Linux Hardening Questions Flashcards

1
Q

Because Linux is more securely designed than Windows, we never have to worry about Linux
security.
a. True
b. False

A

b. False.

2
Q

Which of the following is true about Linux on IoT devices?
a. There are too many of them.
b. They’re taking over the world.
c. Too many of them are configured insecurely.
d. They’re so securely configured that they’ll put security practitioners out of their jobs.

A

c. Too many of them are configured insecurely.

3
Q

Which of the following is true about automatic operating system updates in an enterprise?
a. You should always leave them enabled.
b. They violate the basic precept of testing updates on a test network before installing
them on a production network.
c. Unlike with manual updates, you never have to reboot a system after automatic updates.
d. For IoT devices, it isn’t useful to enable automatic updates.

A

b. They violate the basic precept of testing updates on a test network before installing
them on a production network.

4
Q

What is the best way to grant administrative privileges to users?
a. Give every administrative user the root user password.
b. Add each administrative user to either the sudo group or the wheel group.
c. Create sudo rules that only allow administrative users to do tasks that are directly
related to their jobs.
d. Add each administrative user to the sudoers file and grant them full administrative
privileges.

A

c. Create sudo rules that only allow administrative users to do tasks that are directly
related to their jobs.

5
Q

Which of the following is true?
a. When users log in as the root user, all the actions that they perform will be recorded
in the auth.log or the secure log file.
b. When users use sudo, all the actions that they perform will be recorded in the messages
or the syslog file.
c. When users log in as the root user, all the actions that they perform will be recorded
in the messages or the syslog file.
d. When users use sudo, all the actions that they perform will be recorded in the auth.log
or the secure log file.

A

d. When users use sudo, all the actions that they perform will be recorded in the auth.log
or the secure log file.

6
Q

Which of the following methods would you use to create sudo rules for other users?
a. Open the /etc/sudoers file in your favorite text editor.
b. Open the /etc/sudoers file with visudo.
c. Add a sudoers file to each user’s home directory.
d. Open the /var/spool/sudoers file with visudo.

A

b. Open the /etc/sudoers file with visudo.

7
Q

You need to see a list of network services that are listening for incoming connections. Which
of the following commands would you use?
a. sudo systemctl -t service --state=active
b. netstat -i
c. netstat -lp -A inet
d. sudo systemctl -t service --state=listening

A

c. netstat -lp -A inet

8
Q

Which one of the following represents best security practice?
a. Always give the root user password to all users who need to perform administrative tasks.
b. Always give full sudo privileges to all users who need to perform administrative tasks.
c. Always just give specific, limited sudo privileges to all users who need to perform
administrative tasks.
d. Always edit the sudoers file in a normal text editor, such as nano, vim, or emacs.

A

c. Always just give specific, limited sudo privileges to all users who need to perform
administrative tasks.

9
Q

Which of the following statements is true?
a. sudo can only be used on Linux.
b. sudo can be used on Linux, Unix, and BSD operating systems.
c. When a user performs a task using sudo, the task does not get recorded in a security log.
d. When using sudo, users must enter the root user password.

A

b. sudo can be used on Linux, Unix, and BSD operating systems.

10
Q

You want specific users to edit a specific system configuration file, but you don’t want them to
use a shell escape that would allow them to perform other administrative tasks. Which two of
the following could you do?

a. In the sudoers file, specify that the users can only use vim to open a specific
configuration file.

b. In the sudoers file, specify that the users can use sudoedit to edit a specific
configuration file.

c. In the sudoers file, specify the no shell escape option for these users.
d. In the sudoers file, place these users into a group that does not have shell escape
privileges.

A

b. In the sudoers file, specify that the users can use sudoedit to edit a specific
configuration file.

11
Q

Which of the following commands would you use to see only a list of established TCP
connections?

a. netstat -p -A inet
b. netstat -lp -A inet
c. sudo systemctl -t service --state=connected
d. sudo systemctl -t service --state=active

A

a. netstat -p -A inet

12
Q

When Nmap tells you that a port is in an open state, what does that mean?
a. That the port is open on the firewall.
b. That the port is open on the firewall and that the service that’s associated with that
port is running.
c. That the port is accessible via the Internet.
d. That the port’s Access Control List is set to open.

A

b. That the port is open on the firewall and that the service that’s associated with that
port is running.

