CCNA Manage Security Questions

48 questions · Manage Security topic · All types, answers revealed

Question 1 · MCQ · easy

A system administrator needs to allow members of the 'developers' group to run any command as root without being prompted for a password. Which sudoers configuration line should be added?

A. %developers ALL=(root) PASSWD: ALL
B. %developers ALL=(ALL) NOPASSWD: ALL
C. developers ALL=(ALL) NOPASSWD: ALL
D. %developers ALL=(ALL) ALL
Answer: B

This line grants passwordless sudo to the group.

Why this answer

Option B is correct because the line `%developers ALL=(ALL) NOPASSWD: ALL` grants all members of the 'developers' group (indicated by the `%` prefix) permission to run any command as any user (including root) via sudo without being prompted for a password. The `NOPASSWD` tag is the key directive that bypasses password authentication, which directly matches the requirement to run commands as root without a password.

Exam trap

Red Hat often tests the distinction between user and group entries in sudoers, where omitting the `%` prefix causes candidates to mistakenly apply the rule to a user instead of a group, leading to a non-functional configuration.

How to eliminate wrong answers

Option A is wrong because it uses `PASSWD: ALL` instead of `NOPASSWD: ALL`, which would still require the user to enter a password when running sudo commands, contrary to the requirement. Option C is wrong because it omits the `%` prefix before 'developers', which means the rule applies to a user named 'developers' rather than the group, so members of the group would not be affected. Option D is wrong because it lacks the `NOPASSWD` tag entirely, meaning sudo would prompt for a password by default, and it also uses `ALL` for the user specification without the `%` prefix, making it apply to a user named 'developers' instead of the group.

Question 2 · MCQ · medium

A file has been assigned an incorrect SELinux context, preventing a service from accessing it. Which command restores the default SELinux context for that file?

A. restorecon
B. chcon
C. fixfiles
D. setfiles
Answer: A

restorecon restores the default context for the specified file.

Why this answer

The 'restorecon' command restores the default SELinux security context as defined by the policy. 'chcon' changes context manually, 'setfiles' is for bulk relabeling, and 'fixfiles' is for comprehensive relabeling.

Question 3 · Drag & Drop · medium

Order the steps to configure firewall rules to allow HTTP and HTTPS traffic using firewalld.

Why this order

Firewalld rules are added with --permanent flag and then reloaded to take effect.

Question 4 · MCQ · hard

An administrator needs to grant user 'dev' the ability to execute /usr/local/bin/deploy.sh as root without a password, but no other commands. Which sudoers entry accomplishes this?

A. dev ALL=(root) PASSWD: /usr/local/bin/deploy.sh
B. dev ALL=(root) NOPASSWD: /usr/local/bin/deploy.sh
C. dev ALL=(ALL) NOPASSWD: /usr/local/bin/deploy.sh
D. %dev ALL=(root) NOPASSWD: /usr/local/bin/deploy.sh
Answer: B

This gives dev passwordless sudo to the specified command as root.

Why this answer

The correct syntax is 'dev ALL=(root) NOPASSWD: /usr/local/bin/deploy.sh'. This allows dev to run that specific command as root without a password.

Question 5 · MCQ · medium

A system administrator is managing a Red Hat Enterprise Linux 9 web server running Apache httpd. The server hosts a custom application that stores its files in /var/www/custom. The administrator has set ownership to apache:apache and file permissions to 755. However, when users access the web application, they receive a 'Forbidden' error. The httpd service is running, and SELinux is in enforcing mode. The administrator checks the SELinux context of the /var/www/custom directory and sees 'unconfined_u:object_r:default_t:s0'. What should the administrator do to resolve the issue without disabling SELinux?

A. Use semanage fcontext to set the SELinux type to httpd_sys_content_t and run restorecon
B. Set SELinux to permissive mode
C. Use chcon to set the SELinux type to httpd_sys_content_t
D. Add the apache user to the group that owns the directory
Answer: A

This changes the file context persistently; semanage fcontext adds a rule to the file context database, and restorecon applies it.

Why this answer

The SELinux type 'default_t' prevents httpd from reading the files. The correct approach is to change the context type to 'httpd_sys_content_t' persistently using semanage fcontext and then apply it with restorecon. Using chcon is temporary and will not survive a file system relabel.

Question 6 · Multi-Select · hard

Which THREE factors determine whether a local user can SSH into a Red Hat Enterprise Linux 9 system? (Choose three.)

Select 3 answers
A. The /etc/nologin file exists.
B. The user has sudo privileges.
C. The user's shell is listed in /etc/shells.
D. The user's ~/.ssh/authorized_keys file exists and has correct permissions.
E. The /etc/ssh/sshd_config file allows password or key authentication.
Answers: C, D, E

sshd checks if shell is valid; non-shell like /sbin/nologin prevents login.

Why this answer

Option C is correct because sshd validates that the user's login shell is listed in /etc/shells before allowing authentication. If the shell is not present in /etc/shells (e.g., /sbin/nologin or a custom script), sshd will deny the connection, even if the user has valid credentials. This check is controlled by the 'AllowUsers' and 'DenyUsers' directives but is a fundamental security measure to prevent users with non-standard shells from gaining interactive access.

Exam trap

The trap here is that candidates often confuse the /etc/nologin file (which affects console logins) with the /etc/shells check (which affects SSH), or assume that sudo privileges imply SSH access, when in reality SSH authentication is independent of sudo.

Question 7 · MCQ · hard

A Red Hat Enterprise Linux 9 system is configured as a router between an internal network (10.0.1.0/24) and a DMZ network (10.0.2.0/24). IP forwarding is enabled, and firewalld is active. The internal interface (eth0) is assigned to the 'internal' firewall zone, and the DMZ interface (eth1) is assigned to the 'dmz' zone. The requirement is that hosts on the internal network should be able to initiate connections to hosts in the DMZ, but the DMZ should not be able to initiate connections to the internal network. The administrator finds that traffic from internal to DMZ is being blocked. The internal zone has 'masquerade' enabled, and the dmz zone has no special settings. What is the most likely cause of the blocked traffic?

A. The dmz zone should be assigned to the internal interface
B. The internal zone is missing a rule to allow forwarded traffic to the DMZ
C. The internal zone has masquerade enabled, which is incorrect for a router
D. The dmz zone does not have masquerade enabled
Answer: B

By default, firewalld zones drop forwarded traffic between zones unless a policy or direct rule allows it. Adding a rich rule or using policy-based forwarding is needed.

Why this answer

In firewalld, zones do not automatically allow forwarding between them unless explicitly configured. The internal zone's forwarding to the dmz zone is likely not permitted. Masquerade is for NAT, not routing, and enabling it on the internal zone is inappropriate for a pure router and may interfere.

