Free GSEC Linux Security Practice Test 2026 — GIAC Security Essentials Questions

This free GSEC Linux Security practice test covers Linux file permissions, SUID/SGID, SELinux/AppArmor, auditd, SSH hardening, and shell security. Each question includes a detailed explanation written from a hands-on security practitioner's perspective — perfect for building your open-book index for the real GIAC Security Essentials exam.

6 Free GSEC Linux Security Practice Questions with Answers

Sample Question 1 — Linux Security

Which command would you use to check for open ports and active services on a Linux server to ensure there are no unauthorized services running?

  1. A. netstat -tuln (Correct answer)
  2. B. ps aux
  3. C. ls -l /etc/services
  4. D. df -h

Correct answer: A

Explanation: The 'netstat -tuln' command lists all open ports and active network services, which is crucial for detecting unauthorized services. 'ps aux' lists running processes but doesn't show port usage. 'ls -l /etc/services' displays the services file but not active services. 'df -h' shows disk usage, unrelated to network services.

Sample Question 2 — Linux Security

What is the primary purpose of using AppArmor on a Linux system?

  1. A. To encrypt filesystems
  2. B. To enforce mandatory access control policies (Correct answer)
  3. C. To monitor network traffic
  4. D. To perform vulnerability scans

Correct answer: B

Explanation: AppArmor is used to enforce mandatory access control policies, restricting programs' capabilities. It does not encrypt filesystems (A), monitor network traffic (C), or perform vulnerability scans (D).

Sample Question 3 — Linux Security

A Linux server is suspected to have been compromised. Which log file should be examined first to check for unauthorized login attempts?

  1. A. /var/log/secure (Correct answer)
  2. B. /var/log/messages
  3. C. /var/log/dmesg
  4. D. /var/log/cron

Correct answer: A

Explanation: The '/var/log/secure' file logs authentication events, including login attempts, making it crucial for checking unauthorized access. '/var/log/messages' contains general system messages, '/var/log/dmesg' holds kernel ring buffer messages, and '/var/log/cron' logs cron jobs, none of which focus on login attempts.

Sample Question 4 — Linux Security

To restrict a user's ability to execute certain commands on a Linux system, which file should be edited?

  1. A. /etc/shadow
  2. B. /etc/passwd
  3. C. /etc/sudoers (Correct answer)
  4. D. /etc/hosts

Correct answer: C

Explanation: The '/etc/sudoers' file controls which commands users may execute with elevated privileges. '/etc/shadow' stores password hashes, '/etc/passwd' contains user account information, and '/etc/hosts' maps hostnames to IP addresses; none of these manage command execution permissions.

Sample Question 5 — Linux Security

Which command is used to apply the latest security patches on a Debian-based Linux system?

  1. A. yum update
  2. B. apt-get upgrade (Correct answer)
  3. C. dnf update
  4. D. zypper patch

Correct answer: B

Explanation: The 'apt-get upgrade' command is used on Debian-based systems to apply available package updates, including security patches. 'yum update' and 'dnf update' are for Red Hat-based systems, while 'zypper patch' is used in SUSE-based systems.

Sample Question 6 — Linux Security

You are a system administrator responsible for managing a Linux server that hosts sensitive customer data. To enhance security, you decide to implement a logging system to monitor unauthorized access attempts. Which of the following log files would you primarily monitor to detect failed login attempts on the server?

  1. A. /var/log/messages
  2. B. /var/log/secure (Correct answer)
  3. C. /var/log/dmesg
  4. D. /var/log/cron

Correct answer: B

Explanation: The correct answer is B. /var/log/secure is the log file that records authentication-related events, including both successful and failed login attempts. Option A is incorrect because /var/log/messages contains general system messages and not specifically authentication logs. Option C is incorrect because /var/log/dmesg contains kernel ring buffer messages, which are not related to login attempts. Option D is incorrect because /var/log/cron contains logs of cron jobs, not authentication events.

How to Study GSEC Linux Security

Drill these GSEC Linux Security practice questions repeatedly and update your study index after each session. Focus on building a fast lookup path from the GIAC term to your book page; this is what separates passing from failing GSEC scores. Pair this practice test with hands-on labs whenever possible; GSEC validates real-world skills, not just memorization.
