100+ Free EX415 Practice Questions

Pass your Red Hat Certified Specialist in Security: Linux (EX415) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

Not published Pass Rate

100+ Questions

100% Free

1 / 100

Question 1

Score: 0/0

Which command shows the current SELinux mode (Enforcing, Permissive, or Disabled) on a RHEL 9 system?

sestatus --mode

getenforce

selinux --status

semanage status

to track

2026 Statistics

Key Facts: EX415 Exam

210/300

Passing Score

Red Hat

4 hours

Exam Length

Red Hat

Hands-on

Format

Performance-based

RHEL 9

Tested Version

Red Hat

RHCA-eligible

Counts toward

Red Hat Certified Architect

$400-500

Exam Cost

Red Hat

EX415 is a 4-hour performance-based hands-on exam (no multiple choice) on live RHEL 9 systems. The passing score is 210/300 (70%). Candidates must configure SELinux policy, run OpenSCAP scans and apply remediation profiles, build audit rules, deploy NBDE with Tang/Clevis, lock down USB devices with USBGuard, harden kernel parameters, and forward logs centrally with rsyslog. EX415 counts toward Red Hat Certified Architect (RHCA).

Sample EX415 Practice Questions

Try these sample questions to test your EX415 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which command shows the current SELinux mode (Enforcing, Permissive, or Disabled) on a RHEL 9 system?

A.sestatus --mode

B.getenforce

C.selinux --status

D.semanage status

Explanation: getenforce prints a single word (Enforcing, Permissive, or Disabled) showing the current runtime mode of SELinux. For more detail, sestatus shows the configured mode, current mode, policy version, and loaded policy.

2An administrator wants Apache to make outbound network connections to a remote database. Which SELinux boolean must be set persistently?

A.httpd_can_network_connect

B.httpd_enable_network

C.apache_outbound_db

D.selinux_allow_apache

Explanation: httpd_can_network_connect is the standard targeted-policy boolean that allows the httpd_t domain to initiate outbound TCP/UDP connections. Set it persistently with setsebool -P httpd_can_network_connect on so it survives reboot.

3After serving content from a non-default directory /web, Apache returns 403 errors. The administrator confirms the file permissions are correct. What is the most likely SELinux fix?

A.chcon -R -t httpd_sys_content_t /web; nothing else needed

B.semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?' && restorecon -Rv /web

C.setsebool -P allow_httpd_anon_write on

D.semanage permissive -a httpd_t

Explanation: The persistent fix is to add a file-context rule with semanage fcontext, then apply it with restorecon. This survives a relabel (autorelabel, restorecon -R /, or fixfiles relabel). The regex '/web(/.*)?' covers the directory and everything under it.

4Which SELinux command lists all booleans along with their current state and a short description?

A.getsebool -a

B.semanage boolean -l

C.sestatus -b

D.selinuxbool --list

Explanation: semanage boolean -l prints the boolean name, current value, default value, and description in one table. getsebool -a lists name and current value but no description, so semanage is preferred when you need the description.

5An nginx process must listen on TCP port 8443 in addition to 443. Which command persistently allows that under SELinux?

A.semanage port -a -t http_port_t -p tcp 8443

B.setsebool -P httpd_listen_8443 on

C.chcon -t http_port_t /etc/nginx/nginx.conf

D.semanage fcontext -a -p tcp 8443

Explanation: SELinux uses port type labels to control which domains can bind which ports. semanage port -a -t http_port_t -p tcp 8443 adds 8443 to the http_port_t set, letting httpd_t (which nginx uses by default) listen there.

6After collecting AVC denials in /var/log/audit/audit.log, which command generates a custom policy module that allows the denied actions?

A.audit2why -i audit.log

B.ausearch -m AVC -ts today | audit2allow -M mymod

C.semanage module -a mymod.te

D.checkmodule -i audit.log -o mymod.te

Explanation: Pipe AVC events into audit2allow with -M <name> to write mymod.te (type enforcement source) and mymod.pp (compiled policy module). Install it with semodule -i mymod.pp. audit2why explains denials but does not write modules.