13
Q

Which of these Nmap scan options would you most likely use to scan for open TCP ports?
a. -sn
b. -sU
c. -sS
d. -sA

A

c. -sS

14
Q

How does discovery mode work in Nmap?
a. It discovers network devices by sending ping packets to the network’s broadcast address.
b. It discovers network devices by sending SYN packets to the network’s broadcast address.
c. It sends out ARP packets for a local network and ping packets for a remote network.
d. It sends out ping packets for a local network and ARP packets for a remote network.

A

c. It sends out ARP packets for a local network and ping packets for a remote network.

15
Q

What do you want to do when resetting the root user password on a Red Hat/CentOS/AlmaLinux
machine?

a. Ensure that AppArmor is in enforcing mode.
b. Ensure that SELinux is in enforcing mode.
c. Ensure that AppArmor is in complain mode.
d. Ensure that SELinux is in permissive mode.

A

d. Ensure that SELinux is in permissive mode.

16
Q

You want to use Nmap to perform a UDP port scan of an entire subnet. Which of the following
commands would you use?
a. sudo nmap -sU 192.168.0.0
b. sudo nmap -U 192.168.0.0
c. sudo nmap -U 192.168.0.0/24
d. sudo nmap -sU 192.168.0.0/24

A

d. sudo nmap -sU 192.168.0.0/24

17
Q

How would you begin the process of hardening a new computer system?
a. Apply an OpenSCAP profile when installing the operating system.
b. Begin the initial setup by following a checklist.
c. Install the operating system, then apply an OpenSCAP profile.
d. Install the operating system, then follow a hardening checklist.

A

b. Begin the initial setup by following a checklist.

18
Q

On a Red Hat/CentOS/AlmaLinux server, what would you most likely do to force users to enter
a password before editing kernel parameters during bootup?
a. Enter the sudo grub2-password command.
b. Hand-edit the grub configuration file.
c. Enter the sudo grub2-setpassword command.
d. Enter the sudo grub-setpassword command.
e. Enter the sudo grub-password command.

A

c. Enter the sudo grub2-setpassword command.

19
Q

In which file would you configure complex password criteria?

A

/etc/security/pwquality.conf

20
Q

When using the useradd utility on a RHEL 7-type machine, what should the UMASK setting be
in the /etc/login.defs file?

A

077

21
Q

When using the adduser utility on an Ubuntu 20.04 machine, how would you configure the
/etc/adduser.conf file so that new users’ home directories will prevent other users from
accessing them?

A

Change the DIR_MODE= value to DIR_MODE=750

22
Q

What change did the National Institute for Standards and Technology recently make to its
recommended password policy?

A

They abandoned their old philosophy about password complexity and password expirations.

23
Q

Which three of the following utilities can you use to set user account expiry dates?
a. useradd
b. adduser
c. usermod
d. chage

A

a, c, and d

24
Q

Why might you want to lock out the user account of a former employee, rather than delete it?
a. It’s easier to lock an account than it is to delete it.
b. It takes too long to delete an account.
c. It’s not possible to delete a user account.
d. Deleting a user account, along with the users’ files and mail spool, might get you into
trouble with the law.

A

d. Deleting a user account, along with the users’ files and mail spool, might get you into
trouble with the law.

25
Q

You’ve just created a user account for Samson, and you now want to force him to change his
password the first time he logs in. Which two of the following commands will do that?
a. sudo chage -d 0 samson
b. sudo passwd -d 0 samson
c. sudo chage -e samson
d. sudo passwd -e samson

A

a and d

26
Q

Which one of the following is an advantage that the adduser utility has over the traditional
useradd utility?
a. adduser can be used in shell scripts.
b. adduser is available for all Linux distributions.
c. adduser has an option that allows you to encrypt a user’s home directory as you create
the user account.
d. adduser is also available for Unix and BSD.

A

c. adduser has an option that allows you to encrypt a user’s home directory as you create
the user account.

27
Q

In the newest Linux distributions, what is the name of the PAM module that you can use to
enforce strong passwords?
a. cracklib
b. passwords
c. Secure
d. pwquality

A

d. pwquality

28
Q

Which of the following best describes IPFire?
a. A host-based firewall appliance with a built-in NIDS
b. An edge firewall appliance with a built-in NIDS

A

b. An edge firewall appliance with a built-in NIDS

29
Q

Which of the following utilities is best for scanning Sarbanes-Oxley compliance issues?
a. Lynis
b. Lynis Enterprise
c. Greenbone Security Assistant
d. OpenSCAP

A

b. Lynis Enterprise

30
Q

Which of the following best represents what Snort is?
a. HIDS
b. GIDS
c. NIDS
d. FIDS

