CompTIA Linux+ XK0-005 (XK0-005) — Questions 676–750

981 questions total · 14 pages · All types, answers revealed

Page 10 of 14
676
Multi-Select · medium

Which THREE are valid methods to view logs in a systemd-based system?

Select 3 answers
A. cat /var/log/messages
B. journalctl
C. journalctl -u sshd
D. systemctl status sshd
E. dmesg
Answers: B, C, E

Displays the systemd journal.

Why this answer

B is correct because `journalctl` is the primary command for querying the systemd journal, which is the default logging system on systemd-based distributions. The journal stores structured, binary logs, and `journalctl` offers advanced filtering and is the direct way to view them.

Exam trap

The trap here is that candidates confuse `systemctl status` (which shows a brief log snippet) with a full log viewing method, or they assume legacy syslog files like `/var/log/messages` are always present and authoritative on systemd-based systems.

677
MCQ · hard

Refer to the exhibit. A technician sees that the httpd service has failed. Which command was used to view the detailed error log shown in the exhibit?

A. systemctl status httpd
B. journalctl -u httpd
C. tail -f /var/log/messages
D. systemctl show httpd
Answer: B

The output format matches journalctl filtered by service unit.

Why this answer

The `journalctl -u httpd` command is correct because it queries the systemd journal for logs specifically associated with the `httpd` unit. The exhibit shows a detailed error log with timestamps, process IDs, and error messages, which is exactly the output format of `journalctl` when filtering by a unit. This command provides the most comprehensive view of the service's recent failures, including kernel and application-level errors.

Exam trap

The trap here is that candidates often confuse `systemctl status httpd` (which shows a brief log tail) with `journalctl -u httpd` (which shows the full journal history), leading them to choose A when the exhibit clearly shows a detailed, multi-line error log that only `journalctl` can provide.

How to eliminate wrong answers

Option A is wrong because `systemctl status httpd` shows the current state, recent log tail, and process information, but it does not display the full, detailed error log with multiple entries as shown in the exhibit; it only shows a few of the most recent log lines. Option C is wrong because `tail -f /var/log/messages` follows the system log file in real time, but it is not specific to the `httpd` service and does not filter by unit; it would show all system messages, not just those from httpd. Option D is wrong because `systemctl show httpd` displays the unit's properties and configuration parameters (e.g., environment, dependencies), not its runtime logs or error messages.

678
Multi-Select · easy

Which two commands can be used to view the SELinux context of files or processes?

Select 2 answers
A. chcon
B. getenforce
C. setenforce
D. ps auxZ
E. ls -Z
Answers: D, E

ps auxZ displays the SELinux context of processes.

Why this answer

Option D is correct because `ps auxZ` displays the SELinux context for each running process, showing the user, role, type, and sensitivity level associated with the process. Option E is correct because `ls -Z` shows the SELinux context of files and directories, including the security label that defines access controls. Both commands are standard Linux utilities that expose the SELinux security context attribute.

Exam trap

The trap here is that candidates may confuse commands that change SELinux contexts or modes (chcon, setenforce) with those that display contexts, or they may think `getenforce` shows context details when it only shows the enforcement state.

679
MCQ · medium

A system is experiencing high load average. The administrator runs 'vmstat 1 5' and sees a high 'wa' value. What does this indicate?

A. High disk I/O wait
B. High memory swapping activity
C. High CPU usage by user processes
D. High network I/O
Answer: A

wa stands for I/O wait time.

Why this answer

The 'wa' column in vmstat output indicates the percentage of time the CPU is waiting for I/O operations to complete. A high 'wa' value means the CPU is idle because it is blocked waiting for disk I/O, which directly points to high disk I/O wait. This is a classic indicator of a storage bottleneck.

Exam trap

The trap here is that candidates confuse 'wa' with memory swapping or CPU usage, but vmstat columns are distinct: 'wa' is specifically I/O wait, while swapping is shown in 'si' and 'so', and CPU usage in 'us' and 'sy'.

How to eliminate wrong answers

Option B is wrong because high memory swapping activity is indicated by high 'si' (swap in) and 'so' (swap out) columns in vmstat, not the 'wa' column. Option C is wrong because high CPU usage by user processes is shown in the 'us' column, not 'wa'. Option D is wrong because high network I/O is not directly measured by vmstat; it would be diagnosed using tools like netstat or iftop, and 'wa' specifically reflects disk I/O wait, not network.

680
MCQ · easy

Which command creates a symbolic link named 'link.txt' that points to 'original.txt'?

A. symlink original.txt link.txt
B. ln -s original.txt link.txt
C. ln original.txt link.txt
D. ln -s link.txt original.txt
Answer: B

Correct syntax for symbolic link.

Why this answer

`ln -s target link_name` creates a symbolic link.

681
MCQ · easy

A technician needs to identify the network interface configuration and IP address of a system. Which command provides the most comprehensive output for this task?

A. nmcli dev show
B. ip addr show
C. netstat -i
D. ifconfig
E. hostname -I
Answer: B

Shows all interfaces with IP addresses.

Why this answer

The `ip addr show` command is the most comprehensive because it displays all network interfaces along with their IP addresses (IPv4 and IPv6), MAC addresses, MTU, state (UP/DOWN), and additional flags. It is part of the modern `iproute2` suite, which is the standard for Linux network configuration and supersedes older tools like `ifconfig`.

Exam trap

The trap here is that candidates often choose `ifconfig` out of habit, not realizing it is deprecated and may not show all interfaces or IPv6 addresses, whereas `ip addr show` is the comprehensive, modern standard.

How to eliminate wrong answers

Option A is wrong because `nmcli dev show` focuses on NetworkManager-managed devices and shows detailed connection profiles, but it may not display raw interface state or all IP addresses if NetworkManager is not in use. Option C is wrong because `netstat -i` only shows a summary of interface statistics (packets, errors, drops) and does not list IP addresses or detailed configuration. Option D is wrong because `ifconfig` is deprecated and often does not show all interfaces (e.g., it may omit virtual or bridge interfaces) and lacks modern features like IPv6 address display without additional flags.

Option E is wrong because `hostname -I` only outputs the system's IP addresses (all configured addresses) without any interface names, flags, or additional configuration details.

682
MCQ · medium

Refer to the exhibit. A Linux administrator created a systemd service file for a custom script. When starting the service, it fails with 'Unit myservice.service entered failed state.' Which of the following is the most likely cause?

A. The ExecStart path is relative
B. The service type should be forking
C. The service file lacks an [Install] section
D. The Requires directive is missing
Answer: A

Systemd requires absolute paths; a relative path causes the service to fail.

Why this answer

The most likely cause is that the ExecStart path is relative. Systemd requires absolute paths for ExecStart directives; a relative path (e.g., `./script.sh` or just `script.sh`) will cause the unit to fail immediately because systemd cannot resolve the executable location. The error 'entered failed state' typically results from this path resolution failure.

Exam trap

CompTIA often tests the requirement for absolute paths in ExecStart, and the trap here is that candidates may assume relative paths are acceptable or that the [Install] section is mandatory for starting a service, when in fact it is only for enabling.

How to eliminate wrong answers

Option B is wrong because changing the service type to 'forking' would not fix a missing absolute path; forking is used for daemons that spawn child processes and requires a PIDFile, but the immediate failure here is due to the ExecStart path issue. Option C is wrong because the [Install] section is only needed for enabling the service to start at boot (via systemctl enable), not for starting the service manually; the service can start without it. Option D is wrong because the Requires directive is optional and used to declare dependency on other units; its absence does not cause a start failure—it simply means no hard dependency is enforced.

683
MCQ · easy

A Bash script contains the following code: `if [[ $# -eq 0 ]]; then echo 'No arguments'; fi`. What does this code check?

A. Whether the first argument is empty
B. Whether the script was called with no arguments
C. Whether the script has any syntax errors
D. Whether the script is running as root
Answer: B

Correct. $# -eq 0 means zero arguments.

Why this answer

The $# variable holds the number of positional parameters passed to the script. The condition checks if it equals 0, meaning no arguments were provided.

684
MCQ · hard

A DevOps engineer wants to reduce the size of a Docker image by combining build stages. Which Dockerfile feature should be used?

A. RUN --mount=type=cache
B. Layer caching
C. Multi-stage builds (multiple FROM statements)
D. Using a smaller base image like Alpine
Answer: C

Copies only needed artifacts to final image.

Why this answer

Multi-stage builds, implemented by using multiple FROM statements in a single Dockerfile, allow a DevOps engineer to copy only the necessary artifacts from intermediate build stages into the final image. This eliminates build-time dependencies, tools, and intermediate layers from the final image, significantly reducing its size without sacrificing build functionality.

