GSEC Practice Exam: Linux Security Domain
GSEC Practice Questions
Master the Linux Security Domain
Test your knowledge in the Linux Security domain with these 10 practice questions. Each question is designed to help you prepare for the GSEC certification exam with detailed explanations to reinforce your learning.
Question 1
A Linux server in your organization is suspected to have been compromised. To check for unauthorized kernel modules that might have been loaded by an attacker, which command should you use?
Correct Answer: A
Explanation: Option A is correct because 'lsmod' lists all currently loaded kernel modules, allowing you to identify any unauthorized modules. Option B, 'df -h', displays disk space usage and is not relevant for kernel modules. Option C, 'iptables -L', lists firewall rules, which is unrelated to kernel modules. Option D, 'top', shows running processes and system resource usage, not kernel modules.
Question 2
During a security audit, you discover that a Linux system has several unnecessary services running, which might be a security risk. Which command would you use to list all active services on the system?
Correct Answer: B
Explanation: Option B is correct because 'systemctl list-units --type=service' lists all active services managed by systemd, which is the default service manager on most modern Linux distributions. Option A, 'ps aux', lists all running processes but does not specifically show services. Option C, 'netstat -tuln', displays network connections, not services. Option D, 'top', shows active processes and their resource usage, not a list of services.
Question 3
A Linux server has been compromised, and the incident response team is tasked with preserving evidence. Which command should be used to create a complete disk image for forensic analysis?
Correct Answer: C
Explanation: The 'dd' command is used to create a bit-by-bit copy of a disk, which is essential for forensic analysis. 'cp' and 'rsync' are used for file copying and are not suitable for creating disk images. 'tar' is for archiving files, not for creating disk images. Thus, 'dd' is the correct choice for creating a forensic disk image.
Question 4
A company uses Linux-based servers to host their web applications. They want to ensure that the applications are protected against unauthorized file modifications. What Linux feature can be used to monitor and alert on file changes?
Correct Answer: C
Explanation: Option C is correct because inotify is a Linux kernel subsystem that monitors file system events, allowing you to set up alerts for file changes. Option A, iptables, is used for network packet filtering, not file monitoring. Option B, SELinux, is used for access control policies, not specifically for monitoring file changes. Option D, cron, is used for scheduling tasks, not monitoring files.
Question 5
You are a security engineer tasked with hardening a Linux server used for web hosting. During a routine audit, you notice that the SSH service is configured to allow root login. What is the most secure way to configure SSH to prevent unauthorized access while maintaining necessary administrative functionality?
Correct Answer: C
Explanation: Option C is correct because disabling root login over SSH and using sudo for administrative tasks enhances security by enforcing the principle of least privilege and reducing the risk of brute force attacks. Option A is impractical as it limits remote administration capabilities. Option B, while improving password security, still allows direct root access which is a security risk. Option D restricts access but still permits root login, which is not recommended.
Question 6
You are tasked with securing SSH access to a Linux server. Which of the following configurations would best enhance security without significantly impacting usability?
Correct Answer: D
Explanation: Restricting SSH access to specific IP addresses enhances security by limiting who can attempt to connect to the server, reducing attack surface without impacting usability for authorized users. Disabling SSH access entirely is impractical. Allowing root login is insecure. Using a strong password policy and disabling password authentication is contradictory; disabling passwords implies using key-based authentication.
Question 7
You are the security administrator for a company that uses Linux servers to host its web applications. You notice unusual activity on one of the servers and suspect a brute force attack on SSH. Which of the following commands would best help you verify if a brute force attack is occurring?
Correct Answer: A
Explanation: Option A is correct because "tail -f /var/log/auth.log | grep 'Failed password'" will continuously monitor the authentication log for failed login attempts, which is indicative of a brute force attack. Option B shows the SSH configuration, which is useful for configuration issues but not for monitoring real-time attacks. Option C lists processes related to SSH, but does not provide information about login attempts. Option D shows active network connections and listening ports, which does not directly indicate a brute force attack.
Question 8
A security analyst is tasked with securing a Linux server by configuring the firewall. Which of the following commands is used to configure the iptables firewall on a Linux system?
Correct Answer: C
Explanation: The 'iptables' command is used to configure the Linux kernel firewall, allowing the administrator to set rules for packet filtering. Option A, 'firewalld-cmd', is used with the firewalld service, not iptables. Option B, 'ufw', is a simpler interface for managing iptables, but not the direct command for iptables itself. Option D, 'selinux-config', is related to SELinux configuration, not firewall settings.
Question 9
To restrict a user's ability to execute certain commands on a Linux system, which file should be edited?
Correct Answer: C
Explanation: The '/etc/sudoers' file controls user permissions for executing commands with elevated privileges. '/etc/shadow' manages password hashes, '/etc/passwd' contains user account information, and '/etc/hosts' maps hostnames to IP addresses, none of which manage command execution permissions.
Question 10
A system administrator needs to secure SSH access to a Linux server. Which of the following configurations in the sshd_config file would best enhance security?
Correct Answer: C
Explanation: The 'AllowUsers admin' directive restricts SSH access to only the specified user, enhancing security by limiting access. 'PermitRootLogin yes' allows root login, which is insecure. 'PasswordAuthentication yes' allows password-based logins, which are less secure than key-based authentication. 'PermitEmptyPasswords yes' allows empty passwords, which is highly insecure.