A

c. NIDS

31
Q

Which of the following would you use as a general-purpose, external vulnerability scanner?
a. Greenbone Security Assistant
b. Nikto
c. OpenSCAP
d. Lynis

A

a. Greenbone Security Assistant

32
Q

Which of these problems would you be most likely to find with a Nikto scan?
a. That the Samba service is running, although it shouldn’t be
b. That the root user account is exposed to the Internet via SSH
c. That potentially malicious scripts reside in a CGI directory
d. That the root user account is configured with a weak password

A

c. That potentially malicious scripts reside in a CGI directory

33
Q

What is a unique characteristic about Lynis?
a. It’s a proprietary, closed-source vulnerability scanner.
b. It’s a shell script that can be used to scan any Linux, Unix, or Unix-like operating system
for vulnerabilities.
c. It’s an external vulnerability scanner.
d. It can only be installed on a specialty security distro, such as Kali Linux.

A

b. It’s a shell script that can be used to scan any Linux, Unix, or Unix-like operating system
for vulnerabilities.

34
Q

Which of these problems would you most likely find with Snort?
a. A root user account with a weak password
b. Servers without active firewalls
c. Cryptocoin mining malware active on the network
d. Root user accounts exposed to the Internet via SSH

A

c. Cryptocoin mining malware active on the network

35
Q

Which two of the following are log files that record authentication-related events?
a. syslog
b. authentication.log
c. auth.log
d. secure.log
e. secure

A

c. auth.log, e. secure

36
Q

Which of the following is the main logging system that runs on pretty much every modern
Linux distro?
a. syslog
b. rsyslog
c. journald
d. syslog-ng

A

b. rsyslog

37
Q

Which of the following is true about rootkits?
a. They only infect Windows operating systems.
b. The purpose of planting a rootkit is to gain root privileges to a system.
c. An intruder must have already gained root privileges in order to plant a rootkit.
d. A rootkit isn’t very harmful.

A

c. An intruder must have already gained root privileges in order to plant a rootkit.

38
Q

Which file does the auditd service use to log auditing events?
a. /var/log/messages
b. /var/log/syslog
c. /var/log/auditd/audit
d. /var/log/audit/audit.log

A

d. /var/log/audit/audit.log

39
Q

What is a syscall?
a. It tells the Linux kernel to perform a privileged action on behalf of a user.
b. It calls new system information into the kernel.

A

a. It tells the Linux kernel to perform a privileged action on behalf of a user.

40
Q

Which of the following is true?
a. /proc is just like any other directory in the Linux filesystem.
b. /proc is the only pseudo-filesystem in Linux.
c. /proc is one of several pseudo-filesystems in Linux.
d. You can set values for /proc parameters with the systemctl command.

A

c. /proc is one of several pseudo-filesystems in Linux.

41
Q

Which of the following statements is true?
1. iptables is the easiest firewall system to work with.
2. With iptables, any rule that you create applies to both IPv4 and IPv6.
3. With iptables, you have to create IPv6 rules separately from IPv4 rules.
4. With nftables, you have to create IPv6 rules separately from IPv4 rules.

A

With iptables, you have to create IPv6 rules separately from IPv4 rules.

42
Q

What is the official name of the Linux firewall?
a. iptables
b. ufw
c. Nftables
d. netfilter

A

netfilter

43
Q

Which of the following statements about nftables is false?
a. With nftables, rules are added atomically.
b. With nftables, a table refers to a particular protocol family.
c. With nftables, ports and their associated rules are bundled into zones.
d. With nftables, you can write scripts in either normal Bash shell scripting, or with the
scripting engine that’s built into nftables.

A

c. With nftables, ports and their associated rules are bundled into zones.

44
Q

Which iptables command would show you how many packets have been dropped by a
particular rule?

A

sudo iptables -L -v

45
Q

Which nftables command would you use to see how many packets have been dropped by a
particular rule?

A

sudo nft list ruleset

46
Q

In iptables, which of the following targets would cause packets to be blocked without sending
a notification back to the source?
a. STOP
b. DROP
c. REJECT
d. BLOCK

A

b. DROP

47
Q

Which of the following six choices are tables in iptables?
a. Netfilter
b. Filter
c. Mangle
d. Security
e. ip6table
f. NAT

A

b, c, d, and f

48
Q

Which firewall system loads its rules atomically?

