Skip to content

Linux Security

← Back to all decks

91 cards — 🟢 25 easy | 🟡 35 medium | 🔴 18 hard

🟢 Easy (25)

1. How to recursively change permissions for all directories except files and for all files except directories?

Show answer To change all the directories e.g. to **755** (`drwxr-xr-x`):

```bash\nfind /opt/data -type d -exec chmod 755 {} \;\n```

To change all the files e.g. to **644** (`-rw-r--r--`):

```bash\nfind /opt/data -type f -exec chmod 644 {} \;\n```

Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

2. How to see a list of who logged in to the system?

Show answer Several commands show login history:

Current users:
- who - Currently logged in users
- w - Logged in users with activity
- users - Simple list of usernames

Login history:
- last - Recent logins from /var/log/wtmp
- last username - Specific user history

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

3. Why do we use sudo su - and not just sudo su?

Show answer `sudo` is in most modern Linux distributions where (but not always) the root user is disabled and has no password set. Therefore you cannot switch to the root user with `su` (you can try). You have to call `sudo` with root privileges: `sudo su`.

`su` just switches the user, providing a normal shell with an environment nearly the same as with the old user.

`su -` invokes a login shell after switching the user. A login shell resets most environment variables, providing a clean base.

4. How does "Sticky Bit" work on a directory?

Show answer The sticky bit restricts file deletion in shared directories to owners only.

How it works:
- When set on a directory (not files), only the file owner, directory owner, or root can delete/rename files within
- Other users with write permission to the directory cannot delete others' files
- Classic use case: /tmp directory



Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

5. What is sudo? How do you set it up?

Show answer sudo is a command-line utility in Unix-like operating systems that allows users to run programs with the privileges of another user, usually the superuser (root). It stands for "superuser do.

The sudo program is installed by default in almost all Linux distributions. If you need to install sudo in Debian/Ubuntu, use the command apt-get install sudo

Remember: sudo config: `/etc/sudoers`. ALWAYS edit with `visudo` — validates syntax.

Gotcha: Broken sudoers = locked out. visudo prevents by checking before saving.

6. Where is my password stored on Linux/Unix?

Show answer The passwords are not stored anywhere on the system at all. What is stored in `/etc/shadow` are so called hashes of the passwords.

A hash of some text is created by performing a so called one way function on the text (password), thus creating a string to check against. By design it is "impossible" (computationally infeasible) to reverse that process.


Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

7. What is the purpose of sticky bit?

Show answer Its a bit that only allows the owner or the root user to delete or modify the file.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

8. Running the command as root user. It is a good or bad practices?

Show answer Running (everything) as root is bad because:

- **Stupidity**: nothing prevents you from making a careless mistake. If you try to change the system in any potentially harmful way, you need to use sudo, which ensures a pause (while you're entering the password) to ensure that you aren't about to make a mistake.


Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

9. How do you change file ownership on Linux?

Show answer `chown` (change owner). Syntax: `chown user:group file`. Examples: `chown alice file.txt` (change owner), `chown alice:devs file.txt` (owner and group), `chown :devs file.txt` (group only). Use `-R` for recursive: `chown -R alice:devs /opt/app/`. Requires root or sudo unless you own the file.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

10. Explain what is setgid and setuid

Show answer * setuid is a linux file permission that permits a user to run a file or program with the permissions of the owner of that file. This is possible by elevation of current user privileges.
* setgid is a process when executed will run as the group that owns the file.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

11. How to add a new user to the system without providing a password?

Show answer Several methods:

useradd without password:
- useradd -m username (creates user, no password set)
- Account is locked until password set

Set empty password (not recommended):
- passwd -d username (deletes password)

SSH key authentication (recommended):
- useradd -m username
- mkdir /home/username/.ssh

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

12. How do you change file permissions on Linux?

Show answer `chmod` (change mode). Two forms: symbolic (`chmod u+x script.sh`) and octal (`chmod 755 script.sh`). Octal digits: 4=read, 2=write, 1=execute — e.g. 755 means rwxr-xr-x (owner full, group/others read+execute). Use `-R` for recursive. Common patterns: `chmod 600 secrets.key` (owner-only), `chmod +x deploy.sh` (make executable).

Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

13. True or False? In order to install packages on the system you must have root privileges.

Show answer Generally TRUE, but with exceptions:

TRUE because:
- System packages install to protected paths (/usr, /etc)
- Package managers (apt, yum, dnf) require root

Exceptions:
- User-level: pip install --user, npm install, cargo install
- Containerized: Docker/Podman, Flatpak, Snap with user scope
- Rootless: Nix with user profiles, Homebrew

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

14. What is the UID the root user? What about a regular user?

Show answer Re-install the OS IS NOT the right answer :)

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

15. What is Kerberos and how does it handle authentication?

Show answer Kerberos is a network authentication protocol using tickets.

Components:
- KDC (Key Distribution Center): Auth server
- TGT (Ticket Granting Ticket): Initial auth token
- Service tickets: Access specific services
- Principal: User or service identity

How it works:
1. User authenticates to KDC, gets TGT
2. TGT used to request service tickets
3.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

16. What is the difference between a User and a Superuser?

Show answer A User has limited access; a Superuser (root) has unlimited permissions.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

17. What does the sudo command do?

Show answer It allows a permitted user to execute a command as the superuser (root) or another user, elevating privileges for that command.

Remember: sudo config: `/etc/sudoers`. ALWAYS edit with `visudo` — validates syntax.

Gotcha: Broken sudoers = locked out. visudo prevents by checking before saving.

18. What is a superuser or root user? How is it different from regular users?

Show answer Root (UID 0) is the superuser with unrestricted access.

Root capabilities:
- Access all files regardless of permissions
- Modify any system configuration
- Bind to privileged ports (<1024)
- Load kernel modules
- Mount filesystems

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

19. How do you change the owner of a file in Linux?

Show answer Using the chown command (e.g., chown user:group filename).

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

20. What is SELinux and how does it enforce mandatory access control?

Show answer SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system.

Features:
- Fine-grained access control beyond standard permissions
- Labels on files, processes, ports
- Policy defines allowed actions
- Developed by NSA, in mainline kernel

Modes:
- Enforcing: Blocks and logs violations

Remember: SELinux: Enforcing, Permissive, Disabled. Check: `getenforce`. "EPD."

Gotcha: `setenforce 0` is temporary. Permanent: `/etc/selinux/config`. Disabling breaks compliance.

21. What does umask control?

Show answer The default permission mask for newly created files and directories. umask is subtracted from the maximum permissions (666 for files, 777 for directories) to determine the actual permissions.

Remember: umask subtracts from 666(files)/777(dirs). 022→644/755. "What to remove."

22. What are the three SELinux modes, and how do you check the current mode?

Show answer Enforcing (policies enforced, violations blocked and logged), Permissive (policies not enforced, violations logged only), Disabled (SELinux completely off). Check with getenforce (quick) or sestatus (detailed). Use setenforce 0/1 to toggle temporarily; edit /etc/selinux/config for persistence.

Remember: SELinux: Enforcing, Permissive, Disabled. Check: `getenforce`. "EPD."

Gotcha: `setenforce 0` is temporary. Permanent: `/etc/selinux/config`. Disabling breaks compliance.

23. Name five SSH hardening settings you should configure in /etc/ssh/sshd_config.

Show answer PermitRootLogin no, PasswordAuthentication no (use keys only), MaxAuthTries 3, X11Forwarding no, and AllowUsers . Additional settings: ClientAliveInterval 300, ClientAliveCountMax 2, LogLevel VERBOSE. Always restrict ciphers and MACs to strong algorithms.

Remember: SSH hardening: disable root, disable passwords, use keys, fail2ban. `/etc/ssh/sshd_config`.

Example: `ssh-keygen -t ed25519` — modern, fast, secure. Ed25519 > RSA.

24. How do you find SUID and SGID binaries on a system, and why should you audit them?

Show answer find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -la {} \; 2>/dev/null. SUID binaries run with the file owner's privileges (often root), making them privilege escalation vectors. SGID binaries run with the group's privileges. Audit them regularly and remove unnecessary SUID bits with chmod u-s.