Question 8 · Multi-Select · easy

Which TWO commands can be used to display SELinux contexts of files? (Choose two.)

Select 2 answers
A. stat -c %C
B. chcon -l
C. id -Z
D. ls -Z
E. getenforce
Answers: A, D

Displays SELinux context with %C format.

Why this answer

The `stat -c %C` command displays the SELinux security context of a file by using the `%C` format specifier, which outputs the security context string. The `ls -Z` command also shows SELinux contexts for files in a directory listing, with the `-Z` flag specifically requesting security context information. Both commands are standard tools for viewing SELinux labels on files.

Exam trap

The trap here is that candidates confuse commands that display process or system-wide SELinux status (like `id -Z` and `getenforce`) with those that display file contexts, leading them to select options that show user or enforcement mode instead of file labels.

Question 9 · Matching · medium

Match each networking term to its definition.

Automatically assigns IP addresses to hosts

Resolves hostnames to IP addresses

Translates private IPs to public IPs

Combines multiple network interfaces for redundancy or throughput

Why these pairings

These are fundamental networking concepts in RHEL.

Question 10 · Multi-Select · easy

A systems administrator needs to list all currently defined firewall rules in firewalld, including rules for all zones. Which TWO commands can be used to accomplish this? (Choose exactly two.)

Select 2 answers
A. firewall-cmd --list-all-zones
B. iptables -L
C. systemctl status firewalld
D. firewall-cmd --get-default-zone
E. firewall-cmd --list-all
Answers: A, E

Lists rules for all zones, which includes all defined rules.

Why this answer

Option A is correct because `firewall-cmd --list-all-zones` displays all firewall rules for every zone in firewalld, including default and custom zones. Option E is correct because `firewall-cmd --list-all` shows all rules for the default zone, which is a subset of the full rule set. Although the question asks for 'all currently defined firewall rules in firewalld, including rules for all zones,' and `--list-all` alone covers only the default zone, it is still a valid, standard firewalld command that lists rules (for the default zone), and since the question requires exactly two answers it is accepted as the second correct choice.

Exam trap

The trap here is that candidates might think `iptables -L` is equivalent to listing firewalld rules, but firewalld uses a zone-based abstraction and its own command set, so `iptables -L` shows raw kernel rules that may not reflect firewalld's configuration, and `systemctl status` or `--get-default-zone` are status/info commands, not rule-listing commands.

Question 11 · MCQ · hard

An auditor requires that all failed SSH login attempts be logged to a separate file /var/log/ssh_failures. Which configuration is needed in /etc/rsyslog.conf or /etc/rsyslog.d/?

A. authpriv.err /var/log/ssh_failures
B. sshd.* /var/log/ssh_failures
C. authpriv.* /var/log/ssh_failures
D. auth.* /var/log/ssh_failures
Answer: A

This logs only error-level authpriv messages, which includes failed SSH.

Why this answer

Option A is correct because SSH authentication failures are logged by the `authpriv` facility with severity `err` or higher. The `authpriv.err` selector in rsyslog matches messages from the `authpriv` facility with a severity of `err` and above (including `crit`, `alert`, `emerg`), which covers failed SSH login attempts. This directs those messages to `/var/log/ssh_failures` as required.

Exam trap

The trap here is that candidates confuse the `auth` and `authpriv` facilities or think `sshd.*` is a valid selector, when in fact SSH authentication uses `authpriv` and only specific severity levels like `err` are needed for failures.

How to eliminate wrong answers

Option B is wrong because `sshd.*` is not a valid rsyslog facility; SSH logging uses the `authpriv` facility, not a service-specific facility name. Option C is wrong because `authpriv.*` logs all messages from the `authpriv` facility at any severity, including successful logins and informational messages, which would clutter the separate file with irrelevant data. Option D is wrong because `auth.*` logs all messages from the `auth` facility, which includes system authentication events like console logins and sudo, not just SSH failures, and may miss some SSH-specific messages that go to `authpriv`.

Question 12 · MCQ · hard

Refer to the exhibit. A web server is serving content from /var/www/html. SELinux is in enforcing mode. The web client reports 'Forbidden'. What is the most likely cause?

A. The file is owned by root, and Apache runs as apache user, so it cannot read.
B. The directory /var/www/html may have incorrect context or permissions preventing Apache from listing files.
C. The file permissions are 644, which restricts access.
D. The file has an incorrect SELinux context; it should be httpd_user_content_t.
Answer: B

Directory context or permissions are a common cause of forbidden errors.

Why this answer

The file itself has the correct context and permissions (644). The issue is likely that the directory /var/www/html has an incorrect context or permissions, preventing Apache from reading files within it. The option that blames the file's SELinux context is wrong because the file context is correct.

The option citing 644 permissions is wrong because 644 is readable. The ownership option is wrong because ownership does not matter with 644.

Question 13 · MCQ · hard

A company runs a web application on a Red Hat Enterprise Linux 8 server. The application is served by Apache HTTPD, and it requires read/write access to a custom directory /var/www/app_data. The SELinux context for the directory is set to httpd_sys_rw_content_t. Apache runs in enforcing mode. Recently, a new feature was added that requires Apache to connect to a database on the same server via a Unix socket. The database serves on /var/run/mysqld/mysqld.sock. After the feature deployment, the web application fails to connect to the database. The error logs show permission denied on the socket file. The socket file has permissions 660 and is owned by mysql:mysql. SELinux audit logs show AVC denials for httpd_t trying to connect to mysqld_var_run_t. Which of the following solutions should the administrator implement to allow Apache to read the database socket while maintaining security?

A. Change the SELinux context of the socket file to httpd_sys_rw_content_t using chcon.
B. Enable the SELinux boolean httpd_can_network_connect_db using setsebool -P httpd_can_network_connect_db on.
C. Enable the SELinux boolean httpd_can_connect_db using setsebool -P httpd_can_connect_db on.
D. Use semanage to add a context mapping for the socket file to httpd_var_run_t and set the httpd to permissive mode.
Answer: C

This boolean allows Apache to connect to local database sockets.

Why this answer

The correct solution is to enable the SELinux boolean httpd_can_connect_db. This boolean allows Apache to connect to a local database socket. Changing the socket's context to httpd_sys_rw_content_t with chcon is wrong because that is a file type for content, not sockets.

The httpd_can_network_connect_db boolean is for network databases. Setting httpd to permissive mode disables SELinux enforcement partially, which reduces security.

