermitRootLogin prohibit-password allows root login with key-based authentication but does not disable password authentication for other users.
An administrator wants to generate a self-signed certificate and private key for testing. Which command creates both in one step?
Generates key and certificate in one command.
Why this answer
Option A is correct because the `openssl req -x509 -newkey rsa:2048` command generates a new private key (via `-newkey`) and immediately creates a self-signed X.509 certificate (via `-x509`) in a single step. The `-keyout` and `-out` flags specify the output files for the private key and certificate, respectively, and `-nodes` ensures the private key is not encrypted with a passphrase, which is typical for testing scenarios.
Exam trap
The trap here is that candidates often confuse `openssl req -new` (which creates a CSR) with `openssl req -x509` (which creates a self-signed certificate), leading them to pick option C, which requires a pre-existing key and does not generate both in one step.
How to eliminate wrong answers
Option B is wrong because `openssl genrsa` only creates an RSA private key; it does not generate a certificate, so it fails to produce both artifacts in one step. Option C is wrong because it uses `-key key.pem` to reference an existing private key file, meaning the private key must already exist; it does not create a new private key as part of the command. Option D is wrong because `openssl x509 -req` processes a Certificate Signing Request (CSR) and signs it with a provided key; it requires a pre-existing CSR and private key, so it does not generate both in one step.
This appends a rule to the INPUT chain to drop SSH from that source.
Why this answer
The correct syntax is iptables -A INPUT -p tcp --dport 22 -s 10.0.0.100 -j DROP. The chain is INPUT, protocol tcp, destination port 22, source IP, and target DROP.
A Linux administrator is troubleshooting a service that fails to start. The audit.log shows an AVC denial related to the httpd_t domain. The administrator wants to see the full denial message and generate a policy to allow the access. Which two commands should be used in conjunction?
ausearch retrieves the denial, and audit2allow creates a policy module to allow it.
Why this answer
The correct answer is D because `ausearch` retrieves the full AVC denial message from the audit log, and `audit2allow` generates a policy module to allow the denied access. Together, they enable the administrator to first identify the exact denial and then create a custom SELinux policy to permit the httpd_t domain's blocked action.
Exam trap
The trap here is that candidates confuse `ausearch` with `aureport` or `auditctl`, or think `restorecon` can fix AVC denials, when in fact only `ausearch` paired with `audit2allow` provides the complete solution for generating a custom policy from a denial message.
How to eliminate wrong answers
Option A is wrong because `auditctl` configures audit rules and does not retrieve denial messages, while `ausearch` alone cannot generate a policy. Option B is wrong because `restorecon` restores default SELinux contexts on files, which does not address AVC denials or generate policies. Option C is wrong because `aureport` summarizes audit events but does not produce a policy, and `audit2why` explains denials but does not generate an allow policy.
An administrator notices that an AppArmor profile is in complain mode for a service that should be enforcing. Which command changes the profile to enforce mode?
Enforces the specified profile.
Why this answer
aa-enforce sets a profile to enforce mode. aa-complain sets it to complain mode, aa-status shows profile status, and apparmor_parser loads profiles.
An administrator is troubleshooting an AppArmor profile that is blocking a custom application. They want to set the profile to complain mode to gather violations without enforcing. Which command should they use?
Sets complain mode.
Why this answer
aa-complain sets the profile to complain mode.
A security audit has identified that several users have excessive sudo privileges. The administrator needs to review and modify sudo access. Which two files or commands would be used? (Choose TWO.)
Command to safely edit /etc/sudoers.
Why this answer
visudo is the recommended way to edit /etc/sudoers safely. The file /etc/sudoers contains the rules. /etc/sudoers.d/ is a directory for drop-in files. The other options are unrelated.
To harden SSH, an administrator needs to disable root login over SSH. Which directive should be set in /etc/ssh/sshd_config?
Correct directive to disable root login.
Why this answer
PermitRootLogin no prevents root from logging in via SSH.