Remember: auditd = kernel audit. Rules: `/etc/audit/rules.d/`. Required for compliance.

25. What is a CLI? Tell me about your favorite CLI tools, tips, and hacks.

Show answer **CLI** (Command Line Interface) is a text-based interface for interacting with the OS by typing commands.

Key concepts:
- Shell (bash, zsh) interprets and executes commands
- Commands follow the pattern: `command [options] [arguments]`
- Supports piping (`|`), redirection (`>`, `<`), and scripting
- More powerful than GUI for automation, remote access (SSH), and batch operations

Essential for DevOps: nearly all server administration, CI/CD, and infrastructure management happens via CLI.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

🟡 Medium (35)

1. What does the following permissions mean?:

Show answer
777 - You give the owner, group and other: Execute (1), Write (2) and Read (4); 4+2+1 = 7.
644 - Owner has Read (4), Write (2), 4+2 = 6; Group and Other have Read (4).
750 - Owner has x+r+w, Group has Read (4) and Execute (1); 4+1 = 5. Other have no permissions.


Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

2. Explain what are ACLs. For what use cases would you recommend to use them?

Show answer ACL stands for Access Control Lists. We can use ACL to have more granular control over accesses to certain files for certain users specifically. For instance, we can return the ACL of a particular file with the command `getfacl /absolute/file/path` and modify ACLs for a specific file with `setfacl -m`.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

3. Which file stores users passwords? Is it visible for everyone?

Show answer `/etc/shadow` file holds the passwords of the users in encrypted format. NO, it is only visible to the `root` user

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

4. SELinux enforcing vs permissive?

Show answer Enforcing blocks violations.

Permissive logs AVC denials but allows execution—used for debugging and policy development.

Remember: SELinux: Enforcing, Permissive, Disabled. Check: `getenforce`. "EPD."

Gotcha: `setenforce 0` is temporary. Permanent: `/etc/selinux/config`. Disabling breaks compliance.

5. How to change the permissions of a file?

Show answer Using the `chmod` command.

Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

6. What is chroot? In what scenarios would you consider using it?

Show answer chroot changes the apparent root directory for a process.

How it works:
- chroot /newroot /bin/bash
- Process sees /newroot as /
- Can't access files outside

Use cases:
1. System recovery - Boot from live CD, chroot to repair
2. Build environments - Isolated compilation
3. Legacy applications - Run with old libraries
4. Basic isolation - Simple sandboxing
5.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

7. How do you create a private key for a CA (certificate authority)?

Show answer One way is using openssl this way:

`openssl genrsa -aes256 -out ca-private-key.pem 4096`

Remember: TLS port 443. Chain: Root CA→Intermediate→Server. Let's Encrypt=free, 90-day.

8. How to switch to another user? How to switch to the root user?

Show answer su command.
Use su - to switch to root

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

9. What does chmod 755 filename do?

Show answer Sets file permissions to rwxr-xr-x (owner can read/write/execute, group and others can read/execute).

Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

10. What is firewalld daemon responsible for?

Show answer firewalld is a dynamic firewall manager for Linux.

Responsibilities:
- Managing firewall rules
- Zone-based configuration
- Runtime and permanent rules
- D-Bus interface for applications

Features:
- Zones: Different trust levels (public, home, trusted)

Remember: Ubuntu=UFW, RHEL=firewalld. Both=iptables/nftables frontends.

11. Explain the differences among the following umask values: 000, 002, 022, 027, 077, and 277.

Show answer Each umask subtracts permissions from defaults (666 files, 777 dirs).

- 000: files=666 (rw-rw-rw-), dirs=777 (rwxrwxrwx) -- no restrictions
- 002: files=664 (rw-rw-r--), dirs=775 -- others can't write
- 022: files=644 (rw-r--r--), dirs=755 -- only owner writes (common default)
- 027: files=640, dirs=750 -- others get nothing
- 077: files=600, dirs=700 -- only owner has access
- 277: files=400, dirs=500 -- owner can only read

Remember: umask subtracts from 666(files)/777(dirs). 022→644/755. "What to remove."