Exam trap

The trap here is that candidates confuse layer caching (a performance feature) with multi-stage builds (a size-reduction feature), or they assume using a smaller base image alone achieves the same result as eliminating entire build stages.

How to eliminate wrong answers

Option A is wrong because RUN --mount=type=cache is used to persist package manager caches across builds to speed up subsequent builds, not to reduce the final image size by combining build stages. Option B is wrong because layer caching is a performance optimization that reuses unchanged layers from previous builds to accelerate rebuilds, but it does not reduce the size of the final image by combining stages. Option D is wrong because using a smaller base image like Alpine reduces the starting size of the image, but it does not combine build stages or eliminate intermediate build artifacts; multi-stage builds are the specific feature for that purpose.

685
MCQ · easy

A junior administrator accidentally modified the /etc/sudoers file and now users report not being able to use sudo. Which command should be used to safely edit the sudoers file?

A. visudo
B. chmod 400 /etc/sudoers
C. echo 'user ALL=(ALL) ALL' >> /etc/sudoers
D. usermod -aG wheel user
Answer: A

visudo safely edits /etc/sudoers with syntax checking and file locking.

Why this answer

The `visudo` command is the correct and safe way to edit the `/etc/sudoers` file because it locks the file against concurrent edits, performs syntax validation before saving, and prevents saving a malformed configuration that could break sudo entirely. This ensures that even if the administrator makes a mistake, the original valid file is preserved, avoiding the exact scenario described where users lose sudo access.

Exam trap

The trap here is that candidates may think any method that writes to the file (like `echo` or `chmod`) can fix the issue, but only `visudo` provides the syntax validation and locking necessary to safely edit the sudoers file without breaking sudo.

How to eliminate wrong answers

Option B is wrong because `chmod 400 /etc/sudoers` sets the file to read-only for the owner, which does not repair syntax errors or restore functionality; it only changes permissions and may even prevent `visudo` from writing a corrected file. Option C is wrong because using `echo` with a redirect appends text without any syntax checking, and if the appended line is malformed or duplicates entries, it can corrupt the file and break sudo. Option D is wrong because `usermod -aG wheel user` adds a user to the wheel group, which is unrelated to fixing a broken sudoers file; it does not validate or repair the syntax of `/etc/sudoers`.

686
MCQ · hard

After a kernel upgrade, the system fails to boot. Which file should be edited to configure GRUB2 to boot into the previous kernel version by default?

A. /etc/grub.d/40_custom
B. /boot/grub/grub.conf
C. /boot/grub2/grub.cfg
D. /etc/default/grub
Answer: D

Correct configuration file for GRUB2 defaults.

Why this answer

The correct answer is D, /etc/default/grub, because this file contains the GRUB2 configuration variables (such as GRUB_DEFAULT) that control which kernel is booted by default. After editing this file, you must run 'grub2-mkconfig -o /boot/grub2/grub.cfg' to regenerate the boot configuration, which sets the previous kernel as the default entry.

Exam trap

The trap here is that candidates confuse the manually editable configuration file (/etc/default/grub) with the generated boot file (/boot/grub2/grub.cfg), leading them to incorrectly edit the latter directly.

How to eliminate wrong answers

Option A is wrong because /etc/grub.d/40_custom is a script used to add custom menu entries, not to set the default boot kernel. Option B is wrong because /boot/grub/grub.conf is the configuration file for GRUB Legacy (version 0.97), not GRUB2, which is used in modern Linux distributions. Option C is wrong because /boot/grub2/grub.cfg is the generated boot configuration file that should not be edited manually; changes must be made via /etc/default/grub and regenerated with grub2-mkconfig.

687
MCQ · medium

Refer to the exhibit. An administrator wants to optimize a server running a high-throughput database application. Which command should be used to apply the recommended profile?

A. sudo tuned-adm profile throughput-performance
B. sudo tuned-adm profile balanced
C. sudo tuned-adm off
D. sudo systemctl set-default tuned
Answer: A

This applies the recommended profile.

Why this answer

The tuned-adm recommend command suggests 'throughput-performance', which is suitable for database workloads. The correct command to apply it is 'tuned-adm profile throughput-performance'.

688
MCQ · hard

Refer to the exhibit. A backup script fails every 5 minutes. Which is the most likely cause?

A. The backup script lacks write permission to the destination directory or file.
B. The mount point /mnt/backup is not accessible.
C. The cron job is running too frequently, causing a race condition.
D. The backup script is not executable.
Answer: A

The log explicitly states 'Permission denied writing to /mnt/backup/backup.tar.gz'.

689
MCQ · hard

An administrator is tasked with creating a systemd service that runs a Python script after the network is available. The script must restart automatically if it fails. Which systemd service unit directive should be used to ensure restart on failure?

A. Restart=always
B. RemainAfterExit=yes
C. Restart=on-failure
D. RestartSec=5
Answer: C

Restarts the service only when the process exits with a non-zero exit status or is terminated by a signal.

Why this answer

The `Restart=on-failure` directive instructs systemd to restart the service unit only when the process exits with a non-zero exit code, is terminated by a signal (including SIGKILL), or times out. This is the correct choice because the requirement is to restart the script only if it fails, not unconditionally. Using `Restart=always` would restart the service even after a clean exit, which is unnecessary and could mask intentional stops.

Exam trap

CompTIA often tests the distinction between `Restart=always` and `Restart=on-failure`, trapping candidates who assume that 'always' is the safest choice without reading the exact failure condition requirement.

How to eliminate wrong answers

Option A is wrong because `Restart=always` causes the service to restart regardless of the exit status, including normal clean exits, which does not match the requirement to restart only on failure. Option B is wrong because `RemainAfterExit=yes` indicates that the service is considered active even after the main process exits, but it does not control restart behavior on failure. Option D is wrong because `RestartSec=5` specifies a delay (5 seconds) before attempting a restart, but it is not a restart condition directive; it only modifies the timing when used with a `Restart=` setting.

690
MCQ · hard

An administrator needs to ensure that only users from the 'ops' group can SSH into a server. Which configuration in /etc/ssh/sshd_config accomplishes this?

A. AllowGroups ops
B. Match Group ops DenyUsers *
C. AllowUsers ops
D. DenyUsers all
Answer: A

Correct: AllowGroups restricts by group membership.

Why this answer

The `AllowGroups` directive in `/etc/ssh/sshd_config` restricts SSH access to only users who are members of the specified group. By setting `AllowGroups ops`, only users belonging to the 'ops' group will be permitted to log in via SSH, which directly meets the requirement.

Exam trap

The trap here is confusing `AllowUsers` (which matches usernames) with `AllowGroups` (which matches group membership), leading candidates to select option C when the requirement specifies group-based restriction.

How to eliminate wrong answers

Option B is wrong because `Match Group ops DenyUsers *` would deny all users (including those in 'ops') when the group matches, effectively blocking everyone. Option C is wrong because `AllowUsers ops` restricts access to a user named 'ops', not to members of the 'ops' group. Option D is wrong because `DenyUsers all` is invalid syntax (the correct directive is `DenyUsers` followed by specific usernames, not the keyword 'all'), and it would not achieve group-based restriction.

691
MCQ · medium

A security policy requires that SSH access be allowed only from the internal management subnet 10.10.10.0/24. Which firewalld rich rule should be added?

A. firewall-cmd --permanent --add-port=22/tcp --add-source=10.10.10.0/24
B. firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.10.10.0/24" service name="ssh" accept'
C. firewall-cmd --add-source=10.10.10.0/24 --add-service=ssh
D. iptables -A INPUT -s 10.10.10.0/24 -p tcp --dport 22 -j ACCEPT
Answer: B

This rich rule binds the source address to the SSH service.

Why this answer

Option B is correct because it uses the firewalld rich-rule syntax to explicitly define an IPv4 rule that accepts SSH traffic only from the 10.10.10.0/24 source subnet. Rich rules provide granular control over source addresses, services, and actions, which is required by the security policy. The `--add-rich-rule` option allows specifying the rule family, source address, service name, and accept action in a single, persistent rule.

Exam trap

The trap here is that candidates confuse `--add-source` (which binds a source to a zone) with a rule filter, or they think `--add-port` combined with `--add-source` creates a source-restricted port rule, when in fact firewalld requires a rich rule to enforce source-based service restrictions.

