Back to the course
Test yourself

Advanced Linux security

Final exam · 51 questions · answers explained as you pick
The attacker on the host
8 questions
01This course’s core mindset shift is…
Incorrect — hardening does that; this course adds seeing and responding.
Correct — prevention is never perfect.
Incorrect — defense in depth keeps the walls too.
Incorrect — a compromised host’s tools may lie.
02An attacker who lands on a host usually arrives as…
Correct — then escalates from that foothold.
Incorrect — rarely — escalation is a separate step.
Incorrect — not how initial access works.
Incorrect — usually remote and unprivileged.
03The attacker’s three broad objectives on a host are…
Incorrect — those are admin tasks, not attacker goals.
Incorrect — those are defender activities.
Correct — each maps to a detection you build.
Incorrect — that is CI/CD.
04The intrusion chain on Linux is roughly…
Incorrect — that reverses it.
Correct — detection at any stage interrupts it.
Incorrect — access comes first.
Incorrect — not the order.
05Reconnaissance (id, sudo -l, find SUID) is valuable to detect because…
Correct — a burst of enumeration is a strong early signal.
Incorrect — it is quite detectable.
Incorrect — it happens early, right after landing.
Incorrect — it is done as the foothold user.
06MITRE ATT&CK is…
Incorrect — no.
Incorrect — no — it is a knowledge base.
Correct — maps detections to real behaviour.
Incorrect — no.
07Why study privesc and persistence before detection engineering?
Incorrect — the aim is offense-informed defense.
Correct — understanding the attack shapes the detection.
Incorrect — they are the basis of the detections.
Incorrect — hardening still matters.
08Detecting the intrusion at any single stage…
Correct — you need not catch initial access to win.
Incorrect — catching escalation/persistence/exfil all help.
Incorrect — it is a lead, not automatic remediation.
Incorrect — it materially stops attacks.
8 questions · explanations appear as you answer
Privilege escalation
9 questions
01The most common Linux privilege-escalation paths are…
Incorrect — those are rarer than misconfig.
Correct — audit these on your own hosts first.
Incorrect — that is initial access, not on-host escalation.
Incorrect — not a local privesc path.
02A SUID-root copy of find (find . -exec /bin/sh) gives an attacker…
Correct — GTFOBins catalogs such binaries; baseline yours.
Incorrect — it is a direct escalation.
Incorrect — it yields a root shell.
Incorrect — the risk is local root.
03sudo -l showing NOPASSWD on vim is dangerous because vim…
Incorrect — not the issue.
Incorrect — it can also spawn a shell.
Correct — shell-capable sudo targets are escalations.
Incorrect — irrelevant.
04File capabilities matter to an attacker because a binary with cap_setuid…
Correct — enumerate with getcap -r.
Incorrect — it can.
Incorrect — it is an escalation path.
Incorrect — setuid is about identity, not network.
05You cannot configure your way out of a kernel local-root exploit, so the defense is…
Incorrect — that weakens defense.
Correct — patch latency = privesc exposure.
Incorrect — that adds surface.
Incorrect — you must track them.
06A cron job that runs a world-writable script as root is…
Incorrect — it is a direct escalation.
Incorrect — it is a security hole.
Correct — audit writable root-executed files.
Incorrect — it is a classic path.
07Attackers harvest credentials on a host to…
Correct — every credential is a potential onward move.
Incorrect — irrelevant.
Incorrect — irrelevant.
Incorrect — stolen creds expand the breach.
08The right way to handle privesc knowledge as a defender is to…
Incorrect — proactive auditing closes the paths first.
Correct — find and fix before the attacker does.
Incorrect — the opposite.
Incorrect — that removes your visibility.
09On a stable production host, a newly-appeared SUID binary or sudo rule is…
Incorrect — rarely — these change almost never.
Incorrect — no.
Correct — treat it as an incident lead.
Incorrect — nothing removes it for you.
9 questions · explanations appear as you answer
Persistence & rootkits
9 questions
01Persistence means the attacker ensures they…
Correct — durable by design — which leaves artifacts.
Incorrect — not the goal.
Incorrect — unrelated.
Incorrect — many persistence methods are login hooks.
02Common Linux persistence locations include…
Incorrect — not a persistence location.
Correct — baseline each and alert on additions.
Incorrect — not the primary spots.
Incorrect — not on-host persistence.
03A public key appended to ~/.ssh/authorized_keys is…
Incorrect — it is a backdoor.
Incorrect — not one you did not add.
Correct — high-value persistence to detect.
Incorrect — keys do not expire on their own.
04Persistence is your best late-detection chance because it…
Correct — baseline + diff catches it even if you missed entry.
Incorrect — not inherently.
Incorrect — most persistence does touch disk.
Incorrect — it is detectable by design constraints.
05LD_PRELOAD lets an attacker…
Incorrect — that is kernel-level, not LD_PRELOAD.
Correct — a userland rootkit.
Incorrect — unrelated.
Incorrect — it is about stealth, not escalation.
06/etc/ld.so.preload on a normal host should be…
Incorrect — that would be a huge red flag.
Incorrect — no.
Correct — baseline and alert on it.
Incorrect — it is a prime persistence/stealth spot to watch.
07On a host with a userland rootkit, ls/ps/netstat…
Correct — cross-check against /proc and off-host telemetry.
Incorrect — that is the danger — they are not.
Incorrect — LD_PRELOAD affects dynamically-linked tools.
Incorrect — irrelevant.
08A kernel rootkit is the hardest to detect because it…
Incorrect — a good one hides itself from lsmod.
Correct — detect via discrepancies + off-host/memory forensics.
Incorrect — it affects the whole system view.
Incorrect — hiding processes is exactly what it does.
09Suspected kernel rootkit → the correct response is…
Incorrect — you cannot trust in-place removal.