12. What can you do if you lost/forgot the root password?

Show answer Boot into single-user/rescue mode to reset:

GRUB method:
1. Reboot, edit GRUB entry (press 'e')
2. Find linux line, append: init=/bin/bash (or single)
3. Boot (Ctrl+X or F10)
4. Remount root: mount -o remount,rw /
5. Reset password: passwd root
6. Reboot: exec /sbin/init (or reboot -f)

With systemd:
- Append: rd.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

13. How do you create a public key for a CA (certificate authority)?

Show answer `openssl req -new -x509 -days 730 -key [private key file name] -sha256 -out ca.pem`

If using the private key from the previous question then the command would be:

`openssl req -new -x509 -days 730 -key ca-private-key.pem -sha256 -out ca.pem`

Remember: TLS port 443. Chain: Root CA→Intermediate→Server. Let's Encrypt=free, 90-day.

14. How do you create users? Where user information is stored?

Show answer Command to create users is `useradd`

Syntax:
`useradd [options] Username`

There are 2 configuration files, which stores users information

1. `/etc/passwd` - Users information like, username, shell etc is stored in this file

2. `/etc/shadow` - Users password is stored in encrypted format

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

15. What information is stored in /etc/passwd? explain each field

Show answer `/etc/passwd` is a configuration file, which contains users information. Each entry in this file has, 7 fields,

`username:password:UID:GID:Comment:home directory:shell`

`username` - The name of the user.


Remember: /etc/passwd=user info(world-readable). /etc/shadow=hashes(root-only).

16. How does the sticky bit work? The SUID/GUID is the same?

Show answer This is probably one of my most irksome things that people mess up all the time. The **SUID/GUID** bit and the **sticky-bit** are 2 completely different things.

If you do a `man chmod` you can read about the **SUID** and **sticky-bits**.


Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

17. Capabilities vs setuid?

Show answer setuid grants full root privileges.

Capabilities grant fine-grained privileges (e.g. `CAP_NET_BIND_SERVICE`)—least privilege model.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

18. How do you change/set the password of a user?

Show answer `passwd ` is the command to set/change password of a user.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

