100+ Free LPIC-3 Security Practice Questions

Pass your LPIC-3 Security (Exam 303-300) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
Pass Rate: Not publicly disclosed
100+ Questions
100% Free
2026 Statistics

Key Facts: LPIC-3 Security Exam

  • Exam Questions: 60 (LPI)
  • Passing Score: 500/800 (LPI scaled scoring)
  • Exam Duration: 90 min (LPI)
  • Exam Fee (Tier 1): $200 (LPI)
  • Validity: 5 years (Recertification required)
  • Required to claim: LPIC-2 (LPI)

LPIC-3 303-300 is a 60-question, 90-minute senior security exam scored on a 200-800 scale with 500 to pass. Five weighted topic areas total 55 points: Cryptography (X.509/PKI with openssl, GPG, encrypted file systems, DNSSEC), Host Security (hardening, AIDE/Lynis/OpenSCAP, cgroups), Access Control (DAC and MAC with SELinux semanage/setsebool/audit2allow and AppArmor), Network Security (network hardening, NIDS, packet filtering with nftables, VPNs OpenVPN/IPsec/WireGuard), and Threats and Vulnerability Assessment (CVE, Wireshark, nmap). Requires LPIC-2 to claim the LPIC-3 credential.

Sample LPIC-3 Security Practice Questions

Try these sample questions to test your LPIC-3 Security exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which OpenSSL command generates an RSA private key of 4096 bits?
A. openssl genrsa -out server.key 4096
B. openssl rsa -size 4096
C. openssl pkey -bits 4096
D. openssl req -newkey 4096
Explanation: `openssl genrsa` is the legacy command to create an RSA private key of a given bit length. Modern OpenSSL favors `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key`. The -size flag is not valid for `openssl rsa`. Always protect the resulting .key file with 0600 permissions.
2. Which OpenSSL command generates a self-signed X.509 certificate valid for 365 days from an existing key?
A. openssl req -new -x509 -key server.key -days 365 -out server.crt
B. openssl x509 -gen -days 365
C. openssl crt -create -valid 365
D. openssl ca -selfsign 365
Explanation: `openssl req -new -x509 -key <key> -days <n> -out <crt>` produces a self-signed certificate in one step using the key. Add -subj for non-interactive subject input. The other forms are not valid OpenSSL command syntax.
3. Which file format combines a private key, certificate, and chain into one binary file commonly used by Windows and Java?
A. PKCS#12 (.p12 / .pfx)
B. PEM (.pem)
C. DER (.cer)
D. JKS
Explanation: PKCS#12 bundles key + cert + intermediate chain in a single password-protected binary file (.p12 or .pfx). Build with `openssl pkcs12 -export -inkey k.key -in c.crt -certfile chain.pem -out bundle.p12`. PEM is base64-armored text; DER is binary single-object; JKS is Java's old keystore format (now succeeded by PKCS#12).
4. Which OpenSSL command verifies a server's certificate chain by connecting to it on port 443?
A. openssl s_client -connect example.com:443 -servername example.com -showcerts
B. openssl verify --connect example.com:443
C. openssl ssl -test example.com
D. curl -k https://example.com
Explanation: `openssl s_client` opens a TLS session and prints the chain when -showcerts is given. -servername sets the SNI extension (essential for vhosts). The output includes negotiated cipher, protocol version, and certificate validation result.
5. Which GPG command generates a new keypair interactively?
A. gpg --full-generate-key
B. gpg --create-key
C. gpg --new-key
D. gpg-agent --generate
Explanation: `gpg --full-generate-key` (or the older --gen-key) walks through algorithm, key size, validity, and identity selection. Modern GPG defaults are good (Ed25519/Curve25519). Keys land in ~/.gnupg/; back up that directory.
6. Which GPG command encrypts file.txt for recipient bob@example.com using bob's public key?
A. gpg --encrypt --recipient bob@example.com file.txt
B. gpg --encrypt --user bob file.txt
C. gpg --send file.txt --to bob
D. gpg --crypt -r bob
Explanation: `gpg --encrypt --recipient <key-id>` (or -r) encrypts to that public key, producing file.txt.gpg. Add --armor for ASCII output. Multiple -r options layer additional recipients. Verify with `gpg --decrypt`.
7. Which command initializes a LUKS-encrypted volume on /dev/sdb1?
A. cryptsetup luksFormat /dev/sdb1
B. mkfs.luks /dev/sdb1
C. cryptsetup -create /dev/sdb1
D. dm-crypt format /dev/sdb1
Explanation: `cryptsetup luksFormat /dev/sdb1` writes the LUKS header (LUKS1 by default in older versions, LUKS2 today) and prompts for the master passphrase. Open with `cryptsetup luksOpen /dev/sdb1 secret`, then format the resulting /dev/mapper/secret. Header backup with `cryptsetup luksHeaderBackup` is critical.
8. Which file lists encrypted block devices to be opened automatically at boot?
A. /etc/crypttab
B. /etc/fstab
C. /etc/luks.conf
D. /etc/dm-crypt
Explanation: /etc/crypttab has lines like `secret UUID=xxxx /etc/keyfile luks` describing each volume. systemd-cryptsetup-generator turns these into target units at boot. /etc/fstab references the resulting /dev/mapper/<name>, not the underlying device.
9. Which command lists keyslots used by a LUKS device?
A. cryptsetup luksDump /dev/sdb1
B. cryptsetup status /dev/sdb1
C. cryptsetup info /dev/sdb1
D. blkid /dev/sdb1
Explanation: `cryptsetup luksDump` shows the LUKS header: version, cipher, hash, key slots, digests. `cryptsetup status` reports the running mapping. `blkid` shows UUID/type. Add slots with luksAddKey; remove with luksRemoveKey.
10. Which file is the canonical sshd configuration on Linux?
A. /etc/ssh/sshd_config
B. /etc/ssh/ssh_config
C. /etc/sshd.conf
D. /etc/openssh.conf
Explanation: /etc/ssh/sshd_config is the daemon side; /etc/ssh/ssh_config is the client side. Apply changes with `systemctl reload sshd` after `sshd -t` validates syntax. The other paths are not standard.

