Back to the course
Test yourself

Linux hardening

Final exam · 50 questions · answers explained as you pick
Access hardening
10 questions
01The single highest-value SSH hardening change is…
Incorrect — a speed bump; against keys-only it is nearly pointless.
Correct — removes the entire password-guessing threat.
Incorrect — security by obscurity; bots still find it.
Incorrect — cosmetic, no real protection.
02PermitRootLogin no matters because…
Incorrect — not the reason.
Correct — shared root logins destroy the audit trail.
Incorrect — it forces attribution, not brute-force immunity.
Incorrect — unrelated.
03Before restarting sshd after config changes, you should…
Incorrect — unnecessary and risky if the config is broken.
Incorrect — never.
Correct — so a broken config does not lock you out.
Incorrect — unrelated and dangerous.
04The recommended modern SSH key type is…
Correct — small, fast, strong — the current best default.
Incorrect — too small and outdated.
Incorrect — deprecated and weak.
Incorrect — a password is not a key.
05Private SSH keys should live…
Incorrect — then a server compromise leaks your login everywhere.
Correct — a compromised server cannot log in elsewhere.
Incorrect — never commit a private key.
Incorrect — world-writable and wrong.
06A bastion (jump host) improves security by…
Incorrect — not the point.
Incorrect — it is not a password store.
Correct — internal hosts accept SSH only from it.
Incorrect — SSH already encrypts; the bastion is about surface.
07PAM is where you enforce…
Correct — one place every auth path consults.
Incorrect — that is nftables.
Incorrect — that is sysctl.
Incorrect — that is AIDE.
08faillock provides…
Incorrect — that is crypt/shadow.
Correct — rate-limits guessing even for local logins.
Incorrect — no.
Incorrect — that is ssh-keygen.
09Granting sudo to a program like vi, less, or find is dangerous because…
Incorrect — not the issue.
Incorrect — not the issue.
Correct — the grant becomes total.
Incorrect — irrelevant.
10A safe sudo rule…
Correct — e.g. /bin/systemctl restart nginx, not systemctl *.
Incorrect — that is passwordless root.
Incorrect — wildcards widen the grant beyond intent.
Incorrect — exactly what to avoid.
10 questions · explanations appear as you answer
Network hardening
10 questions
01A hardened host firewall should default to…
Incorrect — that fails open — the opposite of hardening.
Correct — new mistakes fail closed.
Incorrect — leaves everything exposed.
Incorrect — that is backwards and blocks your own access.
02With an nftables default-deny input policy, a forgotten debug port is…
Correct — the backstop for service minimization.
Incorrect — no — default-deny drops it.
Incorrect — firewalls do not encrypt.
Incorrect — unrelated.
03SSH in the firewall should ideally be accepted…
Incorrect — maximizes exposure.
Incorrect — then you cannot manage the host.
Correct — scope even the ports you must keep open.
Incorrect — SSH is TCP.
04Applying a default-drop policy over a live SSH session risks…
Incorrect — it can cut you off instantly.
Correct — include it first; use nft -c; schedule a rollback.
Incorrect — unrelated.
Incorrect — unrelated.
05net.ipv4.ip_forward=0 on a non-router prevents…
Incorrect — not a performance setting.
Incorrect — that is a different concern.
Correct — forwarding turns a popped host into a gateway.
Incorrect — it does not stop scanning.
06accept_redirects = 0 protects against…
Correct — ignore redirects on a hardened host.
Incorrect — that is tcp_syncookies.
Incorrect — unrelated.
Incorrect — not a redirect concern.
07rp_filter = 1 (reverse-path filtering) drops…
Incorrect — no.
Correct — anti-spoofing.
Incorrect — unrelated.
Incorrect — unrelated.
08The most reliable way to secure a service is to…
Incorrect — helps, but the service still runs.
Incorrect — does not remove the surface.
Correct — every listener removed is risk removed.
Incorrect — the opposite of hardening.
09A local-only service (database, metrics) should bind to…
Correct — reachable only from the host itself.
Incorrect — exposes it on all interfaces.
Incorrect — maximizes exposure.
Incorrect — still public.
10Removing compilers and legacy clients (telnet, rsh) from a server…
Incorrect — it reduces real attack surface and post-exploitation tooling.
Correct — the bare-metal echo of distroless.
Incorrect — it does not.
Incorrect — it applies to hosts too.
10 questions · explanations appear as you answer
Kernel & filesystem
10 questions
01kernel.yama.ptrace_scope = 1 stops a compromised process from…
Correct — a process may only ptrace its own children.
Incorrect — unrelated to ptrace.
Incorrect — that is a firewall/sysctl-net concern.
Incorrect — unrelated.
02kptr_restrict and dmesg_restrict deny an exploit…
Incorrect — those are network settings.
Correct — they make exploitation harder.
Incorrect — they do not block execution.
Incorrect — unrelated.
03Disabling unprivileged BPF (unprivileged_bpf_disabled=1) removes…
Incorrect — no.
Incorrect — no.
Correct — unprivileged BPF has been an escalation vector.
Incorrect — not generally.
04kernel.randomize_va_space = 2 provides…
Correct — confirm it is at max.
Incorrect — no.
Incorrect — unrelated.
Incorrect — unrelated.
05Blacklisting obscure filesystem/protocol modules reduces risk because…
Incorrect — not the reason.
