Security for CompTIA Linux+ (XK0-006)

This page covers the Security domain of the CompTIA Linux+ (XK0-006) certification. Master Cybersecurity offers 30 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A systems administrator wants to prevent the current contents of a file from being overwritten and wants to allow new additions at the end of the file. Which of the following commands should the administrator use?
    A. setenforce file
    B. setfacl -m m::t file
    C. chattr +a file
    D. chmod +t file
    Explanation

    The correct answer is: C. chattr +a file.

    chattr +a sets the append-only attribute on a file, which permits writes only at the end of the file and forbids any other modification or truncation; even root cannot rewrite the existing contents while the attribute is in place. This is a common technique for log files and audit trails. setenforce changes the running SELinux mode (Enforcing or Permissive) and is unrelated to file attributes — it does not even take a filename. setfacl manipulates POSIX ACLs and the syntax shown is malformed; the m::t mask is not a valid ACL entry. chmod +t sets the sticky bit, but the sticky bit applies to directories, where it prevents users from deleting other users' files; it does not protect the contents of a regular file from being overwritten. The chattr +a attribute is the canonical answer for an append-only file.

  2. Question 2

    A systems administrator is configuring new Linux systems and needs to enable passwordless authentication between two of the servers. Which of the following commands should the administrator use?
    A. ssh-keygen -t rsa && ssh-copy-id -i ~/.ssh/id_rsa.pub john@server2
    B. ssh-keyscan -t rsa && ssh-copy-id john@server2 -i ~/.ssh/key
    C. ssh-agent -i rsa && ssh-copy-id ~/.ssh/key john@server2
    D. ssh-add -t rsa && scp -rp ~/.ssh john@server2
    Explanation

    The correct answer is: A. ssh-keygen -t rsa && ssh-copy-id -i ~/.ssh/id_rsa.pub john@server2.

    Passwordless SSH between two hosts is set up in two steps: generate a keypair on the source machine with ssh-keygen -t rsa (which produces id_rsa and id_rsa.pub in ~/.ssh), then publish the public half to the target with ssh-copy-id, which appends it to the remote ~/.ssh/authorized_keys with correct permissions. After that the source can authenticate to john@server2 using the private key alone. ssh-keyscan retrieves the SSH host keys of remote servers (used to populate known_hosts) and does not generate a user keypair, so it is the wrong starting point. ssh-agent runs in the background and caches decrypted private keys for the current session so the passphrase need not be re-entered; it is a convenience layer, not a key generator. ssh-add adds an existing key to the agent and would not produce a new keypair either, and pairing it with scp -rp ~/.ssh would clone an entire SSH directory rather than properly install one public key. The keygen-then-copy-id sequence is the canonical setup.

  3. Question 3

    A Linux administrator needs to securely erase the contents of a hard disk. Which of the following commands is the best for this task?
    A. sudo rm -rf /dev/sda1
    B. sudo shred /dev/sda1
    C. sudo parted rm /dev/sda1
    D. sudo dd if=/dev/null of=/dev/sda1
    Explanation

    The correct answer is: B. sudo shred /dev/sda1.

    shred overwrites the named device or file multiple times with patterns designed to defeat magnetic-media recovery techniques and then optionally truncates and removes the file; running it against /dev/sda1 wipes the partition's data so it cannot be reconstructed by ordinary forensic tools. On modern SSDs a single overwrite plus a vendor secure-erase is generally preferred, but for the question's purpose shred is the answer. rm -rf /dev/sda1 removes the device-node entry from /dev (which udev recreates on next boot) and does not touch any data on the underlying disk. parted rm removes a partition table entry, releasing the space but leaving the data on disk recoverable until it is overwritten. dd if=/dev/null of=/dev/sda1 reads from the empty device, which provides zero bytes of input — dd would write nothing useful and exit immediately; if /dev/zero or /dev/urandom were used instead the wipe would be only a single pass. shred is the canonical secure-erase utility.

  4. Question 4

    Which of the following utilities supports the automation of security compliance and vulnerability management?
    A. SELinux
    B. Nmap
    C. AIDE
    D. OpenSCAP
    Explanation

    The correct answer is: D. OpenSCAP.

    OpenSCAP is the open-source implementation of the Security Content Automation Protocol (SCAP) and provides automated assessment of system configuration against published baselines such as CIS Benchmarks, DISA STIGs, and PCI-DSS profiles, as well as automated vulnerability scanning via OVAL definitions. Tools like oscap and Red Hat's compliance dashboards build on it. SELinux is a Mandatory Access Control framework that enforces process-level confinement at runtime; it is a control, not a compliance-automation tool. Nmap is a port scanner used for network reconnaissance and inventory; it does not assess host-level configuration against compliance benchmarks. AIDE (Advanced Intrusion Detection Environment) is a file-integrity monitor that detects unexpected changes to files; it has no role in vulnerability assessment or compliance scoring. OpenSCAP is the canonical Linux tool for automating both compliance and vulnerability checks together.

  5. Question 5

    A Linux administrator needs to analyze a compromised disk for traces of malware. To complete the analysis, the administrator wants to make an exact, block-level copy of the disk. Which of the following commands accomplishes this task?
    A. cp -rp /dev/sdc/* /tmp/image
    B. cpio -i /dev/sdc -ov /tmp/image
    C. tar cvzf /tmp/image /dev/sdc
    D. dd if=/dev/sdc of=/tmp/image bs=8192
    Explanation

    The correct answer is: D. dd if=/dev/sdc of=/tmp/image bs=8192.

    For forensic analysis of a compromised disk, the analyst needs an exact bit-for-bit copy that preserves slack space, deleted-but-not-overwritten regions, partition headers, and any non-filesystem data the malware may have placed. dd if=/dev/sdc of=/tmp/image bs=8192 reads the raw block device sector by sector and writes it to a flat image file, producing exactly that kind of forensic copy. The bs argument tunes throughput but does not change correctness. cp -rp /dev/sdc/* /tmp/image cannot work because /dev/sdc is a block device and does not have a filesystem path you can glob; even on /dev/sdc1, cp would walk the filesystem and miss anything outside the live filesystem. cpio -i extracts archives in copy-in mode and is unrelated to block-level imaging. tar cvzf packs files from a filesystem into a compressed archive, again missing slack space and deleted content. dd is the canonical forensic imaging tool.
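    The imaging step above, carried one step further as an added example (not part of the original page): acquire with the dd command from the answer, then prove the image is bit-for-bit identical by comparing sizes and SHA-256 digests, which is the verification an examiner records alongside the copy. The "disk" is a constructed 1 MiB file standing in for /dev/sdc so the script runs without root or a spare device; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. A constructed file plays the
# role of /dev/sdc; on a real acquisition if= would be the block device
# (ideally behind a write blocker) and of= an image on separate storage.

# Build the constructed sample "disk": 128 blocks of 8192 random bytes = 1 MiB.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=8192 count=128 status=none
}

# Acquire exactly as in the answer. bs only affects throughput. (Guides often
# add conv=noerror,sync to survive bad sectors; note that sync pads a trailing
# partial block up to bs, which is why bs=512 is paired with it.)
acquire_image() {
    dd if="$1" of="$2" bs=8192 status=none
}

# Verify: byte counts must match and the digests of source and image must be
# equal. Prints the digest and returns 0 only when both checks pass, so the
# hash you log is the hash of a copy that is known to be exact.
verify_image() {
    src="$1"; dst="$2"
    [ "$(wc -c < "$src")" -eq "$(wc -c < "$dst")" ] || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$src_hash" = "$dst_hash" ] || return 1
    echo "$dst_hash"
}

work=$(mktemp -d)
make_sample_disk "$work/sdc.bin"
acquire_image "$work/sdc.bin" "$work/image.dd"
if h=$(verify_image "$work/sdc.bin" "$work/image.dd"); then
    echo "image verified, sha256=$h"
else
    echo "image does NOT match source" >&2
fi
```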