About the LPIC-3 Security Exam

Senior LPIC-3 specialty exam covering Linux security from cryptography (X.509, GPG, OpenSSL, OpenSSH) through host hardening (SELinux, AppArmor, AIDE) and network security (nftables, OpenVPN, IPsec, WireGuard) to vulnerability assessment. Passing 303-300 with an active LPIC-2 grants the LPIC-3 Security credential.

  • Questions: 60 scored questions
  • Time Limit: 90 minutes
  • Passing Score: 500 / 800
  • Exam Fee: $200 USD (Linux Professional Institute (Pearson VUE / OnVUE online proctored))

LPIC-3 Security Exam Content Outline

  • Cryptography (31%): X.509 PKI with openssl req/x509/genrsa, certs for encryption/signing/auth, encrypted file systems with cryptsetup/dm-crypt and eCryptfs, DNSSEC
  • Host Security (24%): Host hardening (sysctl, kernel parameters), host intrusion detection with AIDE database/rkhunter/Lynis/OpenSCAP, resource control with cgroups and ulimit
  • Network Security (31%): Network hardening, network IDS (Snort, Suricata), packet filtering with nftables (nft add table/chain/rule) and iptables, VPNs OpenVPN/IPsec strongSwan/WireGuard
  • Access Control (15%): Discretionary access control (POSIX ACLs, getfacl/setfacl), mandatory access control with SELinux (semanage, setsebool, audit2allow, sealert) and AppArmor profiles
  • Threats and Vulnerability Assessment (9%): Common security threats and CVE awareness, penetration testing concepts with nmap, Wireshark, OpenVAS, Metasploit basics

How to Pass the LPIC-3 Security Exam

What You Need to Know

  • Passing score: 500 / 800
  • Exam length: 60 questions
  • Time limit: 90 minutes
  • Exam fee: $200 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

LPIC-3 Security Study Tips from Top Performers

1. Generate a CA, server cert, and client cert chain with openssl req, openssl x509 -req -CA, and openssl pkcs12; verify with openssl verify and openssl s_client
2. Encrypt a partition with cryptsetup luksFormat and luksOpen, configure /etc/crypttab, and verify dm-crypt mappings with dmsetup
3. Practice SELinux daily: semanage fcontext for file labels, setsebool for booleans, audit2allow to build policy modules from AVC denials
4. Write nftables rulesets from scratch: `nft add table inet filter`; `nft add chain inet filter input { type filter hook input priority 0; }`; `nft add rule inet filter input ct state established,related accept`
5. Stand up OpenVPN with easy-rsa, IPsec with strongSwan ipsec.conf and swanctl, and WireGuard with wg-quick, then compare key exchange and config models
6. Run Lynis audit system, AIDE --init then --check, and oscap xccdf eval against an SSG profile to feel the differences in HIDS approaches
7. Drill GPG: gpg --gen-key, gpg --import, gpg --encrypt --recipient, gpg --sign --detach-sign, and understand the web of trust

Frequently Asked Questions

What does LPIC-3 303-300 cover?

LPIC-3 303-300 is the LPI Security specialty exam covering five topic areas: Cryptography (X.509 PKI, GPG, encrypted filesystems, DNSSEC), Host Security (hardening, AIDE/Lynis/OpenSCAP, cgroups), Access Control (DAC plus SELinux/AppArmor), Network Security (nftables/iptables, OpenVPN/IPsec/WireGuard), and Threats and Vulnerability Assessment. Total objective weight is 55 points.

Do I need LPIC-2 before taking LPIC-3 303?

You can take and pass 303-300 without LPIC-2, but you cannot claim the LPIC-3 Security credential until you hold an active LPIC-2. The pass result is valid for five years, so passing 303-300 first and finishing LPIC-2 later is allowed.

How hard is the LPIC-3 Security exam?

LPIC-3 303 is a senior-level exam designed for working Linux engineers with hands-on security responsibilities. Expect detailed configuration questions on SELinux booleans, nftables rule syntax, and OpenSSL command flags. Most candidates pass after 80-120 hours of focused study and lab work.

What format is the 303-300 exam?

60 questions in 90 minutes, mixing multiple-choice and fill-in-the-blank. Scaled scoring 200-800 with 500 required to pass. Delivered at Pearson VUE test centers or via OnVUE online proctored. No scheduled breaks.

How does 303-300 differ from older 303-200?

303-300 (v3.0, released 2020) reorganized and modernized the security objectives. It dropped older OpenLDAP-as-security topics, added WireGuard, expanded SELinux/AppArmor coverage, and added DNSSEC. Older 303-200 study materials are partially outdated for 303-300.

How should I prepare for the 303-300 exam?

Plan 80-120 hours over 8-12 weeks. Build a lab where you generate certs with openssl, encrypt a partition with cryptsetup luksFormat, create SELinux policy modules with audit2allow, write nftables rulesets, and stand up an OpenVPN and WireGuard server. Run AIDE, Lynis, and OpenSCAP scans against your hosts.

Does LPIC-3 Security expire?

Yes — LPIC-3 is valid for five years. Recertify by passing any current LPIC-3 specialty (300/303/305/306) again, or by passing a newer LPI exam at the same or higher level before expiration.