CompTIA Linux+ XK0-005 (XK0-005) — Questions 175

510 questions total · 7 pages · All types, answers revealed

1
MCQ · easy

A junior administrator reports that users cannot connect to a file server running Samba. The server is reachable via ping. Logs from the Samba service show: 'smbd: error while loading shared libraries: libgnutls.so.30: cannot open shared object file: No such file or directory'. The administrator confirms the package 'libgnutls' is installed. Which of the following is the most likely cause and solution?

A. The library path is not set; run ldconfig.
B. The system libraries are out of sync; run apt-get update.
C. The Samba package is corrupted; reinstall Samba.
D. The Samba service is not running; restart it.
Answer: A

Correct: ldconfig updates the shared library cache, resolving the missing library error.

Why this answer

The error 'cannot open shared object file' indicates that the dynamic linker cannot find the libgnutls.so.30 library at runtime, even though the libgnutls package is installed. Running `ldconfig` updates the linker cache, which rebuilds the mapping of shared library names to their actual file paths, resolving the missing library reference for Samba.

Exam trap

The trap here is that candidates see 'package is installed' and assume the library is available, overlooking the need to update the linker cache with `ldconfig` after installation.

How to eliminate wrong answers

Option B is wrong because `apt-get update` only refreshes the package repository metadata, not the runtime linker cache; it does not fix missing shared library references. Option C is wrong because the error is a missing library dependency, not a corrupted Samba binary; reinstalling Samba would not resolve the underlying library path issue. Option D is wrong because the service is already failing to start due to the library error; restarting it without fixing the library path will produce the same error.

2
MCQ · medium

An organization uses Kubernetes to deploy containerized applications. A pod fails to start with an ImagePullBackOff error. What is the most likely cause?

A. The pod exceeded its memory limit
B. The container port is already in use
C. The node is out of disk space
D. The image name is misspelled or does not exist in the registry
Answer: D

This is the most common cause of ImagePullBackOff.

Why this answer

The ImagePullBackOff error in Kubernetes indicates that the kubelet is unable to pull the container image from the specified registry. The most common cause is a misspelled image name or a non-existent image in the registry, which prevents the container runtime from fetching the image. This triggers a back-off mechanism where the kubelet retries the pull with increasing delays.

Exam trap

CompTIA often tests the distinction between ImagePullBackOff and CrashLoopBackOff, where candidates mistakenly attribute a pull failure to resource limits or port conflicts instead of recognizing it as a registry/image name issue.

How to eliminate wrong answers

Option A is wrong because exceeding the pod's memory limit causes an OOMKill (Out of Memory Kill) error, not ImagePullBackOff; the pod would be terminated with a CrashLoopBackOff or OOM status. Option B is wrong because a container port already in use results in a port conflict error during pod startup, typically manifesting as a 'port already allocated' or 'bind: address already in use' error, not an image pull failure. Option C is wrong because a node running out of disk space leads to an EvictionThreshold or ImageGCFailure, which may prevent pod scheduling or cause pod eviction. Disk space produces 'ImagePullBackOff' only if the image cannot be downloaded; the primary symptom of disk pressure is node-level eviction, not a registry-related pull error.

3
Multi-Select · medium

A system administrator is troubleshooting a custom systemd service that fails to start. Which of the following commands should be used to diagnose the issue? (Choose two.)

Select 2 answers
A. systemctl daemon-reload
B. systemctl status myservice
C. systemctl enable myservice
D. systemctl list-units
E. journalctl -u myservice
Answers: B, E

Displays service status and recent log entries.

Why this answer

The `systemctl status myservice` command (B) is correct because it shows the current state of the service, including whether it is active, failed, or inactive, along with recent log entries and the exit code. The `journalctl -u myservice` command (E) is correct because it retrieves the full systemd journal logs specifically for that unit, which is essential for diagnosing why the service failed to start, such as missing dependencies or configuration errors.

Exam trap

The trap here is that candidates often pick `systemctl daemon-reload` (A) thinking it will fix the issue by reloading unit files, but it does not provide diagnostic output; the exam tests the distinction between reloading configuration and retrieving failure logs.

4
MCQ · medium

After a power failure, a Linux server boots into emergency mode. The system logs indicate an unclean filesystem on /dev/sda2. Which command should the administrator run to repair the filesystem?

A. fsck -f /dev/sda2
B. badblocks /dev/sda2
C. xfs_repair /dev/sda2
D. mount -o remount,ro /
Answer: A

Correct: Forces filesystem check and repair.

Why this answer

After a power failure, the system logs indicate an unclean filesystem on /dev/sda2, meaning the filesystem was not properly unmounted and may contain inconsistencies. The `fsck -f /dev/sda2` command forces a filesystem check even if the filesystem appears clean, which is necessary to repair corruption on ext2/ext3/ext4 filesystems. This is the standard tool for checking and repairing such filesystems after an unclean shutdown.

Exam trap

The trap here is that candidates may confuse filesystem repair tools (fsck vs. xfs_repair) or mistake a disk surface scan (badblocks) for a filesystem consistency check, leading them to choose an inappropriate command for the specific filesystem type.

How to eliminate wrong answers

Option B is wrong because `badblocks` scans for physical bad sectors on the disk, not filesystem metadata corruption; it does not repair filesystem inconsistencies. Option C is wrong because `xfs_repair` is used for XFS filesystems, but /dev/sda2 is likely an ext4 filesystem (common on Linux) and the question does not specify XFS; using the wrong repair tool can cause further damage. Option D is wrong because `mount -o remount,ro /` only remounts the root filesystem as read-only to prevent further writes, but it does not repair the underlying filesystem corruption.

5
MCQ · easy

An administrator needs to allow a user to run all commands as root without a password. Which sudoers entry accomplishes this?

A. user ALL=(ALL) NOPASSWD: ALL
B. user ALL=(ALL) !ALL
C. user ALL=(ALL) PASSWD: ALL
D. user ALL=(ALL) ALL
Answer: A

This entry allows passwordless execution of all commands.

Why this answer

Option A is correct because the sudoers entry `user ALL=(ALL) NOPASSWD: ALL` grants the user permission to run any command as any user (including root) without being prompted for a password. The `NOPASSWD` tag overrides the default password requirement, and the `ALL` specifications cover the host list, target user list, and command list.

Exam trap

The trap here is that candidates often confuse the default behavior of `ALL` (which still requires a password) with the `NOPASSWD` tag, leading them to select option D thinking it allows passwordless execution.

How to eliminate wrong answers

Option B is wrong because `user ALL=(ALL) !ALL` uses the negation operator `!` to deny all commands, effectively preventing the user from running any command via sudo. Option C is wrong because `user ALL=(ALL) PASSWD: ALL` explicitly requires a password (the default behavior), so the user would still be prompted for a password. Option D is wrong because `user ALL=(ALL) ALL` is the standard sudoers entry that allows all commands but still requires the user to enter their own password (unless the `NOPASSWD` tag is present).

6
MCQ · hard

Based on the exhibit, what is the most likely cause of the 'PV Status: not available'?

A. The volume group is corrupted.
B. The logical volume is not mounted.
C. LVM metadata is damaged.
D. The physical volume is missing or disconnected.
Answer: D

PV status 'not available' indicates the PV cannot be accessed.

Why this answer

The status 'not available' indicates that the physical volume (PV) is missing or not accessible. This often happens when the underlying disk or partition is removed or fails. The VG and LV metadata may still be present but the PV cannot be found.

7
MCQ · medium

A developer is writing a Bash script that must be portable across different Linux distributions. The script needs to check if a package is installed. Which command should be used to achieve this portability?

A. which package
B. command -v package
C. dpkg -l package
D. rpm -q package
Answer: B

POSIX-compliant.

Why this answer

The `command -v package` command is the most portable way to check if a package is installed across different Linux distributions because it uses the POSIX-standard `command` shell built-in, which works in any Bourne-compatible shell (bash, sh, dash, etc.) regardless of the underlying package manager. It returns the path to the executable if the package's binary is in the PATH, or nothing if it is not installed, making it distribution-agnostic.

Exam trap

The trap here is that candidates often choose `dpkg` or `rpm` because they are familiar with checking packages on their own distribution, but the question explicitly requires portability across different Linux distributions, making the distribution-agnostic `command -v` the correct choice.

How to eliminate wrong answers

Option A is wrong because `which package` is not a POSIX-standard command and its behavior can vary across distributions; it may not be installed by default or may produce different exit codes, reducing portability. Option C is wrong because `dpkg -l package` is specific to Debian-based distributions (e.g., Ubuntu) and will fail or be unavailable on Red Hat-based or other distributions. Option D is wrong because `rpm -q package` is specific to Red Hat-based distributions (e.g., CentOS, Fedora) and will not work on Debian-based or other package management systems.

8
MCQ · hard

An application running under an AppArmor profile is being denied access to log files. The administrator wants to troubleshoot by allowing all actions and logging denials. Which command will switch the profile to complain mode?

A. aa-complain /path/to/profile
B. aa-enforce /path/to/profile
C. aa-disable /path/to/profile
D. aa-status
Answer: A

This sets the profile to complain mode, allowing actions but logging denials.

Why this answer

The `aa-complain` command places an AppArmor profile into complain mode, which allows all actions but logs denials to the system log. This is the correct tool for troubleshooting because it lets the administrator see what the application is trying to do without actually blocking it.

Exam trap

The trap here is confusing `aa-complain` with `aa-enforce`, as candidates often assume that logging denials requires enforcement mode, but complain mode is specifically designed for logging without blocking.

How to eliminate wrong answers

Option B is wrong because `aa-enforce` activates enforcement mode, which actively blocks denied actions and logs them, not allowing all actions as required. Option C is wrong because `aa-disable` completely disables the AppArmor profile, removing all logging and access controls, which does not meet the requirement to log denials. Option D is wrong because `aa-status` only displays the current status of AppArmor profiles (e.g., which are in enforce or complain mode) and does not change the profile mode.

9
MCQ · hard

A Red Hat Enterprise Linux 8 system is configured with SELinux in enforcing mode. A custom application needs to write to a file in /var/log. The audit log shows an AVC denial for httpd_t attempting to write to var_log_t. Which of the following is the most appropriate persistent solution?

A. Set the SELinux boolean httpd_can_network_connect to on.
B. Change the ownership of the file to apache.
C. Use chcon to set the file context to httpd_log_t.
D. Use semanage fcontext to define the default context for the file and then restorecon.
Answer: D

Persistent method; sets default context in policy.

Why this answer

Option D is correct because semanage fcontext defines a persistent default SELinux file context rule, which survives file system relabeling. After defining the rule, restorecon applies the context to the file. This ensures the custom application's log file is labeled httpd_log_t, allowing httpd_t to write to it, while chcon (option C) only makes a temporary change that can be overwritten by restorecon or a relabel.

Exam trap

The trap here is that candidates confuse chcon (temporary) with semanage fcontext (persistent), or mistakenly think changing Unix ownership or enabling a network boolean will resolve a file-based SELinux denial.

How to eliminate wrong answers

Option A is wrong because httpd_can_network_connect controls network access, not file write permissions to /var/log. Option B is wrong because changing file ownership to apache does not affect SELinux type enforcement; the AVC denial is based on the file's SELinux context (var_log_t), not its Unix owner. Option C is wrong because chcon makes a non-persistent context change that will be lost after a file system relabel or restorecon operation; it does not create a default rule in the SELinux policy.

10
Multi-Select · medium

A system administrator suspects a disk failure. Which TWO commands can be used to check disk health and identify bad sectors?

Select 2 answers
A. iostat -x
B. fsck /dev/sda
C. badblocks -v /dev/sda
D. smartctl -a /dev/sda
E. dd if=/dev/sda of=/dev/null
Answers: C, D

Correct: Scans for bad sectors.

Why this answer

The `badblocks` command (option C) directly scans a disk for defective sectors by performing read/write tests, making it a primary tool for identifying bad blocks. The `smartctl -a` command (option D) queries the disk's S.M.A.R.T. (Self-Monitoring, Analysis, and Reporting Technology) data, which includes attributes like reallocated sector count and pending sector errors, providing a proactive health assessment. Together, they cover both active scanning and passive monitoring of disk health.

Exam trap

The trap here is that candidates confuse filesystem repair tools like `fsck` with hardware diagnostic tools, or assume `iostat` or `dd` provide equivalent health checks, when only `badblocks` and `smartctl` directly assess physical disk integrity.

11
MCQ · hard

After building and running the container as shown in the exhibit, the administrator tries to access http://localhost:8080 but receives a connection refused error. What is the most likely cause?

A. The container exited immediately after starting.
B. The port mapping is incorrect.
C. The base image is not compatible.
D. The CMD syntax is incorrect.
Answer: A

Check docker ps to see if running.

Why this answer

The most likely cause is that the container exited immediately after starting. When a container runs a command that finishes quickly (e.g., a shell script that exits), the container stops, and no process listens on port 8080. This results in a 'connection refused' error because the container is no longer running to accept connections.

Exam trap

CompTIA often tests the distinction between a container that fails to start (e.g., due to syntax errors) and one that starts but exits immediately, where the 'connection refused' error is a symptom of the latter.

How to eliminate wrong answers

Option B is wrong because if the port mapping were incorrect, the container would still be running but inaccessible on the specified host port; the error would be 'connection timeout' or 'no route to host', not 'connection refused'. Option C is wrong because an incompatible base image would cause a build failure or runtime crash, not a clean exit with a 'connection refused' error. Option D is wrong because incorrect CMD syntax would cause a build error or a container that fails to start, not one that runs and then exits immediately.

12
Multi-Select · easy

Which THREE commands can be used to display the mount points and file system usage? (Choose three.)

Select 3 answers
A. df -h
B. du
C. df -i
D. mount
E. lsblk
Answers: A, D, E

Shows filesystem usage with mount points.

Why this answer

Option A (`df -h`) shows filesystem usage with mount points. Option B (`du`) shows disk usage per directory. Option D (`mount`) shows mounted filesystems.

Option C shows inode usage. Option E shows overall disk space but not mount points.

13
Multi-Select · medium

Which TWO of the following are characteristics of containers compared to virtual machines? (Choose two.)

Select 2 answers
A. Containers run their own kernel.
B. Each container has its own operating system.
C. Containers use hypervisor for isolation.
D. Containers require less overhead than VMs.
E. Containers typically start in seconds.
Answers: D, E

No hypervisor, shares OS.

Why this answer

Option D is correct because containers share the host OS kernel and do not require a full guest OS per instance, resulting in significantly lower resource overhead (CPU, memory, and storage) compared to virtual machines. Option E is correct because containers are lightweight processes that can start in seconds, whereas VMs require booting an entire operating system, which typically takes minutes.

Exam trap

The trap here is that candidates often confuse container isolation with hypervisor-based isolation, mistakenly thinking containers run their own kernel or OS, when in fact they share the host kernel and use namespaces/cgroups.

14
MCQ · easy

A user reports that the /home partition is running out of space. Which command identifies the largest directories under /home?

A. du -sh /home/*
B. df -h /home
C. ls -lhS /home
D. find /home -type d -size +100M
Answer: A

du -sh gives human-readable totals for each top-level item under /home.

Why this answer

Option A is correct because `du -sh /home/*` calculates disk usage in human-readable format (`-sh`) for each subdirectory. Option B is wrong because `df -h` shows filesystem-level usage, not per-directory usage. Option C is wrong because `ls -lhS` lists files sorted by size, but not recursively.

Option D is wrong because 'find /home -type d -size +100M' finds based on directory size, which is often not accurate.

15
MCQ · hard

Based on the exhibit, what is the purpose of the audit rule?

A. Monitor open syscalls on a specific file.
B. Monitor all open syscalls by the root user.
C. Monitor all open syscalls by users with UID 1000 or higher.
D. Monitor all open syscalls except those by users with UID 1000 or higher.
Answer: C

The condition `uid>=1000` selects regular users, excluding system accounts and root (UID 0).

Why this answer

The audit rule `-a always,exit -F arch=b64 -S open -F uid>=1000 -k monitor_open` uses the `uid>=1000` filter to match only system calls made by users with UID 1000 or higher. This is a common Linux auditd rule to track user-level activity while excluding system accounts (typically UIDs below 1000). Option C correctly identifies that the rule monitors all open syscalls by users with UID 1000 or higher.

Exam trap

CompTIA often tests the direction of comparison operators in audit rules — candidates frequently confuse `uid>=1000` (monitor UIDs 1000 and above) with `uid<1000` (monitor UIDs below 1000), leading them to select the exclusion-based option D instead of the correct inclusion-based option C.

How to eliminate wrong answers

Option A is wrong because the rule does not specify a particular file path; it monitors the open syscall system-wide, not on a specific file. Option B is wrong because the rule uses `uid>=1000`, which excludes the root user (UID 0) from being monitored; root's open syscalls are not captured. Option D is wrong because the rule includes users with UID 1000 or higher, not excludes them; the `>=` operator means 'greater than or equal to', so it matches those UIDs.

16
MCQ · medium

A server shows /dev/sda1 mounted at / is 100% full in df -h, but du -sh / shows only 50% usage. What is the most likely explanation?

A. The filesystem is corrupted
B. Hidden files are not counted by du
C. A process is still holding a deleted file open
D. The disk has many hard links
Answer: C

Deleted files held open by processes continue to occupy space until the process releases them.

Why this answer

When a file is deleted but still held open by a running process, the file's inode remains allocated and its disk blocks are not freed until the process closes the file descriptor. The `df` command reports filesystem usage by querying the superblock for total and free blocks, so it still counts the space occupied by the deleted-but-open file. In contrast, `du` traverses the directory tree and sums the sizes of files reachable from the specified path; since the deleted file is no longer linked in the directory, `du` does not include it, leading to the discrepancy.

Exam trap

The trap here is that candidates assume `du` and `df` should always match, and they overlook the classic Linux behavior where a file deleted while still open consumes space invisible to `du` but visible to `df`.

How to eliminate wrong answers

Option A is wrong because filesystem corruption typically causes inconsistent or erroneous output from both `df` and `du`, not a consistent discrepancy where `df` shows 100% and `du` shows 50%; corruption would likely produce errors or unmountable filesystems. Option B is wrong because `du -sh /` by default counts all files, including hidden files (those starting with a dot), as it traverses the entire directory tree; hidden files are not excluded unless specific exclusions are used. Option D is wrong because hard links do not consume additional disk space beyond the original inode; `du` counts the file's size once per inode, and `df` reports total allocated blocks, so hard links would not cause a 50% discrepancy between the two commands.

17
MCQ · medium

An administrator needs to extend the size of a logical volume named 'lv_data' in volume group 'vg_data' by 10 GB. A new disk /dev/sdb has been added to the system. What is the correct sequence of commands?

A. pvcreate /dev/sdb; vgextend vg_data /dev/sdb; lvextend -L +10G /dev/vg_data/lv_data
B. lvextend -L +10G /dev/vg_data/lv_data; vgextend vg_data /dev/sdb; pvcreate /dev/sdb
C. vgextend vg_data /dev/sdb; pvcreate /dev/sdb; lvextend -L +10G /dev/vg_data/lv_data
D. pvcreate /dev/sdb; lvextend -L +10G /dev/vg_data/lv_data; vgextend vg_data /dev/sdb
Answer: A

This sequence correctly initializes the physical volume, extends the volume group, then extends the logical volume.

Why this answer

Option A is correct. The correct order is: `pvcreate` to initialize the disk, `vgextend` to add it to the volume group, then `lvextend` to increase the logical volume size. Options B and D run these steps in the wrong order; Option C runs `vgextend` before `pvcreate`.

18
MCQ · medium

Refer to the exhibit. A developer is pushing an image to a private registry at `192.168.1.100:5000` but receives an error about using an insecure registry. Which part of the Docker daemon configuration allows this registry without TLS?

A. The 'insecure-registries' setting
B. The 'exec-opts' setting
C. The 'storage-driver' setting
D. The 'log-driver' setting
Answer: A

This setting explicitly allows insecure (non-TLS) connections to the specified registry.

Why this answer

The error indicates the Docker client is attempting to push an image to a registry over HTTP (port 5000) without TLS. By default, Docker Engine requires TLS for all registry communications. The `insecure-registries` setting in `/etc/docker/daemon.json` allows the daemon to bypass TLS verification for specified IP addresses or CIDR ranges, enabling communication with registries that lack a valid TLS certificate.

Exam trap

CompTIA often tests the distinction between daemon configuration options that affect registry communication versus those that affect container runtime or storage, leading candidates to confuse `insecure-registries` with unrelated settings like `exec-opts` or `storage-driver`.

How to eliminate wrong answers

Option B is wrong because `exec-opts` is used to pass options to the container runtime (e.g., native.cgroupdriver=systemd), not to configure registry security. Option C is wrong because `storage-driver` defines the storage backend (e.g., overlay2, aufs) for container layers, not registry TLS settings. Option D is wrong because `log-driver` configures the logging driver for containers (e.g., json-file, syslog), and has no role in registry TLS enforcement.

19
MCQ · medium

A developer needs to run a one-time script after the network is up on a systemd-based server. Which unit type should be used?

A. forking
B. exec
C. simple
D. oneshot
Answer: D

Oneshot units run a single command and then exit.

Why this answer

The `oneshot` unit type is correct because it is designed for services that run a single task to completion and then exit, making it ideal for a one-time script that must execute after the network is up. In systemd, `oneshot` units can be configured with `RemainAfterExit=no` (the default) to indicate they do not need to stay running, and they support ordering dependencies like `After=network-online.target` to ensure the network is available before the script runs.

Exam trap

The trap here is that candidates confuse `oneshot` with `simple` or `forking`, mistakenly thinking a one-time script needs to remain running (`simple`) or fork into the background (`forking`), but systemd's `oneshot` is explicitly designed for tasks that exit after completion.

How to eliminate wrong answers

Option A is wrong because `forking` is used for daemons that fork into the background after startup, and systemd tracks the parent process; a one-time script that exits does not fork, so this type is inappropriate. Option B is wrong because `exec` is not a valid systemd service type; the correct types are `simple`, `forking`, `oneshot`, `dbus`, `notify`, and `idle`. Option C is wrong because `simple` is for services that start and remain running in the foreground, which does not match a one-time script that exits after execution.

20
MCQ · hard

A Linux system administrator is troubleshooting a server that runs a web application. Users report that the web application occasionally returns 503 Service Unavailable errors. The Apache web server appears to be running (systemctl status httpd shows active). The server has 8GB RAM and runs multiple applications. The administrator runs free -m and sees that swap usage is at 75% while available memory is very low. The top output shows that a process named 'databased' is consuming 40% of memory. The databased process is not a core application and is not needed for the web server. The administrator wants to resolve the issue without restarting the server. What should the administrator do?

A. Enable the OOM killer to handle memory pressure automatically
B. Increase swap space by adding a swap file
C. Kill the databased process using kill -9
D. Reduce Apache's MaxClients setting
Answer: C

Immediately frees the memory held by the databased process, alleviating memory pressure.

Why this answer

The immediate cause of the 503 errors is memory exhaustion: swap is at 75% and available RAM is critically low. The non-essential 'databased' process is consuming 40% of memory, starving Apache. Killing it with kill -9 frees that memory instantly, resolving the pressure without a restart.

This directly addresses the root cause—a rogue process hogging RAM—rather than treating symptoms.

Exam trap

The trap here is that candidates may think increasing swap (Option B) or reducing Apache workers (Option D) will fix the 503 errors, but they overlook that the real issue is a specific non-essential process consuming the memory that Apache needs, making direct termination the only efficient fix without restarting.

How to eliminate wrong answers

Option A is wrong because enabling the OOM killer does not proactively free memory; it only kills processes when the system is completely out of memory, which may kill Apache or other critical services unpredictably. Option B is wrong because increasing swap space would only mask the problem by moving more data to disk, worsening performance and not freeing RAM for Apache. Option D is wrong because reducing MaxClients limits Apache's concurrency but does not reclaim the 40% of memory consumed by 'databased'; the web server would still be starved for RAM.

21
Multi-Select · medium

A system administrator wants to encrypt a large directory of files using GPG with a symmetric cipher. Which two steps are necessary? (Select TWO).

Select 2 answers
A. gpg --decrypt file.gpg
B. Use a passphrase to encrypt
C. gpg --encrypt --recipient user file
D. Import a public key
E. gpg --symmetric --cipher-algo AES256 file
Answers: B, E

Symmetric encryption requires a passphrase.

Why this answer

Option B is correct because symmetric encryption in GPG requires a passphrase to derive the encryption key. When using `gpg --symmetric`, the cipher key is generated from a passphrase provided by the user, making the passphrase the essential secret for both encryption and decryption. Without a passphrase, symmetric encryption cannot proceed.

Exam trap

The trap here is that candidates confuse symmetric encryption with asymmetric encryption and select `--recipient` or public key import, not realizing that `--symmetric` requires only a passphrase, not a key pair.

22
Multi-Select · easy

A Linux administrator is creating a shell script to back up configuration files to a remote server. The script must ensure that if any command fails (e.g., rsync or tar), the script exits immediately and does not continue. Which TWO of the following should be included in the script to achieve this behavior? (Choose two.)

Select 2 answers
A. trap 'exit 1' ERR
B. set -o pipefail
C. set -x
D. set -e
E. set -u
Answers: A, D

Traps the ERR signal and exits when any command fails.

Why this answer

Option A is correct because `trap 'exit 1' ERR` instructs the shell to execute `exit 1` whenever a command returns a non-zero exit status, which immediately terminates the script on any failure. Option D is correct because `set -e` causes the shell to exit immediately if any command (or pipeline, unless overridden) fails, providing a straightforward way to enforce fail-fast behavior in a backup script.

Exam trap

The trap here is that candidates often confuse `set -o pipefail` with `set -e`, thinking it alone causes script exit, or they mistakenly believe `set -x` or `set -u` handle command failures, when in fact only `set -e` and `trap ... ERR` directly enforce exit on any non-zero exit status.

23
Multi-Select · easy

Which TWO commands can be used to check disk space usage on a Linux system?

Select 2 answers
A. mount
B. lsof
C. du
D. fdisk
E. df
Answers: C, E

Summarizes disk usage of files/directories.

Why this answer

The `du` (disk usage) command estimates file and directory space usage, allowing you to check disk space consumed by specific paths. The `df` (disk free) command reports the total, used, and available space on mounted filesystems. Both are standard tools for inspecting disk space on Linux systems.

Exam trap

The trap here is that candidates may confuse `du` and `df` with commands like `mount` or `fdisk`, which are related to filesystem management but do not directly report disk space usage.

24
MCQ · hard

A Linux server experiences a kernel panic during boot. You need to capture the panic message for analysis. Which kernel parameter should be added to the GRUB command line to ensure the panic message is displayed before the system halts?

A. panic=10
B. nomodeset
C. quiet
D. single
Answer: A

Adds a delay before rebooting after panic.

Why this answer

The `panic=<seconds>` kernel parameter instructs the kernel to wait the specified number of seconds after a kernel panic before automatically rebooting. By setting `panic=10`, the system pauses for 10 seconds, allowing the panic message to remain on the console for capture and analysis before the system halts or reboots. This is the correct parameter to ensure the panic output is visible.

Exam trap

The trap here is that candidates often confuse `panic=` with a boot-time delay or a recovery mode option, mistakenly thinking `single` or `quiet` will help display the panic message, when in fact `panic=` is the specific parameter that controls the post-panic behavior to keep the message visible.

How to eliminate wrong answers

Option B (`nomodeset`) is wrong because it disables kernel mode-setting for video drivers, which can help with display issues but does not affect the display or retention of kernel panic messages. Option C (`quiet`) is wrong because it suppresses most kernel log messages, including panic details, making it counterproductive for capturing panic output. Option D (`single`) is wrong because it boots the system into single-user mode (runlevel 1) for maintenance, which does not alter the behavior of kernel panic handling or message display.

25
MCQ · medium

Based on the exhibit, what is the most likely cause of the repeated connection refused errors?

A. The DNS resolution for the database host fails.
B. A firewall is blocking port 3306.
C. The database service is down.
D. The database credentials are incorrect.
Answer: C

Connection refused typically means no process listening.

Why this answer

The 'connection refused' error indicates that the client's TCP SYN packet reached the target host on port 3306, but the host actively rejected the connection because no process is listening on that port. This is the classic symptom of the MySQL/MariaDB database service being stopped or crashed, as the OS TCP stack sends an RST packet when a connection attempt hits a port with no listening socket.

Exam trap

CompTIA often tests the distinction between 'connection refused' (service down) and 'connection timeout' (firewall blocking) — candidates confuse the two because both prevent access, but the TCP error message uniquely identifies the cause.

How to eliminate wrong answers

Option A is wrong because DNS resolution failures would produce a 'Name or service not known' error, not a TCP-level 'connection refused'. Option B is wrong because a firewall blocking port 3306 would cause the connection to time out (no response) or be silently dropped, not produce an immediate 'connection refused' which requires a TCP RST from the target host. Option D is wrong because incorrect credentials result in an authentication failure after the TCP connection is established, typically returning 'Access denied for user' from the database server, not a transport-layer refusal.

26
MCQ · hard

A DevOps engineer is creating a Podman container that needs to communicate with a host service listening on a Unix socket at /run/host-service.sock. Which of the following mount options will make the socket available inside the container?

A. --device /run/host-service.sock:/run/host-service.sock
B. --bind /run/host-service.sock:/run/host-service.sock
C. --volume /run/host-service.sock:/run/host-service.sock
D. --mount type=bind,source=/run/host-service.sock,target=/run/host-service.sock
Answer: C

Correctly binds the host socket into the container.

Why this answer

Option C is correct because `--volume` in Podman (and Docker) can bind-mount a single file, such as a Unix socket, from the host into the container. This makes `/run/host-service.sock` available at the same path inside the container, allowing the containerized process to communicate with the host service over the socket.

Exam trap

The trap here is that candidates confuse `--device` (for hardware devices) with bind-mounting a socket file, or they misremember the exact syntax for `--mount`, which requires `type=bind` and comma-separated key=value pairs.

How to eliminate wrong answers

Option A is wrong because `--device` is used to expose host devices (e.g., `/dev/sda`) to a container, not regular files or sockets; it does not handle Unix socket bind mounts. Option B is wrong because `--bind` is not a valid Podman or Docker flag; the correct syntax for a bind mount uses `--volume`, `--mount`, or `-v`. Option D is wrong because the `--mount` flag requires a comma-separated list of key=value pairs (e.g., `type=bind,source=/run/host-service.sock,target=/run/host-service.sock`), but the given syntax is missing the `type=bind` key and uses incorrect formatting; it would be rejected by Podman.

27
MCQ · medium

A process is consuming excessive CPU. The administrator wants to reduce its priority. Which command should be used?

A. renice +10 PID
B. taskset -c 0 PID
C. nice -n -20 PID
D. chrt -r 99 PID
Answer: A

Lowers priority of a running process.

Why this answer

The `renice` command is used to change the priority of an already running process. By specifying `+10`, the administrator increases the nice value, which lowers the process's scheduling priority and reduces its CPU consumption. This directly addresses the requirement to reduce the priority of a currently executing process.

Exam trap

The trap here is confusing `nice` (which starts a new process with a specified priority) with `renice` (which changes the priority of an existing process), leading candidates to choose option C even though it uses a negative value that increases priority.

How to eliminate wrong answers

Option B is wrong because `taskset -c 0 PID` binds the process to CPU core 0, which does not change its scheduling priority or reduce CPU consumption; it only restricts which CPU the process can run on. Option C is wrong because `nice -n -20 PID` would start a new process with a very high priority (low nice value), which is the opposite of what is needed and does not apply to an already running process. Option D is wrong because `chrt -r 99 PID` sets the process to real-time FIFO scheduling with the highest priority (99), which would increase its CPU priority, not reduce it.

28
MCQ · easy

A new user 'jdoe' has been added using the command 'useradd jdoe', but upon first login, the user receives a message that the home directory does not exist. Which command should the administrator run to resolve this issue while also populating the home directory with default skeleton files?

A. chown jdoe:jdoe /home/jdoe
B. mkdir /home/jdoe; cp /etc/skel/* /home/jdoe/
C. usermod -d /home/jdoe jdoe
D. useradd -m jdoe
Answer: D

The -m flag creates the home directory and copies skeleton files from /etc/skel.

Why this answer

Option D is correct because `useradd -m` creates the home directory and copies skeleton files. Option C only changes the home directory entry in /etc/passwd but does not create it. Option B manually creates the directory but is not the standard tool. Option A only fixes ownership.

29
MCQ · medium

A junior administrator is writing a bash script that should exit immediately if any command in a pipeline fails. Which command should be added at the beginning of the script?

A. set -u
B. shopt -s extglob
C. set -e
D. set -o pipefail
Answer: D

Ensures pipeline fails on any component error.

Why this answer

Option D is correct because `set -o pipefail` ensures that if any command in a pipeline fails (returns a non-zero exit status), the entire pipeline is considered to have failed, and with `set -e` (which is often used alongside it), the script will exit immediately. This is specifically required by the question: 'exit immediately if any command in a pipeline fails.' Without `pipefail`, only the exit status of the last command in the pipeline is considered, so earlier failures would be ignored.

Exam trap

The trap here is that candidates often choose `set -e` (option C) thinking it covers all command failures, but they overlook that `set -e` does not propagate failures through pipelines unless `set -o pipefail` is also set, which is the specific requirement in the question.

How to eliminate wrong answers

Option A is wrong because `set -u` causes the script to exit when an unset variable is referenced, but it does nothing to handle pipeline failures or exit on command errors. Option B is wrong because `shopt -s extglob` enables extended pattern matching in bash (e.g., `?(pattern)`, `*(pattern)`), which is unrelated to error handling or pipeline exit behavior. Option C is wrong because `set -e` alone causes the script to exit on a command failure, but it does not apply to pipelines; by default, only the last command in a pipeline determines the exit status, so a failure in an earlier command would not trigger `set -e`.
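The interaction between `set -e`, `trap ... ERR` and `set -o pipefail` described in questions 22 and 29 can be observed directly. The following is an added example, not part of the original question bank: `run_case` and `demo_matrix` are hypothetical helper names, `false` stands in for a failing `rsync` or `tar`, and a `bash` binary is assumed to be on the PATH.

```shell
#!/bin/sh
# Constructed demo. Each case runs a three-line script in a child bash so
# the shell options under test cannot leak into the calling shell.

# run_case PRELUDE BODY
#   PRELUDE : option-setting line(s) placed at the top of the child script
#   BODY    : the command (or pipeline) that is expected to fail
# Prints "<exit status>:continued" if the line after BODY still ran,
# or "<exit status>:stopped" if the child script terminated at BODY.
run_case() (
    status=0
    out=$(bash -c "$1
$2
echo CONTINUED" 2>/dev/null) || status=$?
    case $out in
        *CONTINUED*) echo "$status:continued" ;;
        *)           echo "$status:stopped" ;;
    esac
)

# Print the full matrix: failing simple command vs. failing pipeline stage.
demo_matrix() {
    for prelude in \
        "" \
        "set -e" \
        "trap 'exit 1' ERR" \
        "set -o pipefail" \
        "set -e; set -o pipefail"
    do
        printf '%-26s simple: %-12s pipeline: %s\n' \
            "${prelude:-(no options)}" \
            "$(run_case "$prelude" 'false')" \
            "$(run_case "$prelude" 'false | cat')"
    done
}

demo_matrix
```

The pipeline column shows why a backup script that pipes `tar` into another command needs both `set -e` and `set -o pipefail` to stop on a failure in an early stage.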

30
MCQ · hard

A server with multiple disks is configured with RAID 5 for performance and redundancy. The administrator notices that write performance is lower than expected. Which RAID level would provide better write performance while still offering fault tolerance with the same number of disks (minimum 4)?

A. RAID 0
B. RAID 6
C. RAID 10
D. RAID 1
Answer: C

RAID 10 combines striping and mirroring, providing high write performance and fault tolerance.

Why this answer

Option C is correct. RAID 10 (striping + mirroring) offers better write performance than RAID 5 because it does not require parity calculation. RAID 0 has no fault tolerance.

RAID 1 has slower writes due to mirroring. RAID 6 has double parity, even slower writes.

31
MCQ · hard

A Linux system fails to boot and displays a kernel panic immediately after the GRUB menu. The administrator needs to boot into a rescue environment. Which GRUB boot parameter should the administrator add to the kernel line?

A. single
B. init=/bin/bash
C. systemd.unit=rescue.target
D. quiet splash
Answer: C

Boots into systemd rescue target.

Why this answer

Option C is correct because when a Linux system experiences a kernel panic immediately after GRUB, the administrator needs to boot into a minimal rescue environment that loads essential system services. The `systemd.unit=rescue.target` parameter tells systemd to start the rescue target, which mounts the root filesystem and starts only the most basic services, allowing the administrator to diagnose and repair the system. This is the proper GRUB kernel parameter for systemd-based distributions to enter a rescue shell without fully booting into the default multi-user or graphical target.

Exam trap

The trap here is that candidates confuse the legacy SysVinit `single` parameter or the direct `init=/bin/bash` shortcut with the correct systemd-based rescue target, not realizing that modern distributions require the `systemd.unit=` syntax to properly initialize the rescue environment with necessary services and filesystem mounts.

How to eliminate wrong answers

Option A is wrong because `single` is a legacy SysVinit parameter that boots into single-user mode, but on modern systemd-based distributions, it is often mapped to `rescue.target`; however, it is not the correct GRUB kernel parameter for systemd rescue environments and may not work reliably with kernel panics. Option B is wrong because `init=/bin/bash` bypasses the init system entirely and drops directly into a Bash shell without mounting the root filesystem properly or starting any services, which can lead to a read-only root filesystem and lack of necessary tools for recovery. Option D is wrong because `quiet splash` are kernel parameters that suppress boot messages and show a splash screen; they do not change the boot target and will not prevent a kernel panic or provide a rescue environment.

32
MCQ · medium

A system administrator needs to configure a Linux server to automatically synchronize time with the NTP pool servers. The server should also act as an NTP peer for other servers on the local network. Which file should be modified, and which directive should be added?

A. /etc/chrony/chrony.conf with "pool pool.ntp.org iburst" and "allow 192.168.1.0/24"
B. /etc/npt.conf with "peer pool.ntp.org"
C. /etc/systemd/timesyncd.conf with "NTP=pool.ntp.org" and "LocalPort=123"
D. /etc/ntp.conf with "server pool.ntp.org iburst"
Answer: A

Correct file and directives for both client sync and allowing other servers to peer.

Why this answer

Chrony is the default NTP implementation on modern RHEL/CentOS 7+ and many distributions. The configuration file is /etc/chrony/chrony.conf. The 'pool' directive with 'iburst' synchronizes with NTP servers, and 'allow' specifies which networks can query the server as an NTP peer.

Option D uses ntpd but lacks the 'allow' directive. Option C uses timesyncd, which is client-only. Option B has a typo in the file name and an incorrect directive.

33
MCQ · medium

Based on the exhibit, the myapp service fails to start. Which troubleshooting step should be taken first?

A. Increase the RestartSec value to allow more time for startup
B. Verify that /usr/local/bin/myapp has execute permission
C. Inspect the system journal for more detailed error messages
D. Check that the application's configuration file exists and is readable
Answer: D

The error indicates a missing config file.

Why this answer

The exhibit shows a systemd unit file for the myapp service with `ExecStart=/usr/local/bin/myapp` and `Restart=on-failure`. The service fails to start, and the most common cause for such a failure is a missing or misconfigured application configuration file that the binary expects at launch. Option D is correct because verifying the configuration file's existence and readability is a fundamental prerequisite before investigating deeper issues like permissions or logs.

Exam trap

The trap here is that candidates often jump to inspecting logs (Option C) or adjusting restart timers (Option A) without first verifying the most basic prerequisite—the configuration file—which is a direct and faster check that aligns with the 'first step' in systematic troubleshooting.

How to eliminate wrong answers

Option A is wrong because increasing RestartSec only affects the delay between restart attempts, not the root cause of the startup failure; it would merely slow down retries without fixing the underlying issue. Option B is wrong because if the binary lacked execute permission, systemd would typically report a specific 'Permission denied' error in the journal, and the exhibit does not indicate that; also, the binary path is hardcoded in ExecStart, and execute permission is a secondary check after ensuring the configuration file is valid. Option C is wrong because while inspecting the system journal is a valid troubleshooting step, it is not the first step; the question asks for the first step, and checking the configuration file is a quicker, more direct check that often reveals the problem without needing to parse logs.

34
MCQ · medium

The system is experiencing slow disk I/O. Based on the exhibit, which step should the administrator take to improve performance?

A. Increase the filesystem block size
B. Enable write-back caching on the drive using hdparm
C. Add the 'noatime' mount option in /etc/fstab
D. Change the I/O scheduler to 'deadline'
Answer: C

Correct: Reduces disk writes by not updating access times.

Why this answer

The 'noatime' mount option disables updating the access time (atime) on every file read, which eliminates a significant source of metadata write operations. Since the exhibit indicates slow disk I/O, reducing unnecessary writes directly improves performance by freeing I/O bandwidth for actual data transfers. This is a standard, low-risk optimization for workloads where access timestamps are not required.

Exam trap

The trap here is that candidates often focus on I/O schedulers or caching mechanisms to fix slow I/O, overlooking the simple and effective filesystem mount option that reduces unnecessary write operations.

How to eliminate wrong answers

Option A is wrong because increasing the filesystem block size can improve throughput for large sequential I/O but may waste space and degrade performance for small random I/O; it does not address the root cause of slow disk I/O from excessive metadata writes. Option B is wrong because enabling write-back caching with hdparm on a drive that does not support it or without proper power-loss protection can cause data corruption; it is a risky hardware-level change, not a safe filesystem tuning step. Option D is wrong because changing the I/O scheduler to 'deadline' may help with latency for certain workloads, but it does not reduce the volume of I/O operations; the exhibit points to unnecessary metadata updates, which the scheduler cannot mitigate.

35
MCQ · hard

An organization is migrating from a legacy automation tool to Ansible. Which of the following best describes the role of Ansible playbooks in configuration management?

A. YAML files that declare the desired state of systems and tasks to achieve it.
B. Executable scripts written in Python that run on managed nodes.
C. Configuration files that list the inventory of managed hosts.
D. Shell scripts that execute ad-hoc commands across servers.
Answer: A

Defines tasks and states declaratively.

Why this answer

Ansible playbooks are YAML files that declare the desired state of systems and the tasks to achieve that state, making them the core configuration management tool in Ansible. They are idempotent, meaning running them multiple times yields the same result, and they use modules to enforce configurations without requiring an agent on managed nodes.

Exam trap

The trap here is confusing playbooks with ad-hoc commands or inventory files, as candidates often think playbooks are scripts that execute directly on nodes rather than declarative YAML files that define desired state and tasks.

How to eliminate wrong answers

Option B is wrong because Ansible playbooks are not executable Python scripts; they are YAML declarative files that invoke Python modules on the control node, not scripts that run directly on managed nodes. Option C is wrong because inventory files, not playbooks, list managed hosts; playbooks define tasks and desired states. Option D is wrong because playbooks are not shell scripts; they are structured YAML files that orchestrate idempotent tasks, while ad-hoc commands are run via the `ansible` command, not playbooks.

36
MCQ · medium

A company is deploying a new web application using Docker containers. The application requires configuration values that vary between environments (development, staging, production). Which approach ensures the configuration is securely managed and applied without modifying the container image?

A. Pass configuration via environment variables and use Docker secrets for sensitive data.
B. Build separate images for each environment with the configuration baked in.
C. Store configuration in a JSON file within the base image and override it at runtime.
D. Use a Dockerfile to copy the configuration file from the host at build time.
Answer: A

Environment variables allow runtime configuration without modifying the image, and secrets provide secure handling of sensitive data.

Why this answer

Option A is correct because Docker supports passing configuration via environment variables at runtime without altering the image, and Docker secrets securely manage sensitive data (e.g., passwords, API keys) by storing them in encrypted memory and mounting them as temporary files in `/run/secrets/`. This decouples configuration from the immutable image, adhering to the twelve-factor app methodology and ensuring environment-specific values are applied without rebuilding.

Exam trap

CompTIA often tests the misconception that environment variables alone are sufficient for all configuration, including secrets, but the trap here is that Docker secrets provide an additional security layer for sensitive data, while environment variables are appropriate for non-sensitive configuration values.

How to eliminate wrong answers

Option B is wrong because building separate images for each environment violates immutability and defeats the purpose of a single deployable artifact, leading to configuration drift and increased maintenance overhead. Option C is wrong because storing configuration in a JSON file within the base image requires modifying the image or using a bind mount at runtime, which either breaks immutability or relies on host filesystem access, not a secure or portable approach. Option D is wrong because using a Dockerfile to copy a configuration file from the host at build time bakes the configuration into the image, making it environment-specific and requiring separate builds for each environment, which is inefficient and insecure.

37
MCQ · medium

A company runs a critical web application on a single server using Docker containers. The application consists of a web frontend container and a backend API container. Recently, the server ran out of disk space due to Docker logs and temporary images. The sysadmin is tasked with automating cleanup to prevent recurrence. The solution must not disrupt running containers. Which approach should be taken?

A. Increase disk space by adding a new volume.
B. Create a script that stops all containers, removes unused images, and restarts containers.
C. Schedule a cron job to run `docker system prune -a -f` daily.
D. Configure log rotation for containers using `--log-opt max-size=10m` and `--log-opt max-file=3` in the Docker run command, and schedule `docker image prune -f` weekly.
Answer: D

Log rotation keeps log files small, and pruning unused images safely removes them without affecting running containers.

Why this answer

Option D is correct because it addresses both root causes: log growth and dangling images. Configuring `--log-opt max-size=10m` and `--log-opt max-file=3` limits container log file size and count without stopping containers, while `docker image prune -f` removes unused images safely. This combination prevents disk exhaustion without disrupting running containers, meeting all requirements.

Exam trap

The trap here is that candidates may choose Option C because `docker system prune -a -f` seems like a comprehensive cleanup, but they overlook that it can remove images needed by running containers (if they use intermediate layers) and does not address log growth, which is the primary cause of disk space exhaustion in this scenario.

How to eliminate wrong answers

Option A is wrong because adding a new volume only postpones the problem by increasing capacity, but does not automate cleanup of logs or unused images, so disk space will eventually run out again. Option B is wrong because stopping all containers disrupts the critical web application, violating the requirement to not disrupt running containers. Option C is wrong because `docker system prune -a -f` removes all unused images, containers, networks, and volumes, including those that might be needed for running containers (e.g., intermediate layers), and it does not address log rotation, so logs will continue to grow unchecked.

38
MCQ · easy

An administrator needs to schedule a backup script located at '/usr/local/bin/backup.sh' to run every Sunday at 2:30 AM. The server uses cron for task scheduling. The administrator currently has the following crontab entry: '30 2 * * 0 /usr/local/bin/backup.sh'. However, the administrator wants to verify that the cron job is configured correctly and will run as expected. Which of the following commands should the administrator use to list the current user's cron jobs and verify the entry?

A. cat /var/spool/cron/crontabs/root
B. systemctl status cron
C. cron -l
D. crontab -l
Answer: D

Lists the current user's crontab entries, allowing verification.

Why this answer

The 'crontab -l' command lists the current user's crontab entries, so Option D is correct. 'cron -l' is not a valid command. 'cat /var/spool/cron/crontabs/root' might work for root but not for a regular user, and the path varies. 'systemctl status cron' shows the cron service status, not the job list.

39
Matching · medium

Match each Linux package manager to its distribution family.

Debian/Ubuntu

RHEL/CentOS 7

Fedora/RHEL 8+

openSUSE/SLES

Arch Linux

Why these pairings

Different distributions use different package managers.

40
Multi-Select · medium

Which THREE of the following actions can help prevent unauthorized access to a Linux server via SSH?

Select 3 answers
A. Allow only specific users with AllowUsers.
B. Set MaxAuthTries to 6.
C. Use protocol version 1.
D. Disable password authentication.
E. Set PermitRootLogin to no.
Answers: A, D, E

Restricts SSH access to authorized users.

Why this answer

Option A is correct because the `AllowUsers` directive in `/etc/ssh/sshd_config` restricts SSH logins to only the specified user accounts, blocking all others even if they have valid credentials. This reduces the attack surface by explicitly whitelisting authorized users, making it an effective access control measure.

Exam trap

CompTIA often tests the misconception that increasing `MaxAuthTries` (option B) or using protocol version 1 (option C) improves security, when in fact they either have no preventive effect or actively weaken security.
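The three settings in the answer to question 40 can be checked mechanically against a configuration file. This is an added example, not part of the original question bank: `audit_sshd_config`, `sample_weak` and `sample_hardened` are hypothetical names, both sample configurations are constructed, and only the global section is read (parsing stops at the first `Match` line).

```shell
#!/bin/sh
# audit_sshd_config [FILE]
# Reads an sshd_config from FILE (or stdin) and reports whether the global
# section sets PermitRootLogin no, PasswordAuthentication no and an explicit
# AllowUsers list. Keywords are case-insensitive, and sshd uses the first
# value it obtains for a keyword, so later duplicates are ignored here too.
# Exit status is 1 if any check fails, 0 otherwise.
audit_sshd_config() {
    awk '
        function check(k, want,    got) {
            got = (k in first) ? tolower(first[k]) : "(unset)"
            if (got == want) {
                printf "PASS %s %s\n", k, got
            } else {
                printf "FAIL %s %s (want %s)\n", k, got, want
                fails++
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }                 # conditional blocks not evaluated
        !(key in first) {
            v = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", v)  # drop the keyword
            sub(/[ \t]+$/, "", v)               # drop trailing whitespace
            first[key] = v
        }
        END {
            check("permitrootlogin", "no")
            check("passwordauthentication", "no")
            if ("allowusers" in first) {
                printf "PASS allowusers %s\n", first["allowusers"]
            } else {
                print "FAIL allowusers (unset) (want explicit user list)"
                fails++
            }
            exit (fails > 0)
        }
    ' "$@"
}

# Constructed sample: none of the three controls is in place.
sample_weak() {
    cat <<'EOF'
# constructed sample, not a real server configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
EOF
}

# Constructed sample: all three controls set; the duplicate and the Match
# block exercise the first-value-wins and global-section-only behaviour.
sample_hardened() {
    cat <<'EOF'
# constructed sample, not a real server configuration
PermitRootLogin no
permitrootlogin yes
PasswordAuthentication no
AllowUsers alice bob
Match User alice
    PasswordAuthentication yes
EOF
}

echo "--- weak sample ---";     sample_weak     | audit_sshd_config || true
echo "--- hardened sample ---"; sample_hardened | audit_sshd_config || true
```

On a live host, `sshd -T` prints the effective configuration after defaults are applied, which covers the conditional blocks this file-level check skips when it is given the matching connection parameters.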

41
MCQ · medium

Refer to the exhibit. A Docker container using a bind mount fails to start with a permission error. What is the most likely cause?

A. The container is running in privileged mode.
B. The Docker daemon is not running as root.
C. SELinux is blocking the mount.
D. The volume path on the host does not exist.
Answer: C

SELinux policies can restrict bind mounts, resulting in permission denied errors.

Why this answer

When a Docker container uses a bind mount and fails with a permission error, SELinux is a common cause because it enforces mandatory access controls that can block container processes from accessing host files. By default, SELinux labels container processes with a confined domain (e.g., container_t), and if the bind-mounted host directory lacks the proper SELinux context (e.g., container_file_t), the mount is denied. This is resolved by adding the `:Z` or `:z` flag to the bind mount in the Docker run command to relabel the host directory appropriately.

Exam trap

CompTIA often tests the distinction between filesystem permission errors (e.g., user ID mismatch) and SELinux denials, where candidates mistakenly choose 'privileged mode' or 'daemon not root' because they overlook SELinux as the underlying cause in a bind mount context.

How to eliminate wrong answers

Option A is wrong because running the container in privileged mode grants all capabilities and bypasses most security restrictions, but it does not automatically resolve SELinux denials; in fact, privileged mode may still be blocked by SELinux unless SELinux is disabled or the context is set. Option B is wrong because the Docker daemon typically runs as root, and even if it did not, the permission error from a bind mount is more likely related to SELinux or filesystem permissions, not the daemon's user ID. Option D is wrong because if the volume path on the host did not exist, Docker would create it as a directory (unless a file is expected), and the error would be a 'no such file or directory' message, not a permission error.

42
MCQ · medium

An administrator is troubleshooting a server that fails to boot. The system displays 'kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0).' Which of the following is the most likely cause?

A. The init binary is missing
B. The hard drive has a hardware failure
C. The kernel image is corrupted
D. The Master Boot Record is damaged
E. Incorrect root= parameter in the kernel command line
Answer: E

The root filesystem cannot be mounted due to wrong root= parameter.

Why this answer

Option E is correct because this error indicates the kernel cannot find or mount the root filesystem, often due to an incorrect root= parameter in the boot loader configuration. Option A is wrong because missing init would cause a different error about /sbin/init. Option C is wrong because a corrupted kernel would usually cause an earlier error during decompression. Option D is wrong because GRUB stage 1 damage would prevent the boot loader from loading. Option B is wrong because a hardware failure is unlikely to produce this specific message.

43
Drag & Drop · medium

Drag and drop the steps to mount a new filesystem in the correct order.

Why this order

Mounting a filesystem requires creating a mount point and using the mount command with the device and mount point.

44
MCQ · hard

A company requires that all systems be configured to log all authentication attempts, both successful and failed. Which configuration file and directive should be used to ensure all auth messages are logged to /var/log/secure?

A. In /etc/rsyslog.conf: *.info /var/log/secure
B. In /etc/rsyslog.conf: auth.* /var/log/secure
C. In /etc/rsyslog.conf: authpriv.* /var/log/secure
D. In /etc/rsyslog.conf: kern.* /var/log/secure
Answer: C

Correct facility and action.

Why this answer

In rsyslog, the `authpriv` facility covers authentication and authorization messages, including both successful and failed login attempts. The directive `authpriv.* /var/log/secure` directs all messages from this facility to `/var/log/secure`, which is the standard secure log file on RHEL/CentOS systems. This meets the requirement to log all authentication attempts.

Exam trap

The trap here is that candidates confuse the `auth` and `authpriv` facilities, assuming `auth.*` is correct because it sounds like 'authentication', but `authpriv` is the actual facility used by modern Linux authentication subsystems like PAM and sshd.

How to eliminate wrong answers

Option A is wrong because `*.info` selects all messages with severity info or higher, which would flood `/var/log/secure` with non-authentication messages (e.g., cron, mail, daemon logs), not specifically auth messages. Option B is wrong because `auth.*` uses the `auth` facility, which is typically used for legacy or non-privileged authentication; on modern Linux systems, authentication logs are generated under the `authpriv` facility, so `auth.*` would miss many auth-related messages. Option D is wrong because `kern.*` selects kernel messages only, which are unrelated to authentication attempts and are typically logged to `/var/log/kern.log` or `/var/log/messages`.

45
MCQ · easy

A Linux administrator needs to check which process is using the most memory on a system. The administrator wants to view a dynamically updating list of processes sorted by memory usage. Which command should the administrator use?

A. ps aux --sort=-%mem
B. top -o %MEM
C. htop -s MEM
D. vmstat 1 5
Answer: B

top with -o sorts by the specified field and updates dynamically.

Why this answer

The top command provides a real-time, dynamically updating view of system processes. Using the -o %MEM flag sorts processes by memory usage. Option A (ps) shows a static snapshot.

Option C (htop) is not installed by default on many systems and uses -s for sort. Option D (vmstat) shows system-wide stats, not per process.

46
MCQ · medium

A user reports that a service fails to start with the error 'Permission denied'. The service runs under a non-root user. Which command should the administrator use to check if the service has the correct file permissions?

A. namei -l /path/to/service
B. ls -l /path/to/service
C. getfacl /path/to/service
D. stat /path/to/service
Answer: A

namei -l walks the entire path and shows permissions for each component, revealing any 'Permission denied' at intermediate steps.

Why this answer

The error 'Permission denied' when starting a service under a non-root user often involves not just the file's own permissions but also the permissions of each directory in the path leading to the service binary. The `namei -l` command recursively lists the permissions of every component in the path, revealing if any parent directory lacks execute (search) permission for the service user, which would block access even if the binary itself is correctly set. This makes it the most comprehensive tool for diagnosing path-based permission issues.

Exam trap

The trap here is that candidates assume `ls -l` or `stat` on the service binary alone is sufficient, overlooking that the 'Permission denied' error often originates from a missing execute bit on a parent directory in the path, which only `namei -l` can reveal by checking every component.

How to eliminate wrong answers

Option B is wrong because `ls -l` only shows the permissions of the final file or directory, not the intermediate directories in the path, so it cannot detect a missing execute permission on a parent directory that causes the 'Permission denied' error. Option C is wrong because `getfacl` displays only the ACL entries for a single file or directory, not the recursive path permissions, and ACLs are an extended permission mechanism that may not be the root cause if standard Unix permissions are misconfigured on a parent directory. Option D is wrong because `stat` provides detailed metadata (inode, timestamps, permissions) for a single file or directory but, like `ls -l`, does not traverse and display permissions for each component in the path, missing the common scenario where a parent directory lacks the execute bit.

47
MCQ · easy

A user cannot access a file. The file has permissions 640 and is owned by root:root. The user is not root and not in the root group. Which command should the administrator use to allow the user to read the file?

A. chmod o+r file
B. chgrp user file
C. setfacl -m u:user:r file
D. chown user file
Answer: A

Correct: Adds read permission for others.

Why this answer

The file has permissions 640, which means the owner (root) has read/write, the group (root) has read, and others have no permissions. Since the user is not root and not in the root group, they fall into the 'others' category. The command `chmod o+r file` adds read permission for others, allowing the user to read the file without changing ownership or group membership.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing `setfacl` or `chown` when a simple `chmod` on the 'others' class is the correct and most efficient fix for a user who is neither the owner nor a group member.

How to eliminate wrong answers

Option B is wrong because `chgrp user file` changes the group owner of the file to the user's primary group, but the user may not be in that group (or the group may still not grant read access if the group permissions are insufficient). Option C is wrong because `setfacl -m u:user:r file` would work to grant read access via an ACL, but the question asks for a command to allow the user to read the file, and while this is technically valid, it is not the most direct or standard answer; the exam expects the simpler `chmod` solution. Option D is wrong because `chown user file` changes the file owner to the user, which would grant the user owner permissions (read/write), but this is overly permissive and unnecessary when only read access is needed; it also violates the principle of least privilege.

48
MCQ · medium

A container is running a database service that requires persistent storage. The administrator wants to ensure that data persists even if the container is removed. Which volume mount type should be used in the Docker run command?

A. --mount type=volume
B. --mount type=bind
C. COPY in Dockerfile
D. --mount type=tmpfs
Answer: B

Bind mounts map a host directory, ensuring data persists.

Why this answer

Option B is correct because a bind mount directly maps a host directory into the container, ensuring that data written to that mount point persists on the host filesystem even after the container is removed. This is ideal for database services that require persistent storage independent of the container lifecycle.

Exam trap

The trap here is that candidates often confuse Docker volumes with bind mounts, assuming volumes are the only persistent option, but bind mounts also provide persistence and are the correct choice when the question explicitly requires a host directory mapping.

How to eliminate wrong answers

Option A is wrong because `--mount type=volume` creates a Docker-managed volume that persists data, but the question specifies the administrator wants data to persist even if the container is removed; while volumes also persist, the correct answer for the given scenario is bind mount, as the question implies a direct host path mapping. Option C is wrong because `COPY` in a Dockerfile only copies files into the image at build time, not at runtime, and does not provide persistent storage that survives container removal. Option D is wrong because `--mount type=tmpfs` mounts a temporary filesystem stored in memory, which is volatile and data is lost when the container stops or is removed.

49
MCQ · easy

A DevOps engineer needs to run a container that executes a batch job and then exits. The container image is stored in a private registry. Which Docker command should be used to run the container and automatically remove it after it exits?

A. docker run --rm private.registry.com/batch:latest
B. docker start --rm private.registry.com/batch:latest
C. docker run -d private.registry.com/batch:latest
D. docker exec --rm private.registry.com/batch:latest
Answer: A

The --rm flag ensures the container is removed after it exits, and the image is pulled from the registry.

Why this answer

The `docker run --rm` command automatically removes the container after it exits, which is ideal for batch jobs that should not leave behind stopped containers. The image reference `private.registry.com/batch:latest` pulls from a private registry when not cached locally. This combination ensures the container runs once, completes its task, and is cleaned up without manual intervention.

Exam trap

CompTIA often tests the distinction between `docker run` (creates and starts a new container) and `docker start` (restarts an existing container), and the trap here is that candidates may confuse `--rm` as a generic cleanup flag applicable to any Docker command, when it is only valid with `docker run`.

How to eliminate wrong answers

Option B is wrong because `docker start` only starts an existing stopped container; it cannot pull or run a new image from a registry, and `--rm` is not a valid flag for `docker start`. Option C is wrong because `docker run -d` runs the container in detached mode (background) and does not automatically remove it after exit; the container would remain as a stopped container. Option D is wrong because `docker exec` runs a command inside an already running container, not a new container from an image, and `--rm` is not a valid flag for `docker exec`.

50
MCQ · easy

Based on the exhibit, what is the most likely cause of the sshd service failure?

A. The SSH configuration file has a syntax error.
B. The privilege separation directory /var/empty/sshd does not exist.
C. The sshd PID file cannot be written.
D. The SSH port is already in use by another service.
Answer: B

The error message directly states this directory is missing.

Why this answer

The error message 'Privilege separation directory /var/empty/sshd does not exist' directly indicates that the required chroot directory for the unprivileged sshd process is missing. Without this directory, sshd cannot drop privileges after authentication, causing it to fail on startup. This is a common issue after a partial installation or cleanup of OpenSSH.

Exam trap

CompTIA often tests the specific error message 'Privilege separation directory /var/empty/sshd does not exist' to trap candidates who assume the failure is due to a configuration syntax error or port conflict, rather than recognizing the missing chroot directory as a distinct startup prerequisite.

How to eliminate wrong answers

Option A is wrong because a syntax error in the SSH configuration file would typically produce a specific parse error message (e.g., 'Bad configuration option' or 'line X: syntax error'), not a missing directory error. Option C is wrong because the inability to write the PID file would generate a 'Could not create PID file' or 'Permission denied' message, not a privilege separation directory error. Option D is wrong because if the SSH port were already in use, the error would be 'Address already in use' or 'bind: Address in use', which is a socket binding failure, not a missing directory.

51
Multi-Select · medium

Which TWO of the following are valid methods to pass environment variables to a Docker container at runtime?

Select 2 answers
A. Using the -e flag with docker run
B. Using the ENV instruction in the Dockerfile
C. Using the --environment flag with docker run
D. Using the --env-file flag with docker run
E. Using the --env flag with docker run
Answers: A, D

Valid runtime option.

Why this answer

Option A is correct because the `-e` flag (or `--env`) with `docker run` allows you to set environment variables directly on the command line, e.g., `docker run -e MY_VAR=value`. This is a standard and widely used method to pass environment variables at runtime without modifying the image.

Exam trap

CompTIA often tests the distinction between build-time (`ENV` in Dockerfile) and runtime (`-e` or `--env-file`) variable injection, and candidates may mistakenly think `--env-file` is invalid or that `--environment` is a real flag.

52
MCQ · medium

A container named web2 exited with status 0. Which of the following is the most likely reason?

A. The container ran a task and completed
B. The container's entrypoint crashed
C. The container was stopped manually with docker stop
D. The container ran out of memory
Answer: C

docker stop sends SIGTERM, causing a clean exit with code 0.

Why this answer

Exit code 0 indicates a successful termination. When a container exits with status 0, it means the main process (entrypoint or command) completed its task without errors. Option C is correct because `docker stop` sends a SIGTERM signal to the container's PID 1, allowing it to shut down gracefully; if the process handles the signal and exits cleanly, the exit code will be 0.

Exam trap

The trap here is that candidates often assume exit code 0 always means the container completed its intended work, but Cisco tests the nuance that a manual `docker stop` can also produce exit code 0 if the process handles the shutdown gracefully.

How to eliminate wrong answers

Option A is wrong because while a container that runs a task and completes will also exit with status 0, the question states the container was 'stopped manually with docker stop', which is the most likely reason given the explicit action. Option B is wrong because if the container's entrypoint crashed, it would typically exit with a non-zero status (e.g., 1, 2, or 139 for a segfault), not 0. Option D is wrong because running out of memory causes the container to be killed by the OOM killer, which results in exit code 137 (128 + 9, where 9 is SIGKILL), not 0.

53
MCQ · medium

The output of df -h shows the root filesystem at 100% capacity. Which of the following commands should the administrator run NEXT to identify the cause?

A. fdisk -l /dev/sda
B. fsck /dev/sda1
C. ls -la /
D. du -sh /*
Answer: D

Shows directory sizes to find space hogs.

Why this answer

The `du -sh /*` command calculates and displays the disk usage of each top-level directory in the root filesystem. When `df -h` shows 100% capacity, the next logical step is to identify which directories are consuming the most space, so the administrator can drill down further. This command is the standard tool for pinpointing space hogs before taking corrective action.

Exam trap

CompTIA often tests the distinction between listing files (`ls`) and measuring disk usage (`du`), trapping candidates who think `ls -la /` will reveal space consumption when it only shows metadata and not recursive sizes.

How to eliminate wrong answers

Option A is wrong because `fdisk -l /dev/sda` is used to list partition tables, not to identify which files or directories are consuming disk space; it provides no insight into filesystem usage. Option B is wrong because `fsck /dev/sda1` checks and repairs filesystem integrity, but running it on a mounted, full filesystem can cause data corruption and does not address the root cause of capacity exhaustion. Option C is wrong because `ls -la /` lists the contents of the root directory with metadata but does not aggregate sizes recursively, so it cannot show which subdirectories are using the most space.

54
MCQ · easy

What does the output in the exhibit indicate about the /etc/shadow file?

A. The file has an SELinux context.
B. The file is encrypted.
C. The file has an ACL applied.
D. The file is compressed.
Answer: A

The output format is standard for SELinux labels.

Why this answer

The output shows an SELinux context: system_u (user), object_r (role), shadow_t (type), and s0 (sensitivity). This indicates the file has an SELinux security label.

55
Multi-Select · hard

A security policy requires that containers run with minimal privileges. Which THREE measures should be implemented? (Select THREE.)

Select 3 answers
A. Use --security-opt seccomp=default
B. Mount host filesystem read-write
C. Run as non-root user
D. Expose all ports to host
E. Drop all Linux capabilities and add only required
Answers: A, C, E

The default seccomp profile restricts system calls, improving security.

Why this answer

Running as non-root, dropping capabilities, and using a default seccomp profile all reduce privileges. Mounting host filesystem read-write and exposing all ports increase risk.

56
MCQ · medium

What is the effect of the firewall rules shown?

A. Only SSH traffic to 192.168.1.10 is allowed; all other traffic is dropped.
B. Only SSH and loopback traffic are allowed; all other traffic is dropped.
C. All traffic on eth0 is allowed; loopback is allowed.
D. SSH and ICMP echo-request are allowed; all other traffic is dropped.
Answer: D

The rules allow SSH, ICMP echo-request, and loopback; default drop handles the rest.

Why this answer

The firewall rules shown explicitly allow SSH (port 22) and ICMP echo-request (type 8) traffic while the final default rule drops all other traffic. This matches option D, as the rules do not permit any other protocols or services, including loopback traffic unless it is SSH or ICMP echo-request.

Exam trap

The trap here is that candidates often assume loopback traffic is implicitly allowed or that the rules apply to all interfaces, but the rules only apply to the INPUT chain on eth0 and do not include any explicit loopback allowance, so only the specified protocols are permitted.

How to eliminate wrong answers

Option A is wrong because it states only SSH traffic to 192.168.1.10 is allowed, but the rules also permit ICMP echo-request, not just SSH. Option B is wrong because it claims loopback traffic is allowed, but the rules do not include any explicit allow rule for loopback (lo) interface traffic; only SSH and ICMP echo-request are permitted. Option C is wrong because it says all traffic on eth0 is allowed, but the rules include a default drop rule that denies all traffic not matching the SSH or ICMP echo-request allow rules.

57
MCQ · medium

An administrator needs to deploy a containerized web application on a Linux server. The application requires port 8080 to be mapped to host port 80. Which command will run the container in detached mode with this port mapping?

A. docker run -p 80:8080 webapp
B. docker run -d -p 8080:80 webapp
C. docker run -d -p 8080:80 webapp
D. docker run -d -p 80:8080 webapp
Answer: D

Correctly maps host port 80 to container port 8080 in detached mode.

Why this answer

Option D is correct because the `-d` flag runs the container in detached mode, and `-p 80:8080` maps host port 80 to container port 8080, which matches the requirement. The syntax is `-p host_port:container_port`, so `-p 80:8080` correctly exposes the application's container port 8080 on the host's port 80.

Exam trap

The trap here is that candidates often confuse the order of port mapping in the `-p` flag, mistakenly thinking `-p container_port:host_port` is correct, when the correct syntax is `-p host_port:container_port`.

How to eliminate wrong answers

Option A is wrong because it omits the `-d` flag, so the container runs in the foreground (attached mode), not detached. Option B is wrong because it uses `-p 8080:80`, which maps host port 8080 to container port 80, reversing the required mapping (the application listens on container port 8080, not 80). Option C is identical to Option B and is wrong for the same reason: it incorrectly maps host port 8080 to container port 80.

58
MCQ · hard

A system administrator notices that a cron job runs every 5 minutes but should run only on weekdays. The current crontab entry is: */5 * * * * /usr/local/bin/script.sh. Which change to the time fields will restrict execution to Monday through Friday?

A. */5 9-17 * * 1-5 /usr/local/bin/script.sh
B. */5 * * * 1-6 /usr/local/bin/script.sh
C. */5 * * * 1-5 /usr/local/bin/script.sh
D. 5 * * * 1-5 /usr/local/bin/script.sh
Answer: C

Runs every 5 minutes, every hour, every day of month, every month, on weekdays (1-5).

Why this answer

Option C is correct because the fifth field in a crontab entry specifies the day of the week, where 1 represents Monday and 5 represents Friday. By setting this field to `1-5`, the cron job will only execute on weekdays, while the `*/5` in the minute field ensures it still runs every 5 minutes. The other fields remain as `*` to allow execution at any hour and any day of the month.

Exam trap

The trap here is that candidates may confuse the day-of-week field with the day-of-month field, or incorrectly assume that `1-5` excludes weekends without realizing that cron's day-of-week numbering starts with Sunday as 0, so `1-5` correctly maps to Monday-Friday.

How to eliminate wrong answers

Option A is wrong because it adds a range `9-17` in the hour field, which restricts execution to business hours (9 AM to 5 PM) instead of only weekdays, and this is not required by the question. Option B is wrong because it uses `1-6` for the day-of-week field, which includes Saturday (6) in addition to weekdays, causing the job to run on Saturdays as well. Option D is wrong because it changes the minute field from `*/5` to `5`, meaning the job would run only at minute 5 of every hour, not every 5 minutes, thus altering the frequency requirement.

59
MCQ · easy

A junior administrator writes a bash script to check disk usage and send an email alert. The script runs manually but does not execute from cron. Which of the following is the most likely cause?

A. Script not marked executable
B. Incorrect file permissions on cron job
C. Missing shebang line
D. Absolute path not specified in crontab
Answer: D

Cron runs with a minimal PATH; without a full path to the script, the job will not find it.

Why this answer

When a script runs manually from the command line but fails from cron, the most common cause is that cron does not inherit the user's PATH environment. Without an absolute path to the script in the crontab entry, cron cannot locate the script. Option D directly addresses this: specifying the full path (e.g., /home/user/script.sh) ensures cron can find and execute it.

Exam trap

CompTIA often tests the misconception that cron failures are due to file permissions or missing shebangs, when the real issue is the restricted cron environment—specifically the lack of an absolute path or a missing PATH variable.

How to eliminate wrong answers

Option A is wrong because if the script were not marked executable, it would also fail when run manually from the command line (unless invoked with 'bash script.sh'), but the question states it runs manually. Option B is wrong because cron jobs themselves are not files with permissions; the cron table (crontab) is a configuration file, and its permissions (typically 600 owned by the user) are not the issue—the script's permissions or cron's environment are. Option C is wrong because a missing shebang line would cause the script to fail regardless of how it is invoked (manual or cron), but the script runs manually, so a shebang is present or the shell is explicitly specified.

60
Multi-Select · hard

A database server running on Linux is experiencing high load. The administrator runs 'strace -p <pid>' and sees many 'epoll_wait' and 'futex' calls. Which THREE of the following are possible causes of the high load? (Choose THREE.)

Select 3 answers
A. Disk I/O contention causing processes to wait.
B. A large number of concurrent connections.
C. CPU frequency scaling is set to powersave.
D. A memory leak in the database process.
E. Inefficient database queries causing high CPU usage.
Answers: A, B, E

Waiting on I/O increases load average as processes are in uninterruptible sleep.

Why this answer

Option A is correct because 'epoll_wait' indicates the process is waiting for I/O events, and 'futex' calls are used for synchronization. Disk I/O contention can cause the database process to block on these system calls, leading to high load as the kernel schedules other tasks while waiting for I/O to complete.

Exam trap

The trap here is that candidates may incorrectly associate 'futex' calls solely with memory issues or CPU scaling, rather than recognizing them as indicators of thread contention and I/O waiting under high concurrency.

61
MCQ · hard

A container needs to communicate with a database on the host machine using the default bridge network. The container cannot resolve the host by hostname. Which approach should be used?

A. Set --net=host
B. Use --link db:db
C. Create a custom bridge network
D. Use --add-host host.docker.internal:host-gateway
Answer: D

This adds a host entry that resolves to the host's IP via the gateway, allowing the container to reach host services.

Why this answer

Option D is correct because `--add-host host.docker.internal:host-gateway` adds a special entry to the container's `/etc/hosts` file that resolves `host.docker.internal` to the host machine's gateway IP address, which on the default bridge network is the host itself. This allows the container to reach the host by a consistent hostname without relying on Docker's internal DNS, which does not resolve hostnames on the default bridge. The `host-gateway` magic value automatically maps to the host's IP (typically 172.17.0.1 on Linux).

Exam trap

The trap here is that candidates often confuse `--net=host` as a quick fix for hostname resolution, not realizing it sacrifices network isolation and is not the intended method for reaching the host from a container on the default bridge.

How to eliminate wrong answers

Option A is wrong because `--net=host` removes network isolation entirely, making the container share the host's network stack, which is overly permissive and not a targeted solution for hostname resolution. Option B is wrong because `--link` is a legacy feature that provides name resolution between containers, not between a container and the host machine. Option C is wrong because creating a custom bridge network enables automatic DNS resolution for container names, but it does not automatically provide a hostname for the host machine; you would still need to use `--add-host` or similar to resolve the host by name.

62
Multi-Select · medium

A Linux administrator suspects a memory leak in a process. Which TWO commands can be used to monitor memory usage over time for a specific process? (Choose two.)

Select 2 answers
A. top
B. vmstat
C. iostat
D. ps aux --sort=-%mem
E. free
Answers: A, D

top shows real-time memory usage per process in the RES and VIRT columns.

Why this answer

Option A (top) is correct because it provides a real-time, interactive view of system processes, including memory usage (RES, VIRT, %MEM) that updates by default every 3 seconds. You can filter by PID to monitor a specific process over time, making it ideal for detecting memory growth patterns indicative of a leak.

Exam trap

The trap here is that candidates may think vmstat or free can monitor per-process memory, but they only show aggregate system memory, while top and ps are the correct tools for per-process memory tracking over time.

63
MCQ · easy

A company needs to verify that the Apache HTTP server is running and see its current status along with recent log entries. Which command should be used?

A. systemctl status httpd
B. service httpd status
C. journalctl -u httpd
D. systemctl list-units --type=service
Answer: A

Correct: Displays service status and recent log entries.

Why this answer

The `systemctl status httpd` command is correct because it provides a comprehensive view of the Apache HTTP server's current state (active/inactive), its process ID, memory usage, and the most recent log entries from the service's journal. This aligns with the question's requirement to both verify the service is running and see its status along with recent log entries, all in a single command output.

Exam trap

The trap here is that candidates often confuse `systemctl status` with `journalctl -u`, thinking both provide the same information, but `journalctl` lacks the live status and process details that `systemctl status` includes.

How to eliminate wrong answers

Option B is wrong because `service httpd status` is a legacy SysVinit command that only shows the service's running state (e.g., 'httpd is running') without displaying recent log entries or detailed status information. Option C is wrong because `journalctl -u httpd` shows only the log entries for the httpd unit but does not display the current running status or process details; it requires a separate command to verify if the service is active. Option D is wrong because `systemctl list-units --type=service` lists all loaded service units and their states but does not filter to httpd specifically, nor does it show recent log entries or detailed status for a single service.

64
MCQ · hard

A company policy requires all systems to have a specific set of security patches applied. The administrator needs to generate a report listing all installed packages that contain security updates available. Which command sequence should be used on Red Hat-based systems?

A. yum check-update
B. yum updateinfo list security
C. yum info-sec
D. yum list-security
E. yum list updates
Answer: D

Lists security-related updates.

Why this answer

Option D is correct because `yum list-security` (or `dnf list-security`) lists security advisories and the associated packages with available updates. Option A is wrong because `yum check-update` lists all updates, not just security. Option B is wrong because `yum updateinfo list security` is not a valid command; the correct form is `yum updateinfo list --sec`. Option C is wrong because `yum list updates` lists all updateable packages. Option E is wrong because `yum info-sec` is not a valid command.

65
MCQ · medium

Based on the exhibit, which statement is true about the sshd service?

A. The service is masked.
B. The service is inactive.
C. The service has exited.
D. The service is not enabled to start at boot.
Answer: D

'disabled' indicates the service is not enabled for automatic start.

Why this answer

The exhibit shows the output of `systemctl status sshd.service`. The line `Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: enabled)` indicates the service is currently loaded but its enablement state is `disabled`, meaning it is not configured to start automatically at boot. The `Active: inactive (dead)` line confirms the service is not running now, but the question asks about boot-time behavior, which is governed by the `disabled` state. Therefore, option D is correct.

Exam trap

The trap here is that candidates see `inactive (dead)` and incorrectly assume the service is not enabled to start at boot, but the actual evidence for boot behavior is the `disabled` keyword in the Loaded line, not the Active line.

How to eliminate wrong answers

Option A is wrong because the service is `loaded`, not `masked`; a masked service would show `masked` in the Loaded line and cannot be started directly. Option B is wrong because while the service is currently `inactive (dead)`, the question asks for a true statement about the service overall, and the key fact is its disabled boot status, not just its current runtime state. Option C is wrong because `exited` is a specific active state for services that run and terminate (e.g., oneshot type), but this service shows `inactive (dead)`, not `exited`; `exited` would appear as `Active: active (exited)`.

66
MCQ · medium

A system administrator is configuring a firewall using iptables. The requirement is to allow incoming SSH connections from the 192.168.1.0/24 network only. Which iptables rule should be added to the INPUT chain?

A. iptables -A INPUT -p tcp --dport 22 -d 192.168.1.0/24 -j ACCEPT
B. iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j REJECT
C. iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
D. iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j LOG
E. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Answer: C

Allows SSH from the specified network.

Why this answer

Option A is correct because it specifies the source IP range, destination port 22, and accepts the connection. Option B is wrong because it refers to the output interface. Option C is wrong because it uses REJECT instead of DROP, but more importantly, it doesn't specify source. Option D is wrong because it only logs and does not accept. Option E is wrong because -s is missing, so it accepts from any source.

67
Multi-Select · easy

A Linux administrator writes a Python script to parse configuration files. Which TWO practices improve security and portability? (Select TWO.)

Select 2 answers
A. Validate all external input before processing
B. Use absolute paths for all file operations
C. Use sudo within the script to run privileged commands
D. Use raw_input() instead of input() in Python 2
E. Use shebang #!/usr/bin/env python3
Answers: A, E

Input validation prevents injection attacks and improves security.

Why this answer

Using #!/usr/bin/env python3 ensures the script uses the correct interpreter from the environment, enhancing portability. Validating all external input prevents injection attacks. The other options are either deprecated or bad practices.

68
Multi-Select · easy

A technician is troubleshooting a user's inability to execute a script. The script has execute permissions for the user. Which of the following could be causing the issue? (Choose two.)

Select 2 answers
A. The user is not the owner
B. The script has a syntax error
C. The script is being blocked by a firewall
D. The script is in a directory without execute permission
E. The script's SELinux context is incorrect
Answers: D, E

Directories need execute permission for users to traverse.

Why this answer

Option D is correct because even if the script file itself has execute permissions, the user must also have execute permission on the directory containing the script. The directory's execute bit (often called the 'search' bit) is required to traverse the directory and access files within it. Without it, the kernel will deny access to any file in that directory, regardless of the file's own permissions.

Exam trap

The trap here is that candidates focus solely on the file's execute permission and overlook the directory's execute permission, or they confuse SELinux context errors with simple permission issues.

69
MCQmedium

A Linux administrator receives reports that the system's log files are growing rapidly and consuming disk space. The administrator needs to configure the system to rotate logs weekly, keep 4 weeks of logs, compress old logs, and ensure that log rotation does not cause logs to be lost if the log file is still being written. Which configuration file and setting should be used?

A. /etc/rsyslog.conf with action(type="omfile" file="/var/log/syslog" rotate="weekly" keep="4" compress)
B. /etc/logrotate.d/syslog with directives: weekly, rotate 4, compress, delaycompress
C. /etc/systemd/journald.conf with Settings=MaxRetentionSec=4weeks and Compress=yes
D. /etc/cron.daily/logrotate script that calls logrotate -f /etc/logrotate.conf
Answer: B

logrotate is the standard tool; delaycompress ensures the current log is not compressed until the next rotation, preventing data loss.

Why this answer

The logrotate utility is responsible for log rotation. The directives `weekly`, `rotate 4`, `compress`, and `delaycompress` in /etc/logrotate.d/syslog rotate logs weekly, keep 4 rotations, compress older logs, and delay compression by one rotation to avoid losing data if the log is still being written. Option A uses rsyslog, which does not handle rotation.

Option C is for journald. Option D is a cron job, but it does not specify the rotation settings.

70
MCQeasy

A company uses a Linux server running a web application. Users report that they cannot access the website. The administrator checks the web server status and finds it is not running. Which command should the administrator use to view the reason for the service failure?

A.journalctl -xe
B.systemctl status httpd --full
C.tail -f /var/log/httpd/access_log
D.dmesg | grep httpd
AnswerA

Displays recent journal entries with explanations.

Why this answer

The `journalctl -xe` command displays the systemd journal log with the `-x` flag adding explanatory context and `-e` jumping to the end of the log, which is the most direct way to view the reason a systemd-managed service like httpd failed. Since the web server is managed by systemd, its failure reason (e.g., exit code, segfault, configuration error) is recorded in the journal, and this command retrieves that specific failure detail without requiring manual log file parsing.

Exam trap

The trap here is that candidates confuse the access log (option C) with the error log, or assume `systemctl status` shows the full failure reason when it only shows a truncated snippet, while `journalctl -xe` is the standard command for detailed failure diagnostics in systemd-based distributions.

How to eliminate wrong answers

Option B is wrong because `systemctl status httpd --full` shows the current status and recent log lines of the service, but it does not provide the detailed failure reason from the journal; `--full` only keeps long output lines from being truncated and does not reveal the cause. Option C is wrong because `tail -f /var/log/httpd/access_log` tails the HTTP access log, which records client requests, not service failure reasons; the relevant log for failures is typically `/var/log/httpd/error_log`. Option D is wrong because `dmesg | grep httpd` searches kernel ring buffer messages, which are for hardware/driver issues and kernel panics, not for user-space service failures like an httpd crash.

71
MCQhard

After a kernel update, the system boots but the network interface enp0s3 is not detected. The administrator verifies that the kernel module for the NIC is built for the new kernel. Which of the following should be done to ensure the module loads correctly?

A.Load the module with modprobe
B.Rebuild the initramfs
C.Update the udev rules
D.Reinstall the kernel package
AnswerB

Ensures the new kernel's module is available at boot.

Why this answer

After a kernel update, the initramfs (initial RAM filesystem) must be rebuilt to include the new kernel's modules. Even though the NIC module is built for the new kernel, the initramfs may still contain the old kernel's modules or lack the new module entirely, preventing it from being loaded during early boot. Running `dracut -f` (or `update-initramfs -u` on Debian-based systems) rebuilds the initramfs to match the current kernel, ensuring the NIC module is available at boot time.

Exam trap

The trap here is that candidates assume loading the module with modprobe (Option A) will fix the issue, but they overlook that the module must be available in the initramfs to be loaded during early boot before the root filesystem is accessible.

How to eliminate wrong answers

Option A is wrong because modprobe loads a module at runtime, but the issue occurs during boot before the root filesystem is mounted; the module must be present in the initramfs to be loaded early. Option C is wrong because udev rules handle device naming and permissions after the kernel has detected the hardware, but they do not cause the kernel to fail to detect the NIC; the problem is that the module is not loaded at all. Option D is wrong because reinstalling the kernel package would simply reapply the same kernel files; it does not rebuild the initramfs, which is the specific step needed to include the updated module.

72
Multi-Selecteasy

Which TWO commands display disk usage information for filesystems? (Select 2.)

Select 2 answers
A.ls
B.du
C.parted
D.df
E.fdisk
AnswersB, D

du estimates file and directory space usage.

Why this answer

Options B (du) and D (df) are correct. df shows filesystem-level usage, while du shows per-directory usage. ls, fdisk, and parted do not primarily show disk usage.

73
MCQmedium

An administrator views the exhibit output. Which command should be used first to investigate why sshd failed?

A.systemctl status sshd.service
B.systemctl restart sshd.service
C.journalctl -u sshd.service
D.systemctl list-units
AnswerC

Shows the service logs for diagnosis.

Why this answer

The `journalctl -u sshd.service` command is the correct first step because it displays the systemd journal logs specifically for the sshd service, providing detailed error messages and timestamps that explain why the service failed. This diagnostic approach follows the principle of checking logs before attempting to restart or modify a service, as the logs contain the root cause information needed for troubleshooting.

Exam trap

The trap here is that candidates often jump to `systemctl status` or `systemctl restart` out of habit, not realizing that the journal logs provide the specific error details needed to diagnose a failure, and that restarting without investigation can hide the root cause.

How to eliminate wrong answers

Option A is wrong because `systemctl status sshd.service` shows the current state and recent log tail, but it may not show the full historical log output needed to diagnose a failure that occurred earlier. Option B is wrong because `systemctl restart sshd.service` attempts to restart the service without first understanding why it failed, which could mask the underlying issue or cause repeated failures. Option D is wrong because `systemctl list-units` lists all loaded units and their states, but it does not provide any diagnostic details about why a specific service like sshd failed.

74
MCQhard

A Linux server that hosts a critical database application has been experiencing occasional kernel panics. The administrator wants to ensure the system automatically reboots after a panic and logs the crash dump. Which sysctl parameter should be set?

A.kernel.panic_on_warn = 10
B.kernel.panic_on_oops = 10
C.kernel.panic_print = 10
D.kernel.panic = 10
AnswerD

Sets seconds before reboot after panic.

Why this answer

Option D is correct because setting `kernel.panic = 10` instructs the Linux kernel to wait 10 seconds after a kernel panic before automatically rebooting. This ensures the system recovers without manual intervention, and combined with a configured crash dump mechanism (e.g., kdump), the crash dump is captured before the reboot.

Exam trap

CompTIA often tests the distinction between parameters that cause a panic (`panic_on_oops`, `panic_on_warn`) and the parameter that controls the reboot delay after a panic (`kernel.panic`), leading candidates to confuse the cause with the recovery action.

How to eliminate wrong answers

Option A is wrong because `kernel.panic_on_warn` controls whether the kernel panics on a warning (WARN()), not the reboot behavior after a panic; setting it to 10 would be invalid as it expects 0 or 1. Option B is wrong because `kernel.panic_on_oops` determines if the kernel panics on an oops (a non-fatal error), not the timeout before reboot; it also expects a boolean value (0 or 1), not 10. Option C is wrong because `kernel.panic_print` controls the verbosity of kernel messages printed during a panic, not the reboot action or delay.

75
MCQhard

An administrator is troubleshooting a web server that is not accessible from the internet. The server is running on port 80. Based on the iptables output, which of the following is the MOST likely reason?

A.The HTTP rule only allows traffic from the internal network.
B.The SSH rule is blocking HTTP traffic.
C.The loopback interface is not accepting traffic.
D.The default INPUT policy is DROP.
AnswerA

The rule for port 80 sources from 192.168.1.0/24, so internet traffic is blocked.

Why this answer

The iptables output shows an HTTP rule that explicitly matches traffic from the internal network (e.g., 192.168.1.0/24) and does not include a rule allowing HTTP traffic from external (internet) sources. Since the web server is running on port 80 but the only HTTP rule restricts source IPs to the internal subnet, traffic from the internet is not matched by any ACCEPT rule and will be subject to the default policy. This is the most likely reason the server is inaccessible from the internet.

Exam trap

CompTIA often tests the misconception that a default DROP policy is the primary cause of connectivity issues, when in fact a specific rule with an overly restrictive source or destination match is the actual problem.

How to eliminate wrong answers

Option B is wrong because SSH rules (typically port 22) do not block HTTP traffic; iptables rules are evaluated sequentially, and an SSH rule would only affect SSH packets, not HTTP packets on port 80. Option C is wrong because the loopback interface (lo) is used for local communication within the host, not for external internet traffic; its ACCEPT or DROP status does not affect inbound HTTP connections from the internet. Option D is wrong because the default INPUT policy being DROP would only apply to packets that do not match any existing rule; if the HTTP rule were correctly allowing all sources, the default policy would not block internet traffic, but here the HTTP rule itself restricts the source, so the issue is the rule's source limitation, not the default policy.