19. How to run script as another user without password?

Show answer For example (with `visudo` command):

```bash\nuser1 ALL=(user2) NOPASSWD: /opt/scripts/bin/generate.sh\n```

The command paths must be absolute! Then call `sudo -u user2 /opt/scripts/bin/generate.sh` from a user1 shell.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

20. What this command does? chmod +x some_file

Show answer It adds execute permissions to all sets i.e user, group and others

Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

21. True or False? It's not possible to have a root user with ID 0 in child user namespaces

Show answer False. In every child user namespace, it's possible to have a separate root user with uid of 0.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

22. I have forgotten the root password! What do I do in BSD? What is the purpose of booting into single user mode?

Show answer Restart the system, type `boot -s` at the `Boot:` prompt to enter **single-user mode**.

At the question about the shell to use, hit `Enter` which will display a `#` prompt.

Enter `mount -urw /` to remount the root file system read/write, then run `mount -a` to remount all the file systems.

Run `passwd root` to change the root password then run `exit` to continue booting.


Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

23. You run grep $(whoami) /etc/passwd but the output is empty. What might be a possible reason for that?

Show answer The user you are using isn't defined locally but originates from services like LDAP.
You can verify with: `getent passwd`

Remember: /etc/passwd=user info(world-readable). /etc/shadow=hashes(root-only).

24. Which file stores information about groups?

Show answer `/etc/groups` file stores the group name, group ID, usernames which are in secondary group.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

25. What is umask? How to set it permanently for a user?

Show answer On Linux and other Unix-like operating systems, new files are created with a default set of permissions. Specifically, a new file's permissions may be restricted in a specific way by applying a permissions "mask" called the `umask`. The `umask` command is used to set this mask, or to show you its current value.

Permanently change (set e.g. `umask 02`):

- `~/.profile`
- `~/.bashrc`
- `~/.zshrc`
- `~/.cshrc`

Remember: umask subtracts from 666(files)/777(dirs). 022→644/755. "What to remove."

26. How and why Linux daemons drop privileges? Why some daemons need root permissions to start? Explain.

Show answer The problem with a load of 1.00 is that you have no headroom. In practice, many sysadmins will draw a line at 0.70.

The "Need to Look into it" Rule of Thumb: 0.70 If your load average is staying above > 0.70, it's time to investigate before things get worse.


Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

27. A user accidentally executed the following chmod -x $(which chmod). How to fix it?

Show answer Using `sudo setfacl -m u::rx /usr/bin/chmod` will set the execute permissions on `chmod` for all the users. Post this, the `chmod` binary can be used as usual.

Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

28. Do you know how to create a new user without using adduser/useradd command?

Show answer YES, we can create new user by manually adding an entry in the `/etc/passwd` file.

For example, if we need to create a user called `john`.

Step 1: Add an entry to `/etc/passwd` file, so user gets created.


Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

29. Your friend during configuration of the MySQL server asked you: Should I run sudo mysql_secure_installation after installing mysql? What do you think about it?

Show answer It would be better if you run command as it provides many security options like:

- You can set a password for root accounts
- You can remove root accounts that are accessible from outside the local host
- You can remove anonymous-user accounts
- You can remove the test database, which by default can be accessed by anonymous users

Remember: sudo config: `/etc/sudoers`. ALWAYS edit with `visudo` — validates syntax.

Gotcha: Broken sudoers = locked out. visudo prevents by checking before saving.

30. What does execute permission on a directory mean vs on a file?

Show answer On a file: the file can be run as a program or script.
On a directory: you can traverse (cd into) and access files within it. Without execute on a directory, you cannot list or access its contents even with read permission.

Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

31. What are CIS Benchmarks, and what categories do they cover for Linux hardening?

Show answer CIS (Center for Internet Security) Benchmarks are the gold standard for compliance auditing. Categories include: filesystem configuration, software updates, filesystem integrity (AIDE), boot settings, process hardening (ASLR, core dumps), mandatory access control (SELinux), network configuration, firewall, logging/auditing, PAM/password policies, SSH configuration, and user accounts.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

32. How do you configure PAM to enforce password complexity and lock accounts after failed login attempts?

Show answer Password complexity: use pam_pwquality.so with options like minlen=14, dcredit=-1, ucredit=-1, ocredit=-1, lcredit=-1. Account lockout: use pam_faillock.so with deny=5 and unlock_time=900 (lock for 15 minutes after 5 failures). Restrict su to wheel group with pam_wheel.so use_uid in /etc/pam.d/su.

Remember: PAM types: auth, account, password, session. Config: `/etc/pam.d/`. "AAPS."