Incorrect — it is a serious compromise.
Correct — prevention (signed modules) beats detection.
Incorrect — a boot-persistent rootkit survives.
9 questions · explanations appear as you answer
Detection engineering
8 questions
01The most important cost-and-signal decision in a detection pipeline is…
Incorrect — secondary to where you filter.
Correct — every raw record not shipped is money and noise saved.
Incorrect — irrelevant.
Incorrect — irrelevant.
02Security telemetry must be shipped off-host because…
Correct — the central store is outside the blast radius.
Incorrect — not the reason.
Incorrect — integrity, not speed, is the driver.
Incorrect — it can — but it cannot be trusted to.
03osquery exposes host state as…
Incorrect — no.
Incorrect — no.
Correct — fleet-wide, structured questions.
Incorrect — no.
04osquery scheduled queries in "diff" mode are ideal for…
Correct — the privesc/persistence detection delivered fleet-wide.
Incorrect — unrelated.
Incorrect — no.
Incorrect — no.
05eBPF is powerful for security because it…
Incorrect — it runs in-kernel, in real time.
Correct — sees events where userland tricks cannot hide them.
Incorrect — the opposite — no module needed.
Incorrect — it works on bare hosts too.
06eBPF programs are safe to load because…
Incorrect — privilege is not what makes them safe.
Incorrect — not the mechanism.
Correct — unlike a kernel module, they cannot crash the kernel.
Incorrect — they run in the kernel — safely, via the verifier.
07Falco on a bare host detects…
Correct — the k8s runtime tool, applied to hosts.
Incorrect — it works on hosts too.
Incorrect — that is a scanner.
Incorrect — no.
08You should tune Falco (local rules, exceptions) before wide deployment because…
Incorrect — the issue is alert quality.
Correct — key on unavoidable behaviours; page on a short list.
Incorrect — no.
Incorrect — it does not on a bare host.
8 questions · explanations appear as you answer
Hunting & detections
8 questions
01A detection "survives contact" when it keys on…
Incorrect — trivially rotated — brittle.
Correct — evading it means abandoning the technique.
Incorrect — new infra, new IP — brittle.
Incorrect — renamed in seconds.
02The "Pyramid of Pain" idea is that detecting higher-level signals…
Correct — spend detection effort on behaviour.
Incorrect — often harder to build, but far more durable.
Incorrect — unrelated.
Incorrect — the opposite.
03A detection you have never triggered on purpose is…
Incorrect — you do not know until you test it.
Incorrect — no.
Correct — confirm it fires on bad, not on normal.
Incorrect — testing is essential.
04Threat hunting is…
Correct — complements reactive alerts.
Incorrect — that is reactive detection.
Incorrect — a good hunt is hypothesis-driven.
Incorrect — hunting is human-led.
05A good hunt starts with…
Incorrect — too vague to be productive.
Correct — e.g. "persistence via a new systemd timer → query the fleet".
Incorrect — not a hunt.
Incorrect — no.
06Most host hunting comes down to…
Incorrect — unrelated.
Incorrect — no.
Correct — knowing normal is the defender’s edge.
Incorrect — brittle and unfocused.
07A hunt that finds nothing should still…
Correct — close the loop so the technique is caught by machine next time.
Incorrect — not if it improves coverage.
Incorrect — finding nothing does not warrant that.
Incorrect — automate it instead.
08Effective hunting depends most on…
Incorrect — tooling helps; understanding matters more.
Correct — you cannot hypothesize about what you do not understand.
Incorrect — baselines are what anomalies stand out against.
Incorrect — osquery/central store are how you hunt at scale.
8 questions · explanations appear as you answer
Forensics & incident response
9 questions
01The cardinal rule of live triage is…
Correct — reboot/wipe erases what you need.
Incorrect — that destroys memory and live state.
Incorrect — capture evidence before removing.
Incorrect — evidence degrades and the attacker acts.
02When isolating a compromised host, you should…
Incorrect — that discards memory and running-process evidence.
Correct — contain the spread, preserve volatile state.
Incorrect — the attacker can pivot and destroy evidence.
Incorrect — you lose the case.
03Volatile evidence (capture first) includes…
Incorrect — that is on disk, non-volatile.
Incorrect — non-volatile.
Correct — these vanish on reboot — grab them early.
Incorrect — irrelevant.
04A memory image is especially valuable because it can reveal…
Correct — most perishable, most revealing — capture early.
Incorrect — trivially available elsewhere.
Incorrect — irrelevant.
Incorrect — it is a top-tier artifact.
05The core forensic technique for reconstructing an intrusion is…
Incorrect — destroys evidence.
Correct — anchor on an event, pivot outward.
Incorrect — that is remediation, and premature.
Incorrect — evidence-driven, not guesswork.
06On a compromised host, the MOST trustworthy evidence is…
Incorrect — least trustworthy — tools may be subverted.
Incorrect — possibly tampered by the attacker.
Correct — shipped audit/eBPF events, central logs, network sensors.
Incorrect — often cleared by the attacker.
07A cleared .bash_history or a gap in the logs is…
Correct — missing evidence is evidence; the off-host store has what they deleted.
Incorrect — the opposite — it is a strong indicator.
Incorrect — not on a host under investigation.
Incorrect — it suggests the opposite.
08Before eradicating an attacker, you must…
Incorrect — they may be on others and simply return.
Correct — eradicate everywhere at once, then rotate + rebuild.
Incorrect — rotate all the attacker could have touched.
Incorrect — scoping is essential.
09The IR phases teams most often skip — and most need — are…
Incorrect — those get the attention under fire.
Incorrect — usually not skipped.
Correct — they are where resilience actually comes from.
Incorrect — there is a defined lifecycle.
9 questions · explanations appear as you answer