How to eliminate wrong answers

Option A is wrong because `--add-port=22/tcp --add-source=10.10.10.0/24` is not valid firewalld syntax; `--add-source` is a zone-level option that sets a source binding, not a rule filter, and `--add-port` opens the port to all sources, ignoring the intended restriction. Option C is wrong because `--add-source=10.10.10.0/24 --add-service=ssh` adds the source to a zone and enables the SSH service for the entire zone, but does not restrict SSH access to only that source; it allows SSH from any source that matches the zone's default rules. Option D is wrong because it uses `iptables` directly, which bypasses firewalld's management and dynamic zone logic; the question specifically asks for a firewalld rich rule, and direct iptables commands are not integrated with firewalld's persistent configuration.

692
MCQ · hard

An administrator notices that a custom application uses port 8443/TCP. To allow external access, which firewalld command permanently opens this port in the default zone?

A. firewall-cmd --add-port=8443/tcp --permanent
B. firewall-cmd --add-service=8443/tcp --zone=public --permanent
C. firewall-cmd --add-port=8443 --permanent
D. firewall-cmd --permanent --add-port=8443
Answer: A

Correct. Opens port 8443/tcp permanently.

Why this answer

The correct command is firewall-cmd --permanent --add-port=8443/tcp. The --permanent flag makes it persistent, --add-port opens the port, and the syntax includes protocol. --add-service is for predefined services, not port numbers.

693
MCQ · medium

A developer runs a web application inside a Podman container. The application logs HTTP requests to stdout in JSON format. The operations team wants to centralize these logs by forwarding them to a remote syslog server. The administrator considers several approaches. Which approach is the most reliable and recommended way to forward container logs to syslog without modifying the application?

A. Use a cron job to run `podman logs -f` and pipe the output to `logger`.
B. Use `journalctl -u container-name` to export logs via a syslog forwarder.
C. Use `podman exec` to run a log shipper inside the container.
D. Configure the application to write logs to a file in a mounted volume, and have the host's syslog daemon tail that file.
Answer: D

This is a reliable and recommended approach.

Why this answer

Option D is the most reliable and recommended approach because it decouples log collection from the container runtime by having the application write logs to a file in a host-mounted volume, and then the host's syslog daemon (e.g., rsyslog or syslog-ng) tails that file using a module like `imfile`. This method does not require modifying the application, avoids dependency on Podman's log driver, and ensures logs are forwarded even if the container restarts or crashes.

Exam trap

Cisco often tests the misconception that `podman logs -f` or `journalctl` are suitable for production log forwarding, but they fail to account for reliability, persistence, and the requirement to avoid modifying the application.

How to eliminate wrong answers

Option A is wrong because `podman logs -f` streams logs from the container's stdout, but using a cron job to run it and pipe to `logger` is unreliable—cron jobs are not designed for continuous streaming, and the process would terminate after each run, missing logs between executions. Option B is wrong because `journalctl -u container-name` reads logs from systemd-journald, but Podman containers do not automatically log to journald unless explicitly configured with `--log-driver journald`, and even then, exporting via a syslog forwarder adds unnecessary complexity and potential log loss if the container's log driver is not set. Option C is wrong because `podman exec` runs a command inside the container, but running a log shipper inside the container would require modifying the container image or runtime environment, which contradicts the requirement of not modifying the application, and it introduces a dependency on the container's internal state.

694
MCQ · easy

You are a systems administrator for a small company. The company uses a Linux server running Ubuntu 22.04 LTS that hosts a web application and a PostgreSQL database. The server has two network interfaces: eth0 (public IP) and eth1 (private IP). The web application listens on port 443 (HTTPS) on eth0, and the PostgreSQL database listens on port 5432 on eth1. The company security policy requires that only the web application should be accessible from the internet; all other ports must be blocked on the public interface. Additionally, SSH access should be allowed only from the internal network (192.168.1.0/24). The current iptables rules are as follows:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

There are no other rules. You need to implement the security policy using iptables. Which of the following sets of commands will achieve the required security policy?

A. iptables -P INPUT DROP
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
   iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
   iptables -A INPUT -i eth1 -j ACCEPT
B. iptables -P INPUT DROP
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
   iptables -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
   iptables -A INPUT -i eth1 -j ACCEPT
C. iptables -P INPUT DROP
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
   iptables -A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
   iptables -A INPUT -i eth1 -j ACCEPT
D. iptables -P INPUT DROP
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
   iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
   iptables -A INPUT -i eth1 -j ACCEPT
Answer: A

This correctly implements the policy.

Why this answer

Option A is correct because it sets the default policy to DROP, allows established/related connections, permits HTTPS (port 443) on eth0, restricts SSH (port 22) to the internal network (192.168.1.0/24) on eth1, and then allows all traffic on eth1. This ensures that only the web application is accessible from the internet, SSH is limited to the internal network, and all internal traffic on eth1 is permitted, including PostgreSQL on port 5432.

Exam trap

The trap here is that candidates often forget to allow all traffic on the internal interface (eth1) after setting a default DROP policy, mistakenly thinking that only specific ports need to be opened, which would block essential internal services like PostgreSQL.

How to eliminate wrong answers

Option B is wrong because it places the SSH rule before the HTTPS rule, but more critically, it does not include a rule to allow all traffic on eth1, which would block internal services like PostgreSQL. Option C is wrong because it is identical to Option B and also lacks the rule to allow all traffic on eth1, thus blocking internal database access. Option D is wrong because it allows SSH from any source (no -i eth1 or -s 192.168.1.0/24 restriction), violating the security policy that SSH should only be allowed from the internal network.

695
MCQ · medium

An administrator needs to allow incoming TCP traffic on port 8443 using firewalld. Which command should be used to make this change persistent?

A. firewall-cmd --zone=public --add-port=8443/tcp
B. firewall-cmd --add-service=8443/tcp --permanent
C. firewall-cmd --add-port=8443/tcp
D. firewall-cmd --add-port=8443/tcp --permanent && firewall-cmd --reload
Answer: D

Adds port persistently and reloads to apply.

Why this answer

To add a port, use firewall-cmd --add-port=8443/tcp --permanent and then reload.

696
MCQ · easy

The backup script above always outputs 'Backup failed' even when the tar command succeeds. Which of the following is the cause?

A. The tar command should use -czvf
B. The if statement syntax is wrong
C. The variable &? is not defined
D. The correct variable is $? not &?
Answer: D

The script incorrectly uses &? instead of the correct $? variable.

Why this answer

The script uses `&?` to reference the exit status of the `tar` command, but the correct shell variable is `$?`. The `$?` variable holds the exit code of the last executed command (0 for success, non-zero for failure). Using `&?` is a syntax error that results in an empty or invalid value, causing the `if` statement to always evaluate to false (or treat the condition as non-zero), thus always printing 'Backup failed'.

Exam trap

CompTIA often tests the distinction between `$?` and common typos like `&?` or `?$`, exploiting the fact that candidates may overlook the exact syntax of shell special variables and assume any symbol before `?` works.

How to eliminate wrong answers

Option A is wrong because `-czvf` is a valid set of flags for `tar` (create, gzip, verbose, file) and would not cause the script to always output 'Backup failed' if the command succeeds; the issue is not with the tar flags. Option B is wrong because the `if` statement syntax (`if [ condition ]; then ... fi`) is correct; the problem lies in the variable name used inside the condition, not the structure of the if statement. Option C is wrong because `&?` is not a defined variable in bash; the shell does not have a built-in variable named `&?`, and using it does not trigger a special behavior—it simply evaluates to an empty string, which breaks the logic.

697
Multi-Select · hard

A server crashed with a kernel panic. After reboot, the administrator wants to analyze the crash dump. Which THREE actions should be taken to ensure a valid core dump is captured and accessible? (Choose THREE.)

Select 3 answers
A. Configure a dump target in /etc/kdump.conf.
B. Enable and start the kdump service.
C. Set crashkernel=auto in the boot loader.
D. Install kernel-debuginfo packages.
E. Ensure /var/crash has a vmcore file.
Answers: A, B, C

The dump target (e.g., a partition or NFS mount) must be defined to write the core dump.

Why this answer

Option A is correct because /etc/kdump.conf specifies where the crash dump should be saved (e.g., to a local disk, NFS, or SSH target). Without a configured dump target, the kdump mechanism does not know where to write the vmcore file, making the dump inaccessible after a kernel panic.

Exam trap

The trap here is that candidates confuse post-crash verification (checking for a vmcore file) with pre-crash configuration steps, or they mistakenly think debuginfo packages are required for capturing the dump rather than for later analysis.

698
Multi-Select · hard

An administrator notices that a user's crontab file is not executing. Which two commands can the administrator use to verify the user's crontab configuration? (Select TWO.)