A

nftables

49
Q

Which of the following setfacl options would you use to remove just one specific permission
from an ACL?
a. -xB. -r
b. -w
c. m: :
d. -m
e. x: :

A

d. -m

50
Q

Which of the following commands would set the proper permissions for the marketing shared
group directory, with the SGID and sticky bit set?
a. sudo chmod 6770 marketing
b. sudo chmod 3770 marketing
c. sudo chmod 2770 marketing
d. sudo chmod 1770 marketing

A

b. sudo chmod 3770 marketing

51
Q

Which of the following partition mount options would prevent setting the SUID and SGID
permissions on files?
a. nosgid
b. noexec
c. nosuid
d. nouser

A

c. nosuid

52
Q

What is the major difference between firewalld on RHEL 7-type distros and firewalld on
RHEL 8/9-type distros?

A

RHEL 7 distros use iptables as the firewalld backend, and RHEL 8/9 distros use nftables
as the firewalld backend.

53
Q

In which of the following formats does firewalld store its rules?
a. .txt
b. .config
c. .html
d. .xml

A

d. .xml

54
Q

Which of the following commands would you use to list all of the firewalld zones on your
system?
a. sudo firewalld --get-zones
b. sudo firewall-cmd --list-zones
c. sudo firewall-cmd --get-zones
d. sudo firewalld --list-zones

A

c. sudo firewall-cmd --get-zones

55
Q

With ufw, everything you’ll ever need to do can be done with the ufw utility.
a. True
b. False

A

b. False

56
Q

Your system is set up with firewalld and you need to open port 10000/tcp. Which of the
following commands would you use?
a. sudo firewall-cmd --add-port=10000/tcp
b. sudo firewall-cmd --add-port=10000
c. sudo firewalld --add-port=10000
d. sudo firewalld --add-port=10000/tcp

A

a. sudo firewall-cmd --add-port=10000/tcp

57
Q

Which of the following ufw commands would you use to open the default Secure Shell port?
a. sudo ufw allow 22
b. sudo ufw permit 22
c. sudo ufw allow 22/tcp
d. sudo ufw permit 22/tcp

A

c. sudo ufw allow 22/tcp

58
Q

Which of the following is not an advantage of GPG?
a. It uses strong, hard-to-crack algorithms.
b. It works well for sharing secrets with people you don’t know.
c. Its public/private key scheme eliminates the need to share passwords.
d. You can use it to encrypt files that you don’t intend to share, for your own personal use.

A

b. It works well for sharing secrets with people you don’t know.

59
Q

You need to send an encrypted message to Frank. What must you do before you can encrypt
his message with GPG so that you don’t have to share a password?
a. Nothing. Just encrypt the message with your own private key.
b. Import Frank’s private key into your keyring and send Frank your private key.
c. Import Frank’s public key into your keyring and send Frank your public key.
d. Just import Frank’s public key into your keyring.
e. Just import Frank’s private key into your keyring.

A

c. Import Frank’s public key into your keyring and send Frank your public key.

60
Q

Which of the following would be the proper choice for whole-disk encryption on a Linux system?
a. BitLocker
b. VeraCrypt
c. eCryptfs
d. LUKS

A

d. LUKS

61
Q

If you use eCryptfs to encrypt users’ home directories and you’re not using whole-disk
encryption, what other action must you take in order to prevent leakage of sensitive data?

a. None.
b. Ensure that users use strong private keys.
c. Encrypt the swap partition.
d. You must use eCryptfs in whole-disk mode.

A

c. Encrypt the swap partition.

62
Q

In which of the following scenarios would you use VeraCrypt?
a. Whenever you want to implement whole-disk encryption.
b. Whenever you just want to encrypt users’ home directories.
c. Whenever you’d prefer to use a proprietary, closed-source encryption system.
d. Whenever you need to create encrypted containers that you can share with Windows,
macOS, and BSD users.

A

d. Whenever you need to create encrypted containers that you can share with Windows,
macOS, and BSD users.

63
Q

You need to ensure that your web browser trusts certificates from the Dogtag CA. How do you
do it?
a. You use pki-server to export the CA certificate and key, and then use openssl pkcs12
to extract just the certificate. Then, import the certificate into your browser.
b. You import the ca_admin.cert certificate into your browser.
c. You import the ca_admin_cert.p12 certificate into your browser.
d. You import the snakeoil.pem certificate into your browser.

A

a. You use pki-server to export the CA certificate and key, and then use openssl pkcs12
to extract just the certificate. Then, import the certificate into your browser.

