Back to CompTIA Linux+ (Linux+)

Security

Applying security best practices, permissions, and firewalls.

Focuses on securing Linux systems through user management, permission control, firewall configuration, and security auditing.
5 minutes 5 Questions

In the context of CompTIA Linux+, security is a critical domain involving the implementation of defense-in-depth strategies to protect system integrity and data. It begins with **User and Group Management**, where administrators enforce the principle of least privilege using standard file permissio…

Concepts covered: User and Group Management, File Permissions and ACLs, SELinux and AppArmor, SSH Configuration and Security, Firewall Configuration (firewalld, ufw, iptables)

Test mode:
Start practice test
Linux+ - Security Example Questions

Test your knowledge of Security

Question 1

A Linux administrator needs to harden the SSH configuration to ensure consistent session initialization. The security policy specifically prohibits users from executing personal commands found in the '~/.ssh/rc' file during login, forcing reliance solely on the global X11 and system authentication scripts. Which directive in the '/etc/ssh/sshd_config' file must be set to 'no' to enforce this restriction?

Correct Answer: PermitUserRC no

The correct directive is 'PermitUserRC no'.

In the OpenSSH daemon configuration file ('/etc/ssh/sshd_config'), the 'PermitUserRC' option controls whether to execute the file '~/.ssh/rc' in the user's home directory upon login. This file allows users to run specific commands when their SSH session usually starts (often used for X11 environment setups). By setting this directive to 'no', the system administrator ensures that user-defined initialization scripts are ignored, enforcing reliance on global system authentication and environment scripts instead.

The other options listed ('AllowUserRC', 'UserRCConfig', and 'LoadUserRCfile') are incorrect because they are not valid directives recognized by the SSH daemon.

Question 2

A Linux administrator identifies that the active AppArmor kernel policy includes loaded profiles for several services that have been uninstalled from the system. To reconcile the security state by scanning for and unloading these obsolete profile definitions, which command utility should be executed?

Correct Answer: aa-remove-unknown

The correct command is aa-remove-unknown.

This utility is specifically designed to inventory every AppArmor profile currently loaded into the kernel and compare that list against the actual profile files present on the filesystem (typically located in /etc/apparmor.d/). If the tool finds profiles loaded in memory that do not have a corresponding configuration file on the disk—which happens when a service is uninstalled but its security context is not automatically cleared—it unloads those "unknown" profiles, effectively identifying and removing the obsolete definitions.

The other options listed (aa-profile-reconcile, aa-prune-orphans, and aa-clean-unused) are incorrect because they are not valid commands within the standard AppArmor utility suite; they are fictitious command names.

Question 3

A Linux system administrator is configuring a server to act as a network gateway. The external network interface, `eth0`, receives a dynamic IP address from the ISP via DHCP. To ensure outgoing traffic is properly translated using the current public IP, which `iptables` rule must be added?

Correct Answer: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The correct command is iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE.

This command performs the following actions:
1. -t nat: Selects the Network Address Translation (NAT) table, which is required for modifying packet IP addresses.
2. -A POSTROUTING: Appends the rule to the POSTROUTING chain. This chain is used for altering packets as they are about to leave the firewall, which is the correct place to change the source IP address.
3. -o eth0: Matches traffic going out through the external interface (eth0).
4. -j MASQUERADE: This target is specifically designed for connections with dynamic IP addresses (such as those assigned via DHCP). It automatically sets the source IP of the packet to the current IP address of the outgoing interface. Unlike SNAT, which requires a static IP specified with --to-source, MASQUERADE handles IP changes automatically.

The other options are incorrect for the following reasons:
- The rule using SNAT --dynamic is syntactically incorrect; SNAT generally requires a static definition (--to-source), and there is no standard --dynamic flag.
- The rule targeting the filter table is incorrect because address translation cannot happen in the filter table, and the MASQUERADE target is only valid in the POSTROUTING chain of the nat table.
- The rule using PREROUTING and DNAT creates a Destination NAT rule (port forwarding), which modifies the destination address of incoming packets rather than the source address of outgoing packets.

More Security questions
143 questions (total)
Start 100 question test