Select 2 answers
A. crontab -e -u username
B. crontab -l -u username
C. cat /var/spool/cron/crontabs/username
D. systemctl status cron
E. grep username /etc/crontab
Answers: B, C

Lists the contents of the specified user's crontab.

Why this answer

Option B is correct because `crontab -l -u username` lists the current crontab entries for the specified user, allowing the administrator to verify the configured jobs. Option C is correct because on many Linux distributions, user crontab files are stored as plain text files under `/var/spool/cron/crontabs/username`, and reading that file directly shows the same content. Both commands let the administrator inspect the exact cron schedule and commands for that user.

Exam trap

The trap here is that candidates confuse commands that verify the cron daemon's status (like `systemctl status cron`) with commands that inspect the actual crontab content, or they mistakenly think editing (`-e`) is the same as listing (`-l`).

699
MCQ · medium

An Ansible playbook is being written to install the Nginx web server on a group of Ubuntu servers. Which module should be used in the playbook to install the package?

A. apt
B. command
C. package
D. yum
Answer: A

apt is the correct module for Ubuntu.

Why this answer

The apt module is used for package management on Debian/Ubuntu systems.

700
MCQ · medium

A Linux administrator is writing a Bash script that needs to parse a CSV file line by line and extract the second field. Which of the following approaches is the most efficient?

A. Using a `while read` loop with IFS=','
B. Using `awk -F',' '{print $2}'`
C. Using `cut -d, -f2`
D. Using `sed` to extract the second column
Answer: B

awk is designed for text processing and can handle quoted fields with proper configuration.

Why this answer

Option B is correct because `awk` is purpose-built for field-based text processing; `awk -F',' '{print $2}'` efficiently splits each line by comma and prints the second field without needing an explicit loop. It handles edge cases like empty fields and large files with minimal overhead, making it the most efficient choice for CSV parsing in a script.

Exam trap

The trap here is that candidates often choose the `while read` loop (option A) because it seems straightforward and Bash-native, but they overlook the severe performance penalty and fragility with quoted fields, while `awk` is the correct, efficient, and robust solution for field parsing in Linux scripting exams.

How to eliminate wrong answers

Option A is wrong because a `while read` loop with IFS=',' is significantly slower on large files due to the overhead of spawning a subshell and reading line by line, and it can mishandle lines with quoted commas or trailing spaces. Option C is wrong because `cut -d, -f2` cannot handle quoted fields containing commas (e.g., 'field1,"field,2",field3') and will incorrectly split such lines. Option D is wrong because `sed` is a stream editor designed for line-oriented text transformations, not field extraction; using `sed` to isolate the second column requires complex regex patterns that are error-prone and less efficient than `awk`.

701
MCQ · medium

In a bash script, an administrator wants to check if a file exists and is readable. Which of the following test expressions accomplishes this?

A. [ -e file -a -w file ]
B. test -d file -o -r file
C. [[ -f file && -x file ]]
D. [ -f file -a -r file ]
Answer: D

This correctly checks both conditions using the -a operator.

Why this answer

Option D is correct because the test expression `[ -f file -a -r file ]` uses the `-f` flag to check that the file exists and is a regular file, and the `-a` logical AND operator combined with the `-r` flag verifies that the file is readable by the current user. This matches the administrator's requirement exactly.

Exam trap

Cisco often tests the confusion between file test operators (e.g., `-r` vs `-w` vs `-x`) and the misuse of logical operators (`-a` vs `-o`), leading candidates to select options that check the wrong attribute or combine conditions incorrectly.

How to eliminate wrong answers

Option A is wrong because `[ -e file -a -w file ]` checks if the file exists (`-e`) and is writable (`-w`), not readable. Option B is wrong because `test -d file -o -r file` checks if the file is a directory (`-d`) OR is readable (`-r`), which does not require both conditions and does not verify existence as a regular file. Option C is wrong because `[[ -f file && -x file ]]` checks if the file exists as a regular file (`-f`) AND is executable (`-x`), not readable.

702
MCQ · easy

Which command shows the IP address, link status, and other configuration details for all network interfaces on a Linux system?

A. nmcli dev status
B. cat /etc/network/interfaces
C. ip addr
D. ifconfig -a
Answer: C

Correct: ip addr displays interface configuration.

Why this answer

ip addr shows IP addresses and link information for all interfaces.

703
Multi-Select · medium

Which two of the following are valid methods to pass environment variables to a Docker container at runtime? (Select TWO.)

Select 2 answers
A. Defining variables in a .env file and using --env-file
B. Using the -e option in docker run
C. Using the ENV instruction in the Dockerfile
D. Using the export command inside the container
E. Using the ARG instruction in the Dockerfile
Answers: A, B

The --env-file option loads environment variables from a file at runtime.

Why this answer

Option A is correct because the `--env-file` flag in `docker run` allows you to pass environment variables from a file (typically a `.env` file) to the container at runtime. This method is useful for managing multiple variables without cluttering the command line and supports variable substitution and quoting rules as defined by Docker.

Exam trap

CompTIA often tests the distinction between build-time instructions (`ENV`, `ARG`) and runtime options (`-e`, `--env-file`), so the trap here is confusing the `ENV` instruction in the Dockerfile (which sets variables at build time) with the `-e` option (which sets variables at runtime).

704
MCQ · easy

An administrator wants to view the current SELinux mode on a system. Which command displays whether SELinux is enforcing, permissive, or disabled?

A. seinfo
B. sestatus
C. getenforce
D. getsebool -a
Answer: C

getenforce returns Enforcing, Permissive, or Disabled.

Why this answer

The `getenforce` command directly displays the current SELinux mode as either 'Enforcing', 'Permissive', or 'Disabled'. It reads the enforcing status from the kernel's SELinux state and outputs the mode in a simple, single-word format, making it the correct choice for this task.

Exam trap

The trap here is that candidates often confuse `sestatus` (which shows the mode among many details) with `getenforce` (which is the dedicated command for just the mode), leading them to choose the more familiar but less precise option.

How to eliminate wrong answers

Option A is wrong because `seinfo` is used to query SELinux policy components (such as types, roles, and users) and does not display the current enforcement mode. Option B is wrong because `sestatus` provides a detailed status report of SELinux, including the current mode, but the question specifically asks for a command that displays whether SELinux is enforcing, permissive, or disabled; while `sestatus` can show this, it is not the most direct command for just the mode, and `getenforce` is the standard utility for that single piece of information. Option D is wrong because `getsebool -a` lists all SELinux boolean values and their current state, not the enforcement mode.

705
MCQ · hard

A developer needs to grant a colleague read and write access to a directory /project, but the colleague should not have permission to delete any files created by the developer. The developer wants to set the directory so that all new files created in it automatically belong to the group 'project' and are writable by group. Which combination of configuration should be used?

A. chmod g+s /project && setfacl -m default:g:project:rw /project
B. chmod 1770 /project && usermod -aG project colleague
C. chmod g+s /project && setfacl -m g:project:rwx /project
D. chown .project /project && chmod 2775 /project
Answer: A

Setgid ensures new files inherit project group; default ACL ensures new files have group rw permissions.

Why this answer

Option A is correct because it combines the setgid bit (`chmod g+s`) on the directory, which ensures new files inherit the group 'project', with a default ACL (`setfacl -m default:g:project:rw`) that grants read and write permissions to the group on newly created files. This setup gives the colleague (who is a member of the 'project' group) read/write access without delete permission on files owned by the developer, as the colleague cannot delete files they do not own unless the directory's sticky bit is set (which is not configured here).

Exam trap

Cisco often tests the distinction between an ACL applied to a directory versus a default ACL, where candidates mistakenly think a regular ACL on the directory will propagate to new files, but only default ACLs are inherited by newly created objects.

How to eliminate wrong answers

Option B is wrong because `chmod 1770` sets the sticky bit, which prevents users from deleting files they do not own, but it does not ensure new files inherit the group 'project' or are automatically group-writable; additionally, `usermod -aG project colleague` only adds the colleague to the group, which is necessary but insufficient without the setgid bit and default ACL. Option C is wrong because `setfacl -m g:project:rwx /project` sets an ACL on the directory itself, not a default ACL, so new files created inside will not automatically inherit the group 'project' permissions; the `rwx` also grants execute permission, which is not required for read/write access. Option D is wrong because `chown .project /project` changes the group ownership of the directory to 'project', and `chmod 2775` sets the setgid bit and permissions (rwx for owner, rwx for group, r-x for others), but this does not grant the colleague write access to new files created by the developer unless a default ACL is applied; the 2775 mode gives group write permission on the directory but not on new files, and the colleague could still delete files they own or if the directory permissions allow.

