
Linux+ Security: Study Guide


Linux+ Security covers essential concepts for protecting Linux systems in professional environments. You'll learn authentication mechanisms, access control, encryption, network security, and threat mitigation strategies.

Mastering this domain requires understanding both theory and practical implementation. Flashcards break down complex security concepts into bite-sized questions, helping you memorize critical commands, protocols, and best practices efficiently.

Whether you're preparing for the CompTIA Linux+ exam or building real-world security skills, flashcards accelerate retention and boost your confidence when facing security scenarios.


Understanding Linux Authentication and Access Control

Authentication is the foundation of Linux security. It determines who can access a system and what they can do.

Authentication Methods and User Files

Linux uses several authentication methods: passwords, SSH keys, and multi-factor authentication (normally added through PAM modules). The /etc/passwd file contains user account information and is world-readable. The /etc/shadow file stores the password hashes and password-aging fields and is readable only by root (and, on some distributions, the shadow group).

User IDs (UID) and Group IDs (GID) form the basis of Linux's permission model. Every file and directory has three permission sets:

  • Owner (read=4, write=2, execute=1)
  • Group (read=4, write=2, execute=1)
  • Others (read=4, write=2, execute=1)

Permission Notation and Special Bits

Umask values determine default permissions for newly created files and directories by clearing bits from the base mode (666 for files, 777 for directories). Understanding the difference between standard users, system users (UIDs below the distribution's UID_MIN, typically 1000, which run services and usually have no login shell), and root (UID 0) is crucial.

Special bits control additional access:

  • Setuid: an executable runs with the effective UID of the file's owner rather than the caller's (for example passwd, which must write /etc/shadow)
  • Setgid: an executable runs with the effective GID of the file's group; on a directory, new files inherit the directory's group
  • Sticky bit: in a world-writable directory such as /tmp, only a file's owner, the directory's owner, or root can delete or rename it
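As an added example (not part of the original study guide), here is a Python utility that converts between ls -l style symbolic modes and octal, including the three special bits, and flags the combinations a hardening review looks for (setuid/setgid binaries, world-writable directories without the sticky bit). The modes it is exercised with are constructed; nothing is read from a live system.

```python
import stat

# Each triplet carries a special bit in its execute position:
# owner -> setuid (s/S), group -> setgid (s/S), others -> sticky (t/T).
# Lower case means execute is also set; upper case means it is not.
_SPECIAL = ((stat.S_ISUID, "s"), (stat.S_ISGID, "s"), (stat.S_ISVTX, "t"))


def parse_symbolic(mode: str) -> int:
    """Convert 'rwsr-xr-x' style text (9 characters, no type column) to a mode int."""
    if len(mode) != 9:
        raise ValueError(f"expected 9 characters such as rwxr-xr-x, got {mode!r}")
    bits = 0
    for triplet, (special, letter) in enumerate(_SPECIAL):
        r, w, x = mode[triplet * 3:triplet * 3 + 3]
        shift = (2 - triplet) * 3  # owner=6, group=3, others=0
        if r == "r":
            bits |= 4 << shift
        elif r != "-":
            raise ValueError(f"bad read flag {r!r}")
        if w == "w":
            bits |= 2 << shift
        elif w != "-":
            raise ValueError(f"bad write flag {w!r}")
        if x in (letter, letter.upper()):
            bits |= special
            if x == letter:            # lower case: execute is set as well
                bits |= 1 << shift
        elif x == "x":
            bits |= 1 << shift
        elif x != "-":
            raise ValueError(f"bad execute flag {x!r} in triplet {triplet}")
    return bits


def to_symbolic(bits: int) -> str:
    """Inverse of parse_symbolic: 0o4755 -> 'rwsr-xr-x'."""
    out = []
    for triplet, (special, letter) in enumerate(_SPECIAL):
        shift = (2 - triplet) * 3
        out.append("r" if bits & (4 << shift) else "-")
        out.append("w" if bits & (2 << shift) else "-")
        execute = bool(bits & (1 << shift))
        if bits & special:
            out.append(letter if execute else letter.upper())
        else:
            out.append("x" if execute else "-")
    return "".join(out)


def audit_mode(bits: int, is_dir: bool = False) -> list:
    """Findings a permissions review would raise for one mode value."""
    findings = []
    if bits & stat.S_ISUID:
        findings.append("setuid")
    if bits & stat.S_ISGID:
        findings.append("setgid")
    if bits & stat.S_IWOTH:
        findings.append("world-writable")
        # /tmp is 1777: world-writable is acceptable only with the sticky bit
        if is_dir and not bits & stat.S_ISVTX:
            findings.append("world-writable directory without sticky bit")
    return findings


if __name__ == "__main__":
    for text in ("rwxr-xr-x", "rwsr-xr-x", "rwxrwsr-x", "rwxrwxrwt", "rwSr--r--"):
        mode = parse_symbolic(text)
        print(f"{text} -> {mode:05o} -> {to_symbolic(mode)} {audit_mode(mode)}")
```

The same mapping is what find -perm -4000 (setuid files) or find -type d -perm -0002 ! -perm -1000 (world-writable directories without sticky) check on a real system.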

Delegated Administration and ACLs

Sudo (superuser do) allows delegated administrative tasks without sharing the root password. Configure it through /etc/sudoers, edited with visudo so that a syntax error cannot lock you out, or through drop-in files under /etc/sudoers.d.

Access Control Lists (ACLs) provide fine-grained permission management beyond basic permissions. Use getfacl and setfacl commands to manage ACLs. Flashcards help you memorize permission notation (755, 644) and command syntax for managing users and groups like useradd, usermod, groupadd, and passwd.

SELinux and Mandatory Access Control

SELinux (Security Enhanced Linux) implements mandatory access control (MAC) beyond traditional discretionary access control (DAC). DAC depends on file ownership and user permissions. SELinux enforces policies that restrict even privileged processes.

SELinux Modes and Context Labels

SELinux operates in three modes:

  1. Enforcing (policies are applied and violations blocked)
  2. Permissive (policies checked but violations logged only)
  3. Disabled (SELinux is off)

Context labels follow a user:role:type:level format, for example system_u:object_r:httpd_sys_content_t:s0. Under the default targeted policy the type is the component that almost all access rules are written against (type enforcement); the level only matters for MLS/MCS separation.

Managing SELinux Policies

SELinux booleans enable or disable specific policy rules without writing policy. List them with getsebool -a and change them with setsebool -P (the -P makes the change persist across reboots). Use semanage to manage port labels, file context rules, and login mappings, and getenforce or sestatus to check the current mode.

The audit daemon (auditd) records SELinux denials as AVC messages in /var/log/audit/audit.log. chcon changes a label directly, but the change is lost the next time the file system is relabeled (restorecon, or touch /.autorelabel); for permanent changes add a rule with semanage fcontext and then apply it with restorecon -Rv.

AppArmor and Troubleshooting

AppArmor provides similar mandatory access control on distributions such as Ubuntu and openSUSE, using per-program profiles keyed on file paths rather than labels, as an alternative to SELinux. For Linux+ exam preparation, knowing when a boolean or a relabel is the right fix and when a custom policy module is needed is essential for practical security implementation.

Cryptography, Encryption, and Secure Communication

Encryption protects data confidentiality by converting readable plaintext into unreadable ciphertext using cryptographic algorithms and keys.

Symmetric and Asymmetric Encryption

Symmetric encryption uses a single shared key for both encryption and decryption. AES is the current standard; DES (56-bit key) is broken and 3DES is deprecated, so both appear on the exam as legacy algorithms, not as choices for new systems.

Asymmetric encryption uses public and private key pairs. Data encrypted with the public key can only be decrypted with the private key. RSA and ECC are common algorithms.

SSH (Secure Shell) provides encrypted remote access and can authenticate users with public key cryptography. A user's public keys are listed in ~/.ssh/authorized_keys on the server; the private key never leaves the client, which is what makes password-less authentication safe.

Cryptographic Tools and Standards

GPG (GNU Privacy Guard) implements OpenPGP standards for encrypting files, emails, and creating digital signatures.

SSL/TLS protocols encrypt web traffic using certificates verified by certificate authorities. The /etc/ssl/certs directory holds the trusted CA certificates; add a new one with the distribution's tool (update-ca-certificates on Debian-based systems, update-ca-trust on Red Hat-based systems) rather than copying files in by hand.

Hash functions create fixed-size digests from variable-length data. Use them for integrity verification; for password storage use a salted, deliberately slow password hash (the $6$ sha512crypt or $y$ yescrypt entries in /etc/shadow), never a plain digest:

  • MD5 and SHA-1 (deprecated; practical collisions exist for both)
  • SHA-256 and SHA-512 (current standards)

HMAC combines a hash function with a secret key to authenticate messages: without the key an attacker can neither forge a tag nor pass off a modified message. For certificates, generate a key with openssl genrsa (or openssl genpkey), create a signing request with openssl req, and have a CA sign it with openssl x509 or openssl ca.
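The three uses of hashing above (integrity digest, HMAC, password storage) in one runnable Python example, added here and not taken from the study guide. It uses only the standard library; PBKDF2-HMAC-SHA256 stands in for the sha512crypt/yescrypt schemes used in /etc/shadow because hashlib ships it, and the iteration count and the $-separated storage format are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Fixed-size hex digest of arbitrary-length data (integrity check)."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    # compare_digest runs in constant time, so the comparison itself leaks nothing
    return hmac.compare_digest(digest(data, algorithm), expected_hex.lower())


def mac(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of key can produce or verify it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(mac(key, message), tag_hex.lower())


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, slow password hash, stored shadow-style as $id$params$salt$hash.

    A bare SHA-256 of the password would be unsalted (identical passwords give
    identical hashes, rainbow tables apply) and fast (billions of guesses per
    second on a GPU); the salt and the iteration count remove both properties.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), dk_hex)


if __name__ == "__main__":
    blob = b"config=production\n"            # constructed sample data
    print("sha256:", digest(blob))
    print("tampered detected:", not verify_digest(blob + b"x", digest(blob)))
    tag = mac(b"shared-secret", blob)        # key is a constructed example value
    print("hmac ok:", verify_mac(b"shared-secret", blob, tag))
    stored = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", stored))
```

The two constant-time comparisons are deliberate: comparing tags with == returns as soon as the first byte differs, which lets an attacker with precise timing recover a valid tag byte by byte.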

Firewall Configuration and Network Security

Firewalls control network traffic by filtering packets based on predefined rules. Linux firewalls operate at the kernel level using netfilter, with user-space tools providing configuration interfaces.

Firewall Tools and Concepts

iptables is the traditional command-line firewall tool (on current kernels its successor is nftables, and the iptables-nft compatibility layer translates iptables commands to it), using tables (filter, nat, mangle, raw) and chains (INPUT, OUTPUT, FORWARD, plus PREROUTING and POSTROUTING for NAT). Each rule specifies source/destination addresses, ports, protocols, and an action (ACCEPT, DROP, REJECT). Rules are evaluated in order and the first match wins, so rule order matters.

firewalld provides dynamic firewall management with zones and services, automatically handling rule complexities. ufw (Uncomplicated Firewall) simplifies configuration with intuitive commands like "ufw allow 22/tcp".

Stateful packet inspection tracks connection states, intelligently allowing return traffic for established connections. Network Address Translation (NAT) enables private IP addresses to communicate through public IPs.

Security Scenarios and Monitoring

Common firewall scenarios include:

  • Blocking specific ports
  • Allowing services based on allowlists
  • Protecting against port scans
  • Rate limiting traffic
  • SSH hardening (key-only authentication and rate limiting of new connections; moving SSH to a non-standard port only reduces scanner noise in the logs and is not a security control on its own)

netstat (legacy) and ss display listening ports and connections; ss -tulpn lists listening TCP and UDP sockets together with the owning process. tcpdump and wireshark capture and analyze network traffic for security monitoring. Regular firewall audits ensure rules align with security policies.

Auditing, Logging, and Security Monitoring

Security auditing tracks system activities and changes, creating evidence trails for compliance and incident investigation. The auditd daemon captures detailed kernel-level events configured through /etc/audit/audit.rules (on current systems, the rule files under /etc/audit/rules.d/ that augenrules compiles into it).

Audit Configuration and Tools

Audit rules monitor file access, system calls, authentication attempts, and permission changes. Use ausearch and aureport tools to query audit logs stored in /var/log/audit/audit.log.

Syslog centralizes log collection from various services, configured in /etc/rsyslog.conf. Logs use facilities (auth, authpriv, kern) and severity levels (debug, info, notice, warning, err, crit, alert, emerg).

Log Management and Analysis

Log rotation through logrotate prevents logs from consuming excessive disk space while retaining historical records. Important security logs include:

  • /var/log/auth.log or /var/log/secure (authentication)
  • /var/log/syslog (system messages)
  • Application-specific logs

Failed login attempts should trigger alerts and investigations. The last command shows login history from /var/log/wtmp, lastb shows failed attempts from /var/log/btmp, and lastlog displays each user's most recent login.
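To tie the syslog facility/severity model above to the failed-login review described here, the following Python example (added for this guide, not part of it) decodes the <PRI> prefix of RFC 3164 lines as a central rsyslog would receive them, keeps only authpriv/auth messages from sshd, and counts failed passwords per source address. The log lines are constructed for the example and use RFC 5737 documentation addresses; the threshold of 3 is an arbitrary choice.

```python
import re
from collections import Counter

# RFC 5424 facility codes 0-23 and severity codes 0-7; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: <86> is authpriv.info, <85> authpriv.notice, <4> kern.warning.
SAMPLE_LINES = [
    "<86>Mar 10 12:00:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "<86>Mar 10 12:00:03 web01 sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "<86>Mar 10 12:00:04 web01 sshd[1238]: Failed password for root from 203.0.113.5 port 51244 ssh2",
    "<86>Mar 10 12:00:05 web01 sshd[1240]: Failed password for oracle from 203.0.113.5 port 51250 ssh2",
    "<86>Mar 10 12:00:09 web01 sshd[1242]: Failed password for alice from 198.51.100.7 port 50000 ssh2",
    "<86>Mar 10 12:00:15 web01 sshd[1244]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2: ED25519 SHA256:examplefingerprint",
    "<85>Mar 10 12:01:00 web01 sudo[1300]: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob",
    "<4>Mar 10 12:02:00 web01 kernel: [12345.678] audit: backlog limit exceeded",
]

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
_FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def decode_pri(pri: int):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog(line: str):
    """Parse one RFC 3164 line; returns None for lines that do not match."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity, "timestamp": m.group("ts"),
            "host": m.group("host"), "program": m.group("prog"),
            "pid": m.group("pid"), "message": m.group("msg")}


def failed_logins_by_source(lines):
    """Count sshd password failures per client address (auth/authpriv only)."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if not rec or rec["facility"] not in ("auth", "authpriv") or rec["program"] != "sshd":
            continue
        m = _FAILED_RE.match(rec["message"])
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(lines, threshold: int = 3):
    """Addresses with at least `threshold` failures, i.e. what an alert would fire on."""
    return sorted(ip for ip, n in failed_logins_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_LINES))
    print("alert on:", brute_force_sources(SAMPLE_LINES))
```

On a real host the same counts come from journalctl -u sshd or grep "Failed password" /var/log/secure; the point of the facility filter is that a message text alone is not trustworthy, since any local process can log any string to the user facility.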

File Integrity and Incident Detection

AIDE (Advanced Intrusion Detection Environment) monitors file integrity, detecting unauthorized modifications. Tripwire provides comprehensive file system monitoring. Regular log reviews identify suspicious patterns like repeated failed logins or unusual process execution. Log aggregation and SIEM (Security Information and Event Management) tools centralize monitoring across multiple systems.
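What AIDE and Tripwire do, reduced to its core in a Python example added for this guide (it is not AIDE's code): record a baseline of content hash, size, mode and owner for every regular file under a root, then compare a later snapshot and report added, removed and changed files. The run_demo function builds a throwaway tree in a temporary directory, tampers with it the way an intruder might (config edit, setuid added to a binary, file removed, file planted), and returns the report; all of that data is constructed.

```python
import hashlib
import os
import stat
import tempfile


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (relative path) to the attributes worth alerting on."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):      # symlinks, sockets etc. are skipped here
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _sha256_file(full), "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report what differs between two baselines, attribute by attribute."""
    changed = {}
    for path in sorted(set(old) & set(new)):
        diffs = sorted(k for k in old[path] if old[path][k] != new[path][k])
        if diffs:
            changed[path] = diffs
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


def _write(root: str, rel: str, data: bytes, mode: int) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        # constructed tree standing in for a small part of a server's file system
        _write(root, "bin/tool", b"#!/bin/sh\necho ok\n", 0o755)
        _write(root, "etc/app.conf", b"debug=0\n", 0o644)
        _write(root, "etc/old.conf", b"x\n", 0o644)
        baseline = build_baseline(root)

        # simulated tampering after the baseline was taken
        _write(root, "etc/app.conf", b"debug=1\n", 0o644)          # content edited, same size
        os.chmod(os.path.join(root, "bin", "tool"), 0o4755)        # setuid bit added
        os.remove(os.path.join(root, "etc", "old.conf"))           # file removed
        _write(root, "etc/backdoor.conf", b"allow=*\n", 0o644)     # file planted

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(run_demo())
```

Two details carry over to the real tools: the size check alone would have missed the config edit (same length, different bytes), and the baseline database must live somewhere the attacker cannot reach, since a baseline that can be rewritten proves nothing.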

Start Studying Linux+ Security

Master critical Linux security concepts with expertly crafted flashcards covering authentication, access control, encryption, firewalls, and auditing. Practice with spaced repetition to reinforce your knowledge and pass the Linux+ exam with confidence.

Create Free Flashcards

Frequently Asked Questions

What are the key differences between DAC and MAC in Linux security?

DAC (Discretionary Access Control) relies on file ownership and traditional permissions (rwx bits). File owners decide who can access their resources. This is the default Linux model.

MAC (Mandatory Access Control) enforces system-wide policies that restrict access based on security labels, regardless of file ownership. SELinux and AppArmor implement MAC.

MAC applies to processes regardless of their UID, so a confined process running as root (a daemon such as httpd) still cannot exceed its policy; an unconfined root administrator can still switch modes or load policy unless the policy itself forbids that. DAC is flexible but potentially less secure, while MAC is stricter and better for high-security environments. Understanding when to implement both is crucial for Linux+ Security. DAC is easier to manage for typical systems, but MAC is essential for servers handling sensitive data.

How do I troubleshoot SELinux denials on a Linux system?

First, check SELinux status with getenforce or sestatus. Make sure auditd is running (without it, AVC messages go to the kernel log instead of /var/log/audit/audit.log), then review denials with ausearch -m avc -ts recent, which filters the audit log to AVC records from the last few minutes.

Identify the denied operation, the source context (the process domain) and the target context (the label on the file, port or socket). For testing, put SELinux into permissive mode with setenforce 0, or make only the one domain permissive with semanage permissive -a <domain>, so denials are logged but not blocked. For permanent fixes prefer the least invasive change: a boolean (setsebool -P), a file context rule (semanage fcontext followed by restorecon), or a port label (semanage port).

The audit2allow tool generates policy modules from denial logs (audit2allow -a -M mymodule). Read the generated .te file before installing it with semodule -i, because audit2allow allows exactly what was denied, including denials caused by a mislabeled file or by a compromised process. Document policy changes for compliance and future reference. When denials involve legitimate operations, adjust policies rather than disabling SELinux entirely. This approach maintains security while accommodating necessary functionality.
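The denial-triage steps above, and the AVC logging and context-label material in the SELinux section, as a runnable Python example added for this guide (it is not audit2allow or any SELinux tool): it parses AVC records out of audit.log lines, splits each user:role:type:level context, groups denials into audit2allow-style allow rules, and points at the boolean or label fix that should be tried first. The audit lines are constructed (PIDs, inodes and timestamps invented; the contexts, classes and the two fixes are real).

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: two httpd denials on a home directory file,
# one unrelated SYSCALL record, and sshd failing to bind port 2222.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1700000001.100:201): avc:  denied  { read } for  pid=2345 '
    'comm="httpd" name="index.html" dev="sda1" ino=131073 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
    'type=SYSCALL msg=audit(1700000001.100:201): arch=c000003e syscall=257 success=no '
    'exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1700000001.105:202): avc:  denied  { getattr } for  pid=2345 '
    'comm="httpd" path="/home/alice/public_html/index.html" dev="sda1" ino=131073 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1700000002.000:203): avc:  denied  { name_bind } for  pid=990 '
    'comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1',
]

_AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx: str) -> dict:
    """Split user:role:type:level; the level may itself contain colons (an MLS range)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    user, role, type_ = parts[:3]
    return {"user": user, "role": role, "type": type_,
            "level": parts[3] if len(parts) == 4 else ""}


def parse_avc(line: str):
    """Return the fields of one AVC record, or None for any other record type."""
    m = _AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name") or fields.get("src"),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",   # logged but not enforced
    }


def suggest_rules(lines) -> list:
    """Group denials by (source type, target type, class) the way audit2allow does."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(grouped.items())]


def triage(lines) -> list:
    """Prefer a boolean or label fix over a custom module where one exists.

    Only the two denials in the sample have a known fix; anything else is
    handed back for a human to review before audit2allow is even considered.
    """
    out = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        src, tgt = rec["scontext"]["type"], rec["tcontext"]["type"]
        if src == "httpd_t" and tgt == "user_home_t":
            fix = ("setsebool -P httpd_enable_homedirs on, or relabel the content "
                   "httpd_sys_content_t with semanage fcontext and restorecon")
        elif src == "sshd_t" and tgt == "unreserved_port_t" and rec["tclass"] == "tcp_socket":
            fix = f"semanage port -a -t ssh_port_t -p tcp {rec['target']}"
        else:
            fix = "no boolean or label fix known; review before using audit2allow"
        out.append((rec["serial"], rec["comm"], " ".join(rec["perms"]), fix))
    return out


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for item in triage(SAMPLE_AUDIT_LOG):
        print(item)
```

The rule "allow httpd_t user_home_t:file { getattr read };" that the grouping produces is what audit2allow would emit, and it is the wrong fix: it would let the web server read every home directory, where the boolean or a relabel to httpd_sys_content_t grants only what is needed.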

Why is SSH key-based authentication more secure than password authentication?

SSH keys use asymmetric cryptography where only the private key (kept secret) can authenticate, while the public key is shared. Passwords are vulnerable to brute force attacks, dictionary attacks, and interception. Keys are computationally impractical to crack.

Key-based authentication requires possessing the private key file, which adds a possession factor: an attacker who learns nothing but a password cannot log in. Passphrases protect private keys from compromise if the key file is stolen. Keys eliminate password reuse risks and can be rotated by generating new pairs.

SSH agents hold decrypted keys in memory so the passphrase is typed once per session and never appears in shell history. For server security, disable password authentication in /etc/ssh/sshd_config with "PasswordAuthentication no" (and "KbdInteractiveAuthentication no", called ChallengeResponseAuthentication on older OpenSSH, so PAM cannot reintroduce passwords), check the file with sshd -t, and reload the service. Once only keys are accepted, password guessing against the server has nothing to guess.

What is the purpose of umask and how do I set appropriate values?

Umask is a file creation mask: the bits set in the umask are cleared from the base mode (666 for files, 777 for directories) to give the permissions of a newly created object. The default umask is often 0022, resulting in 644 for files (rw-r--r--) and 755 for directories (rwxr-xr-x).

Calculate permissions by removing the umask bits from the base value (for the usual masks this looks like subtraction, but it is a bit mask: umask 0033 gives 644 for files, not 633):

  • Umask 0077 creates 600 files and 700 directories, restricting access to owner only
  • Umask 0007 creates 660 files and 770 directories, restricting access to owner and group

Set umask in ~/.bashrc or /etc/profile for users or system-wide defaults. Verify effective umask with the umask command. Proper umask configuration reduces reliance on post-creation permission changes, ensuring files are created with appropriate security from the start.
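The umask calculation as a Python example added for this guide: apply_umask does the bitwise operation the kernel does, naive_subtract shows where the arithmetic shortcut goes wrong, and observe actually sets the process umask, creates a file and a directory in a temporary directory and reads back the modes the kernel assigned, so the computed values can be checked against reality. The umask values tried are constructed examples.

```python
import os
import stat
import tempfile

FILE_BASE, DIR_BASE = 0o666, 0o777   # bases the kernel starts from for open(2) and mkdir(2)


def apply_umask(base: int, umask: int) -> int:
    """Clear every bit that is set in the umask; this is AND NOT, not subtraction."""
    return base & ~umask & 0o777


def naive_subtract(base: int, umask: int) -> int:
    """The arithmetic shortcut; correct only while no umask digit exceeds the base digit."""
    return base - umask


def defaults(umask: int):
    """(file mode, directory mode) that a given umask yields."""
    return apply_umask(FILE_BASE, umask), apply_umask(DIR_BASE, umask)


def observe(umask: int):
    """Set the umask for this process, create a file and a directory, report their modes."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as root:
            fpath, dpath = os.path.join(root, "f"), os.path.join(root, "d")
            with open(fpath, "w"):         # open() asks for 0o666; kernel applies umask
                pass
            os.mkdir(dpath)                # mkdir() asks for 0o777 by default
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(previous)                 # never leave the process with a changed umask


if __name__ == "__main__":
    for mask in (0o022, 0o077, 0o007, 0o033):
        f, d = defaults(mask)
        print(f"umask {mask:04o}: files {f:03o} dirs {d:03o} observed {observe(mask)}")
    print(f"umask 0033 by subtraction would give {naive_subtract(FILE_BASE, 0o033):03o}")
```

The observed values match the computed ones because umask is applied by the kernel at creation time, which is also why a later chmod in a script is a weaker substitute: the file exists with the wider permissions until the chmod runs.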

How do I effectively use flashcards to study for the Linux+ Security exam?

Create flashcards for commands with proper syntax, permission notation, SELinux contexts, cryptographic concepts, and security policies. Use active recall by testing yourself before checking answers.

Spaced repetition algorithms optimize review timing, focusing on difficult cards. Organize cards by topic: authentication, access control, encryption, firewalls, and monitoring. Include practical scenarios on cards, asking how you would secure specific system requirements.

Review cards daily for reinforcement. Create cards for common mistakes and exam traps. Use mnemonics for permission bits (rwx=4,2,1). Practice combining knowledge from multiple cards to solve complex scenarios. Time yourself answering cards to prepare for exam pacing. Supplement flashcards with hands-on practice in Linux virtual machines. This multi-modal approach combines memorization with practical understanding essential for passing Linux+.