Question 14 · MCQ · medium

After configuring sudo, a user reports: 'sudo: unable to open /etc/sudoers: Permission denied'. The admin checks the file permissions and sees '-rw-r-----' owned by root:root. What is the most likely cause?

A. The file is owned by the wrong user.
B. The sudo binary is missing the setuid bit.
C. The file permissions are too permissive (0640 instead of 0440).
D. SELinux is blocking access.
Answer: C

Sudo verifies that /etc/sudoers has strict permissions; 0640 includes write for owner, which is not allowed.

Why this answer

Option C is correct because the sudoers file requires strict permissions of 0440 (owner read, group read) to be considered secure by sudo. The current permissions of 0640 (owner read/write, group read) are too permissive, as they grant write access to the owner (root), which violates sudo's security model. When sudo detects that /etc/sudoers has permissions other than 0440, it refuses to open the file and reports 'Permission denied' to prevent potential tampering.

Exam trap

The trap here is that candidates assume 'Permission denied' always means the user lacks read access, but sudo specifically rejects files with write permissions for root to enforce its security policy, not because the user cannot read the file.

How to eliminate wrong answers

Option A is wrong because the file is owned by root:root, which is the correct ownership for /etc/sudoers; the issue is with permissions, not ownership. Option B is wrong because the sudo binary's setuid bit is unrelated to this error; the error message specifically references /etc/sudoers, not the sudo executable, and a missing setuid bit would cause a different error like 'sudo: must be setuid root'. Option D is wrong because SELinux would produce a different error message (e.g., 'Permission denied' with an AVC denial logged in audit.log) and the file permissions are the direct cause here; SELinux is not indicated by the given permission string.

Question 15 · Multi-Select · easy

Which TWO of the following are valid methods to enforce password complexity requirements on a Red Hat Enterprise Linux 9 system?

Select 2 answers
A. Using the pam_cracklib module
B. Using the passwd command with --stdin
C. Using the chage command
D. Editing the /etc/shadow file manually
E. Using the pam_pwquality module
Answers: A, E

pam_cracklib is the legacy module, still available and functional for password complexity.

Why this answer

Password complexity on RHEL 9 is enforced via PAM modules. The pam_pwquality module (replacement for pam_cracklib) and pam_cracklib itself are the standard tools. The other options do not directly enforce complexity.

Question 16 · MCQ · medium

A web server is running in enforcing mode with SELinux, but Apache cannot read content in a custom directory /web. The directory has been labeled correctly with httpd_sys_content_t. However, access is still denied. What is the most likely cause?

A. SELinux boolean httpd_enable_homedirs is off.
B. The httpd process is running in permissive mode.
C. The directory has incorrect permissions of 700.
D. The files are labeled with default_t.
Answer: C

Permissions 700 deny access to others, including Apache.

Why this answer

The most likely cause is incorrect permissions on the directory. The SELinux context is correct, so the issue is likely file permissions (e.g., 700). The httpd_enable_homedirs boolean relates to home directories; a default_t label would be a wrong label, but the directory is labeled correctly; and permissive mode would allow everything rather than deny access.

Question 17 · MCQ · easy

Which file contains the hashed passwords for local user accounts?

A. /etc/security/passwd
B. /etc/passwd
C. /etc/shadow
D. /etc/gshadow
Answer: C

This is the file that stores hashed passwords.

Why this answer

The /etc/shadow file stores hashed passwords for local user accounts, along with password aging and expiration information. It is readable only by root (or privileged processes) to prevent unauthorized access to password hashes, unlike /etc/passwd which is world-readable.

Exam trap

Red Hat often tests the distinction between /etc/passwd (world-readable, stores user info but not hashes) and /etc/shadow (restricted, stores hashes), exploiting the common misconception that passwords are still in /etc/passwd.

How to eliminate wrong answers

Option A is wrong because /etc/security/passwd does not exist in standard Linux; it may be confused with /etc/security/opasswd (used by pam_pwhistory) or /etc/security/limits.conf, but none store hashed passwords. Option B is wrong because /etc/passwd historically stored password hashes but now uses an 'x' placeholder; it is world-readable and would expose hashes, so modern systems moved hashes to /etc/shadow. Option D is wrong because /etc/gshadow stores hashed passwords for group accounts (for group administrators), not for local user accounts.

Question 18 · MCQ · medium

A user reports that the Apache web server cannot serve the file /var/www/html/index.html on a RHEL 9 system when SELinux is in enforcing mode. Given the exhibit output, what is the most likely cause?

A. The firewalld service is blocking HTTP traffic on port 80.
B. The file is owned by root and Apache cannot read it.
C. The file permissions do not allow the apache user to read the file.
D. The SELinux context of the file is incorrect for web serving.
Answer: D

The context user_home_t is not allowed for httpd_t; it should be httpd_sys_content_t.

Why this answer

Option D is correct because the default SELinux context for files served by Apache in /var/www/html is `httpd_sys_content_t`. If the file has a different context (e.g., `unconfined_u:object_r:admin_home_t:s0`), SELinux will deny Apache read access even if standard Linux permissions are permissive. The `ls -Z` output would reveal the mismatch, and `restorecon -v /var/www/html/index.html` would fix it.

Exam trap

The trap here is that candidates often focus on file permissions or ownership (options B and C) because they are familiar from non-SELinux systems, but the question explicitly states SELinux is in enforcing mode, which overrides DAC permissions when a type mismatch exists.

How to eliminate wrong answers

Option A is wrong because firewalld blocking HTTP traffic would prevent remote clients from reaching the server, but the user reports the server cannot serve the file locally, and SELinux enforcing mode is the stated condition. Option B is wrong because file ownership by root does not inherently prevent Apache from reading it; Apache runs as the apache user and can read files owned by root if permissions allow (e.g., 644). Option C is wrong because the exhibit output (not shown here but implied) would show standard permissions like 644, which grant read access to the apache user; the issue is SELinux, not DAC permissions.

Question 19 · MCQ · hard

A system administrator wants to allow user 'jdoe' to execute any command as root via sudo without being prompted for a password, but only from the host 'client1.example.com'. Which sudoers rule achieves this?

A. jdoe client1.example.com=(root) NOPASSWD: ALL
B. jdoe client1.example.com=(root) ALL
C. jdoe ALL=(root) NOPASSWD: ALL
D. jdoe ALL=(root) ALL
Answer: A

Correct syntax: user host_list=(runas) TAG: command.

Why this answer

Option A is correct because the sudoers rule 'jdoe client1.example.com=(root) NOPASSWD: ALL' specifies the user 'jdoe', the host 'client1.example.com' as the source host from which the command is run, the target user '(root)', the NOPASSWD tag to skip password authentication, and the command 'ALL' to allow any command. This matches the requirement exactly: passwordless root access restricted to a specific client host.

