LPIC-1 Module 10: Security - Complete Study Guide

Published On: 31 August 2025

Objective

Security in Linux systems has become more critical than ever. As system administrators, we're the guardians of digital infrastructure, and understanding Linux security fundamentals isn't just about passing the LPIC-1 exam; it's about protecting real systems that people depend on daily. This module covers the essential security concepts you'll encounter in enterprise Linux environments. From user account management to network security, we'll explore each topic with practical examples and real-world scenarios that you'll face as a Linux administrator.

Topic 110.1: Perform Security Administration Tasks

Understanding User Account Security

User account management forms the backbone of Linux security. Every file, process, and system resource is tied to user permissions, making proper account management crucial for system integrity.

The /etc/passwd file stores user account information in a structured format. Each line contains seven fields separated by colons: username, password placeholder, UID, GID, user info, home directory, and shell. While passwords were historically stored here, modern systems use /etc/shadow for enhanced security.

The shadow file contains encrypted passwords and password aging information. Only root can read this file, adding an extra layer of protection. Each entry includes the username, encrypted password, last password change date, minimum password age, maximum password age, password warning period, password inactivity period, and account expiration date.

When managing user accounts, the passwd command becomes your primary tool. Beyond changing passwords, it controls account locking and unlocking. The chage command handles password aging policies, allowing you to set expiration dates and force password changes.

Group management works similarly through the /etc/group and /etc/gshadow files. Groups provide a way to assign permissions to multiple users simultaneously, simplifying administration in larger environments.
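
The shadow fields and the chage aging rules described above can be seen working on constructed data. The following is an added example, not part of the study guide: it parses three made-up /etc/shadow-style records (the hashes are placeholders) and derives the state that chage -l would report, using the last-change day, the maximum age (chage -M) and the warning period (chage -W). The "today" value is passed in as a day count since 1970-01-01, the same unit the file uses, so the result is reproducible.

```sh
#!/bin/sh
# Added example (not from the study guide): evaluate password-aging state from
# constructed /etc/shadow-style records.
# Field layout: name:hash:lastchg:min:max:warn:inact:expire:reserved
# lastchg is days since 1970-01-01; "today" is supplied in the same unit.

# Constructed sample: three accounts with different aging settings
# (hash values are placeholders, not real password hashes).
SAMPLE_SHADOW='alice:$6$saltsalt$hashhashhash:20000:0:90:7:14::
bob:!:19900:0:99999:7:::
carol:$6$othersalt$anotherhash:19950:1:30:7::20100:'

# shadow_status NAME TODAY -> prints one word:
#   locked  : password field starts with ! or * (password login disabled)
#   expired : today is past lastchg + max, so a change is forced at login
#   warning : expiry falls within the warn window
#   ok      : otherwise (including "no maximum age", max empty or 99999)
shadow_status() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v n="$1" -v t="$2" '
        $1 == n {
            if ($2 ~ /^[!*]/)              { print "locked";  exit }
            if ($5 == "" || $5 >= 99999)   { print "ok";      exit }
            if (t > $3 + $5)               { print "expired"; exit }
            if (t >= $3 + $5 - $6)         { print "warning"; exit }
            print "ok"; exit
        }'
}

# password_expires_on NAME -> day number on which the password expires
password_expires_on() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v n="$1" '$1 == n { print $3 + $5 }'
}

# Stand-alone run: report every sample account as of day 20085
for u in alice bob carol; do
    printf '%-6s %s\n' "$u" "$(shadow_status "$u" 20085)"
done
```

The same awk logic applied to the real file would need root, since only root can read /etc/shadow; on a live system compare its output with chage -l for the same account.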

Practice Question 1:
Which file contains encrypted user passwords in modern Linux systems?
A) /etc/passwd
B) /etc/shadow
C) /etc/group
D) /etc/gshadow

Answer: B) /etc/shadow

Practice Question 2:
What command would you use to set a user's password to expire in 30 days?
A) passwd -e 30 username
B) chage -M 30 username
C) usermod -e 30 username
D) expire -d 30 username

Answer: B) chage -M 30 username

Su and Sudo Mechanisms

The su command allows users to switch to another user account, most commonly root. When used without arguments, su attempts to switch to the root user, prompting for the root password. The su - form provides a complete login environment, loading the target user's profile and environment variables.

However, sharing the root password presents security risks. The sudo mechanism addresses this by allowing specific users to execute commands with elevated privileges without knowing the root password. The /etc/sudoers file controls sudo access. This file uses a specific syntax that defines who can run what commands as which users. The visudo command provides the safe way to edit this file, checking syntax before saving changes.

Common sudoers configurations include allowing wheel group members full sudo access, permitting specific users to run particular commands, and setting up passwordless sudo for automated scripts. The principle of least privilege should guide all sudo configurations.
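
To make the least-privilege point concrete, here is an added example (not from the study guide) that scans a constructed sudoers fragment and reports the rules that grant unrestricted root: any command, as any user, with or without a password. Rules scoped to a single command path, such as the constructed deploy and backup entries, are treated as acceptable and skipped. The audit reads only the last token of each line as the command specification, which is enough for this fragment; on a real host, review the output of sudo -l and run visudo -c before trusting the files.

```sh
#!/bin/sh
# Added example (not from the study guide): flag over-broad grants in a
# constructed sudoers fragment.

SAMPLE_SUDOERS='# constructed sample sudoers
Defaults    requiretty
%wheel      ALL=(ALL)       ALL
%wheel      ALL=(ALL)       NOPASSWD: ALL
deploy      ALL=(root)      NOPASSWD: /usr/bin/systemctl restart app.service
backup      ALL=(root)      /usr/bin/rsync
alice       ALL=(ALL)       NOPASSWD: ALL'

# audit_sudoers -> one "<who>\t<finding>" line per risky rule:
#   full-root-nopasswd : any command, as anyone, no password asked
#   full-root          : any command, as anyone, password still required
# Rules naming a specific command path are left alone.
audit_sudoers() {
    printf '%s\n' "$SAMPLE_SUDOERS" | awk '
        /^[[:space:]]*#/ { next }            # comment lines
        NF == 0          { next }            # blank lines
        $1 == "Defaults" { next }            # option lines, not grants
        {
            who  = $1
            cmd  = $NF                       # last token of the command spec
            nopw = ($0 ~ /NOPASSWD:/)
            if (cmd == "ALL" && nopw)  printf "%s\tfull-root-nopasswd\n", who
            else if (cmd == "ALL")     printf "%s\tfull-root\n", who
        }'
}

# count_findings -> number of risky rules in the fragment
count_findings() { audit_sudoers | wc -l | tr -d ' '; }

# Stand-alone run
audit_sudoers
printf 'risky rules: %s\n' "$(count_findings)"
```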

Practice Question 3:
Which command safely edits the sudoers file?
A) vi /etc/sudoers
B) nano /etc/sudoers
C) visudo
D) edit-sudoers

Answer: C) visudo

Practice Question 4:
What does the following sudoers entry allow: %wheel ALL=(ALL) NOPASSWD: ALL?
A) Only wheel users can use sudo
B) Wheel group members can run any command as any user without password
C) Wheel group members must enter password for sudo
D) Only specific commands are allowed for wheel group

Answer: B) Wheel group members can run any command as any user without password

User Limits and System Resources

Resource limits prevent users from consuming excessive system resources, which could lead to denial of service conditions. The ulimit command shows and sets these limits for the current shell session. The /etc/security/limits.conf file provides persistent limit configurations. This file allows setting limits for specific users or groups across various resources including CPU time, file sizes, memory usage, and process counts.

Understanding the different limit types proves essential. Hard limits represent absolute maximums that cannot be exceeded, while soft limits can be increased up to the hard limit. The distinction becomes important when applications need temporary resource increases.

Process limits include the maximum number of processes per user, CPU time limits, and memory restrictions. File limits cover maximum file sizes, number of open files, and core dump sizes. Network limits can restrict bandwidth usage in some configurations.
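
The hard/soft distinction is easiest to believe after watching the kernel refuse a change. The following is an added example, not from the study guide: it lowers and raises the open-files limit (ulimit -n) inside a subshell so the calling shell is unaffected, and separately looks up values in a constructed limits.conf fragment using the file's real "<domain> <type> <item> <value>" layout (where a type of "-" sets both hard and soft). The specific numbers are chosen for the demonstration.

```sh
#!/bin/sh
# Added example (not from the study guide): hard vs soft limits in practice,
# plus a lookup over a constructed limits.conf fragment.

# demo_limits -> prints "ok" or "denied" for each attempted change, in order.
# Runs in a subshell, so the caller's limits are untouched.
demo_limits() (
    ulimit -S -n 256  2>/dev/null && echo ok || echo denied  # soft down to 256: allowed
    ulimit -H -n 512  2>/dev/null && echo ok || echo denied  # hard down to 512: allowed
    ulimit -S -n 512  2>/dev/null && echo ok || echo denied  # soft up to the hard limit: allowed
    ulimit -S -n 1024 2>/dev/null && echo ok || echo denied  # soft above hard: always refused
    ulimit -H -n 1024 2>/dev/null && echo ok || echo denied  # hard back up: refused for unprivileged users
)

SAMPLE_LIMITS='# constructed limits.conf fragment: <domain> <type> <item> <value>
*        soft    nofile   1024
*        hard    nofile   4096
@devs    hard    nproc    500
alice    -       nofile   8192'

# limits_conf_value DOMAIN TYPE ITEM -> the value the fragment sets
# ("-" in the type column applies to both hard and soft)
limits_conf_value() {
    printf '%s\n' "$SAMPLE_LIMITS" | awk -v d="$1" -v t="$2" -v i="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == d && $3 == i && ($2 == t || $2 == "-") { print $4 }'
}

# Stand-alone run
demo_limits
printf 'alice hard nofile from limits.conf: %s\n' "$(limits_conf_value alice hard nofile)"
```

The fourth attempt is refused for every user, root included: setrlimit rejects a soft limit above the hard one. Only the fifth depends on privilege, which is why limits.conf is the place to raise hard limits for a user or group rather than a shell startup file.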

Practice Question 5:
Which file contains persistent user resource limits?
A) /etc/limits
B) /etc/security/limits.conf
C) /etc/ulimit.conf
D) /etc/user-limits

Answer: B) /etc/security/limits.conf

Practice Question 6:
What's the difference between hard and soft limits?
A) Hard limits are permanent, soft limits are temporary
B) Hard limits cannot be exceeded, soft limits can be increased up to hard limit
C) Hard limits apply to root, soft limits apply to regular users
D) There is no difference

Answer: B) Hard limits cannot be exceeded, soft limits can be increased up to hard limit

Topic 110.2: Setup Host Security

Shadow Password Suite

The shadow password suite revolutionized Linux password security by separating password hashes from the world-readable /etc/passwd file. This separation prevents unauthorized users from accessing password hashes for offline cracking attempts.

The pwconv command converts existing systems to use shadow passwords, while pwunconv reverses the process. Similarly, grpconv and grpunconv handle group shadow files. These tools ensure smooth transitions between password storage methods.

Password policies become enforceable through shadow password features. Administrators can set minimum and maximum password ages, warning periods before expiration, and account lockout periods after password expiration. The shadow suite also includes utilities for file integrity checking: the pwck and grpck commands verify the password and group files, identifying inconsistencies that could indicate corruption or security issues.

Practice Question 7:
Which command converts a system to use shadow passwords?
A) shadowconv
B) pwconv
C) passwd-shadow
D) enable-shadow

Answer: B) pwconv

Practice Question 8:
What command checks the integrity of the shadow password file?
A) pwck
B) shadowck
C) passwd-check
D) verify-shadow

Answer: A) pwck

Disable Network Services

Every running network service represents a potential attack vector. The principle of minimizing attack surface requires disabling unnecessary services and properly securing those that remain active.

Modern Linux systems use systemd for service management. The systemctl command controls service states, allowing administrators to start, stop, enable, and disable services. Understanding the difference between stopping a service (immediate effect) and disabling it (prevents automatic startup) is crucial.

Network services listening on ports can be identified using the netstat, ss, or lsof commands. Each listening port should have a legitimate business justification. Services like telnet, rsh, and ftp should be disabled in favor of secure alternatives like SSH and SFTP.

The xinetd super-daemon manages multiple network services through a single process. Services controlled by xinetd can be disabled by editing their configuration files in /etc/xinetd.d/ or by removing the service packages entirely.
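
A port review is more useful when it is compared against what the host is supposed to run. The following is an added example, not from the study guide: it parses constructed netstat -tuln output (IPv4 only; real output also carries IPv6 listeners), compares each listener with a made-up approved-port list, and tags the legacy cleartext services named above (ftp on 21, telnet on 23, rlogin/rsh on 513/514) separately from anything else that simply has not been approved. The bind address is kept in the report because a loopback-only listener is a smaller exposure than one on 0.0.0.0.

```sh
#!/bin/sh
# Added example (not from the study guide): review constructed "netstat -tuln"
# output against an approved-port list.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

APPROVED_PORTS="22 123"     # constructed allowlist for this host

# listening_ports -> "proto port bind-address" for each listener
# (IPv4 addresses only; an IPv6 "::" address would need a different split)
listening_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            n = split($4, a, ":")
            printf "%s %s %s\n", $1, a[n], a[1]
        }'
}

# unapproved_listeners -> "<tag> <port>/<proto> on <addr>" for listeners
# outside APPROVED_PORTS; tag is "legacy" for ftp/telnet/rlogin/rsh ports
# and "review" for everything else
unapproved_listeners() {
    listening_ports | while read -r proto port addr; do
        case " $APPROVED_PORTS " in *" $port "*) continue ;; esac
        case $port in
            21|23|513|514) tag=legacy ;;
            *)             tag=review ;;
        esac
        printf '%s %s/%s on %s\n' "$tag" "$port" "$proto" "$addr"
    done
}

# Stand-alone run
unapproved_listeners
```

On a live host, feed `ss -tuln` or `netstat -tuln` output into the same awk; the "legacy" entries are the ones to stop and disable with systemctl (or in /etc/xinetd.d/), the "review" entries need an owner and a justification.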

Practice Question 9:
Which command shows currently listening network ports?
A) netstat -tuln
B) ps -aux
C) service --status-all
D) systemctl list-units

Answer: A) netstat -tuln

Practice Question 10:
How do you permanently disable a systemd service?
A) systemctl stop servicename
B) systemctl disable servicename
C) systemctl mask servicename
D) Both B and C are correct

Answer: D) Both B and C are correct

TCP Wrappers

TCP Wrappers provide an additional layer of access control for network services. This host-based security mechanism allows or denies connections based on client IP addresses, hostnames, or other criteria.

The /etc/hosts.allow and /etc/hosts.deny files control TCP Wrapper behavior. The system checks hosts.allow first, and if a match is found, the connection is permitted. If no match exists in hosts.allow, the system checks hosts.deny, and connections matching entries there are rejected. If neither file matches, the connection is allowed.

TCP Wrapper syntax uses the format daemon: client: option. The daemon field specifies the service name, the client field identifies the connecting host, and the optional third field can specify additional actions like logging or executing commands.

Not all services support TCP Wrappers natively. Services must be compiled with libwrap support or run through xinetd to utilize TCP Wrapper protection. The ldd command can verify if a binary includes libwrap support.
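
The allow-then-deny order, and the trailing-dot prefix form used in Practice Question 12, are easy to get backwards. The following is an added example, not from the study guide and not the tcpd source: it reproduces the decision order on constructed hosts.allow and hosts.deny contents. A client pattern that ends in "." matches an address prefix and ALL matches everything; hostnames, netmask forms, EXCEPT lists and the option field are deliberately left out.

```sh
#!/bin/sh
# Added example (not from the study guide): emulate the tcpd decision order
# on constructed hosts.allow / hosts.deny contents.

HOSTS_ALLOW='# constructed /etc/hosts.allow
sshd: 192.168.1.
vsftpd: 10.0.0.5'

HOSTS_DENY='# constructed /etc/hosts.deny
ALL: ALL'

# rule_match RULES DAEMON CLIENT_IP -> exit 0 if any "daemon: client" line matches
rule_match() {
    printf '%s\n' "$1" | awk -v d="$2" -v c="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            sub(/:[[:space:]]*/, ":", $0)       # "sshd: 192.168.1." -> "sshd:192.168.1."
            split($0, f, ":")
            daemon = f[1]; pat = f[2]
            if (daemon != "ALL" && daemon != d) next
            if (pat == "ALL" || pat == c) { found = 1; exit }
            if (pat ~ /\.$/ && index(c, pat) == 1) { found = 1; exit }   # prefix form
        }
        END { exit found ? 0 : 1 }'
}

# tcpd_decision DAEMON CLIENT_IP -> "allow" or "deny":
#   1. a match in hosts.allow grants access
#   2. otherwise a match in hosts.deny refuses it
#   3. otherwise access is granted
tcpd_decision() {
    if rule_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif rule_match "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Stand-alone run
for pair in "sshd 192.168.1.42" "sshd 192.168.10.42" "vsftpd 10.0.0.5" "vsftpd 10.0.0.6"; do
    set -- $pair
    printf '%-7s %-14s %s\n' "$1" "$2" "$(tcpd_decision "$1" "$2")"
done
```

Note that "192.168.1." does not match 192.168.10.42: the prefix test is on the literal string, which is exactly why the trailing dot matters in the pattern. With an empty hosts.deny, step 3 would allow every connection that hosts.allow did not list, so a deny-by-default "ALL: ALL" is what turns hosts.allow into an allowlist.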

Practice Question 11:
Which file is checked first by TCP Wrappers?
A) /etc/hosts.deny
B) /etc/hosts.allow
C) /etc/tcp.allow
D) /etc/wrappers.conf

Answer: B) /etc/hosts.allow

Practice Question 12:
What TCP Wrapper entry would allow SSH access only from the 192.168.1.0/24 network?
A) sshd: 192.168.1.0/24: ALLOW
B) sshd: 192.168.1.: ALLOW
C) ssh: 192.168.1.0/255.255.255.0
D) sshd: 192.168.1.0/255.255.255.0

Answer: B) sshd: 192.168.1.: ALLOW

Topic 110.3: Securing Data with Encryption

SSH Fundamentals

Secure Shell (SSH) replaced insecure protocols like telnet and rsh, providing encrypted communications for remote system administration. SSH uses public-key cryptography for authentication and symmetric encryption for data transmission.

SSH key pairs consist of a private key (kept secret) and a public key (shared freely). The ssh-keygen command generates these key pairs, with RSA, DSA, ECDSA, and Ed25519 algorithms available. Key strength varies by algorithm, with Ed25519 providing excellent security with smaller key sizes.

The SSH client configuration file /etc/ssh/ssh_config sets system-wide defaults, while ~/.ssh/config provides user-specific settings. These files can specify default usernames, preferred authentication methods, and connection parameters for different hosts.

SSH agent functionality allows users to load private keys once per session, eliminating repeated password prompts. The ssh-agent command starts the agent, while ssh-add loads keys into memory. This approach balances security with usability.

Practice Question 13:
Which algorithm is recommended for new SSH keys due to its security and efficiency?
A) RSA
B) DSA
C) ECDSA
D) Ed25519

Answer: D) Ed25519

Practice Question 14:
What is the default location for a user's SSH private key?
A) ~/.ssh/id_rsa
B) ~/.ssh/private_key
C) ~/.ssh/identity
D) It depends on the key type

Answer: D) It depends on the key type

SSH Configuration and Hardening

SSH server configuration through /etc/ssh/sshd_config requires careful attention to security settings. Default configurations often prioritize compatibility over security, necessitating manual hardening.

Key security settings include disabling root login directly via SSH, which forces attackers to compromise a regular user account first. Password authentication can be disabled entirely when key-based authentication is properly configured, eliminating brute-force password attacks. Port changing provides security through obscurity, though it shouldn't be the only security measure. Protocol version should be restricted to SSH version 2, as version 1 contains known vulnerabilities. User and group restrictions can limit SSH access to specific accounts.

Connection limits and timeouts prevent resource exhaustion attacks. MaxAuthTries limits authentication attempts per connection, while ClientAliveInterval and ClientAliveCountMax control idle connection timeouts. These settings balance security with user experience.
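
The directives from the two paragraphs above, shown as a weak configuration beside its hardened form, with a small audit that reports which of them is missing or unsafe. This is an added example, not from the study guide; both configurations are constructed, the MaxAuthTries threshold of 4 and the sshusers group name are choices made for the example, and sshd's own syntax check is sshd -t, which this script does not replace. The lookup honours one sshd rule worth knowing: the first occurrence of a directive wins, so a later duplicate does not override it.

```sh
#!/bin/sh
# Added example (not from the study guide): weak vs hardened sshd_config and
# an audit over the hardening directives discussed in the text.

WEAK_CONFIG='# constructed: a permissive configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6'

HARDENED_CONFIG='# constructed: the same host after hardening
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups sshusers
PermitRootLogin yes'

# sshd_value CONFIG DIRECTIVE -> effective value (first occurrence wins,
# directive names are case-insensitive, like sshd itself)
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }'
}

# audit_sshd CONFIG -> one finding per line; no output means nothing to report
audit_sshd() {
    cfg=$1
    [ "$(sshd_value "$cfg" PermitRootLogin)" = no ] \
        || echo "PermitRootLogin should be no"
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = no ] \
        || echo "PasswordAuthentication should be no once keys are deployed"
    tries=$(sshd_value "$cfg" MaxAuthTries)
    [ -n "$tries" ] && [ "$tries" -le 4 ] \
        || echo "MaxAuthTries should be set to 4 or fewer (threshold chosen for this example)"
    [ -n "$(sshd_value "$cfg" ClientAliveInterval)" ] \
        || echo "ClientAliveInterval unset: idle sessions are never disconnected by sshd"
    [ -n "$(sshd_value "$cfg" AllowUsers)$(sshd_value "$cfg" AllowGroups)" ] \
        || echo "No AllowUsers/AllowGroups restriction"
    return 0
}

# finding_count CONFIG -> number of findings
finding_count() { audit_sshd "$1" | wc -l | tr -d ' '; }

# Stand-alone run
echo "weak config:";     audit_sshd "$WEAK_CONFIG"
echo "hardened config:"; audit_sshd "$HARDENED_CONFIG"
```

The trailing "PermitRootLogin yes" in the hardened configuration is there on purpose: because the first occurrence wins, it has no effect, and the audit correctly reports nothing for it. Reload sshd only after testing a new key-based login in a second session, since PasswordAuthentication no locks out anyone whose key is not yet in place.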

Practice Question 15:
Which sshd_config directive disables root login via SSH?
A) RootLogin no
B) PermitRootLogin no
C) AllowRoot no
D) DisableRoot yes

Answer: B) PermitRootLogin no

Practice Question 16:
What happens when you set 'PasswordAuthentication no' in sshd_config?
A) All authentication is disabled
B) Only key-based authentication is allowed
C) Users cannot change passwords
D) Password complexity requirements are removed

Answer: B) Only key-based authentication is allowed

Data Encryption with GPG

GNU Privacy Guard (GPG) implements the OpenPGP standard for data encryption and digital signatures. GPG uses hybrid cryptography, combining symmetric encryption for data with public-key encryption for key exchange.

Key management forms the foundation of GPG usage. The gpg --gen-key command creates new key pairs, prompting for key type, size, expiration, and user identification. Key size affects security strength, with 2048-bit RSA keys providing adequate security for most purposes.

The GPG keyring stores public and private keys locally. Public keys can be exported for sharing, while private keys must remain secure. Key servers facilitate public key distribution, allowing users to search for and download public keys by email address or key ID.

Trust relationships in GPG create webs of trust rather than hierarchical certificate authorities. Users sign each other's keys to indicate trust levels. The trust level affects GPG's willingness to use keys for encryption and signature verification.

Practice Question 17:
What command generates a new GPG key pair?
A) gpg --new-key
B) gpg --gen-key
C) gpg --create-key
D) gpg --make-key

Answer: B) gpg --gen-key

Practice Question 18:
How do you encrypt a file named 'document.txt' for user 'alice@example.com'?
A) gpg --encrypt --recipient alice@example.com document.txt
B) gpg -e -r alice@example.com document.txt
C) gpg --armor --encrypt alice@example.com document.txt
D) Both A and B are correct

Answer: D) Both A and B are correct

File and Directory Encryption

Linux provides multiple approaches to file and directory encryption, from individual file encryption to full filesystem encryption. Each method offers different trade-offs between security, performance, and ease of use.

The gpg command can encrypt individual files using symmetric or asymmetric encryption. Symmetric encryption uses the same key for encryption and decryption, requiring secure key sharing. Asymmetric encryption uses public keys for encryption and private keys for decryption.

Directory-level encryption solutions like eCryptfs encrypt entire directory trees transparently. Files are encrypted when written to disk and decrypted when accessed by authorized users. This approach provides security without requiring application modifications.

Full disk encryption using LUKS (Linux Unified Key Setup) encrypts entire partitions or drives. LUKS provides secure key management and supports multiple authentication methods including passwords, key files, and hardware tokens. The cryptsetup command manages LUKS-encrypted volumes.

Practice Question 19:
Which tool is commonly used for full disk encryption in Linux?
A) GPG
B) eCryptfs
C) LUKS
D) OpenSSL

Answer: C) LUKS

Practice Question 20:
What command opens a LUKS-encrypted partition?
A) cryptsetup open
B) luks-open
C) mount --decrypt
D) decrypt-volume

Answer: A) cryptsetup open

Practical Security Scenarios

Incident Response Planning

Security incidents will occur despite best prevention efforts. Having a well-defined incident response plan minimizes damage and ensures consistent handling of security events. The plan should address detection, containment, eradication, recovery, and lessons learned.

Log analysis plays a crucial role in incident detection and investigation. System logs in /var/log/ contain valuable forensic information. The journalctl command on systemd systems provides powerful log querying capabilities, allowing administrators to filter by time, service, or severity.

File integrity monitoring helps detect unauthorized changes to critical system files. Tools like AIDE (Advanced Intrusion Detection Environment) create checksums of important files and directories, alerting administrators to unexpected modifications.

Network monitoring identifies suspicious traffic patterns and potential intrusions. While beyond the LPIC-1 scope, understanding basic network security principles helps administrators make informed decisions about system security configurations.
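
Log analysis of the kind described above, as an added example that is not part of the study guide: a few constructed auth-log lines in OpenSSH's "Failed password for ... from ..." and "Accepted ... for ... from ..." formats (the addresses are documentation ranges and the fingerprint is a placeholder) are summarised per source address, and a second pass picks out users whose failed attempts were followed by a successful password login from the same address, which is the pattern worth a closer look during triage. On a systemd host the same awk runs over journalctl -u sshd --no-pager output; on others, over /var/log/auth.log or /var/log/secure.

```sh
#!/bin/sh
# Added example (not from the study guide): summarise failed SSH logins from
# constructed auth-log lines.

SAMPLE_LOG='Aug 31 10:01:02 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Aug 31 10:01:04 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Aug 31 10:01:09 host1 sshd[2104]: Failed password for root from 203.0.113.7 port 51130 ssh2
Aug 31 10:02:15 host1 sshd[2110]: Accepted publickey for alice from 192.168.1.20 port 40210 ssh2: ED25519 SHA256:constructedfingerprint
Aug 31 10:03:40 host1 sshd[2120]: Failed password for bob from 198.51.100.9 port 33000 ssh2
Aug 31 10:03:41 host1 sshd[2121]: Accepted password for bob from 198.51.100.9 port 33001 ssh2'

# failed_by_source -> "<count> <ip>" per source address, most frequent first
failed_by_source() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# sources_over THRESHOLD -> addresses with more than THRESHOLD failures
sources_over() {
    failed_by_source | awk -v t="$1" '$1 > t { print $2 }'
}

# failed_then_accepted -> "user@ip" for password logins that succeeded after
# earlier failures from the same address ("invalid user X" lines name X)
failed_then_accepted() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for")  { u = ($(i+1) == "invalid") ? $(i+3) : $(i+1) }
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1) }
            failed[u "@" ip] = 1
        }
        /Accepted password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for")  { u = $(i+1) }
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1) }
            if (failed[u "@" ip]) print u "@" ip
        }'
}

# Stand-alone run
echo "failures per source:";           failed_by_source
echo "sources with more than 2:";      sources_over 2
echo "failed then accepted (review):"; failed_then_accepted
```

Counting per source rather than per line is what separates a single mistyped password from a dictionary run, and the failed-then-accepted view is the one to act on first: it may be a user who finally remembered a password, or it may be a guess that worked.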

Practice Question 21:
Which command displays systemd journal entries for the SSH service?
A) journalctl sshd
B) journalctl -u sshd
C) journalctl --service=sshd
D) journalctl ssh

Answer: B) journalctl -u sshd

Practice Question 22:
What does AIDE primarily monitor?
A) Network traffic
B) User activities
C) File integrity
D) System performance

Answer: C) File integrity

System Hardening Best Practices

System hardening involves reducing attack surfaces by removing unnecessary software, services, and configurations. This process requires balancing security with functionality, ensuring systems remain usable while minimizing risks.

Regular updates form the foundation of system security. Package managers provide mechanisms for applying security updates, and administrators should establish procedures for timely patching. Automated updates can help with routine security patches, though critical systems may require manual update testing.

Service minimization removes potential attack vectors. Each running service consumes resources and may contain vulnerabilities. Regular service audits identify unnecessary processes, allowing administrators to disable or remove them safely.

File permissions and ownership verification ensures system integrity. The find command can locate files with unusual permissions, such as world-writable files or setuid binaries. These findings often indicate security concerns requiring investigation.
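
The find checks from this paragraph and from Practice Questions 23 and 24, run against a small temporary tree with constructed permissions so the output is predictable. This is an added example, not from the study guide. It shows why the answer to Question 23 is -perm -002 rather than -perm 777: the leading "-" means "all of these bits are set", so a 666 file is found, while a bare mode is an exact match. The setuid/setgid search uses two -perm tests because the GNU-only -perm /6000 form is not portable.

```sh
#!/bin/sh
# Added example (not from the study guide): permission audits with find on a
# temporary tree whose modes are set explicitly.

# make_tree -> prints the path of a new temporary directory populated with
# files of known modes (cleaned up by the caller)
make_tree() {
    d=$(mktemp -d)
    : > "$d/normal";  chmod 644  "$d/normal"
    : > "$d/ww";      chmod 666  "$d/ww"       # world-writable regular file
    : > "$d/ww-exec"; chmod 777  "$d/ww-exec"  # world-writable and executable
    : > "$d/suid";    chmod 4755 "$d/suid"     # setuid: runs as the file owner
    : > "$d/sgid";    chmod 2755 "$d/sgid"     # setgid: runs with the file group
    mkdir "$d/tmpdir"; chmod 1777 "$d/tmpdir"  # sticky world-writable dir, like /tmp
    echo "$d"
}

# world_writable_files DIR -> regular files with the o+w bit set (-perm -002),
# one basename per line, sorted; directories such as a /tmp-style sticky
# directory are excluded because that layout is expected
world_writable_files() {
    find "$1" -type f -perm -002 -exec basename {} \; | sort
}

# exact_777 DIR -> only files whose mode is exactly 0777, to contrast with -002
exact_777() {
    find "$1" -type f -perm 777 -exec basename {} \; | sort
}

# privileged_binaries DIR -> files with the setuid or setgid bit (4755 is the
# case Practice Question 24 points at); POSIX-portable form
privileged_binaries() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec basename {} \; | sort
}

# Stand-alone run
T=$(make_tree)
printf 'world-writable (-perm -002): %s\n' "$(world_writable_files "$T" | tr '\n' ' ')"
printf 'exactly 777 (-perm 777):      %s\n' "$(exact_777 "$T" | tr '\n' ' ')"
printf 'setuid/setgid:                %s\n' "$(privileged_binaries "$T" | tr '\n' ' ')"
rm -rf "$T"
```

On a real system add -xdev to stay on one filesystem and compare the setuid list against the distribution's package manifest; an unexpected entry is worth the same investigation the text calls for.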

Practice Question 23:
Which find command locates world-writable files?
A) find / -perm 777
B) find / -perm -002
C) find / -perm +w
D) find / -writable

Answer: B) find / -perm -002

Practice Question 24:
What permission setting is potentially dangerous on executable files?
A) 755
B) 644
C) 4755 (setuid)
D) 700

Answer: C) 4755 (setuid)

Advanced Security Concepts

SELinux and AppArmor Basics

Mandatory Access Control (MAC) systems like SELinux and AppArmor provide additional security layers beyond traditional Unix permissions. These systems enforce security policies that restrict what applications and users can do, even if they gain unauthorized access.

SELinux operates through security contexts assigned to files, processes, and users. These contexts determine allowed operations based on security policy rules. SELinux modes include enforcing (policies are enforced), permissive (violations are logged but not blocked), and disabled.

AppArmor takes a different approach, using profiles to define allowed operations for specific applications. Profiles can operate in enforcing or complaining modes, similar to SELinux. AppArmor generally requires less complex configuration than SELinux.

While detailed MAC configuration exceeds LPIC-1 requirements, understanding these systems' existence and basic concepts helps administrators make informed security decisions in enterprise environments.

Practice Question 25:
What command shows the current SELinux mode?
A) selinux-status
B) getenforce
C) sestatus
D) selinux-mode

Answer: B) getenforce

Conclusion and Exam Preparation

Security administration requires continuous learning and adaptation as threats evolve. The concepts covered in this module provide the foundation for Linux security management, but real-world security involves ongoing vigilance and improvement.

For exam preparation, focus on understanding the practical applications of each security tool and technique. Practice commands in lab environments, and pay attention to configuration file locations and syntax. The LPIC-1 exam emphasizes hands-on knowledge over theoretical concepts. Remember that security is not just about passing an exam; it's about protecting systems and data that organizations depend on. The skills you develop while studying for LPIC-1 will serve you throughout your career as a Linux administrator.

Key areas to review before the exam include user account management commands, SSH configuration options, basic encryption concepts, and security-related file locations. Practice scenarios that combine multiple security concepts, as real-world situations often require integrating various tools and techniques.

The security landscape continues evolving, making ongoing education essential. While LPIC-1 provides the foundation, consider pursuing advanced security certifications and staying current with security best practices through professional development and industry resources.

Quick Reference Commands

User Management

  • passwd - Change user password
  • chage - Modify password aging
  • su - Switch user
  • sudo - Execute commands as another user
  • visudo - Edit sudoers file safely

SSH Operations

  • ssh-keygen - Generate SSH key pairs
  • ssh-copy-id - Copy public key to remote host
  • ssh-agent - Start SSH agent
  • ssh-add - Add keys to SSH agent

Encryption Tools

  • gpg --gen-key - Generate GPG key pair
  • gpg --encrypt - Encrypt files
  • gpg --decrypt - Decrypt files
  • cryptsetup - Manage LUKS encryption

System Security

  • systemctl - Manage systemd services
  • netstat -tuln - Show listening ports
  • find / -perm -002 - Find world-writable files
  • journalctl -u service - View service logs

This comprehensive guide covers the essential security topics for LPIC-1 Module 10. Regular practice with these commands and concepts in lab environments will build the confidence and skills needed for both exam success and real-world Linux administration.