A user named 'jdoe' needs to run commands as root without being given the root password. The administrator wants to grant jdoe the ability to run any command as root, but only after entering their own password. Which entry in /etc/sudoers accomplishes this?
This allows jdoe to run any command as any user, but requires a password by default.
Why this answer
The format is 'user host=(runas) commands'. The correct entry grants jdoe full root access with password authentication.
A security audit reveals that a service is running with an incorrect SELinux context. Which two commands can be used to relabel the file or directory to the correct context? (Choose TWO.)
Restores default SELinux context.
Why this answer
restorecon restores default context based on policy, and chcon can set a specific context manually.
A Linux administrator needs to prevent the root user from logging in via SSH. Which directive should be set in /etc/ssh/sshd_config to accomplish this?
This setting prevents root from logging in via SSH.
Why this answer
The directive `PermitRootLogin no` in `/etc/ssh/sshd_config` explicitly disallows the root user from authenticating via SSH, regardless of the authentication method used. This is the standard way to block root SSH logins while still allowing other users to connect.
Exam trap
The trap here is that candidates often confuse `PasswordAuthentication no` with blocking root login, not realizing that root could still authenticate via SSH keys or other mechanisms if `PermitRootLogin` is not explicitly set to `no`.
How to eliminate wrong answers
Option A is wrong because `PasswordAuthentication no` disables password-based authentication for all users, but root could still log in using a public key or other methods; it does not specifically prevent root login. Option C is wrong because `MaxAuthTries 1` limits the number of authentication attempts per connection, but it does not prevent root from logging in on the first successful attempt. Option D is wrong because `AllowUsers root` explicitly permits only the root user to log in, which is the opposite of what is needed.
A web server running on port 8080 must be accessible from external networks. The system uses firewalld. Which command opens port 8080/tcp permanently in the default zone?
Correct: --permanent makes it persistent, --add-port opens the port.
A security audit reveals that the /etc/shadow file is readable by all users. What is the most appropriate immediate action?
Sets proper permissions and ownership to root and shadow group.
Why this answer
The /etc/shadow file stores hashed user passwords and must be protected from unauthorized access. The correct command is `chmod 600 /etc/shadow && chown root:shadow /etc/shadow` because it sets the file to be readable and writable only by the owner (root) and changes the group to 'shadow', which is the standard group used by many Linux distributions to allow certain system utilities (like `pwck` or `unix_chkpwd`) to read the file without granting access to all users. This ensures that only root and members of the shadow group can read the file, immediately fixing the security issue.
Exam trap
Cisco often tests the misconception that simply setting restrictive permissions (like 600) is sufficient, without also ensuring the correct group ownership (shadow), which is a common oversight in Linux security hardening.
How to eliminate wrong answers
Option A is wrong because `chmod 000 /etc/shadow` removes all permissions for everyone, including root, which would break system authentication and password management utilities that require root to read the file. Option C is wrong because `chmod 640 /etc/shadow` gives read permission to the group, which is typically not the shadow group by default and could still expose the file to unauthorized users if the group is set incorrectly. Option D is wrong because `chmod 600 /etc/shadow` alone does not change the group ownership to 'shadow', so the file might remain accessible to a group that should not have access, failing to follow the principle of least privilege and standard Linux security practices.
A technician needs to ensure a service can listen on TCP port 8443 using firewalld. Which command permanently adds the port to the default zone?
Correctly adds port 8443/tcp permanently.
An administrator runs 'auditctl -w /etc/passwd -p wa -k passwd_changes' to monitor changes to /etc/passwd. Which command should be used to search the audit log for all events related to this watch?
Correct. ausearch with -k searches for audit events with that key.
Why this answer
The `ausearch -k passwd_changes` command is correct because it searches the audit log for events that were tagged with the key `passwd_changes` when the watch was created via `auditctl -w /etc/passwd -p wa -k passwd_changes`. The `-k` option in `auditctl` assigns a key to the rule, and `ausearch` uses that same key to filter and retrieve matching audit records from `/var/log/audit/audit.log`.