33. Name five important sysctl settings for Linux hardening and explain what they do.

Show answer kernel.randomize_va_space=2 (enable ASLR), net.ipv4.tcp_syncookies=1 (SYN flood protection), net.ipv4.conf.all.accept_redirects=0 (disable ICMP redirects), kernel.dmesg_restrict=1 (restrict dmesg to root), kernel.yama.ptrace_scope=1 (restrict process tracing). Persist in /etc/sysctl.d/99-hardening.conf and apply with sysctl -p.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

34. An application cannot read files in its data directory due to SELinux. How do you diagnose and fix this?

Show answer 1) Check for denials: ausearch -m avc -ts recent. 2) Inspect file contexts: ls -Z on the directory. 3) If wrong context, fix with: semanage fcontext -a -t "/path/to/data(/.*)?" then restorecon -Rv /path/to/data/. 4) Check booleans: getsebool -a | grep . 5) If a boolean fix exists, use setsebool -P on.

Remember: SELinux: Enforcing, Permissive, Disabled. Check: `getenforce`. "EPD."

Gotcha: `setenforce 0` is temporary. Permanent: `/etc/selinux/config`. Disabling breaks compliance.

35. How do you configure auditd to monitor changes to critical system files?

Show answer Add watch rules to /etc/audit/rules.d/hardening.rules. Examples: -w /etc/passwd -p wa -k identity (watch passwd for writes/attribute changes), -w /etc/shadow -p wa -k identity, -w /etc/sudoers -p wa -k actions, -w /etc/ssh/sshd_config -p wa -k sshd. The -k flag sets a key for searching. Make config immutable with -e 2 (requires reboot to change).

Remember: auditd = kernel audit. Rules: `/etc/audit/rules.d/`. Required for compliance.

🔴 Hard (18)

1. What is the main advantage of using chroot? When and why do we use it? What is the purpose of the mount dev, proc, sys in a chroot environment?

Show answer An advantage of having a chroot environment is the file-system is totally isolated from the physical host. `chroot` has a separate file-system inside the file-system, the difference is its uses a newly created root(/) as its root directory.


Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

2. What is the difference between encryption and hashing?

Show answer **Hashing**: Finally, hashing is a form of cryptographic security which differs from **encryption** whereas **encryption** is a two step process used to first encrypt and then decrypt a message, **hashing** condenses a message into an irreversible fixed-length value, or hash.

Remember: LUKS = disk encryption. `cryptsetup luksFormat /dev/sdb1`.

3. What is the difference between /sbin/nologin, /bin/false, and /bin/true?

Show answer When `/sbin/nologin` is set as the shell, if user with that shell logs in, they'll get a polite message saying 'This account is currently not available'.

`/bin/false` is just a binary that immediately exits, returning false, when it's called, so when someone who has false as shell logs in, they're immediately logged out when false exits.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

4. Should the root certificate go on the server?

Show answer **Self-signed root certificates** need not/should not be included in web server configuration. They serve no purpose (clients will always ignore them) and they incur a slight performance (latency) penalty because they increase the size of the SSL handshake.


Remember: TLS port 443. Chain: Root CA→Intermediate→Server. Let's Encrypt=free, 90-day.

5. Which algorithms are supported in /etc/shadow file?

Show answer Typical current algorithms are:

- MD5
- SHA-1 (also called SHA)

both should not be used for cryptographic/security purposes any more!!

- SHA-256
- SHA-512
- SHA-3 (KECCAK was announced the winner in the competition for a new federal approved hash algorithm in October 2012)

Remember: /etc/passwd=user info(world-readable). /etc/shadow=hashes(root-only).

6. Which way of additionally feeding random entropy pool would you suggest for producing random passwords? How to improve it?

Show answer You should use `/dev/urandom`, not `/dev/random`. The two differences between `/dev/random` and `/dev/urandom` are:

- `/dev/random` might be theoretically better _in the context of an information-theoretically secure algorithm_. This is the kind of algorithm which is secure against today's technology, and also tomorrow's technology, and technology used by aliens, and God's own iPad as well.


Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

7. What happens when you run :(){ :|:& };: and why is it dangerous?

Show answer This is a fork bomb - a denial-of-service attack that rapidly exhausts system resources.

Breaking down the syntax:
- `:()` - defines a function named ':'
- `{ :|:& }` - function body: calls itself, pipes to another copy of itself, runs in background
- `;:` - end definition and execute the function

What happens:
1. Function calls itself twice (via pipe)
2.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

8. Other admin trying to debug a server accidentally typed: chmod -x /bin/chmod. How to reset permissions back to default?

Show answer ```bash\n# 1:\ncp /bin/ls chmod.01\ncp /bin/chmod chmod.01\n./chmod.01 700 file\n\n# 2:\n/bin/busybox chmod 0700 /bin/chmod\n\n# 3:\nsetfacl --set u::rwx,g::---,o::--- /bin/chmod\n\n# 4:\n/usr/lib/ld*.so /bin/chmod 0700 /bin/chmod\n```

Remember: 4=read, 2=write, 1=execute. 755=rwxr-xr-x. SUID=4000, SGID=2000, sticky=1000.

Gotcha: SUID runs as owner(root). Find: `find / -perm -4000`. Security audit must-check.

9. Ordinary users are able to read /etc/passwd. Is it a security hole? Do you know other password shadowing scheme?

Show answer Typically, the _hashed passwords_ are stored in `/etc/shadow` on most Linux systems:

```bash\n-rw-r----- 1 root shadow 1349 2016-07-03 03:54 /etc/shadow\n```

They are stored in `/etc/master.passwd` on BSD systems.


Remember: /etc/passwd=user info(world-readable). /etc/shadow=hashes(root-only).

10. Do you have experience with hardening servers? Can you describe the process?

Show answer Server hardening reduces attack surface and vulnerabilities.

Key areas:
1. Updates: Keep system patched
2. Users: Disable root login, use sudo, strong passwords
3. SSH: Key-only auth, change port, fail2ban
4. Firewall: Allow only needed ports
5. Services: Disable unnecessary services
6. File permissions: Proper ownership, no world-writable
7. SELinux/AppArmor: Enable MAC
8.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

11. What is this UID 0 toor account? Have I been compromised?

Show answer **toor** is an alternative superuser account, where toor is root spelled backwards. It is intended to be used with a non-standard shell so the default shell for root does not need to change.

This is important as shells which are not part of the base distribution, but are instead installed from ports or packages, are installed in `/usr/local/bin` which, by default, resides on a different file sy

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

12. What is the difference between DAC and MAC?

Show answer Two fundamentally different access control models:

**DAC (Discretionary Access Control)**:
* Traditional Unix permissions (rwx)
* Owner controls access to their objects
* Users can change permissions on their files
* Root bypasses all checks
* Vulnerable to privilege escalation

**MAC (Mandatory Access Control)**:

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

13. How to check whether the private key and the certificate match?

Show answer ```bash\n(openssl rsa -noout -modulus -in private.key | openssl md5 ; openssl x509 -noout -modulus -in certificate.crt | openssl md5) | uniq\n```

Remember: TLS port 443. Chain: Root CA→Intermediate→Server. Let's Encrypt=free, 90-day.

14. What are salted hashes? Generate the password with salt for the /etc/shadow file.

Show answer **Salt** at its most fundamental level is random data. When a properly protected password system receives a new password, it will create a hashed value for that password, create a new random salt value, and then store that combined value in its database. This helps defend against dictionary attacks and known hash attacks.


Remember: /etc/passwd=user info(world-readable). /etc/shadow=hashes(root-only).

15. You have configured an RSA key login but your server show Server refused our key as expected. Where will you look for the cause of the problem?

Show answer **Server side**

Setting `LogLevel VERBOSE` in file `/etc/ssh/sshd_config` is probably what you need, although there are higher levels:

SSH auth failures are logged in `/var/log/auth.log`, `/var/log/secure` or `/var/log/audit/audit.log`.


Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.

16. Explain the SELinux context format and how type enforcement works in targeted policy.

Show answer Context format: user:role:type:level. In targeted policy, the type field matters most. Processes have types (e.g., httpd_t) and files have types (e.g., httpd_sys_content_t). Policy rules define which process types can access which file types. For example, httpd_t can read httpd_sys_content_t but not other types, confining Apache even if it is compromised.

Remember: SELinux: Enforcing, Permissive, Disabled. Check: `getenforce`. "EPD."

Gotcha: `setenforce 0` is temporary. Permanent: `/etc/selinux/config`. Disabling breaks compliance.

17. How do you create a custom SELinux policy module to allow a specific denied action?

Show answer 1) Find the denial: ausearch -m avc -ts recent. 2) Generate a policy module: ausearch -m avc -ts recent | audit2allow -M mypolicy. 3) Review the generated policy: cat mypolicy.te (verify it is not overly permissive). 4) Install the module: semodule -i mypolicy.pp. Always review before applying -- audit2allow can generate overly broad policies that weaken security.

Remember: SELinux: Enforcing, Permissive, Disabled. Check: `getenforce`. "EPD."

Gotcha: `setenforce 0` is temporary. Permanent: `/etc/selinux/config`. Disabling breaks compliance.

18. What are the most common Linux hardening mistakes that undermine security?

Show answer Disabling SELinux instead of fixing the policy. Not persisting changes (setenforce 1 and sysctl -w do not survive reboot). Leaving default SSH keys. Blindly applying CIS benchmarks without understanding the workload. Auditing every syscall (fills disk, degrades performance). Building hardened AMIs that drift without re-hardening. Not testing changes in staging first.

Remember: Security layers: perms, sudo, firewall, SELinux/AppArmor, auditing.

Gotcha: Defense in depth — no single layer is enough.