Exam trap

The trap here is that candidates often forget the NOPASSWD tag when passwordless access is required, or they use 'ALL' for the host list instead of specifying the exact hostname, assuming 'ALL' means 'all commands' rather than 'all hosts'.

How to eliminate wrong answers

Option B is wrong because it omits the NOPASSWD tag, so 'jdoe' would still be prompted for a password when running sudo commands from client1.example.com. Option C is wrong because it uses 'ALL' as the host specification, allowing the rule to apply from any host, not just client1.example.com. Option D is wrong because it both omits the NOPASSWD tag and uses 'ALL' for the host, allowing password-protected sudo from any host.

Question 20 · Multi-Select · medium

Which THREE commands are used to manage SELinux file security contexts? (Select exactly three.)

Select 3 answers
A. setenforce
B. chcon
C. selinux
D. semanage fcontext
E. restorecon
Answers: B, D, E

Changes the SELinux context of a file.

Why this answer

chcon changes context manually, restorecon restores default context, and semanage fcontext manages file context definitions. setenforce toggles enforcing/permissive, and selinux is not a command.

Question 21 · MCQ · easy

A security policy requires that all files in /home have the default SELinux context for user home directories. Which command recursively restores the default context?

A. restorecon -Rv /home
B. semanage fcontext -a -t user_home_t /home
C. chcon -Rv default_t /home
D. setfiles -Rv /home
Answer: A

Restores default SELinux contexts recursively.

Why this answer

Option A is correct because `restorecon -Rv /home` recursively resets the SELinux context of all files under `/home` to the default type defined in the SELinux policy for user home directories (typically `user_home_t`). The `-R` flag enables recursion, and `-v` provides verbose output, ensuring compliance with the security policy requirement.

Exam trap

The trap here is that candidates often confuse `restorecon` with `chcon` or `semanage fcontext`, mistakenly thinking that adding a rule with `semanage` or manually setting a context with `chcon` is sufficient, when in fact only `restorecon` (or `setfiles`) applies the policy-defined default context to existing files.

How to eliminate wrong answers

Option B is wrong because `semanage fcontext -a -t user_home_t /home` adds a new default context rule to the SELinux policy database, but it does not immediately apply the context to existing files; a subsequent `restorecon` or `setfiles` is needed to actually relabel the files. Option C is wrong because `chcon -Rv default_t /home` manually sets the context to `default_t`, which is not the correct default type for user home directories (the correct type is `user_home_t`), and `chcon` does not use the policy database, so changes are not persistent after a full relabel. Option D is wrong because `setfiles -Rv /home` is used to relabel files based on a file context specification file (usually `/etc/selinux/targeted/contexts/files/file_contexts`), but it requires root and is typically used for initial labeling or after policy changes, not for simply restoring the default context as `restorecon` does; `setfiles` is more complex and not the standard command for this routine task.

Question 22 · MCQ · medium

A server's firewall is managed by firewalld. The admin adds a rule to allow HTTPS traffic to the public zone, but clients still cannot connect. What is the most likely cause?

A. The rule was added with --permanent but firewall-cmd --reload was not run.
B. The rule must be added as a rich rule, not a simple service.
C. The default zone is not set to public.
D. firewalld is just a wrapper for iptables, so iptables rules must be cleared.
Answer: A

Permanent rules do not affect runtime until reload.

Why this answer

Option A is correct because when a rule is added with the `--permanent` flag in firewalld, it is written to the configuration files but not applied to the runtime firewall. Until `firewall-cmd --reload` is executed, the runtime configuration remains unchanged, so the new rule allowing HTTPS traffic is not active. Clients cannot connect because the firewall is still blocking HTTPS based on the old runtime rules.

Exam trap

The trap here is that candidates often assume adding a rule with `--permanent` immediately takes effect, forgetting that firewalld requires a reload or the `--runtime-to-permanent` approach to synchronize changes.

How to eliminate wrong answers

Option B is wrong because HTTPS traffic can be added as a simple service using `firewall-cmd --add-service=https`; rich rules are not required for standard services like HTTPS. Option C is wrong because the rule was explicitly added to the public zone, so the default zone setting is irrelevant; the rule applies to the public zone regardless of whether it is the default. Option D is wrong because firewalld manages its own runtime and permanent configurations independently of iptables; clearing iptables rules would disrupt firewalld's state and is not necessary or recommended.

Question 23 · MCQ · medium

An administrator wants newly created files to be readable and writable only by the owner, and readable by group and others. Which umask value should be set?

A. 027
B. 022
C. 002
D. 077
Answer: B

umask 022 gives files 644 permissions.

Why this answer

A umask of 022 subtracts write permission for group and others from the default 666 (files) and 777 (directories), resulting in files with 644 permissions (owner read/write, group read, others read).

Question 24 · MCQ · hard

Refer to the exhibit. A web server (httpd) is unable to serve files from a user's home directory. What is the most appropriate single command to resolve the issue?

A. chcon -u system_u /home/user/www/index.html
B. setsebool -P httpd_enable_homedirs on
C. semanage fcontext -a -t httpd_sys_content_t '/home/user/www(/.*)?' && restorecon -Rv /home/user/www
D. chcon -r object_r /home/user/www/index.html
Answer: C

Changes the file context to httpd_sys_content_t, allowing httpd to read.

Why this answer

Option C is correct because it uses `semanage fcontext` to set the default SELinux file context for the `/home/user/www` directory tree to `httpd_sys_content_t`, then applies it with `restorecon`. This is the proper way to persistently label custom web content directories so that httpd can serve them, as SELinux policy by default blocks httpd from reading user home directories.

Exam trap

The trap here is that candidates confuse the SELinux boolean (`httpd_enable_homedirs`) with the file context labeling, thinking enabling the boolean alone fixes all home directory access issues, when in fact the specific directory must also have the correct type (`httpd_sys_content_t`) for httpd to serve it.

How to eliminate wrong answers

Option A is wrong because `chcon -u system_u` changes only the SELinux user (user identity), not the type; httpd requires the `httpd_sys_content_t` type, not a user change. Option B is wrong because `setsebool -P httpd_enable_homedirs on` enables the boolean that allows httpd to access user home directories, but the question states the web server is unable to serve files from a user's home directory, implying the issue is file labeling (the boolean is a separate toggle that may already be off, but the core problem is the missing type context on the specific directory). Option D is wrong because `chcon -r object_r` changes the SELinux role to `object_r`, which is irrelevant for httpd access; the required fix is setting the type to `httpd_sys_content_t`, not altering the role.