706
MCQ · hard

A Linux server runs a critical service managed by a systemd service unit. The administrator needs to configure the service to automatically restart if it crashes, but only up to 3 times within a 30-second window. If the service restarts more than 3 times in 30 seconds, systemd should stop attempting to restart and leave the service in a failed state. Which set of directives should be added to the [Service] section of the unit file to achieve this behavior?

A. `Restart=on-abort` and `MaxStartups=3`
B. `Restart=on-failure` and `StartLimitBurst=5` and `StartLimitIntervalSec=60`
C. `Restart=always` and `RestartSec=10`
D. `Restart=on-failure` and `StartLimitBurst=3` and `StartLimitIntervalSec=30`
Answer: D

This correctly limits restarts to 3 times within 30 seconds.

Why this answer

Option D is correct because it uses `Restart=on-failure` to trigger a restart only when the service crashes (not on other stops), combined with `StartLimitBurst=3` and `StartLimitIntervalSec=30` to limit restarts to 3 attempts within a 30-second window. When the burst limit is exceeded, systemd automatically places the unit in a failed state, exactly matching the requirement.

Exam trap

The trap here is that candidates often confuse `Restart=always` (which restarts on any exit, including intentional stops) with `Restart=on-failure` (which only restarts on crashes), or they misremember the default values of `StartLimitBurst` and `StartLimitIntervalSec`, leading them to pick options with incorrect burst counts or intervals.

How to eliminate wrong answers

Option A is wrong because `Restart=on-abort` only restarts the service if it terminates due to a signal that is not caught (e.g., SIGABRT), not on general crashes, and `MaxStartups` is not a valid systemd directive (it is used in sshd configuration, not unit files). Option B is wrong because `StartLimitBurst=5` and `StartLimitIntervalSec=60` would allow up to 5 restarts in 60 seconds, not the required 3 in 30 seconds. Option C is wrong because `Restart=always` restarts the service regardless of exit reason (including manual stops), and `RestartSec=10` only sets a delay between restarts, with no limit on the number of restart attempts, so the service would keep restarting indefinitely.

707
MCQ · easy

A user needs to view the first 15 lines of a large log file. Which command is most appropriate?

A. head -n 15 filename
B. cat filename | head -n 15
C. less -N 15 filename
D. tail -n 15 filename
Answer: A

Correct: head -n 15 shows the first 15 lines.

Why this answer

head -n 15 filename displays the first 15 lines of a file.

708
MCQ · easy

A developer wants to view the logs from a running Docker container named 'myapp'. Which docker command should be used?

A. docker logs myapp
B. docker ps myapp
C. docker exec myapp logs
D. docker inspect myapp
Answer: A

Correct. docker logs displays the logs of the container.

Why this answer

The 'docker logs' command fetches the logs of a container.

709
Multi-Select · medium

An administrator wants to gather information about disk usage for a specific directory and its subdirectories. Which TWO commands can be used for this purpose? (Choose two.)

Select 2 answers
A. du -sh /path
B. df -h /path
C. ls -lh /path
D. du -h /path
E. stat /path
Answers: A, D

Summarizes total disk usage of the directory.

Why this answer

du -sh /path gives a summary of total disk usage. du -h /path shows disk usage for each subdirectory in human-readable format. df shows filesystem-level usage, not directory-level.

710
MCQ · hard

A file has permissions rwxr-x--- and is owned by user alice and group devs. Which command would add the SUID bit while preserving existing permissions?

A. chmod a+s file
B. chmod u+s file
C. chmod 2755 file
D. chmod 4750 file
Answer: B

Adds SUID bit without altering other permissions.

Why this answer

chmod u+s adds the SUID bit. The symbolic mode 'u+s' sets the SUID without changing the existing permission bits.

711
MCQ · medium

A Kubernetes administrator needs to expose a deployment named 'webapp' as a service accessible externally on port 80. Which kubectl command should be used?

A. kubectl port-forward deployment/webapp 80:80
B. kubectl run webapp --port=80
C. kubectl expose deployment webapp --type=NodePort --port=80
D. kubectl create service clusterip webapp --port=80
Answer: C

NodePort exposes the service on a port accessible externally.

Why this answer

kubectl expose deployment webapp --type=NodePort --port=80 creates a service that exposes the deployment externally.

712
Multi-Select · hard

Which THREE of the following are valid methods to troubleshoot a service that fails to start?

Select 3 answers
A. Run the service executable manually from the command line to see error output.
B. Review the service logs using journalctl.
C. Check if the service's required dependencies are installed and running.
D. Run df -h to check disk space.
E. Reload the systemd daemon with systemctl daemon-reload.
Answers: A, B, C

Manual execution often gives direct error messages.

Why this answer

Option A is correct because running the service executable manually from the command line often reveals stderr output, error codes, or missing configuration details that are suppressed when the service is started by systemd. This direct execution bypasses the service manager's logging and can show immediate, unfiltered error messages that help pinpoint the failure reason.

Exam trap

The trap here is that candidates often confuse general system health commands (like `df -h`) with service-specific troubleshooting methods, or they think `systemctl daemon-reload` is a diagnostic step when it only reloads configuration without providing error details.

713
MCQ · easy

A DevOps engineer needs to automate the deployment of a microservice using Ansible. The playbook should install the latest version of nginx on all web servers. Which Ansible module should be used in the playbook?

A. service: name=nginx state=started
B. command: apt install nginx
C. apt: name=nginx state=latest
D. yum: name=nginx state=latest
Answer: C

The apt module with state=latest ensures the latest version is installed.

Why this answer

Option C is correct because the `apt` module is the proper Ansible module for managing packages on Debian-based systems, and `state=latest` ensures the most recent version of nginx is installed. This aligns with the requirement to automate deployment using Ansible's declarative package management rather than imperative shell commands.

Exam trap

The trap here is that candidates often confuse the `service` module (for managing service state) with package installation modules, or they default to the `command` module out of habit, missing Ansible's dedicated package modules that ensure idempotency and cross-platform compatibility.

How to eliminate wrong answers

Option A is wrong because the `service` module manages the state of a service (started/stopped), not the installation of a package; it assumes nginx is already installed. Option B is wrong because using the `command` module to run `apt install nginx` bypasses Ansible's idempotency and package state management, making the playbook fragile and non-declarative. Option D is wrong because the `yum` module is for Red Hat-based systems (using RPM), while the question does not specify the OS family; without context, `apt` is the safer choice for Debian/Ubuntu, and `yum` would fail on non-RHEL systems.

714
Multi-Select · medium

An administrator needs to update the package cache and upgrade all installed packages on a Debian-based system. Which TWO commands are appropriate for this task? (Select TWO.)

Select 2 answers
A. apt dist-upgrade
B. apt update
C. apt upgrade
D. dpkg --configure -a
E. apt list --upgradable
Answers: B, C

Updates the package index.

Why this answer

apt update refreshes the package cache; apt upgrade upgrades all packages. apt-get update and apt-get upgrade are also valid. The question asks for two commands; typically the sequence is update then upgrade. Both apt and apt-get are acceptable.

715
MCQ · hard

A company uses a Linux server running Ubuntu 22.04 LTS as a file server to share documents via Samba. The server has been in operation for over a year without issues. Following a routine system update that included kernel patches and updated Samba packages, users began reporting that they could no longer access any shared folders. The administrator verifies that the smbd and nmbd services are running and have not failed. The Samba configuration has not been changed recently. The server uses ufw as its firewall. When the administrator runs 'ufw status', the output shows that only SSH (port 22) is allowed. The administrator checks for SELinux but finds it is not installed; however, AppArmor is active and the smbd profile is in enforce mode. The administrator examines the AppArmor logs and finds no denials related to smbd. Which of the following is the most likely reason for the connectivity failure?

A. The firewall is blocking Samba ports 137, 138, 139, and 445.
B. The Samba configuration file was corrupted during the update.
C. The kernel update changed the default file system mount options, restricting access.
D. The AppArmor profile is preventing smbd from binding to network interfaces.
Answer: A

ufw only allows SSH; Samba ports are not permitted.

Why this answer

The firewall (ufw) is only allowing SSH (port 22), which means Samba ports 137/138 (NetBIOS), 139 (SMB over NetBIOS), and 445 (SMB over TCP) are blocked. Since the smbd and nmbd services are running and AppArmor shows no denials, the most likely cause is that the firewall rules were reset or not updated after the system update, preventing Samba traffic from reaching the server.

Exam trap

The trap here is that candidates may focus on AppArmor or SELinux because they are security modules, but the absence of denials in AppArmor logs and the explicit ufw output showing only SSH allowed points directly to the firewall as the culprit.

