CCNA System Security Questions

5 of 80 questions · Page 2/2 · System Security topic · Answers revealed

76
MCQ · hard

An administrator wants to create a chroot environment for a potentially compromised service. The service needs to read /etc/resolv.conf and /etc/hosts, and run from a directory /chroot/service. Which of the following steps is essential to ensure the chroot environment is secure and functional?

A. Set the chroot directory to be read-only.
B. Mount /proc within the chroot jail.
C. Copy only the service binaries and configuration files into the chroot.
D. Create /dev/null and /dev/random inside the chroot using mknod.
Answer: D

Device files are required for many system calls; without them, the service may crash or hang.

Why this answer

Option D is correct because the chroot environment must contain the device files that system calls depend on. Option C is wrong because copying binaries into the chroot is not always sufficient; they must be linked against libraries available inside. Option B is wrong because /proc needs to be mounted for some services and is often needed, but it is not essential for the basic resolution files.

Option A is wrong because making the jail a read-only filesystem is a security measure but not essential for functionality. The most essential step is to create device nodes (like /dev/null, /dev/random) because many services require them.

77
MCQ · medium

Refer to the exhibit. What is the effect of this sudoers configuration?

A. Users alice and bob can run any software command on the localhost only.
B. Members of ADMINS can run any command as root on any host.
C. Users alice and bob can run apt-get and dpkg on any host as root, requiring a password.
D. Users alice and bob can run apt-get and dpkg without a password.
Answer: C

The configuration grants exactly that: the specified commands, on any host, with a password prompt.

Why this answer

The directive 'ADMINS ALL = SOFTWARE' grants members of the ADMINS group (alice and bob) permission to run the commands in SOFTWARE (apt-get and dpkg) on any host (ALL) as root. No NOPASSWD tag is present, so a password is required.

78
MCQ · easy

An administrator wants to drop incoming TCP packets on port 22 from IP 10.0.0.5 using iptables. Which command is correct?

A. iptables -A INPUT -d 10.0.0.5 -p tcp --dport 22 -j DROP
B. iptables -A FORWARD -s 10.0.0.5 -p tcp --dport 22 -j DROP
C. iptables -A OUTPUT -s 10.0.0.5 -p tcp --dport 22 -j DROP
D. iptables -A INPUT -s 10.0.0.5 -p tcp --dport 22 -j DROP
Answer: D

This correctly matches incoming packets from 10.0.0.5 to port 22 and drops them.

Why this answer

The correct command uses the INPUT chain, source IP, protocol TCP, destination port 22, and target DROP. Options A, B, and C use incorrect chains or directions.

79
MCQ · easy

A system administrator wants to ensure that all commands executed by root are logged to a remote syslog server. Which rsyslog configuration directive should be used?

A. auth.* @192.168.1.100
B. authpriv.* @192.168.1.100
C. user.* @192.168.1.100
D. kern.* @192.168.1.100
Answer: B

The authpriv facility logs security/authorization messages, including sudo commands.

Why this answer

Option B is correct because the `authpriv` facility in rsyslog is specifically designated for security and authorization messages, including all commands executed by root via `sudo` or direct login. The directive `authpriv.* @192.168.1.100` sends all messages from this facility to the remote syslog server at UDP port 514. This matches the requirement to log root's commands, as Linux systems typically log such events under the `authpriv` facility.

Exam trap

The trap here is confusing `auth` with `authpriv` — candidates often pick `auth.*` thinking it covers all authentication, but `authpriv` is the correct facility for privileged command logging and is a key distinction tested in LPIC-2.

How to eliminate wrong answers

Option A is wrong because `auth.*` covers general authentication events (e.g., login attempts) but not the detailed command logging from root's sessions, which is specifically assigned to `authpriv`. Option C is wrong because `user.*` is for generic user-level messages, not security-related command logs. Option D is wrong because `kern.*` captures kernel messages, not user command execution logs.

80
Drag & Drop · medium

Order the steps to configure a Linux system as a router using iptables.

Why this order

Enable forwarding, set policies, add NAT and forward rules, then save.