Question 25 · Multi-Select · medium

Which three statements about firewalld zones are correct? (Choose three.)

Select 3 answers
A. The default zone can be changed using firewall-cmd.
B. A network interface can be assigned to multiple zones simultaneously.
C. The 'public' zone is more restrictive than the 'trusted' zone.
D. Rich rules can specify source and destination addresses.
E. Zones can have a default target of only 'DROP' or 'ACCEPT'.
Answers: A, C, D

--set-default-zone changes the default zone.

Why this answer

Option A is true: the default zone can be changed. The statement that zones can have a default target of only 'DROP' or 'ACCEPT' is false: zones can have targets like 'default', 'ACCEPT', 'DROP', 'REJECT'. The statement that an interface can be assigned to multiple zones simultaneously is false: an interface can belong to only one zone.

Option D is true: rich rules allow detailed control. The statement that 'public' is more restrictive than 'trusted' is true.

Question 26 · MCQ · hard

Refer to the exhibit. A CGI script located at /var/www/cgi-bin/test.cgi fails to execute. What is the most likely cause?

A. The script is in the wrong directory.
B. The SELinux context should be httpd_sys_script_exec_t.
C. The script is not marked as executable.
D. The file permissions are incorrect.
Answer: B

Executable CGI scripts need the exec_t context.

Why this answer

CGI scripts require the httpd_sys_script_exec_t context to be executable by the web server. The current context httpd_sys_content_t is for static files only.

Question 27 · MCQ · medium

Refer to the exhibit. A host in the 192.168.1.0/24 network is unable to access a web service running on this server on port 8080. What is the most likely reason?

A. The service http is not defined for port 8080.
B. The rich rule only allows http (port 80), not the custom port 8080.
C. The zone is internal and has a default target of drop.
D. The interface eth1 is not added to the zone.
Answer: B

Port 8080 is not covered by the http service.

Why this answer

The rich rule only allows HTTP (port 80) from that source. The service is running on port 8080, which is not allowed. The zone's default target is 'default', which typically allows traffic, not drop, so the drop-target option is wrong.

The http service is defined, but for port 80, so the 'service not defined' option is wrong. The interface is added to the zone, so that option is wrong as well.

Question 28 · Multi-Select · easy

Which TWO statements about the /etc/shadow file are true? (Select exactly two.)

Select 2 answers
A. Contains hashed passwords for local users.
B. Contains the user's UID.
C. Is used to store encrypted group passwords.
D. Is readable by all users.
E. Contains password aging information such as minimum and maximum days.
Answers: A, E

This is the primary purpose of /etc/shadow.

Why this answer

The /etc/shadow file contains password hashes and password aging information. It is not world-readable; only root and members of the shadow group can read it (though default permissions vary).

29
MCQeasy

A junior admin needs to ensure that the 'apache' user (UID 48) cannot log in via SSH or console. Which command achieves this?

A.usermod -s /sbin/nologin apache
B.passwd -l apache
C.chage -l apache
D.usermod -e 1 apache
AnswerA

Sets shell to nologin, blocking interactive login.

Why this answer

Option A is correct because setting the user's login shell to `/sbin/nologin` prevents the user from obtaining an interactive shell via SSH or console login. When the user attempts to log in, the system executes `/sbin/nologin`, which prints a polite message and exits immediately, effectively denying shell access while leaving other services (e.g., Apache) functional.

Exam trap

The trap here is that candidates often confuse password locking (`passwd -l`) with shell restriction, not realizing that SSH key authentication or console login via `su` bypasses password locks, while changing the shell to `/sbin/nologin` blocks all interactive login methods.

How to eliminate wrong answers

Option B is wrong because `passwd -l apache` locks the user's password, preventing password-based authentication, but it does not prevent SSH key-based authentication or console login via other methods (e.g., su, sudo). Option C is wrong because `chage -l apache` lists the user's password aging information; it does not modify any setting that would block login. Option D is wrong because `usermod -e 1 apache` sets the account expiration date to January 1, 1970 (epoch), which disables the account entirely, but this is an overly aggressive approach that also prevents the Apache service from running as that user, whereas the requirement is only to prevent interactive login.

30
MCQeasy

A junior administrator is tasked with setting up SELinux contexts on a Red Hat Enterprise Linux 9 server to allow Apache HTTPD to read and write to a custom directory /var/www/customcontent. The directory already exists and contains several files. The administrator has confirmed that the httpd service is running and SELinux is in enforcing mode. After changing the context to httpd_sys_content_t using chcon, the web server can read files but cannot write to the directory. The administrator needs to fix this without disabling SELinux or changing the mode to permissive. Which of the following is the correct next step?

A.Set the SELinux boolean httpd_enable_homedirs to on using setsebool.
B.Run restorecon -R -v /var/www/customcontent after setting the default context with semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/customcontent(/.*)?'
C.Change the context to httpd_sys_content_t using chcon -R -t httpd_sys_content_t /var/www/customcontent
D.Run semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/customcontent(/.*)?' without running restorecon.
AnswerB

Sets the type to httpd_sys_rw_content_t and applies it recursively.

Why this answer

The directory already has the httpd_sys_content_t type, which allows reading but not writing. To enable write access, the correct type is httpd_sys_rw_content_t. Option B correctly uses semanage fcontext to set the default context to this type and then runs restorecon to apply it persistently, ensuring Apache can both read and write.

Exam trap

The trap here is that candidates may think setting the context with chcon or semanage alone is sufficient, but they overlook the need to run restorecon to apply the new default context to existing files, or they confuse httpd_sys_content_t (read-only) with httpd_sys_rw_content_t (read-write).

How to eliminate wrong answers

Option A is wrong because the httpd_enable_homedirs boolean controls access to user home directories, not to /var/www/customcontent, and does not grant write permissions to custom content directories. Option C is wrong because it sets the context to httpd_sys_content_t, which is read-only; the administrator already confirmed this type allows reading but not writing, so repeating the same action does not fix the write issue. Option D is wrong because running semanage fcontext without restorecon only sets the default context in the policy but does not apply it to the existing files and directories; the files retain their current context, so write access is not granted.

31
MCQeasy

To allow a user to run a specific program with root privileges without providing the root password, which configuration file should be modified?

A./etc/passwd
B./etc/security/limits.conf
C./etc/sudoers
D./etc/sysconfig/sshd
AnswerC

Sudoers file defines sudo privileges.

Why this answer

The /etc/sudoers file controls sudo privileges. The other files are not for this purpose.

32
MCQeasy

A sysadmin wants to allow user 'alice' to run all commands as root via sudo. Which line should be added to /etc/sudoers?