How to eliminate wrong answers

Option B is wrong because the administrator verified that the Samba configuration has not been changed recently, and the services are running without errors, so corruption is unlikely. Option C is wrong because kernel updates do not change default file system mount options; mount options are set in /etc/fstab or at mount time and are not altered by kernel patches. Option D is wrong because the administrator checked AppArmor logs and found no denials related to smbd, indicating the profile is not blocking network binding.

716
MCQ · easy

A system administrator wants to enforce a password policy requiring a minimum length of 12 characters, at least one uppercase letter, and one digit. Which PAM module should be configured?

A. pam_pwquality
B. pam_unix
C. pam_faillock
D. pam_tally2
Answer: A

pam_pwquality enforces password complexity rules.

Why this answer

pam_pwquality is the correct PAM module because it is specifically designed to enforce password complexity requirements, such as minimum length, uppercase letters, and digits, through configurable parameters like minlen, ucredit, and dcredit. It replaces the older pam_cracklib and is the standard module for password quality checks on modern Linux systems.

Exam trap

The trap here is that candidates confuse pam_unix (which handles authentication and password aging) with pam_pwquality (which enforces complexity), because both are commonly used together in password policies but serve distinct roles.

How to eliminate wrong answers

Option B (pam_unix) is wrong because it handles traditional Unix authentication (password hashing and verification) but does not enforce complexity rules like length or character classes. Option C (pam_faillock) is wrong because it is used for account lockout after failed login attempts, not for password composition policies. Option D (pam_tally2) is wrong because it also manages login failure counting and account locking, not password quality enforcement.

717
MCQ · hard

An administrator needs to deploy a set of microservices using Docker Compose. The services require configuration values that vary between development and production environments. Which approach allows the administrator to override values without modifying the docker-compose.yml file?

A. Define multiple services in one docker-compose.yml and use profiles.
B. Use environment variables in the Dockerfile and pass them via docker run -e.
C. Use the extends keyword in docker-compose.yml.
D. Use multiple compose files with the -f flag: docker-compose -f docker-compose.yml -f docker-compose.prod.yml up.
Answer: D

Correct. Multiple -f files allow overriding settings from the base file.

Why this answer

Docker Compose supports multiple compose files; using multiple -f options allows overriding values from the base file. Environment-specific files like docker-compose.override.yml are automatically used if present, but using explicit -f options is more flexible for different environments.

718
MCQ · hard

An administrator is tasked with setting up a new server that will run a time-sensitive application. The system must have accurate time synchronization. The administrator configures chronyd and adds four NTP servers. After verifying, the administrator notices that the system time drifts significantly. Which configuration parameter in /etc/chrony.conf is most likely causing the drift despite multiple servers?

A. pollinterval 2
B. minsources 2
C. makestep 100 -1
D. maxslewrate 1000
E. local stratum 10
Answer: E

Declares local clock as a high-priority time source, overriding NTP servers.

Why this answer

The `local stratum 10` directive tells chronyd to treat the local clock as a time source with stratum 10 even when it is not synchronized to any external NTP server. This effectively disables the client's ability to discipline the system clock using the configured NTP servers, because chronyd will consider the local clock as a valid reference and not apply corrections from the remote servers, leading to significant time drift.

Exam trap

Cisco often tests the misconception that adding more NTP servers or adjusting polling intervals is the solution to drift, when the real issue is a directive like `local stratum` that overrides external synchronization.

How to eliminate wrong answers

Option A is wrong because `pollinterval 2` sets the minimum polling interval to 2 seconds (2^2 = 4 seconds), which would actually increase synchronization frequency, not cause drift. Option B is wrong because `minsources 2` sets the minimum number of NTP sources required before chronyd can update the clock; this would prevent synchronization if fewer than 2 servers are reachable, but with four servers configured it would not cause drift. Option C is wrong because `makestep 100 -1` allows chronyd to step the clock if the offset exceeds 100 seconds, and the -1 disables the slew limit; this would actually help correct large drifts, not cause them. Option D is wrong because `maxslewrate 1000` sets the maximum rate at which chronyd can slew the clock (1000 ppm), which is a very high limit and would allow aggressive correction, not cause drift.

719
MCQ · easy

A system administrator needs to run a script every 15 minutes. Which systemd unit type is used to schedule this?

A. systemd timer
B. at job
C. anacron
D. cron job
Answer: A

Timer units can be configured with OnCalendar or OnUnitActiveSec to run every 15 minutes.

Why this answer

Systemd timers are the native systemd unit type for scheduling tasks at specified intervals, such as every 15 minutes. They replace traditional cron jobs in systemd-based Linux distributions and are defined with a .timer unit file that triggers a corresponding .service unit. This makes option A correct because the question explicitly asks for the systemd unit type used for scheduling.

Exam trap

The trap here is that candidates familiar with traditional Linux scheduling immediately think of cron, but the question explicitly asks for a 'systemd unit type,' making cron a distractor despite its functional similarity.

How to eliminate wrong answers

Option B (at job) is wrong because the 'at' command schedules a one-time task at a specific time, not recurring every 15 minutes. Option C (anacron) is wrong because anacron is designed for tasks that need to run daily, weekly, or monthly, assuming the system may not be running continuously, and it does not support sub-daily intervals like 15 minutes. Option D (cron job) is wrong because while cron can schedule tasks every 15 minutes, the question specifically asks for a systemd unit type, and cron is a separate service, not a systemd unit.

720
Multi-Select · medium

A security audit reveals that user accounts remain active after employees leave the company. Which TWO commands should be used to disable an account immediately?

Select 3 answers
A. chage -E 0 username
B. usermod -e 1 username
C. usermod -L username
D. passwd -l username
E. userdel username
Answers: B, C, D

Sets account expiration to epoch (Jan 1, 1970), disabling the account.

Why this answer

Option B is correct because `usermod -e 1 username` sets the account's expiration date to January 1, 1970 (epoch time), which immediately expires the account and prevents login. This is a standard method to disable an account without deleting it, preserving the user's files and UID for auditing or reassignment.

Exam trap

The trap here is that candidates often confuse locking an account (which only disables password authentication) with expiring an account (which disables all login methods), leading them to select `usermod -L` or `passwd -l` as the sole solution, but the question requires immediate disablement that covers all authentication paths.

721
MCQ · easy

A developer writes a Python script that uses the `requests` library to fetch data from an API. The script works on the developer's workstation but fails on the server with an import error. What is the most likely cause?

A. The `requests` module is not installed on the server
B. The script uses an incorrect API endpoint
C. The server lacks internet connectivity
D. The script has a syntax error in the import statement
Answer: A

The `requests` module is not part of the standard library and must be installed via pip.

Why this answer

The `requests` library is a third-party Python package that must be installed separately via `pip` or a package manager. The script works on the developer's workstation because `requests` is present there, but fails on the server with an import error, indicating the module is missing from the server's Python environment. This is the most likely cause because an import error specifically points to a missing module, not to network or syntax issues.

Exam trap

CompTIA often tests the distinction between runtime errors (e.g., network issues, bad endpoints) and import-time errors (e.g., missing modules), trapping candidates who confuse an ImportError with a connectivity or syntax problem.

How to eliminate wrong answers

Option B is wrong because an incorrect API endpoint would cause an HTTP error (e.g., 404 or 400) at runtime, not an import error when the script starts. Option C is wrong because lack of internet connectivity would cause a connection timeout or DNS resolution failure during the `requests.get()` call, not an import error when loading the module. Option D is wrong because a syntax error in the import statement would be caught by Python's parser before execution, producing a SyntaxError, not an ImportError; the script works on the workstation, so the import syntax is correct.

722
Multi-Select · hard

Which THREE files are commonly used to store local user account information? (Select 3.)

Select 3 answers
A. /etc/group
B. /etc/gshadow
C. /etc/shadow
D. /etc/login.defs
E. /etc/passwd
Answers: A, C, E

Contains group information and group member lists.

Why this answer

The /etc/passwd file stores basic user account information (username, UID, GID, home directory, shell) in a colon-separated format. /etc/shadow stores encrypted password hashes and password aging data, separated from the world-readable /etc/passwd for security. /etc/group stores group definitions, including group name, GID, and member list, which is essential for local user group membership.

Exam trap

Cisco often tests the distinction between files that store actual user records (/etc/passwd, /etc/shadow, /etc/group) versus configuration files that control behavior (/etc/login.defs) or shadowed group data (/etc/gshadow), leading candidates to select /etc/gshadow or /etc/login.defs incorrectly.

723
MCQ · medium

A technician is troubleshooting a service that fails to start at boot. Which systemctl command should be used to ensure the service starts automatically on subsequent boots?