7Which command installs a compiled SELinux policy module produced by audit2allow?

A.semodule -i mymod.pp

B.semanage policy --install mymod.pp

C.selinux load mymod.pp

D.policyload mymod.pp

Explanation: semodule -i installs a compiled .pp policy package and rebuilds the active policy. semodule -l lists installed modules; semodule -r removes one. The .pp file is the compiled output of audit2allow -M or checkmodule + semodule_package.

8An admin wants only the httpd_t domain to run in permissive mode for debugging while keeping the rest of the system enforcing. Which command does this?

A.setenforce 0 --domain httpd_t

B.semanage permissive -a httpd_t

C.semodule --permissive httpd_t

D.audit2allow --permissive httpd_t

Explanation: semanage permissive -a <type> creates a permissive domain entry — denials for that type are still logged but not blocked, while everything else stays enforcing. Remove it with semanage permissive -d httpd_t when finished.

9Which file controls the default SELinux mode applied at boot?

A./etc/selinux/config

B./etc/sysconfig/selinux-mode

C./etc/default/selinux

D./etc/security/selinux.conf

Explanation: The boot-time mode is set in /etc/selinux/config via the SELINUX= directive (enforcing, permissive, or disabled). /etc/sysconfig/selinux is a symlink to it. Changes take effect at reboot — relabel may also be required when toggling enforcing/disabled.

10After moving /home to a new filesystem, users cannot log in via SSH and SELinux denials reference home_root_t. What is the cleanest fix?

A.Run restorecon -Rv /home to relabel using existing fcontext rules

B.Disable SELinux with setenforce 0

C.chcon -R -t default_t /home

D.Delete /etc/selinux/targeted/contexts/files/file_contexts.local

Explanation: After file moves the labels carry over but may not match the destination's fcontext rules. restorecon -Rv /home reapplies the canonical contexts (e.g., user_home_dir_t and user_home_t) defined in policy. fixfiles -R or fixfiles relabel are equivalents.

About the EX415 Exam

EX415 is the Red Hat Certified Specialist in Security: Linux exam. It validates hands-on skills hardening RHEL 9 with SELinux (booleans, fcontext, custom policy modules), OpenSCAP compliance scanning and remediation against PCI-DSS/CIS/ANSSI/STIG profiles, the audit framework (auditd/auditctl/ausearch), USBGuard, system-wide cryptographic policies, AIDE file integrity, kernel hardening via sysctl, PAM-based authentication controls, network-bound disk encryption (Tang/Clevis with LUKS2), and centralized log collection with rsyslog.

Questions

100 scored questions

Time Limit

4 hours

Passing Score

210/300 (70%)

Exam Fee

$400-500 USD (Red Hat)

EX415 Exam Content Outline

18%

Configure SELinux

Booleans (setsebool -P), file contexts (semanage fcontext, restorecon), audit2allow, custom policy modules, targeted policy

16%

Compliance scanning with OpenSCAP

oscap xccdf eval, profiles (PCI-DSS, CIS, ANSSI, STIG), --remediate, Bash and Ansible remediation

12%

Configure system auditing

auditd, auditctl, ausearch -k, aureport, audispd plugins, immutable audit rules, audit log retention

10%

Network-Bound Disk Encryption (NBDE)

LUKS2, Tang server, Clevis pins (tang, tpm2, sss), automatic boot unlock, key rotation

USBGuard

usbguard generate-policy, list-devices, allow-device, IPC ACLs, device authorization at boot

System-wide crypto policies

update-crypto-policies (DEFAULT, FUTURE, LEGACY, FIPS), subpolicies, /etc/crypto-policies

AIDE file integrity

aide --init, aide --check, /etc/aide.conf rules, baseline updates, scheduled scans

10%

Kernel hardening (sysctl) and PAM/AAA

sysctl keys (kernel.kptr_restrict, fs.suid_dumpable), pam_faillock, pam_pwquality, /etc/security/limits

Centralized log collection (rsyslog)

rsyslog forwarding (@@host:port), TLS for log transport (RELP), omfwd, retention policies