Exam trap
The trap here is that candidates confuse `ausearch` (for searching logs) with `aureport` (for generating summaries) or `auditctl -l` (for listing rules), leading them to pick a command that does not actually retrieve historical audit events.
How to eliminate wrong answers
Option B is wrong because `auditctl -l -k passwd_changes` lists currently loaded audit rules, not search results from the audit log; it would show the rule itself, not events. Option C is wrong because `tail -f /var/log/audit/audit.log | grep passwd_changes` is a raw log tail with grep, which is inefficient and unreliable for structured audit log searching, and it does not use the dedicated `ausearch` tool that properly parses audit records. Option D is wrong because `aureport -k passwd_changes` generates summary reports of audit events, not a detailed event listing; it aggregates data and does not output individual audit records like `ausearch` does.
An administrator needs to configure iptables to allow incoming SSH traffic only from the 10.0.0.0/8 network and drop all other incoming traffic except established connections. Which TWO rules are necessary?
Allows SSH from the 10.0.0.0/8 network.
Why this answer
Option D is correct because it explicitly allows incoming SSH traffic (TCP port 22) from the 10.0.0.0/8 network, which matches the requirement to permit SSH only from that subnet. Option E is correct because it accepts all packets that are part of an established or related connection, ensuring that return traffic for outbound connections is not dropped by the default policy or subsequent rules.
Exam trap
The trap here is that candidates often forget to include the rule for established connections (Option E) and mistakenly think setting a default DROP policy (Option B) or a blanket DROP rule (Option C) alone is sufficient, not realizing that without allowing established traffic, all return packets are dropped, breaking connectivity.
A system administrator is configuring PAM to lock out users after 3 failed login attempts for 15 minutes. Which TWO PAM modules can be used together to achieve this? (Select TWO.)
pam_faillock can enforce lockout after failed attempts.
Why this answer
pam_faillock.so is the modern PAM module designed to track failed login attempts and enforce account lockout policies. It can be configured with parameters like `deny=3` to lock after three failures and `unlock_time=900` to set a 15-minute lockout duration. This module is the recommended replacement for the deprecated pam_tally2.so in current Linux distributions.
Exam trap
The trap here is that candidates often select pam_tally2.so (option B) because it was historically used for this purpose, but the exam expects knowledge of the modern, supported module pam_faillock.so, and they may also mistakenly think pam_unix.so alone handles lockout when it only performs standard Unix authentication.
An administrator wants to harden SSH access by implementing the following: disallow root login, disable password authentication, and limit the number of authentication attempts. Which three configuration directives should be set in /etc/ssh/sshd_config? (Choose THREE.)
Disallows root login via SSH.
Why this answer
PermitRootLogin no disallows root login, PasswordAuthentication no disables password authentication, and MaxAuthTries limits the number of authentication attempts per connection.
An administrator notices repeated failed login attempts in /var/log/secure. The company policy requires account lockout after 5 failed attempts within 15 minutes. Which PAM module and configuration can enforce this?
This configuration locks after 5 attempts and unlocks after 15 minutes.
Why this answer
Option D is correct because pam_faillock.so is the PAM module specifically designed to track failed login attempts and enforce account lockout policies. The `deny=5` parameter sets the threshold to 5 failures, and `unlock_time=900` sets the lockout duration to 900 seconds (15 minutes), matching the policy requirement exactly.
Exam trap
The trap here is confusing password policy modules (pam_pwquality.so, pam_unix.so) or session limits (pam_limits.so) with the dedicated account lockout module pam_faillock.so, leading candidates to select options that address different security controls.
How to eliminate wrong answers
Option A is wrong because pam_unix.so with `remember=5` controls password history (preventing reuse of the last 5 passwords), not account lockout after failed logins. Option B is wrong because pam_pwquality.so with `minlen=5` enforces password complexity and minimum length, not failed login attempt tracking. Option C is wrong because pam_limits.so with `maxlogins=5` limits the maximum number of concurrent login sessions for a user, not the number of failed attempts before lockout.