Correct — refuse to load what you will not use.
Incorrect — not the concern.
Incorrect — irrelevant.
06install dccp /bin/true in modprobe.d…
Incorrect — the opposite.
Incorrect — no.
Correct — more robust than the blacklist keyword.
Incorrect — it prevents loading, not deletion.
07A malicious loaded kernel module is game over because it…
Correct — a rootkit controls what your tools see.
Incorrect — trivial compared to the real risk.
Incorrect — the danger is that it is not.
Incorrect — it has full kernel control.
08Mounting /tmp with noexec means an attacker…
Incorrect — they can write; noexec stops execution.
Correct — breaks a common post-exploitation step.
Incorrect — noexec is about execution, not reading.
Incorrect — the opposite.
09nosuid as a mount option means…
Incorrect — that is read-only.
Incorrect — that is nodev.
Correct — a dropped SUID binary there is inert.
Incorrect — that is noexec.
10noexec on /tmp can break…
Correct — test workloads; give such apps a dedicated writable path.
Incorrect — unrelated.
Incorrect — unrelated.
Incorrect — unrelated.
10 questions · explanations appear as you answer
Mandatory access control
10 questions
01Mandatory Access Control (SELinux/AppArmor) differs from normal permissions because it…
Incorrect — that is discretionary permissions.
Correct — a compromised service is boxed into its declared behavior.
Incorrect — it applies to all processes.
Incorrect — different layer entirely.
02getenforce returning "Enforcing" means…
Correct — the goal state.
Incorrect — that would say Disabled.
Incorrect — that is Permissive.
Incorrect — unrelated to SELinux mode.
03SELinux confines a compromised web server by…
Incorrect — MAC is not encryption.
Incorrect — the opposite.
Correct — type-based rules box it in.
Incorrect — that is the firewall.
04The correct response to a legitimate SELinux denial is…
Incorrect — that disables a whole defensive layer.
Correct — or toggle the right boolean.
Incorrect — never disable it to fix one denial.
Incorrect — not a fix.
05SELinux logs a blocked access as…
Correct — read it rather than disabling SELinux.
Incorrect — no.
Incorrect — it logs, it does not fail silently.
Incorrect — different subsystem.
06AppArmor confines a program using…
Incorrect — that is SELinux’s model.
Correct — path-based and legible.
Incorrect — no.
Incorrect — that is integrity monitoring.
07The safe way to roll out a new AppArmor (or SELinux) profile is…
Incorrect — an unproven profile breaks the app.
Incorrect — that removes confinement.
Correct — log violations, fix the profile, then block.
Incorrect — unrelated.
08The wrong fix for an AppArmor denial is…
Correct — that drops confinement entirely.
Incorrect — that is the right fix.
Incorrect — that is correct.
Incorrect — that is correct.
09MAC is most important for…
Incorrect — less critical than exposed ones.
Correct — exactly what the profile is designed to box in.
Incorrect — not the MAC target.
Incorrect — those are protected differently.
10SELinux and AppArmor are, respectively, the MAC systems typically on…
Incorrect — neither is those OSes.
Incorrect — AppArmor is Debian-family; SELinux is not.
Correct — SELinux on RHEL, AppArmor on Debian/Ubuntu.
Incorrect — they harden hosts too.
10 questions · explanations appear as you answer
Audit & compliance
10 questions
01auditd captures security events at a level that…
Correct — kernel-level, tamper-resistant record.
Incorrect — the point is it is independent of the app.
Incorrect — different purpose.
Incorrect — it logs syscalls and file access broadly.
02-w /etc/shadow -p wa -k identity watches for…
Incorrect — p wa is write + attribute, not read.
Correct — w=watch, p=perm filter (write, attribute), k=key.
Incorrect — that would be p x.
Incorrect — it covers writes and attribute changes.
03Auditing module loads (init_module/finit_module) matters because…
Incorrect — size is irrelevant.
Incorrect — no.
Correct — high-signal event.
Incorrect — no.
04Making audit rules immutable (-e 2) means…
Correct — protects the audit config.
Incorrect — they load, then lock.
Incorrect — no.
Incorrect — no.
05An over-broad audit ruleset (log everything) causes…
Incorrect — the opposite in practice.
Correct — watch high-signal targets, ship the rest off-box.
Incorrect — it produces too many, not none.
Incorrect — noise slows investigation.
06File integrity monitoring (AIDE) works by…
Incorrect — it detects, it does not block.
Incorrect — no.
Correct — surfaces modified binaries and configs.
Incorrect — that is a port scanner.
07You must build the AIDE baseline…
Correct — baseline a compromised host and you record the implants as normal.
Incorrect — too late — you would baseline the attacker.
Incorrect — no.
Incorrect — update it deliberately after approved changes.
08CIS Benchmarks are…
Incorrect — no — a consensus hardening checklist.
Correct — measured with OpenSCAP.
Incorrect — no.
Incorrect — no.
09The benchmark workflow is…
Incorrect — hosts drift after one scan.
Incorrect — you need the scan to know what to fix.
Correct — hardening as a maintained state.
Incorrect — that hides the problem.
10A 100% CIS score means the host is…
Incorrect — no — benchmarks check config, not app vulns or an attacker inside.
Correct — layer patching, least privilege, detection on top.
Incorrect — overstated.
Incorrect — patching is still essential.
10 questions · explanations appear as you answer