This practice exam evaluates deep knowledge of Linux kernel security mechanisms, threat models, and hardening strategies. Topics include kernel vulnerabilities, memory protections, LSMs (SELinux, AppArmor), capabilities, secure coding practices, syscall filtering, KPTI, seccomp, and kernel patching techniques. Scenario questions push learners to reason about real-world kernel exploit cases, apply mitigations, and demonstrate an understanding of how Linux kernel architecture influences overall system security posture.
Typology: Exams
Question 1. Which CPU privilege level is typically used for user-space code execution in Linux?
A) Ring 0
B) Ring 1
C) Ring 2
D) Ring 3
Answer: D
Explanation: Linux runs user-space processes in Ring 3 (the least-privileged CPU mode) and the kernel in Ring 0; rings 1 and 2 are not used by Linux at all. Other architectures expose only two levels (EL0/EL1 on arm64), which is all the kernel/user split needs.

Question 2. What mechanism does the Linux kernel use to transition from user-space to kernel-space when a system call is invoked?
A) Interrupt Descriptor Table (IDT) entry for a software interrupt
B) Direct Memory Access (DMA)
C) CPU cache flush
D) Page table swap
Answer: A
Explanation: On x86 the legacy path is the software interrupt int 0x80, whose handler is registered in the IDT. Current kernels enter through the syscall instruction on x86-64 (sysenter on 32-bit), which does not consult the IDT at all: the CPU jumps to the entry point held in the IA32_LSTAR (or IA32_SYSENTER_EIP) MSR, switches to Ring 0, and the kernel dispatches on the syscall number in rax. Option A is the answer the key expects; strictly, the IDT is involved only for the int 0x80 path. DMA, cache flushes and page-table swaps are side effects of other operations, not the entry mechanism.

Question 3. Which kernel configuration option enables Kernel Address Space Layout Randomization (KASLR) at boot time?
A) CONFIG_RANDOMIZE_BASE
B) CONFIG_KASAN
C) CONFIG_KPROBES
D) CONFIG_DEBUG_INFO
Answer: A
Explanation: CONFIG_RANDOMIZE_BASE activates KASLR, randomizing the kernel's virtual (and physical) base address on each boot; CONFIG_RANDOMIZE_MEMORY on x86-64 additionally randomizes the direct map, vmalloc and vmemmap bases. The randomization happens in the decompressor before the kernel proper starts, and the nokaslr command-line parameter disables it. KASAN is a memory-error detector, KPROBES a tracing facility, and DEBUG_INFO only affects the debugging symbols emitted.

Question 4. Which of the following is a primary security benefit of structure randomization in the kernel?
A) Reduces memory consumption
B) Prevents buffer-overflow exploits from reliably locating target structures
C) Speeds up context switches
D) Enables hot-plug of devices without reboot
Answer: B
Explanation: Structure layout randomization (CONFIG_RANDSTRUCT, formerly the GCC_PLUGIN_RANDSTRUCT plugin) shuffles the order of fields in selected kernel structures at build time. An exploit that hard-codes the offset of a function pointer or a flag inside a corrupted object then only works on the build it was written for, so a memory-corruption primitive becomes unreliable rather than impossible; the underlying bug is not fixed.

Question 5. Which function is considered unsafe in kernel code and should be replaced with a size-checked alternative?
A) memcpy
B) strcpy
C) kmalloc
D) snprintf
Answer: B
Explanation: strcpy copies until the source NUL with no knowledge of the destination size, so over-long input overflows the buffer. Kernel code should use strscpy(), which takes the destination size, always NUL-terminates and returns -E2BIG on truncation so the caller can reject the input. The older strlcpy() was deprecated (and has since been removed from the kernel) because it returns the full source length, which forces a read of the entire source and is easy to forget to check. memcpy is appropriate for non-string data when the length is explicitly bounds-checked, and snprintf is already size-limited.

Question 6. In kernel code, what is the effect of invoking BUG_ON(condition)?
A) Logs a warning and continues execution
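The strcpy() bug from Question 5 next to the hardened pattern, as an added example that is not part of the exam. strscpy_like() and strlcpy_like() re-implement the return-value contracts of the kernel's strscpy() and strlcpy() for user space so the difference can be compiled and run here; real kernel code uses the functions from <linux/string.h>. struct dev_ctx, NAME_LEN and the demo_* helpers are constructed for the illustration.

```c
/*
 * Added example, not from the exam: unbounded strcpy() beside a bounded copy
 * with the kernel's strscpy() contract. The *_like() functions are user-space
 * re-implementations of the kernel return-value semantics, not the kernel code.
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Kernel strscpy(): copy at most size-1 bytes, always NUL-terminate, return the
 * number of bytes copied or -E2BIG if src did not fit. Reads at most size bytes
 * of src, so an unterminated source is handled safely too. */
static long strscpy_like(char *dest, const char *src, size_t size)
{
    size_t i;

    if (size == 0)
        return -E2BIG;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dest[i] = src[i];
    dest[i] = '\0';
    return src[i] == '\0' ? (long)i : -E2BIG;
}

/* BSD/old-kernel strlcpy(): also truncates, but returns strlen(src), so it must
 * scan the whole source (an over-read on unterminated input) and the caller
 * has to remember to compare the result against size. This is why the kernel
 * moved to strscpy(). */
static size_t strlcpy_like(char *dest, const char *src, size_t size)
{
    size_t len = strlen(src);

    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dest, src, n);
        dest[n] = '\0';
    }
    return len;
}

#define NAME_LEN 16

struct dev_ctx {                 /* constructed for the example */
    char name[NAME_LEN];
    void (*notify)(void);        /* sits right after the buffer: the overflow
                                    target a strcpy() bug hands an attacker */
};

/* VULNERABLE (Question 5): no bound on the copy; a name of 16+ bytes runs off
 * the end of ctx->name into the function pointer. Shown for contrast only and
 * never called by the demonstrations below. */
void set_name_unsafe(struct dev_ctx *ctx, const char *name)
{
    strcpy(ctx->name, name);
}

/* HARDENED: bounded copy, and over-long input is rejected instead of silently
 * truncated (a truncated path or name can itself become a logic bug). */
static int set_name_safe(struct dev_ctx *ctx, const char *name)
{
    if (strscpy_like(ctx->name, name, sizeof ctx->name) < 0)
        return -EINVAL;
    return 0;
}

/* Demonstration helpers: copy src into a size-byte buffer (size <= NAME_LEN)
 * and report the return value, or whether the result equals expect. */
static long demo_strscpy_ret(const char *src, size_t size)
{
    char buf[NAME_LEN];

    return strscpy_like(buf, src, size);
}

static int demo_strscpy_result_is(const char *src, size_t size, const char *expect)
{
    char buf[NAME_LEN];

    strscpy_like(buf, src, size);
    return strcmp(buf, expect) == 0;
}

static long demo_strlcpy_ret(const char *src, size_t size)
{
    char buf[NAME_LEN];

    return (long)strlcpy_like(buf, src, size);
}

static int demo_set_name_safe(const char *name)
{
    struct dev_ctx ctx = { .notify = 0 };

    return set_name_safe(&ctx, name);
}
```

The point of the two return contracts: with strscpy() a negative result is the only thing a caller has to check, whereas strlcpy()'s "return value >= size means truncated" test is the check that kernel reviewers kept finding missing.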
Question 9. Which Mandatory Access Control (MAC) framework in Linux uses a label-based policy stored in /etc/selinux/?
A) AppArmor
B) SELinux
C) SMACK
D) TOMOYO
Answer: B
Explanation: SELinux attaches a security context (label) to every process and object and decides access from a compiled policy. The mode and policy selection live in /etc/selinux/config, and the policy itself under a per-policy directory such as /etc/selinux/targeted/. AppArmor and TOMOYO are path-based rather than label-based, and SMACK, although label-based, keeps its rules under /etc/smack/.

Question 10. Which namespace isolates the set of process IDs visible to a process?
A) User namespace
B) PID namespace
C) Network namespace
D) Mount namespace
Answer: B
Explanation: A PID namespace provides a separate process-ID numbering space: the first process in it is PID 1 and processes see only IDs within their own (and nested) namespaces, while the parent namespace still sees them under different IDs. It isolates visibility, not resource usage, and it is why a container's init must reap orphaned children.

Question 11. In the LSM framework, which hook is typically called to check file open permissions?
A) inode_permission()
B) security_inode_permission()
C) file_permission()
D) security_file_open()
Answer: D
Explanation: security_file_open() is the LSM entry point called from do_dentry_open() once the struct file exists, so a module sees the final open flags and credentials and can deny the open. security_inode_permission() runs earlier, during path lookup, and checks the inode against the requested access mask rather than the open itself; options A and C are VFS function names, not LSM hooks.

Question 12. Which LSM is the default on most enterprise-oriented Linux distributions and provides a policy that can be set to enforcing, permissive, or disabled?
A) AppArmor
B) SELinux
C) SMACK
D) TOMOYO
Answer: B
Explanation: SELinux ships enabled on RHEL, Fedora and their derivatives and runs in enforcing, permissive (log only) or disabled mode, selected in /etc/selinux/config or with the enforcing= and selinux= boot parameters. AppArmor (default on Ubuntu and SUSE) has no global enforcing/permissive switch; its enforce/complain choice is per profile.

Question 13. What does the LoadPin LSM primarily protect against?
A) Unauthorized network traffic
B) Loading unsigned kernel modules or firmware
C) Privilege escalation via setuid binaries
D) Memory corruption in user space
Answer: B
Explanation: Option B is the closest choice offered, but LoadPin does not verify signatures. It "pins" every kernel-loaded file (modules, firmware, kexec images, security policy) to the filesystem from which the first such file was loaded and rejects loads from any other filesystem. It is intended for systems whose root filesystem is already integrity-protected (for example by dm-verity), so that trust in that block device extends to everything the kernel loads; signature checking of modules is a separate mechanism (CONFIG_MODULE_SIG).

Question 14. The Linux Kernel Lockdown mode is designed to:
A) Disable all interrupts
B) Prevent any modification of kernel code or data from user space after boot
Question 17. To enforce that only signed kernel modules can be loaded, which kernel configuration flag must be enabled?
A) CONFIG_MODULE_SIG
B) CONFIG_MODULE_UNLOAD
C) CONFIG_MODULE_COMPRESS
D) CONFIG_MODULE_DEBUG
Answer: A
Explanation: CONFIG_MODULE_SIG builds the signature-verification code (and CONFIG_MODULE_SIG_ALL makes the build sign every module). On its own it only taints the kernel when an unsigned module is loaded; actual enforcement, refusing unsigned or badly signed modules, requires CONFIG_MODULE_SIG_FORCE, the module.sig_enforce=1 boot parameter, or an active kernel lockdown. The live setting can be read from /sys/module/module/parameters/sig_enforce.

Question 18. In IMA's "Collect" mode, what is recorded for each file accessed by the kernel?
A) File size only
B) File hash (e.g., SHA-256)
C) Owner UID/GID
D) Modification timestamps
Answer: B
Explanation: IMA itself calls this measurement rather than "collect" (enabled with a policy such as ima_policy=tcb). For every file the policy matches it computes a digest (algorithm chosen with ima_hash=, e.g. sha256), appends an entry to the measurement list at /sys/kernel/security/ima/ascii_runtime_measurements and extends a TPM PCR (10 by default) so the list can be remotely attested. Measurement only records; blocking is the job of appraisal.

Question 19. When IMA is operating in "Appraise" mode, what happens if a file's measured hash does not match the stored signature?
A) The kernel silently updates the stored hash
B) The file is allowed to execute but a warning is logged
C) Access is denied and the operation fails
D) The kernel reboots automatically
Answer: C
Explanation: With ima_appraise=enforce, a file whose content does not match the hash or signature stored in its security.ima extended attribute is refused: the open, mmap or execve fails with -EACCES, so a tampered binary or configuration file cannot be used. The other appraisal modes exist for bring-up only: log records the mismatch and allows access, and fix rewrites security.ima to match the current content, so neither protects anything.

Question 20. Which feature of dm-verity provides integrity for a read-only block device?
A) On-the-fly compression
B) Per-block Merkle tree verification
C) Dynamic resizing of partitions
D) Automatic snapshot creation
Answer: B
Explanation: dm-verity builds a hash (Merkle) tree over the device's blocks and stores it alongside the data; only the root hash has to be trusted, and it is supplied from outside the device (bootloader, kernel command line or veritysetup). Every block is hashed on read and checked up the tree against that root before it is returned, so any offline modification is detected. The device must be read-only because the tree is fixed at creation time; on a mismatch the target returns an I/O error or, if so configured, restarts or panics the system.

Question 21. In cgroups v2, which controller is used to limit the amount of CPU time a group may consume?
A) memory
B) io
C) cpu.max
D) pids.max
Answer: C
Explanation: cpu.max is the interface file of the cpu controller in the unified (v2) hierarchy; writing "50000 100000" to it allows the cgroup 50 ms of CPU time in every 100 ms period, and "max" removes the quota. memory and io are other v2 controllers, and pids.max limits the number of processes, not CPU time.

Question 22. Which system call can be used by a process to install a seccomp filter?
A) prctl(PR_SET_SECCOMP, ...)
B) setrlimit()
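The per-block Merkle-tree check from Question 20, reduced to a program that runs in user space, as an added example that is not part of the exam and not dm-verity's code. It assumes 8-byte blocks, a two-level tree (leaf hashes plus root) and a toy FNV-1a hash standing in for SHA-256; real dm-verity uses 4 KiB blocks, as many tree levels as the device size needs, and a root hash supplied by the bootloader or veritysetup. The image bytes and the demo_verity() scenario are constructed for the illustration.

```c
/*
 * Added example, not from the exam: a toy dm-verity-style Merkle tree.
 * Assumptions: 8-byte blocks, 4 blocks, two tree levels, FNV-1a instead of
 * SHA-256. Only the root hash is trusted; everything else is verified.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 8
#define NBLOCKS 4
#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME 0x100000001b3ULL

typedef uint64_t hash_t;

/* Toy 64-bit hash (FNV-1a); collision-prone, so illustration only. */
static hash_t toy_hash(const void *data, size_t len)
{
    const unsigned char *p = data;
    hash_t h = FNV_OFFSET;

    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

struct verity_tree {
    hash_t leaf[NBLOCKS];  /* hash of each data block, stored on the device */
    hash_t root;           /* hash of the leaf array: the value that must be trusted */
};

/* Image-creation time: hash every block, then hash the array of block hashes. */
static void verity_build(struct verity_tree *t, const unsigned char *image)
{
    for (size_t i = 0; i < NBLOCKS; i++)
        t->leaf[i] = toy_hash(image + i * BLOCK_SIZE, BLOCK_SIZE);
    t->root = toy_hash(t->leaf, sizeof t->leaf);
}

/* Read time: block i is returned only if the stored tree level authenticates
 * against the trusted root AND the block authenticates against its leaf hash.
 * Neither the block data nor the on-disk tree is trusted on its own. */
static int verity_check_block(const struct verity_tree *t, hash_t trusted_root,
                              const unsigned char *image, size_t i)
{
    if (i >= NBLOCKS)
        return 0;
    if (toy_hash(t->leaf, sizeof t->leaf) != trusted_root)
        return 0;  /* tree tampered with, or wrong root: fail closed */
    return toy_hash(image + i * BLOCK_SIZE, BLOCK_SIZE) == t->leaf[i];
}

/*
 * Scenario: build the tree over a constructed 32-byte image and keep the root,
 * then flip one bit of the image (tamper_at >= 0) and/or of one stored leaf
 * hash (tamper_tree != 0), as an attacker with write access to the device
 * could. Returns how many of the 4 blocks still pass verification.
 */
static int demo_verity(int tamper_at, int tamper_tree)
{
    unsigned char image[BLOCK_SIZE * NBLOCKS];
    struct verity_tree t;
    hash_t trusted_root;
    int ok = 0;

    memcpy(image, "block0..block1..block2..block3..", sizeof image);
    verity_build(&t, image);
    trusted_root = t.root;  /* in practice provided from outside the device */

    if (tamper_at >= 0 && tamper_at < (int)sizeof image)
        image[tamper_at] ^= 0x01;
    if (tamper_tree)
        t.leaf[2] ^= 0x01;

    for (size_t i = 0; i < NBLOCKS; i++)
        ok += verity_check_block(&t, trusted_root, image, i);
    return ok;
}
```

Two things the scenario makes visible: a single flipped bit invalidates exactly the block it lives in (the other blocks still verify, which is why dm-verity can lazily verify on read), while any change to the stored tree invalidates every block, because the tree itself no longer hashes to the trusted root.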
Question 25. Which kernel build option disables the ability to load unsigned modules at runtime?
A) CONFIG_MODULE_SIG_FORCE
B) CONFIG_MODULE_SIG_ALL
C) CONFIG_MODULE_SIG_ENFORCE
D) CONFIG_MODULE_FORCE_LOAD
Answer: A
Explanation: CONFIG_MODULE_SIG_FORCE makes the kernel refuse any module that is unsigned or whose signature does not verify; without it, CONFIG_MODULE_SIG only taints the kernel unless module.sig_enforce=1 is passed at boot. There is no CONFIG_MODULE_SIG_ENFORCE Kconfig symbol; sig_enforce is the runtime parameter. CONFIG_MODULE_SIG_ALL makes the build sign every module, and CONFIG_MODULE_FORCE_LOAD allows loading despite version-magic mismatches, which weakens rather than strengthens module integrity.

Question 26. Which of the following is NOT a typical component of the Linux kernel's privilege separation?
A) User-space vs. kernel-space memory mapping
B) Separate page tables for each process
C) Execution of kernel code in Ring 3
D) System call gate mechanisms
Answer: C
Explanation: Kernel code runs in Ring 0; the whole point of the split is that user code in Ring 3 cannot touch kernel memory or privileged instructions, and the system-call gate is the only sanctioned way across. Per-process page tables (and, with KPTI, separate kernel and user tables within a process) are part of the same model.

Question 27. Which system call is the primary entry point for creating a new process in Linux?
A) fork()
B) execve()
C) clone()
D) vfork()
Answer: C
Explanation: Inside the kernel fork(), vfork() and clone() all end up in kernel_clone() (formerly _do_fork()); clone() exposes the full set of CLONE_* flags that decide what the child shares (address space, file table, namespaces, signal handlers), and glibc implements both fork() and pthread_create() on top of clone()/clone3(). execve() does not create a process; it replaces the program of an existing one.

Question 28. Which kernel configuration option enables the hardened usercopy implementation that adds bounds checking for copy_to_user()/copy_from_user()?
A) CONFIG_HARDENED_USERCOPY
B) CONFIG_USER_NS
C) CONFIG_DEBUG_USER_COPY
D) CONFIG_STRICT_DEVMEM
Answer: A
Explanation: CONFIG_HARDENED_USERCOPY checks, on every copy_to_user()/copy_from_user(), that the kernel-side buffer lies wholly within a single known object (a slab allocation, respecting its usercopy whitelist region, the stack, or a page-backed region) and does not overlap kernel text. An attacker who has turned a bug into an over-long copy then hits a BUG instead of leaking or overwriting adjacent kernel memory. CONFIG_USER_NS enables user namespaces and CONFIG_STRICT_DEVMEM restricts /dev/mem; CONFIG_DEBUG_USER_COPY does not exist.

Question 29. What is the purpose of the CONFIG_DEBUG_RODATA kernel option?
A) Enables read-only data sections to be writable for debugging
B) Marks .rodata as writable to simplify module loading
C) Detects writes to read-only data and triggers warnings or oops
D) Disables kernel address randomization
Answer: C
Explanation: CONFIG_DEBUG_RODATA mapped the kernel's text and read-only data with write protection in the page tables, so a stray write takes a page fault and produces an oops instead of silently corrupting the data. Since Linux 4.11 the option is called CONFIG_STRICT_KERNEL_RWX (with CONFIG_STRICT_MODULE_RWX for modules) and is a standard hardening setting rather than a debug aid.

Question 30. Which of the following is a recommended practice when handling switch-case fall-through in kernel code?
A) Use the comment /* fall through */ to silence warnings
B) Omit the break statement without comment
A) Enforcing
B) Permissive
C) Disabled
D) Targeted
Answer: B
Explanation: In permissive mode SELinux still evaluates its policy and logs AVC denials to the audit log, but lets the operation proceed; this is how new policy is developed and debugged before switching to enforcing. "Targeted" is a policy type, not a mode. Permissive mode still labels files and processes, so it is not equivalent to disabled.

Question 34. Which kernel command-line parameter disables KASLR at boot time?
A) nokaslr
B) kaslr=off
C) no_randomize_va_space
D) randomize_kaslr=
Answer: A
Explanation: nokaslr tells the decompressor not to randomize the kernel base, which is useful when debugging with fixed addresses. It is distinct from /proc/sys/kernel/randomize_va_space, which controls user-space ASLR; the other listed parameters do not exist.

Question 35. What is the primary security advantage of using a stackable LSM architecture?
A) It eliminates the need for any MAC policy
B) Multiple LSMs can enforce complementary policies simultaneously
C) It reduces kernel memory usage
D) It automatically upgrades to the newest LSM version
Answer: B
Explanation: The LSM framework calls every registered module's hook in turn, so several modules contribute checks to the same operation and an access is allowed only if all of them allow it. In practice the "minor" LSMs (capabilities, Yama, LoadPin, SafeSetID, Lockdown) stack on top of one "major" labelling LSM; SELinux and AppArmor are both exclusive and cannot currently be enabled together, so a realistic stack looks like lockdown,yama,loadpin,safesetid,selinux, as listed in CONFIG_LSM or the lsm= boot parameter.
Question 36. Which eBPF helper function can be used to retrieve the current process's PID?
A) bpf_get_current_pid_tgid()
B) bpf_get_current_uid_gid()
C) bpf_get_current_comm()
D) bpf_get_current_task()
Answer: A
Explanation: bpf_get_current_pid_tgid() returns a 64-bit value whose upper 32 bits hold the TGID (the process ID as user space sees it) and whose lower 32 bits hold the kernel PID (the thread ID); shift right by 32 to get the process ID. bpf_get_current_uid_gid() packs UID and GID the same way, bpf_get_current_comm() copies the task name, and bpf_get_current_task() returns a pointer to the task_struct.

Question 37. In Netfilter, which chain is traversed for packets generated locally and destined for the network?
A) INPUT
B) OUTPUT
C) FORWARD
D) PREROUTING
Answer: B
Explanation: Locally generated packets traverse the OUTPUT chain (and then POSTROUTING in the nat/mangle tables) before leaving the host. INPUT handles packets addressed to the host, FORWARD routed traffic, and PREROUTING runs on incoming packets before the routing decision.

Question 38. Which of the following is a typical effect of enabling CONFIG_STRICT_DEVMEM?
A) Allows any process to map /dev/mem
B) Restricts access to physical memory regions to privileged processes only
C) Disables all device drivers
D) Enables direct I/O for user-space programs
Answer: B
Explanation: /dev/mem already requires CAP_SYS_RAWIO; CONFIG_STRICT_DEVMEM additionally restricts even that privileged access to non-RAM regions (PCI and other MMIO space), so root cannot read or patch kernel memory through /dev/mem. CONFIG_IO_STRICT_DEVMEM goes further and also blocks ranges currently claimed by a driver.
D) net_cls
Answer: D
Explanation: The net_cls and net_prio controllers exist only in cgroup v1; cgroup v2 dropped them. Their role is taken by eBPF programs attached to the cgroup (BPF_PROG_TYPE_CGROUP_SKB and BPF_PROG_TYPE_CGROUP_SOCK) and by the cgroup path match in iptables/nftables (-m cgroup --path ...), so there is no unified net_cls controller in v2.

Question 42. In seccomp BPF filtering, which return value tells the kernel to allow the system call to proceed?
A) SECCOMP_RET_KILL
B) SECCOMP_RET_ALLOW
C) SECCOMP_RET_ERRNO
D) SECCOMP_RET_TRACE
Answer: B
Explanation: SECCOMP_RET_ALLOW (0x7fff0000) means the syscall passes the filter and is executed. The high 16 bits select the action and the low 16 bits carry data: SECCOMP_RET_ERRNO (0x00050000) puts the errno to return in the data bits, SECCOMP_RET_TRACE (0x7ff00000) hands the call to a ptracer, and SECCOMP_RET_KILL_PROCESS (0x80000000) terminates the process. When several filters are installed, the lowest (most restrictive) action wins, which is why ALLOW has the highest action value.

Question 43. Which kernel feature provides a per-process "capability bounding set" that limits the capabilities a process may gain?
A) Secure Computing (seccomp)
B) POSIX capabilities
C) Capability bounding set (in /proc/self/status)
D) SELinux domains
Answer: C
Explanation: The bounding set (CapBnd in /proc/<pid>/status) is a per-thread mask that caps the capabilities a process can acquire through execve() of a setuid or file-capability binary; it is inherited by children and can only be shrunk (prctl(PR_CAPBSET_DROP), which requires CAP_SETPCAP). It does not remove capabilities already in the process's permitted set; for that the process must drop them itself with capset(). Seccomp filters syscalls, and SELinux domains are a separate MAC layer.

Question 44. Which IMA mode can be combined with EVM (Extended Verification Module) to provide integrity for extended attributes?
A) Collect mode only
B) Appraise mode only
C) Enforce mode only
D) Both Appraise and Enforce modes
Answer: D
Explanation: EVM stores an HMAC or digital signature over a file's security extended attributes (security.ima, security.selinux, security.SMACK64, security.capability, and so on) in security.evm. IMA appraisal asks EVM to validate those xattrs before trusting the hash in security.ima, so an attacker with offline access cannot simply replace the stored hash along with the file content. "Enforce" is the appraisal sub-mode (ima_appraise=enforce) that actually denies access; the fix and log sub-modes also consult EVM but do not block. Measurement (what the question calls "collect") never uses EVM.

Question 45. What does the kernel parameter module.sig_hash specify?
A) The hash algorithm used for module signatures (e.g., sha256)
B) The size of the module signature field
C) Whether module signatures are optional
D) The location of the signing key
Answer: A
Explanation: Option A describes what the setting controls, but it is a build-time choice, not a boot parameter: the digest used for module signatures is fixed by CONFIG_MODULE_SIG_HASH (selected through CONFIG_MODULE_SIG_SHA256 and its siblings) and is recorded inside the PKCS#7 signature appended to each module, so a running kernel reads it from the signature rather than from a parameter. The runtime parameter in this area is module.sig_enforce; the signing key is named by CONFIG_MODULE_SIG_KEY.

Question 46. Which of the following is a benefit of using CONFIG_HARDENED_USERCOPY together with CONFIG_DEBUG_RODATA?
A) Faster context switches
B) Prevention of accidental writes to read-only kernel data via copy_to_user()
C) Automatic signing of all kernel modules
D) Disabling of all kernel debugging output
Answer: B
Explanation: HARDENED_USERCOPY bounds-checks the kernel object on every user/kernel copy, and DEBUG_RODATA (today STRICT_KERNEL_RWX) write-protects the kernel's text and rodata, so a copy_from_user() that is tricked into targeting read-only data either fails the object check or faults on the write. Neither option has anything to do with module signing or logging.
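A seccomp-BPF allowlist that ties together Question 22 (installing a filter with prctl(PR_SET_SECCOMP, ...)) and Question 42 (the SECCOMP_RET_* values), as an added example that is not part of the exam. The filter allows read, write and exit_group, answers every other syscall with -EPERM via SECCOMP_RET_ERRNO, and kills the process if the syscall ABI is not x86-64. run_filter() is a small interpreter for the classic-BPF subset the filter uses, written for this example so the filter's decisions can be checked without installing it; install_filter() is the real installation path. Linux headers are assumed, and main() assumes an x86-64 host.

```c
/*
 * Added example, not from the exam: a seccomp-BPF syscall allowlist plus a
 * tiny interpreter (run_filter) for the instruction subset it uses. Assumes
 * Linux headers; the hard-coded AUDIT_ARCH_X86_64 check makes the installed
 * filter kill the process on any other ABI.
 */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS   /* headers older than 4.14 */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

static const struct sock_filter allowlist[] = {
    /* Check the ABI first: syscall numbers only mean something per architecture. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* Load the syscall number; each JEQ jumps forward to the ALLOW on a match. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
    /* Anything else: hand EPERM back to the caller (debuggable) instead of SIGSYS. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define ALLOWLIST_LEN (sizeof allowlist / sizeof allowlist[0])

/* Evaluate the program over a seccomp_data the way the kernel would, for the
 * subset used above (absolute 32-bit loads, JEQ with immediate, RET). */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    const unsigned char *base = (const unsigned char *)sd;
    uint32_t acc = 0;

    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];

        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k + sizeof acc > sizeof *sd)
                return SECCOMP_RET_KILL_PROCESS; /* the kernel verifier rejects this */
            memcpy(&acc, base + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += acc == ins->k ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* unsupported opcode here: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: the kernel rejects such programs */
}

/* Filter decision for one (syscall number, ABI) pair; other fields zeroed. */
static uint32_t decide(int nr, uint32_t arch)
{
    struct seccomp_data sd;

    memset(&sd, 0, sizeof sd);
    sd.nr = nr;
    sd.arch = arch;
    return run_filter(allowlist, ALLOWLIST_LEN, &sd);
}

/* Install on the calling thread. PR_SET_NO_NEW_PRIVS is mandatory unless the
 * caller has CAP_SYS_ADMIN: it guarantees execve() cannot gain privilege, so an
 * unprivileged filter cannot be used to confuse a setuid program. */
static int install_filter(void)
{
    struct sock_fprog prog = {
        .len = ALLOWLIST_LEN,
        .filter = (struct sock_filter *)allowlist,
    };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_filter() != 0) {
        perror("PR_SET_SECCOMP");
        return 1;
    }
    /* openat() is not on the list, so glibc's open() now fails with EPERM.
     * write() is used for output because printf() may issue other syscalls. */
    if (open("/etc/hostname", O_RDONLY) < 0 && errno == EPERM)
        (void)write(1, "open blocked by seccomp\n", 24);
    return 0;
}
```

The ABI check before the syscall-number comparison is the part most often omitted in hand-written filters: without it a 32-bit binary (or the x32 ABI on x86-64) can invoke syscalls whose numbers happen to coincide with allowed ones.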
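Where the module-signature hash from Question 45 actually lives, and what CONFIG_MODULE_SIG_FORCE / module.sig_enforce from Questions 17 and 25 reject when it is missing: a parser for the signature trailer that the kernel build appends to a signed .ko, as an added example that is not part of the exam and not kernel code. The trailer layout follows include/linux/module_signature.h and the sanity checks mirror the ones mod_check_sig() performs before the PKCS#7 blob is handed to the crypto layer. The "PKCS7-PLACEHOLDER" bytes in the constructed sample are not a real signature; a real one would be verified against the kernel's trusted keyring afterwards.

```c
/*
 * Added example, not from the exam: parse the trailer of a signed kernel
 * module. Layout: [ELF data][PKCS#7 signature][struct module_signature][magic].
 * The sample buffers are constructed; the "signature" is a placeholder.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MODULE_SIG_STRING_LEN (sizeof(MODULE_SIG_STRING) - 1)
#define PKEY_ID_PKCS7 2
#define TRAILER_LEN 12   /* on-disk size of struct module_signature */

/* For PKCS#7 the algo/hash/signer/key-id fields are zero: the digest (sha256,
 * ...) and the signer are carried inside the PKCS#7 SignerInfo instead. */
struct module_signature {
    uint8_t algo;        /* 0 for PKCS#7 */
    uint8_t hash;        /* 0 for PKCS#7 */
    uint8_t id_type;     /* PKEY_ID_PKCS7 */
    uint8_t signer_len;  /* 0 for PKCS#7 */
    uint8_t key_id_len;  /* 0 for PKCS#7 */
    uint8_t pad[3];
    uint32_t sig_len;    /* big-endian on disk */
};
_Static_assert(sizeof(struct module_signature) == TRAILER_LEN, "trailer size");

struct sig_info {
    size_t payload_len;  /* bytes of the module covered by the signature */
    size_t sig_len;      /* length of the PKCS#7 blob */
};

/* Returns 0 and fills *out if buf ends in a well-formed trailer, -1 otherwise.
 * -1 is the case an enforcing kernel turns into "module load refused". */
static int parse_module_sig(const unsigned char *buf, size_t len, struct sig_info *out)
{
    struct module_signature ms;
    const unsigned char *trailer;

    if (len < MODULE_SIG_STRING_LEN + TRAILER_LEN)
        return -1;
    if (memcmp(buf + len - MODULE_SIG_STRING_LEN, MODULE_SIG_STRING,
               MODULE_SIG_STRING_LEN) != 0)
        return -1;                        /* no magic: unsigned module */

    trailer = buf + len - MODULE_SIG_STRING_LEN - TRAILER_LEN;
    memcpy(&ms, trailer, sizeof ms);
    ms.sig_len = ((uint32_t)trailer[8] << 24) | ((uint32_t)trailer[9] << 16) |
                 ((uint32_t)trailer[10] << 8) | trailer[11];

    if (ms.id_type != PKEY_ID_PKCS7)
        return -1;                        /* only PKCS#7 signatures are accepted */
    if (ms.algo || ms.hash || ms.signer_len || ms.key_id_len)
        return -1;                        /* must all be zero for PKCS#7 */
    if (ms.sig_len == 0 || ms.sig_len > (size_t)(trailer - buf))
        return -1;                        /* signature cannot extend past the file */

    out->payload_len = (size_t)(trailer - buf) - ms.sig_len;
    out->sig_len = ms.sig_len;
    return 0;
}

/* Sample builder: appends a placeholder signature and a trailer to body.
 * Returns the total length, or 0 if cap is too small. */
static size_t build_signed_module(const char *body, const char *sig,
                                  unsigned char *out, size_t cap)
{
    size_t body_len = strlen(body), sig_len = strlen(sig);
    size_t total = body_len + sig_len + TRAILER_LEN + MODULE_SIG_STRING_LEN;
    unsigned char *p = out;

    if (total > cap)
        return 0;
    memcpy(p, body, body_len);      p += body_len;
    memcpy(p, sig, sig_len);        p += sig_len;
    memset(p, 0, TRAILER_LEN);
    p[2] = PKEY_ID_PKCS7;
    p[8] = (unsigned char)(sig_len >> 24);
    p[9] = (unsigned char)(sig_len >> 16);
    p[10] = (unsigned char)(sig_len >> 8);
    p[11] = (unsigned char)sig_len; p += TRAILER_LEN;
    memcpy(p, MODULE_SIG_STRING, MODULE_SIG_STRING_LEN);
    return total;
}

/* Scenarios over constructed buffers: each returns the payload length that
 * parse_module_sig() reports, or -1 if it rejected the buffer. */
static long demo_signed(void)
{
    unsigned char buf[128];
    struct sig_info info;
    size_t len = build_signed_module("MODULE-ELF", "PKCS7-PLACEHOLDER", buf, sizeof buf);

    if (len == 0 || parse_module_sig(buf, len, &info) != 0 || info.sig_len != 17)
        return -1;
    return (long)info.payload_len;
}

static long demo_unsigned(void)
{
    const unsigned char buf[] = "MODULE-ELF";   /* no trailer at all */
    struct sig_info info;

    return parse_module_sig(buf, sizeof buf - 1, &info) == 0 ? (long)info.payload_len : -1;
}

static long demo_oversized_sig_len(void)
{
    unsigned char buf[128];
    struct sig_info info;
    size_t len = build_signed_module("MODULE-ELF", "PKCS7-PLACEHOLDER", buf, sizeof buf);

    buf[len - MODULE_SIG_STRING_LEN - 1] = 0xff;  /* sig_len now claims 255 bytes */
    return parse_module_sig(buf, len, &info) == 0 ? (long)info.payload_len : -1;
}
```

On a real system the same structure can be seen with `tail -c 28 foo.ko`, which prints the magic string for a signed module; modinfo's "sig_hashalgo" field is read from the PKCS#7 blob, not from any kernel parameter.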
Explanation: In the filter table, packets are processed through the INPUT (addressed to the host), FORWARD (routed through the host) and OUTPUT (locally generated) chains; PREROUTING and POSTROUTING exist only in the nat, mangle and raw tables.

Question 50. Which kernel configuration option enables the Kernel Page Table Isolation (KPTI) mitigation for Meltdown?
A) CONFIG_X86_PTI
B) CONFIG_MELTDOWN_FIX
C) CONFIG_PTI
D) CONFIG_PAGE_TABLE_ISOLATION
Answer: D
Explanation: CONFIG_PAGE_TABLE_ISOLATION is the x86 Kconfig symbol behind KPTI (arm64 has CONFIG_UNMAP_KERNEL_AT_EL0). It keeps a second, nearly empty set of page tables for user mode so that kernel memory is not mapped while user code runs, which defeats Meltdown's speculative reads of kernel data. It can be toggled at boot with pti=on|off|auto, and /sys/devices/system/cpu/vulnerabilities/meltdown reports whether it is active. The other three names are not Kconfig symbols.

Question 51. What is the primary purpose of the securityfs filesystem in Linux?
A) Store user passwords securely
B) Provide a virtual filesystem for LSMs to expose policy information and controls
C) Mount encrypted block devices
D) Host the root filesystem for containers
Answer: B
Explanation: securityfs (mounted at /sys/kernel/security) is a pseudo-filesystem through which security modules and related subsystems (SELinux, AppArmor, IMA, lockdown, TPM event logs) expose configuration, status and measurement files to user space.

Question 52. Which of the following statements about POSIX capabilities is FALSE?
A) They can be added to a process's effective set without granting them permanently
B) They replace the need for any discretionary access control
C) The set of capabilities is defined in /usr/include/linux/capability.h
D) Capabilities can be inherited across execve() if permitted by the bounding set
Answer: B
Explanation: Capabilities split root's privilege into independent pieces but sit on top of DAC, not in place of it: a process holding CAP_NET_BIND_SERVICE still cannot read a file it lacks permission for unless it also holds CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH. Statement A describes raising capabilities from the permitted into the effective set with capset(), C is where the CAP_* constants are defined, and D describes file capabilities and the inheritable/ambient rules applied at execve(), all bounded by CapBnd.

Question 53. In the context of kernel hardening, what does the CONFIG_DEBUG_VM option enable?
A) Logging of all virtual memory allocations
B) Detection of invalid page table entries and memory leaks during debugging
C) Automatic clearing of unused memory pages
D) Disabling of swap usage
Answer: B
Explanation: CONFIG_DEBUG_VM turns on the extra VM_BUG_ON()/VM_WARN_ON() sanity checks throughout the memory-management code (page flags, mapcounts, zone and PFN validity, and so on), so misuse of MM APIs is caught close to its cause. It is a developer debugging aid with a measurable performance cost rather than a production hardening option; leak detection proper is CONFIG_DEBUG_KMEMLEAK.

Question 54. Which system call can a process use to change its user namespace to gain a new UID mapping?
A) setuid()
B) unshare()
C) clone() with CLONE_NEWUSER flag
D) mount()
Answer: C
Explanation: Both clone(CLONE_NEWUSER) and unshare(CLONE_NEWUSER) create a new user namespace: clone() places a new child in it, unshare() moves the caller. Either way the creating process then writes /proc/<pid>/uid_map and gid_map (an unprivileged creator must first write "deny" to /proc/<pid>/setgroups) to establish the mapping; the creator holds a full capability set inside the new namespace. setuid() only switches between UIDs within the current namespace.

Question 55. Which LSM uses a "profile" concept to define a set of allowed syscalls and file accesses for an application?