A. systemctl mask service
B. systemctl start service
C. systemctl enable service
D. systemctl reenable service
Answer: C

Enables the service to start at boot.

Why this answer

systemctl enable creates symlinks so the service starts at boot. The status shown by is-enabled confirms if it is enabled.

724
MCQ · medium

A technician suspects that a DNS resolution issue is causing connectivity problems. Which command can be used to query the DNS server for an A record for 'example.com'?

A. traceroute example.com
B. dig example.com A
C. ping example.com
D. nslookup example.com A
Answer: B

dig queries DNS for A record.

Why this answer

The `dig` command is a flexible DNS lookup utility that can query specific record types. Using `dig example.com A` directly queries the DNS server for the IPv4 address (A record) of 'example.com', making it the correct choice for diagnosing DNS resolution issues.

Exam trap

Cisco often tests the distinction between commands that perform name resolution (like `ping` or `traceroute`) versus those that directly query DNS servers for specific record types, leading candidates to choose `ping` or `traceroute` when a DNS-specific query is needed.

How to eliminate wrong answers

Option A is wrong because `traceroute` traces the network path to a host but does not perform DNS queries for specific record types; it relies on the system's resolver for name resolution. Option C is wrong because `ping` tests network connectivity using ICMP echo requests and uses the system resolver to resolve names, but it cannot query for a specific DNS record type like an A record. Option D is wrong because `nslookup` can query DNS records, but the syntax `nslookup example.com A` is incorrect; the proper syntax is `nslookup -type=A example.com` or `nslookup` in interactive mode, and the given form will likely fail or return unexpected results.

725
MCQ · medium

A pod in the Kubernetes cluster is in CrashLoopBackOff. Based on the exhibit, what is the most likely cause?

A. The application inside the container is crashing repeatedly.
B. The container failed to start because of a missing configuration file.
C. The image pull failed due to authentication issues.
D. The container image is not available in the registry.
Answer: A

The CrashLoopBackOff status and BackOff event indicate the application is crashing right after start.

Why this answer

The CrashLoopBackOff status indicates that a container in a pod is repeatedly crashing after starting. Kubernetes attempts to restart the container, but the application inside exits with a non-zero exit code, causing the restart loop. This is most commonly caused by the application itself crashing due to a bug, misconfiguration, or resource issue.

Exam trap

CompTIA often tests the distinction between container startup failures (ImagePullBackOff, ErrImagePull) and runtime crashes (CrashLoopBackOff), so candidates must remember that CrashLoopBackOff implies the container started at least once before crashing.

How to eliminate wrong answers

Option B is wrong because a missing configuration file would typically cause an Init:Error or CreateContainerConfigError, not CrashLoopBackOff, as the container would fail to start at all. Option C is wrong because image pull failures due to authentication issues result in ImagePullBackOff or ErrImagePull, not CrashLoopBackOff. Option D is wrong because an unavailable container image also leads to ImagePullBackOff or ErrImagePull, as the container never starts to crash.

726
Multi-Selectmedium

A Linux administrator is troubleshooting a firewall issue using nftables. The ruleset is complex. Which two commands are useful for listing the current ruleset and adding a new rule? (Choose TWO.)

Select 2 answers
A.nft insert rule
B.nft list ruleset
C.nft add rule inet filter input tcp dport 443 accept
D.nft show ruleset
E.nft -a list ruleset
AnswersB, C

Lists all current rules.

Why this answer

Option B is correct because `nft list ruleset` is the standard command to display the entire current nftables ruleset in a human-readable format, which is essential for troubleshooting complex firewall configurations. Option C is correct because `nft add rule inet filter input tcp dport 443 accept` is the proper syntax to append a new rule to the specified chain (here, the 'input' chain of the 'filter' table in the 'inet' family) that accepts TCP traffic on port 443.

Exam trap

The trap here is that candidates may confuse `nft show ruleset` (invalid) with `nft list ruleset` (valid), or think that `nft insert rule` is used for listing rules instead of adding them at a specific position.

727
MCQhard

An administrator needs to view all current nftables rules. Which command should be used?

A.nft list ruleset
B.nft --list
C.nft show ruleset
D.iptables -L
AnswerA

This command shows all rulesets.

Why this answer

`nft list ruleset` displays the entire ruleset. `nft list table` only shows a specific table.

728
MCQmedium

A server running RHEL 8 has intermittent network connectivity. The administrator wants to view the current DNS resolver configuration. Which file should be examined?

A./etc/sysconfig/network-scripts/ifcfg-eth0
B./etc/nsswitch.conf
C./etc/resolv.conf
D./etc/hosts
AnswerC

Contains nameserver IP addresses.

Why this answer

/etc/resolv.conf contains the nameserver entries. /etc/nsswitch.conf defines the lookup order, /etc/hosts holds static mappings, and /etc/sysconfig/network-scripts/ifcfg-* holds interface configuration.

729
Multi-Selectmedium

A systems administrator is troubleshooting a server that fails to boot and displays the error: 'Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)'. Which TWO of the following are most likely causes? (Choose two.)

Select 2 answers
A.Missing or misconfigured root filesystem in /etc/fstab
B.Faulty RAM
C.Corrupted initramfs image
D.Overwritten MBR
E.Incorrect boot loader configuration pointing to wrong kernel
AnswersA, C

Correct: If the root filesystem is missing or misconfigured, the kernel cannot mount it.

Why this answer

Option A is correct because the error 'VFS: Unable to mount root fs on unknown-block(0,0)' indicates the kernel cannot locate or mount the root filesystem. A missing or misconfigured root filesystem entry in /etc/fstab (e.g., wrong device name, wrong UUID, or missing entry) prevents the kernel from mounting the root partition, leading to a kernel panic. The 'unknown-block(0,0)' specifically means the kernel cannot resolve the block device for the root filesystem.

Exam trap

The trap here is that candidates often confuse a boot loader misconfiguration (Option E) with a root filesystem issue, but the kernel must successfully load before a VFS error can occur, so the problem lies after boot loader execution.

730
MCQhard

A containerized application uses a bind mount to persist logs. When the container is removed and recreated, the logs are missing. What is the most likely cause?

A.The container was run with --rm, which deletes the bind mount
B.The host directory was deleted when the container was removed
C.The log files were written to the container's writable layer instead of the mount
D.The bind mount was not specified in the new container run command
AnswerD

Bind mounts are not automatically recreated; they must be specified each time.

Why this answer

Bind mounts depend on the host path; if the bind mount was not re-specified, the new container does not have access to the previous host directory unless explicitly mounted.

731
MCQhard

An administrator configures a new web server with Apache and needs to ensure it starts automatically after a system reboot. The administrator runs 'systemctl enable httpd' but the service still does not start after reboot. What is the most likely reason?

A.The service name is incorrect; it should be 'apache2' instead of 'httpd'.
B.The administrator forgot to run 'systemctl start httpd' after enabling it.
C.The httpd service is masked, preventing it from starting.
D.The systemd daemon needs to be reloaded with 'systemctl daemon-reload'.
AnswerC

A masked service cannot be started; check with 'systemctl is-enabled httpd'.

Why this answer

The most likely reason the httpd service does not start after reboot despite being enabled is that it is masked. A masked service is symlinked to /dev/null, which prevents systemd from starting it even if it is enabled. The 'systemctl enable' command creates the necessary symlinks for automatic startup, but a mask overrides this by blocking the service unit entirely.

Exam trap

The trap here is that candidates often confuse 'enabled' with 'started' and assume the service must be started manually after enabling, overlooking the more subtle masking mechanism that prevents automatic startup despite the enable state.

How to eliminate wrong answers

Option A is wrong because the service name 'httpd' is correct for Apache on RHEL/CentOS/Fedora systems; 'apache2' is used on Debian/Ubuntu, but the question does not specify the distribution, and the administrator used 'httpd' which is standard for the given context. Option B is wrong because 'systemctl start httpd' starts the service immediately but is not required for automatic startup after reboot; enabling the service is sufficient for that purpose. Option D is wrong because 'systemctl daemon-reload' is used to reload systemd manager configuration after unit files change, but it is not needed after enabling a service; enabling only creates symlinks, not unit file modifications.

732
MCQeasy

Refer to the exhibit. An administrator creates this systemd unit file for a backup script. When the administrator runs `systemctl start backup.service`, the script runs but the service shows 'inactive (dead)' immediately. What change should be made to keep the service active until the script finishes?

A.Add 'RemainAfterExit=yes' to the [Service] section
B.Change the service type to 'forking'
C.Add 'ExecStop' to the service definition
D.Change the service type to 'simple'
AnswerA

RemainAfterExit=yes keeps the service in 'active' state even after the process exits, which is what the administrator wants.