A.alice ALL=(root) ALL
B.alice localhost=(ALL) ALL
C.alice ALL=(ALL) ALL
D.%alice ALL=(ALL) ALL
AnswerC

This gives alice permission to run any command as any user on any host.

Why this answer

Option C is correct because the sudoers entry 'alice ALL=(ALL) ALL' grants user 'alice' the ability to run any command as any user (including root) on any host. The first 'ALL' specifies any host, '(ALL)' allows running commands as any target user (defaulting to root when no user is specified), and the final 'ALL' permits any command. This is the standard syntax for full sudo privileges.

Exam trap

Red Hat often tests the distinction between user and group entries in sudoers, where the '%' prefix indicates a group, causing candidates to mistakenly select '%alice' thinking it applies to the user 'alice'.

How to eliminate wrong answers

Option A is wrong because 'alice ALL=(root) ALL' restricts alice to only run commands as the root user, not as any other user (e.g., alice could not run commands as 'apache' or 'nobody'). Option B is wrong because 'alice localhost=(ALL) ALL' limits the host to 'localhost' only, meaning the rule applies only when the command is run on the machine named 'localhost', not on any host. Option D is wrong because '%alice ALL=(ALL) ALL' uses a '%' prefix, which defines a user group named 'alice' rather than the user 'alice' herself; this would grant privileges to all members of the 'alice' group, not to the individual user.

33
Multi-Selecteasy

Which two statements about SELinux modes are correct? (Choose two.)

Select 2 answers
A.Permissive mode denies actions but does not log.
B.Permissive mode logs violations but does not deny actions.
C.Enforcing mode only logs violations but does not deny.
D.Enforcing mode logs violations and denies actions.
E.Disabled mode completely disables SELinux without requiring a reboot.
AnswersB, D

Correct description of permissive mode.

Why this answer

Option B is correct because SELinux permissive mode allows all actions but logs any violations that would have been denied in enforcing mode. Option D is correct because enforcing mode both logs violations and denies actions that violate the SELinux policy, providing full security enforcement.

Exam trap

The trap here is that candidates often confuse permissive mode with logging-only behavior, forgetting that permissive mode does not deny actions, while enforcing mode both logs and denies, and that disabling SELinux requires a reboot, not just a runtime change.

34
MCQmedium

You are the system administrator for a small company. A developer, Alice, needs to restart the web server (httpd.service) on server 'web1.example.com' without being prompted for a password. She should also be able to run any command as root on that server, but only from the server itself (not remotely). Currently, Alice can SSH into the server using her SSH key, but when she runs 'sudo systemctl restart httpd', she is prompted for her password. You have verified that Alice is in the 'wheel' group. The sudoers file currently has the line '%wheel ALL=(ALL) ALL'. You want to modify sudoers to satisfy the requirement with minimal privilege. Which action should you take?

A.Add 'alice web1.example.com=(root) NOPASSWD: ALL' to /etc/sudoers.d/alice.
B.Add 'alice web1.example.com=(root) NOPASSWD: /usr/bin/systemctl restart httpd' to /etc/sudoers.d/alice.
C.Add 'alice web1.example.com=(root) /usr/bin/systemctl restart httpd' to /etc/sudoers.d/alice.
D.Change '%wheel ALL=(ALL) ALL' to '%wheel ALL=(ALL) NOPASSWD: ALL' in /etc/sudoers.
AnswerB

Minimal: only allows the needed command without password.

Why this answer

Option B is correct because it grants Alice passwordless sudo access specifically to the command `/usr/bin/systemctl restart httpd` on the host `web1.example.com` as root, meeting the requirement with minimal privilege. The `NOPASSWD:` tag is essential to bypass the password prompt, and the host restriction ensures the rule applies only when Alice is on that server.

Exam trap

The trap here is that candidates often forget the `NOPASSWD:` tag when the requirement explicitly says 'without being prompted for a password', leading them to choose Option C, which grants the command but still requires authentication.

How to eliminate wrong answers

Option A is wrong because it grants Alice passwordless sudo access to ALL commands as root on web1.example.com, which exceeds the minimal privilege requirement (she only needs to restart httpd). Option C is wrong because it lacks the `NOPASSWD:` tag, so Alice would still be prompted for a password when running the command. Option D is wrong because it modifies the wheel group rule to allow all wheel members passwordless sudo for all commands, which is excessive and violates the principle of least privilege.

35
MCQmedium

Which command checks if a user's password has expired and forces a password change at next login?

A.chage -d 0 username
B.passwd -f username
C.usermod -L username
D.passwd -l username
AnswerA

Sets last password change to 0, forcing change on next login.

Why this answer

chage -d 0 sets the last password change to epoch, forcing password change on next login. Option A locks the account. Option C locks the account.

Option D does not exist.

36
Multi-Selectmedium

A system administrator needs to configure a firewall using firewalld to allow incoming HTTPS traffic and deny incoming SSH traffic from a specific source IP 192.168.1.100. Which two commands should be run? (Choose two.)

Select 2 answers
A.firewall-cmd --runtime-to-permanent
B.firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.100 service name=ssh reject' --permanent
C.firewall-cmd --add-service=https --permanent
D.firewall-cmd --add-service=http --permanent
E.firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.100 service name=ssh drop' --permanent
AnswersC, E

Correct for HTTPS.

Why this answer

Option C is correct because `firewall-cmd --add-service=https --permanent` adds the HTTPS service (TCP port 443) to the permanent firewall configuration, which is required to allow incoming HTTPS traffic persistently across reboots. The `--permanent` flag ensures the rule survives a reload or restart, and the `--add-service` option uses predefined service definitions from firewalld to simplify rule creation.

Exam trap

The trap here is that candidates often confuse `reject` with `drop` in rich rules, or they mistakenly add the HTTP service instead of HTTPS, failing to distinguish between the two services and their respective ports.

37
MCQhard

A server uses firewalld with the default zone set to 'drop'. SSH is allowed only for the 192.168.1.0/24 subnet via a rich rule in the 'internal' zone. After a reboot, SSH connections from that subnet are refused. What is the most likely cause?

A.The subnet 192.168.1.0/24 is not a valid source for rich rules.
B.The network interface is not assigned to the 'internal' zone.
C.The rich rule was not made permanent.
D.The SSH service is not enabled in the default zone.
AnswerB

Without a permanent zone assignment, the interface reverts to the default zone on reboot.

Why this answer

After a reboot, firewalld applies the default zone to all interfaces not explicitly assigned to another zone. Since the rich rule allowing SSH from 192.168.1.0/24 is defined in the 'internal' zone, the network interface must be assigned to that zone for the rule to take effect. If the interface is not assigned (e.g., it remains in the default 'drop' zone), all incoming traffic, including SSH from the allowed subnet, is dropped by default.

