Security for CompTIA Linux+
This page covers the Security domain of the CompTIA Linux+ certification. Master Cybersecurity offers 135 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
A Linux administrator is configuring a log collector agent to monitor logs in /var/log/collector. The agent is reporting that it cannot write to the directory. Which of the following is the best way to resolve the issue?
- A. setfacl -Rm u:logger/var/log/collector
- B. usermod -aG root logger
- C. chmod 644 /var/log/collector
- D. chown -R logger/var/log
Explanation
The correct answer is: A. setfacl -Rm u:logger/var/log/collector.
The correct answer is A (setfacl -Rm u:logger/var/log/collector) because setfacl sets Access Control Lists, and -Rm applies the ACL recursively (-R) and modifies existing ACLs (-m). The syntax 'u:logger' grants permissions to the user 'logger', and this allows the log collector agent to write to the directory without giving it root access or changing ownership of system directories. Option B (add to root group) gives excessive privileges and is a security risk.
Question 2
Which command is used to set file permissions using symbolic mode in Linux?
- A. chmod
- B. chown
- C. chgrp
- D. umask
Explanation
The correct answer is: A. chmod.
**chmod** is the command that sets file permissions using **symbolic mode** (e.g., u+x, g-w, o=r) or octal (e.g., 755). chown changes owner; chgrp changes group; umask sets default creation permissions. Symbolic mode uses u/g/o/a and r/w/x with +/=/-, e.g., chmod g+w file.
Question 3
In a containerized environment, which security practice is essential to minimize the attack surface?
- A. Running containers as root
- B. Using minimal base images
- C. Allowing unrestricted network access
- D. Disabling SELinux
Explanation
The correct answer is: B. Using minimal base images.
**Using minimal base images** (Alpine, distroless, scratch) reduces the attack surface: fewer packages and less code to exploit. Running as root (A) and unrestricted network (C) increase risk; disabling SELinux (D) weakens mandatory access control. Minimal images, non-root users, and image scanning are key for container security.
Question 4
You need to configure a firewall on a RHEL server to allow incoming HTTP traffic. Which command should you use?
- A. iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- B. firewall-cmd --add-service=http --permanent
- C. ufw allow 80/tcp
- D. nft add rule ip filter input tcp dport 80 accept
Explanation
The correct answer is: B. firewall-cmd --add-service=http --permanent.
On a **RHEL** server using **firewalld**, use **firewall-cmd --add-service=http --permanent** (then firewall-cmd --reload) to allow HTTP. iptables (A), ufw (C), and nft (D) are valid on other setups but RHEL's default is firewalld, so B is the recommended answer. Using --permanent makes the rule persist across reboots; reload applies it immediately.
Question 5
Which file would you edit to configure the SSH daemon to use a non-standard port?
- A. /etc/ssh/ssh_config
- B. /etc/ssh/sshd_config
- C. /etc/ssh/ssh_known_hosts
- D. /etc/ssh/ssh_host_rsa_key
Explanation
The correct answer is: B. /etc/ssh/sshd_config.
The **SSH daemon** is configured in **/etc/ssh/sshd_config**. To use a non-standard port, set **Port** (e.g., Port 2222) there and restart sshd. ssh_config is the client config; ssh_known_hosts lists host keys; ssh_host_rsa_key is a host key file. After changing Port, update firewall rules and client connections to use the new port.
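The follow-up check from Question 5 (after changing Port, confirm the firewall allows the new port), as an added example that is not part of the original question bank. The function names and the sample config are constructed for illustration, and the port list is assumed to be in the form printed by firewall-cmd --list-ports.

```bash
#!/usr/bin/env bash
# Added example. Function names and the sample config are constructed.
# Limits: does not follow Include files, ListenAddress host:port entries,
# or firewalld port ranges such as 2000-3000/tcp.

# Constructed sample: stock-style sshd_config with SSH moved off port 22.
sample_sshd_config() {
cat <<'EOF'
# sshd_config (constructed sample)
#Port 22
port 2222
#AddressFamily any
PermitRootLogin no
    Port 2200
EOF
}

# Print each active Port value, one per line. Keywords are case-insensitive,
# "#Port 22" is a comment, several Port lines are allowed, and sshd falls
# back to 22 when none is set.
sshd_ports() {
  awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
       END { if (!n) print 22 }' "$1"
}

# Print the sshd ports missing from a firewalld port list, given in the
# "2222/tcp 8080/tcp" form that firewall-cmd --list-ports prints.
# Assumption: ports opened through a firewalld service (e.g. ssh = 22/tcp)
# are added to that list by the caller.
ports_not_open() {
  pno_open=" $2 "
  for pno_p in $(sshd_ports "$1"); do
    case "$pno_open" in
      *" $pno_p/tcp "*) ;;
      *) echo "$pno_p" ;;
    esac
  done
}

# Demo on the constructed sample: 2222 is open in the firewall, 2200 is not.
demo_cfg=$(mktemp)
sample_sshd_config > "$demo_cfg"
echo "sshd ports:       $(sshd_ports "$demo_cfg" | tr '\n' ' ')"
echo "blocked by fw:    $(ports_not_open "$demo_cfg" "2222/tcp 8080/tcp")"
rm -f "$demo_cfg"
```

Any port this prints would be unreachable after sshd restarts, so open it in the firewall before restarting the daemon.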