Auditing changes and reporting

ausearch -k, aureport --summary, audit-viewer, integration with SIEM/log forwarding

How to Pass the EX415 Exam

What You Need to Know

Passing score: 210/300 (70%)
Exam length: 100 questions
Time limit: 4 hours
Exam fee: $400-500 USD

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

EX415 Study Tips from Top Performers

1Build a real RHEL 9 lab with at least one target host, one client, and one Tang server — and practice every objective until the commands are reflex

2Memorize the SELinux verbs: getenforce, setenforce, getsebool, setsebool -P, semanage fcontext -a -t, restorecon -Rv, semanage port -a, audit2allow -M

3Drill OpenSCAP: oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml, then oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --report report.html --results results.xml ssg-rhel9-ds.xml

4Practice OpenSCAP remediation both ways: oscap xccdf eval --remediate (apply now) and --fix-type ansible (generate playbook)

5Audit framework: -w for file watches, -a always,exit -F arch=b64 -S syscall for syscall rules, ausearch -k <key> -ts today, aureport --summary

6NBDE workflow: install tang on a server, then on the client run clevis luks bind -d /dev/sdX1 tang '{"url":"http://tang.example.com"}' and confirm dracut regenerates initramfs

7USBGuard: usbguard generate-policy > /etc/usbguard/rules.conf, then systemctl enable --now usbguard and use usbguard list-devices, allow-device, block-device

8Crypto policies: update-crypto-policies --show, --set FUTURE, --set DEFAULT:NO-SHA1; subpolicies live in /etc/crypto-policies/policies/modules/

9AIDE: aide --init creates /var/lib/aide/aide.db.new.gz; rename to aide.db.gz; cron a daily aide --check and ship results to your SIEM

10PAM: faillock replaces pam_tally2 in RHEL 8/9 — use authselect select sssd with-faillock and edit /etc/security/faillock.conf for deny/unlock_time

Frequently Asked Questions

What does EX415 cover?

EX415 is the Red Hat Certified Specialist in Security: Linux exam. It tests hardening RHEL 9 with SELinux (booleans, fcontext, custom modules), OpenSCAP compliance scanning and remediation against PCI-DSS/CIS/ANSSI/STIG, the audit framework (auditd/auditctl/ausearch), USBGuard, system-wide crypto policies, AIDE, kernel hardening via sysctl, PAM controls, NBDE (Tang/Clevis with LUKS2), and centralized rsyslog forwarding.

What is the EX415 exam format?

EX415 is performance-based: there are no multiple-choice questions. You receive a list of security tasks to complete on live RHEL 9 systems within roughly 4 hours. Passing requires 210 out of 300 points (70%). Each task is graded based on whether the resulting system state meets the specification — partial credit is possible only when objectives are scored independently.

How long is the EX415 exam?

EX415 is approximately a 4-hour single-session performance-based exam. Red Hat administers it at training centers, partner sites, and via individual remote exam (proctored). Time management is critical because OpenSCAP scans, AIDE baselines, and SELinux relabel operations can each consume several minutes during the test.

What is the EX415 cost?

Red Hat lists the standard exam fee around $400-500 USD depending on region, with discounts often included in the Red Hat Learning Subscription. Individual exam vouchers are also available. Always confirm the current fee on the official EX415 page before scheduling.

Does EX415 require RHCE?

Red Hat strongly recommends current RHCE certification before attempting EX415, since the exam includes Ansible-based remediation through OpenSCAP and ansible-hardening. RHCE is also required to retain Specialist credentials and is part of the path to Red Hat Certified Architect (RHCA).

How long should I study for EX415?

Plan for 80-120 hours of focused, hands-on study over 8-12 weeks. Set up a lab with at least one RHEL 9 server (target), one client, and one Tang server. Practice every objective in the official content guide repeatedly until you can complete each task in a few minutes from memory.

Is EX415 valid for life?

No. Specialist credentials follow Red Hat's general 3-year recertification cycle and require a current RHCE to remain valid. You can re-pass EX415 or earn a higher Red Hat credential to keep it active.