CompTIA Linux+ (XK0-006) · Domain 4 · 18% of exam

Security

Drill 20 practice questions focused entirely on Security for the CompTIA XK0-006 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

An application confined by AppArmor on an Ubuntu server is being denied access to a legitimate log directory, and users report failures. You need to temporarily allow the application to run while logging what it attempts to access, without fully disabling AppArmor protection for other profiles. Which command accomplishes this for the profile named /usr/sbin/myapp?

Reviewed for accuracy · Report an issue
Question 2 of 20

After a suspected brute-force attempt, a security analyst must produce a summary report of all failed authentication events recorded by the Linux audit daemon on a RHEL 9 server. The analyst wants a high-level tally rather than raw event records. Which command produces this summary?

Reviewed for accuracy · Report an issue
Question 3 of 20

A security analyst configured an audit rule with the key 'passwd-changes' to monitor modifications to /etc/passwd. After a suspected unauthorized change, they need to review only the audit events associated with that rule from the audit logs. Which command should they run?

Reviewed for accuracy · Report an issue
Question 4 of 20

During a CIS-style security baseline review, you must produce a list of all files on the root filesystem that have the setuid bit set, so the security team can verify each one against an approved allowlist. The scan must not descend into other mounted filesystems. Which command accomplishes this?

Reviewed for accuracy · Report an issue
Question 5 of 20

You have added a new disk, /dev/sdc, to a database server and created a single partition, /dev/sdc1. Company policy requires that all data-at-rest on this partition be encrypted before a filesystem is created. Which sequence of commands correctly initializes the encryption and prepares the encrypted device for formatting?

Reviewed for accuracy · Report an issue
Question 6 of 20

A server is experiencing repeated SSH brute-force attempts. You want fail2ban to monitor the SSH daemon, ban an offending IP after 5 failed attempts within 10 minutes, and keep the ban in effect for 1 hour. Which configuration should you place in /etc/fail2ban/jail.local to accomplish this without editing the shipped jail.conf?

Reviewed for accuracy · Report an issue
Question 7 of 20

A colleague sends you a file named report.txt.gpg that was encrypted using your public key. You have already imported your own key pair into your GnuPG keyring. Which command decrypts the file and writes the plaintext to report.txt?

Reviewed for accuracy · Report an issue
Question 8 of 20

You need to send a sensitive backup archive (backup.tar.gz) to a colleague. You have already imported their public GPG key (identified by the email dev@example.com) into your keyring. The colleague must be the only one able to decrypt the file, and you should not need to share any secret. Which command produces the correct encrypted output?

Reviewed for accuracy · Report an issue
Question 9 of 20

A developer has generated a new GPG key pair and needs to share her public key with a colleague so that the colleague can encrypt files for her. She wants to produce an ASCII-armored text file of only the public key that she can email safely. Which command should she run?

Reviewed for accuracy · Report an issue
Question 10 of 20

A software vendor distributes a tarball named app-2.4.tar.gz to customers. You need to publish a signature file so customers can verify the tarball's integrity and authenticity separately, without altering or bundling the original archive. Which command produces the correct artifact?

Reviewed for accuracy · Report an issue
Question 11 of 20

A security team encrypts a laptop's data partition with LUKS using a single passphrase. Before deploying the laptop to a user, you must add a second recovery passphrase to the volume without destroying the existing data or the current passphrase. The device is /dev/sda3. Which command accomplishes this?

Reviewed for accuracy · Report an issue
Question 12 of 20

A web administrator needs to renew the TLS certificate for an internal application. Company policy requires reusing the existing 2048-bit private key stored at /etc/pki/tls/private/app.key rather than generating a new one. Which command produces a certificate signing request (CSR) to submit to the internal CA using that existing key?

Reviewed for accuracy · Report an issue
Question 13 of 20

A security baseline requires that local user accounts be temporarily locked after 5 consecutive failed login attempts, with the lockout lasting 15 minutes before automatic reset. On a RHEL 9 system, which approach correctly implements this policy using the modern PAM module?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security engineer must configure a firewall on a RHEL 9 server so that inbound SSH is permitted only from the management subnet 10.20.0.0/24, while all other inbound SSH attempts are dropped. The change must survive reboots. Which firewalld approach correctly accomplishes this?

Reviewed for accuracy · Report an issue
Question 15 of 20

A web administrator moved static content into /srv/webdata for Apache to serve, but requests return 403 Forbidden errors even though standard file permissions (755/644) are correct. SELinux is in enforcing mode, and 'ls -Z' shows the files are labeled with the type default_t. Which command will persistently assign the correct SELinux context so Apache can read the content?

Reviewed for accuracy · Report an issue
Question 16 of 20

A security auditor asks you to confirm whether SELinux is actively enforcing policy on a production RHEL server right now, without changing any configuration or rebooting. Which command reports the current runtime enforcement mode in a single word?

Reviewed for accuracy · Report an issue
Question 17 of 20

A developer must connect a local database client to a PostgreSQL server (port 5432) running on an internal host (db-internal) that is only reachable from a bastion host (bastion.example.com). The database port must not be exposed publicly. Which SSH command creates a secure tunnel so that connecting to localhost:5432 on the developer's workstation reaches the internal database?

Reviewed for accuracy · Report an issue
Question 18 of 20

A web administrator deployed a new TLS certificate on an internal Nginx server, but clients report the certificate is 'not trusted' even though the server certificate itself is valid and unexpired. The administrator suspects the intermediate CA certificate was not bundled correctly. Which command should be used to verify that the server certificate chains properly to a trusted CA using the organization's CA bundle?

Reviewed for accuracy · Report an issue
Question 19 of 20

Before rotating the encryption passphrase on an encrypted data volume (/dev/sdb1) that uses LUKS, a security engineer wants to create a backup of the LUKS header so the volume can be recovered if the header becomes corrupted during the operation. Which command safely produces this backup?

Reviewed for accuracy · Report an issue
Question 20 of 20

You are the first person at your company to connect via SSH to a newly provisioned server, prod-db01. Before accepting the connection, security policy requires you to confirm the server's host key fingerprint matches the value the provisioning team recorded from the server's console. Which command should you run ON THE SERVER'S CONSOLE to display the SHA256 fingerprint of its ED25519 host key for comparison?

Reviewed for accuracy · Report an issue

More XK0-006 practice

Keep going with the other CompTIA Linux+ (XK0-006) domains, or take a full timed mock exam.

← Back to XK0-006 overview