Exam trap

The trap here is that candidates assume rich rules are globally evaluated regardless of zone assignment, but firewalld enforces rules only within the zone bound to the interface, so a rule in the wrong zone is effectively invisible to traffic on that interface.

How to eliminate wrong answers

Option A is wrong because 192.168.1.0/24 is a valid source address in firewalld rich rules; rich rules support CIDR notation for source filtering. Option C is wrong because if the rich rule were not made permanent, it would be lost after reboot, but the question states the rule exists (it was configured), and the issue is that it is not being applied—the interface assignment is the missing link. Option D is wrong because the default zone is 'drop', which by design does not allow any services; the SSH service is intentionally allowed only via a rich rule in the 'internal' zone, not in the default zone, so this is expected behavior and not the cause of the refusal.

38
MCQhard

A user reports that SSH key-based authentication fails, but password authentication works. The admin checks /etc/ssh/sshd_config: PubkeyAuthentication yes, PasswordAuthentication no (contrary to the report). Which is the most likely reason key-based auth fails?

A.SELinux is blocking SSH from reading the key.
B.The public key is not in ~/.ssh/authorized_keys.
C.SSH is configured to use a different port.
D.The .ssh directory has permissions 755.
AnswerD

sshd requires .ssh to be 700; 755 is too permissive.

Why this answer

Option D is correct because SSH key-based authentication requires that the ~/.ssh directory and its contents have restrictive permissions. If the .ssh directory has permissions 755, it is world-readable, which violates SSH's security model. SSH daemon (sshd) will refuse to use the authorized_keys file if the directory permissions are too permissive, causing key-based authentication to fail even though PubkeyAuthentication is enabled.

Exam trap

The trap here is that candidates assume key-based authentication fails only due to missing keys or disabled PubkeyAuthentication, overlooking the strict permission requirements that SSH enforces for security.

How to eliminate wrong answers

Option A is wrong because SELinux, by default, does not block SSH from reading user keys; SELinux contexts for SSH are typically set correctly, and a denial would require specific policy violations or misconfigurations. Option B is wrong because if the public key were missing from ~/.ssh/authorized_keys, password authentication would still work only if PasswordAuthentication were set to yes, but the config shows PasswordAuthentication no, so the user's report of password working contradicts this scenario. Option C is wrong because SSH being configured to use a different port would affect both key-based and password authentication equally, not selectively break key-based auth while leaving password auth functional.

39
MCQmedium

Refer to the exhibit. What is the primary security concern with this sudo configuration?

A.The NOPASSWD option eliminates the need for a password.
B.The entry uses (ALL) instead of (root), allowing jane to run as any user.
C.The less command allows executing shell commands via !, enabling privilege escalation.
D.The command /usr/bin/less can be used to read any file.
AnswerC

This is a well-known sudo escape vector.

Why this answer

The less command has the ability to execute other commands by typing '! command' within the pager. This allows jane to execute any command as root, effectively bypassing the restriction.

40
MCQmedium

Refer to the exhibit. An administrator wants to add the HTTP service (port 80) to the internal zone permanently. Which sequence of commands should be used?

A.firewall-cmd --add-service=http --zone=internal; firewall-cmd --reload
B.firewall-cmd --permanent --add-service=http --zone=internal; systemctl restart firewalld
C.firewall-cmd --zone=internal --add-service=http; firewall-cmd --runtime-to-permanent
D.firewall-cmd --zone=internal --add-service=http --permanent; firewall-cmd --reload
AnswerD

This adds the service permanently and reloads to apply.

Why this answer

To add a service permanently, use '--add-service' with '--permanent' and then reload firewalld to apply changes. The correct order is: firewall-cmd --zone=internal --add-service=http --permanent, then firewall-cmd --reload.

41
MCQeasy

Which command sets the password maximum age for user 'bob' to 30 days?

A.chage -M 30 bob
B.passwd -x 30 bob
C.usermod -e 30 bob
D.chage -W 30 bob
AnswerA

chage -M sets the maximum password age.

Why this answer

The `chage -M 30 bob` command sets the maximum number of days a password is valid for user 'bob' to 30 days. The `-M` option in `chage` directly modifies the `PASS_MAX_DAYS` field in `/etc/shadow`, which controls password expiration. This is the standard Red Hat Enterprise Linux method for enforcing password aging policies.

Exam trap

The trap here is that candidates confuse `chage -M` (password max age) with `chage -W` (warning period) or `usermod -e` (account expiry), and may also mistakenly think `passwd` has a `-x` option for this purpose, when in fact `passwd` does not support `-x` on RHEL systems.

How to eliminate wrong answers

Option B is wrong because `passwd -x 30 bob` sets the maximum password age, but the `-x` option is not a standard `passwd` flag; `passwd` uses `-x` only in some older or non-standard implementations, and on RHEL 8/9 the correct command for this is `chage -M`, not `passwd`. Option C is wrong because `usermod -e 30 bob` sets the account expiration date (in YYYY-MM-DD format or days since epoch), not the password maximum age; `-e` controls when the account itself expires, not the password. Option D is wrong because `chage -W 30 bob` sets the warning period (in days) before password expiration, not the maximum age; `-W` defines how many days before expiry the user is warned, not the expiry duration.

42
MCQeasy

To enforce that user passwords expire every 90 days and users are warned 7 days before expiration, which command sets these policies for user 'john'?

A.chage -m 90 -W 7 john
B.chage -M 90 -W 7 john
C.usermod -e 90 -f 7 john
D.passwd -x 90 -w 7 john
AnswerB

Correct flags for maximum age and warning.

Why this answer

The chage command with -M (maximum days) and -W (warning days) is correct. Option A uses -m (minimum) incorrectly. Option B uses wrong flags.

Option C uses -e (expiration date) which is not the same.

43
Multi-Selecthard

Which three actions enhance security for user accounts on a Red Hat Enterprise Linux system? (Choose three.)

Select 3 answers
A.Enforcing password complexity via pam_pwquality.
B.Disabling SSH root login by setting PermitRootLogin no.
C.Granting all users sudo access to run all commands.
D.Setting the password expiration to 0 days.
E.Using SSH key-based authentication instead of passwords.
AnswersA, B, E

Complexity reduces risk of weak passwords.

Why this answer

Password complexity, disabling SSH root login, and using SSH keys improve security. Setting password expiration to 0 disables expiration, which is insecure. Granting all users sudo access reduces security.