64
Q

Which of the following represents a file with read and write permissions for the user and the
group, and read-only permissions for others?
a. 775
b. 554
c. 660
d. 664

A

d. 664

65
Q

You want to change the ownership and group association of the somefile.txt file to Maggie.
Which of the following commands would do that?
a. sudo chown maggie somefile.txt
b. sudo chown :maggie somefile.txt
c. sudo chown maggie: somefile.txt
d. sudo chown :maggie: somefile.txt

A

c. sudo chown maggie: somefile.txt

66
Q

Which of the following is the numerical value for the SGID permission?
a. 6000
b. 2000
c. 4000
d. 1000

A

b. 2000

67
Q

Which command would you use to view the extended attributes of a file?
a. lsattr
b. ls -a
c. ls -l
d. chattr

A

a. lsattr

68
Q

Which of the following commands would search through the entire filesystem for regular files
that have either the SUID or SGID permission set?
a. sudo find / -type f -perm /6000
b. sudo find / ( -perm -4000 -o -perm -2000 )
c. sudo find / -type f -perm -6000
d. sudo find / -type r -perm /6000

A

a. sudo find / -type f -perm /6000

69
Q

Which of the following commands would set the SUID permission on a file that has read/write/
execute permissions for the user and group, and read/execute permissions for others?
a. sudo chmod 2775 somefile
b. sudo chown 2775 somefile
c. sudo chmod 1775 somefile
d. sudo chmod 4775 somefile

A

d. sudo chmod 4775 somefile

70
Q

Which of the following find command options allows you to automatically perform a command
on each file that find finds, without being prompted?
a. -exec
b. -ok
c. -xargs
d. -do

A

a. -exec

71
Q

Which of the following statements is true?
a. Secure Shell is completely secure in its default configuration.
b. It’s safe to allow the root user to use Secure Shell to log in across the Internet.
c. Secure Shell is insecure in its default configuration.
d. The most secure way to use Secure Shell is to log in with a username and password.

A

c. Secure Shell is insecure in its default configuration.

72
Q

Which three of the following things would you do to conform with the best security practices
for Secure Shell?
a. Make sure that all users are using strong passwords to log in via Secure Shell.
b. Have all users create a public/private key pair, and transfer their public keys to the
server to which they want to log in.
c. Disable the ability to log in via username/password.
d. Ensure that the root user is using a strong password.
e. Disable the root user’s ability to log in.

A

b. Have all users create a public/private key pair, and transfer their public keys to the
server to which they want to log in.
c. Disable the ability to log in via username/password.
e. Disable the root user’s ability to log in.

73
Q

Which one of the following lines in the sshd_config file will cause botnets to not scan your
system for login vulnerabilities?
a. PasswordAuthentication no
b. PasswordAuthentication yes
c. PermitRootLogin yes
d. PermitRootLogin no

A

a. PasswordAuthentication no

74
Q

How would you confine a user of SFTP to his or her own specified directory?
a. Ensure that proper ownership and permissions are set on that user’s directory.
b. In the sshd_config file, disable that user’s ability to log in via normal SSH and define
a chroot directory for that user.
c. Define the user’s limitations with TCP Wrappers.
d. Use whole-disk encryption on the server so that SFTP users will only be able to access
their own directories.

A

b. In the sshd_config file, disable that user’s ability to log in via normal SSH and define
a chroot directory for that user.

75
Q

Which two of the following commands would you use to add your private SSH key to your
session keyring?
a. ssh-copy-id
b. exec /usr/bin/ssh-agent
c. exec /usr/bin/ssh-agent $SHELL
d. ssh-agent
e. ssh-agent $SHELL
f. ssh-add

A

c. exec /usr/bin/ssh-agent $SHELL
f. ssh-add

76
Q

Which of the following is not on NIST’s list of recommended algorithms?
a. RSA
b. ECDSA
c. Ed25519

A

c. Ed25519

77
Q

Which of the following is the correct directive for creating a custom configuration for Katelyn?
a. User Match katelyn
b. Match katelyn
c. Match Account katelyn
d. Match User katelyn

A

d. Match User katelyn

78
Q

Which of the following crypto policies provides the strongest encryption on RHEL 8/9-type
distros?
a. LEGACY
b. FIPS
c. DEFAULT
d. FUTURE

A

d. FUTURE

79
Q

Which of the following standards defines NIST’s current recommendations for encryption
algorithms?
a. FIPS 140-2
b. FIPS 140-3
c. CNSA
d. Suite B

A

c. CNSA