44
MCQhard

A systems administrator is managing a RHEL 9 server that hosts a custom web application on Apache. The application writes log files to /var/log/myapp/ and runs as the apache user. The administrator has set the directory permissions to 755 and ownership to apache:apache. SELinux is in enforcing mode. Despite these settings, the application fails to write logs. The audit log contains multiple AVC denials with the message 'avc: denied { write } for pid=1234 comm="httpd" name="myapp.log" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'. The administrator has verified that the file exists and that SELinux booleans related to httpd are at their default values. Which of the following steps should the administrator take to resolve the issue while maintaining security?

A.Run restorecon -R /var/log/myapp/ to restore the default SELinux context.
B.Set the SELinux boolean httpd_unified on to allow httpd_t to write to all types.
C.Change the context of the /var/log/myapp/ directory to var_log_t using chcon.
D.Use audit2allow to generate and install a custom policy module that permits httpd_t to write to files with a specific type (e.g., httpd_log_t).
AnswerD

audit2allow creates a tailored policy based on the denial, granting only the needed permissions while maintaining security.

Why this answer

Option D is correct because the AVC denial shows httpd_t is denied write access to a file with the var_log_t type. The proper solution is to create a custom SELinux policy module using audit2allow that permits httpd_t to write to files with a specific type (e.g., httpd_log_t), which confines the permission to only the necessary files and maintains security. This approach follows the principle of least privilege by not broadly relaxing SELinux controls.

Exam trap

The trap here is that candidates mistakenly think changing the context to var_log_t (the same type) or running restorecon will fix the denial, when the actual issue is the lack of an allow rule between httpd_t and the target type, requiring a custom policy module.

How to eliminate wrong answers

Option A is wrong because restorecon would restore the default SELinux context to var_log_t, which is the same type already on the file and is the cause of the denial; it does not grant write permission. Option B is wrong because setting httpd_unified on would allow httpd_t to write to all types, which is overly permissive and violates security best practices by disabling type enforcement for httpd. Option C is wrong because changing the context to var_log_t using chcon would set the same type that is already present and causing the denial; it does not resolve the permission issue.

45
MCQmedium

An administrator runs 'getenforce' and sees 'Enforcing'. They then run 'setenforce 0' but SELinux still denies access to a custom application. What is the most likely reason?

A.SELinux is in enforcing mode and the policy is misconfigured.
B.The application's SELinux context is incorrect and needs relabeling.
C.The issue is due to file permissions or ACLs, not SELinux.
D.The change requires a reboot to take effect.
AnswerC

In permissive mode, SELinux does not deny; thus the denial is from DAC.

Why this answer

Option C is correct because `setenforce 0` switches SELinux to permissive mode, which logs but does not enforce denials. If access is still denied after this command, the issue is not caused by SELinux enforcement but by traditional Linux file permissions (DAC) or ACLs. The administrator should check `ls -l` and `getfacl` to verify the file's ownership and permissions.

Exam trap

The trap here is that candidates assume any denial after `setenforce 0` must still be SELinux-related, overlooking that traditional Linux permissions (DAC) operate independently and can block access even when SELinux is permissive.

How to eliminate wrong answers

Option A is wrong because `setenforce 0` disables enforcing mode, so a misconfigured policy would not cause denials in permissive mode. Option B is wrong because an incorrect SELinux context would only cause denials in enforcing mode; in permissive mode, context mismatches are logged but not enforced, so the application would still run. Option D is wrong because `setenforce` takes effect immediately without requiring a reboot; SELinux runtime mode changes are instantaneous.

46
Multi-Selecthard

Which TWO methods are considered best practices for securing SSH access to a server? (Select exactly two.)

Select 2 answers
A.Disable root login by setting PermitRootLogin no.
B.Use only password authentication for simplicity.
C.Use key-based authentication with passphrase-protected keys.
D.Change the default SSH port to a high-numbered port.
E.Allow SSH access for all users in the system.
AnswersA, C

This prevents direct root SSH access, forcing admins to use sudo.

Why this answer

Option A is correct because disabling root login by setting `PermitRootLogin no` in `/etc/ssh/sshd_config` prevents direct SSH access as the root user, forcing administrators to log in as a regular user and then use `sudo` or `su` to escalate privileges. This reduces the attack surface by eliminating a high-value target for brute-force attacks and ensures all actions are auditable via the regular user's session.

Exam trap

Red Hat often tests the misconception that changing the default SSH port (option D) is a legitimate security measure, but in the EX200 exam, security through obscurity is never considered a best practice—only controls that enforce authentication and authorization are accepted.

47
MCQmedium

An administrator wants to allow user 'alice' to SSH into the server using key-based authentication only. Which configuration change is required?

A.Add alice's public key to ~alice/.ssh/authorized_keys and set PubkeyAuthentication yes in sshd_config.
B.Add alice's private key to /etc/ssh/authorized_keys.
C.Set PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd.
D.Set PermitRootLogin prohibit-password.
AnswerA

This enables key-based authentication for alice.

Why this answer

The correct approach is to add alice's public key to her authorized_keys file and ensure PubkeyAuthentication is enabled. Option A disables password auth for all, but doesn't enable key auth. Option C is for root.

Option D places the private key incorrectly.

48
MCQhard

A company requires that SSH access from the external network (10.0.1.0/24) only be allowed to port 2222, and all other incoming traffic on the firewall should be dropped. Which firewalld rule should be applied to the external zone?

A.firewall-cmd --zone=external --add-service=ssh --permanent
B.firewall-cmd --zone=external --add-port=2222/tcp --permanent
C.firewall-cmd --zone=external --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" service name="ssh" accept' --permanent
D.firewall-cmd --zone=external --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" port port="2222" protocol="tcp" accept' --permanent
AnswerD

This restricts SSH to port 2222 from the specified subnet.

Why this answer

Option D is correct because it uses a rich rule to explicitly allow incoming TCP traffic on port 2222 from the 10.0.1.0/24 source network, which matches the requirement. The default target for the external zone is 'drop', so only explicitly permitted traffic is allowed; this rule ensures SSH on port 2222 is accepted while all other incoming traffic is dropped.

Exam trap

The trap here is that candidates often confuse the 'service name' with a custom port, selecting Option C which uses the SSH service (port 22) instead of the required port 2222, or they forget to restrict the source address as in Option B.

How to eliminate wrong answers

Option A is wrong because it adds the standard SSH service (port 22/tcp) to the external zone, not port 2222, and does not restrict the source to 10.0.1.0/24. Option B is wrong because it opens port 2222/tcp to all sources, not just the 10.0.1.0/24 network, violating the source restriction requirement. Option C is wrong because it references the SSH service name (port 22/tcp) instead of port 2222, and the source address is specified but the service is incorrect.