Why this answer

The correct answer is A because adding 'RemainAfterExit=yes' to the [Service] section tells systemd to consider the service as active even after the main process (the backup script) exits. Without this directive, systemd sees the process terminate and immediately marks the service as 'inactive (dead)', even though the script may still be running or its effects are ongoing. This is the standard way to keep a service unit in an 'active' state after the main command completes.

Exam trap

The trap here is that candidates often confuse 'RemainAfterExit' with service types like 'forking' or 'simple', mistakenly thinking changing the type will keep the service active, when in fact only 'RemainAfterExit' explicitly tells systemd to remain active after the process exits.

How to eliminate wrong answers

Option B is wrong because changing the service type to 'forking' is used when the process forks and the parent exits, leaving a child process running; it does not keep the service active after the script finishes if the script itself exits. Option C is wrong because adding 'ExecStop' defines a command to run when the service is stopped, but it does not affect the service state after the main process exits. Option D is wrong because changing the service type to 'simple' is the default and behaves the same as the current configuration—systemd considers the service active only while the main process is running, so it will still show 'inactive (dead)' immediately after the script finishes.

733
MCQhard

After a kernel panic, the system fails to boot. The administrator suspects a missing kernel module. Which command line should be added to the GRUB boot parameters to access a rescue shell and investigate?

A.systemd.unit=emergency.target
B.rd.break
C.single
D.nomodeset
AnswerB

rd.break stops before pivot_root, giving a shell to inspect initramfs.

Why this answer

Adding 'rd.break' breaks before pivot_root and drops to a shell for troubleshooting. 'single' boots to single-user mode but may not help if a module is missing. 'emergency' is for systemd targets.

734
MCQhard

A file server running RHEL 8 uses NFS to export directories. Clients report that they cannot mount an NFS share. The server's firewall is configured but NFS-related services are enabled. The administrator checks `exportfs -v` and sees the export is listed. Which service must be added to the firewall to allow NFS?

A.rpc-bind
B.nfs
C.samba
D.mountd
AnswerB

The nfs service is essential; adding it allows the NFS server port (2049).

Why this answer

Option B is correct because NFS on RHEL 8 requires the 'nfs' service to be added to the firewall to allow incoming NFS traffic. The 'nfs' service in firewalld opens TCP and UDP ports 2049, which is the standard port for NFSv4. Even though NFS-related services are enabled, the firewall must explicitly permit this port for clients to mount the share.

Exam trap

CompTIA often tests the misconception that 'mountd' is a valid firewalld service name, when in fact it must be configured as a custom port or covered by the 'nfs' service, leading candidates to select option D incorrectly.

How to eliminate wrong answers

Option A is wrong because 'rpc-bind' opens port 111 for RPC portmapper, which is needed for NFSv3 but not for NFSv4; the question does not specify NFS version, and RHEL 8 defaults to NFSv4, making 'nfs' the required service. Option C is wrong because 'samba' is used for SMB/CIFS file sharing, not NFS, and adding it would not allow NFS mounts. Option D is wrong because 'mountd' is not a standard firewalld service; the NFS mount protocol (rpc.mountd) uses a dynamically assigned port and is typically handled by adding the 'nfs' service or explicitly opening the port range, but 'mountd' as a service name is not valid in firewalld.

735
MCQmedium

A Linux server is experiencing slow boot times. The administrator wants to identify which systemd services are taking the longest to start. Which command should be used?

A.systemd-analyze time
B.journalctl -b -p 3
C.systemctl list-units --all
D.systemd-analyze blame
AnswerD

This displays each service and its initialization time, sorted descending.

Why this answer

The `systemd-analyze blame` command prints a list of all running systemd units, sorted by the time they took to initialize during boot. This directly answers the administrator's need to identify which services are causing slow boot times by showing the exact startup duration for each unit.

Exam trap

The trap here is that candidates confuse `systemd-analyze time` (which gives a high-level summary) with `systemd-analyze blame` (which provides the per-service detail needed to identify the slowest service).

How to eliminate wrong answers

Option A is wrong because `systemd-analyze time` only shows the total boot time broken into firmware, kernel, and userspace segments, not a per-service breakdown. Option B is wrong because `journalctl -b -p 3` filters the systemd journal for error-level (priority 3) messages from the current boot, which is used for troubleshooting errors, not for measuring service startup durations. Option C is wrong because `systemctl list-units --all` lists all loaded units and their states (active, inactive, etc.), but does not provide any timing or performance data.

736
MCQhard

A system administrator needs to set the umask so that newly created files have permissions of 644 and directories have permissions of 755. Which umask value should be set?

A.0222
B.0022
C.000
D.077
AnswerB

Correct: umask 022 subtracts group and others write permission, resulting in 644 for files and 755 for directories.

Why this answer

Default base permissions are 666 for files and 777 for directories. To get 644 (rw-r--r--) for files: 666 - 644 = 022. To get 755 (rwxr-xr-x) for directories: 777 - 755 = 022.

So umask 022 works for both.

737
Multi-Selecthard

A network administrator needs to diagnose connectivity issues from a Linux server to a remote host. Which of the following tools can provide information about the path and latency? (Choose three.)

Select 3 answers
A.iproute
B.netstat
C.mtr
D.traceroute
E.ping
AnswersC, D, E

Combines ping and traceroute functionality.

Why this answer

C (mtr) is correct because it combines the functionality of traceroute and ping into a single diagnostic tool, continuously probing each hop along the path to a remote host and reporting both the route and real-time latency statistics. This makes it ideal for identifying where packet loss or high latency occurs along the network path.

Exam trap

The trap here is that candidates may think ping alone is sufficient for diagnosing path issues, but ping only tests end-to-end connectivity and latency to the final destination, not the performance of each intermediate hop, which is why mtr and traceroute are needed alongside ping.

738
MCQmedium

A system administrator is troubleshooting a service that fails to start. They want to see the recent logs for that specific service unit. Which journalctl command should be used?

A.journalctl -k
B.journalctl -u service_name
C.tail -f /var/log/syslog
D.journalctl -p err
AnswerB

Correct: -u filters by unit.

Why this answer

The `-u` option in `journalctl` filters logs by the systemd unit name, allowing you to view recent logs specifically for a service. This is the correct approach when troubleshooting a service that fails to start, as it isolates the relevant log entries without noise from other system messages.

Exam trap

The trap here is that candidates may confuse `journalctl -u` with other common options like `-k` (kernel) or `-p` (priority), or fall back to legacy syslog commands like `tail -f /var/log/syslog`, which do not directly filter by systemd unit and may miss critical journal-only logs.

How to eliminate wrong answers

Option A is wrong because `journalctl -k` shows kernel messages only, not service-specific logs. Option C is wrong because `tail -f /var/log/syslog` is a traditional syslog command that does not filter by systemd unit and may not capture all journald entries, especially on systems using only journald. Option D is wrong because `journalctl -p err` filters by priority level (error and above), which may omit informational or debug messages that are crucial for diagnosing a startup failure.

739
Multi-Selectmedium

Which TWO container networking modes allow a container to have its own IP address on the host network? (Choose TWO.)

Select 2 answers
A.Macvlan
B.Host
C.None
D.Overlay
E.Bridge
AnswersA, E

Container gets its own MAC/IP on physical network.

Why this answer

Macvlan mode assigns each container a unique MAC address and IP address from the host's physical network, making the container appear as a separate device on the same subnet. Bridge mode creates a virtual bridge (typically docker0) and assigns containers IPs from a private subnet, allowing them to communicate with the host network via NAT. Both modes give the container its own IP address on the host network, though bridge uses a private range while macvlan uses the host's subnet directly.

Exam trap

The trap here is that candidates often confuse 'own IP address' with 'own network namespace'—Host mode gives the container its own namespace but shares the host's IP, while Bridge gives a private IP that is not directly on the host's physical subnet, leading some to incorrectly select Host or Overlay.

740
Multi-Selecteasy

A Linux system fails to boot with the error 'No bootable device found'. Which two troubleshooting steps should be taken? (Select TWO).

Select 2 answers
A.Check the SATA cable connections
B.Reinstall the kernel
C.Run fsck on the root filesystem
D.Verify the GRUB configuration
E.Check the boot order in BIOS/UEFI
AnswersD, E

Corrupted or missing GRUB can cause 'No bootable device' error.

Why this answer

The error 'No bootable device found' indicates that the system's BIOS/UEFI cannot locate a valid bootloader or operating system on any available storage device. Verifying the boot order in BIOS/UEFI (Option E) ensures that the correct disk is set as the first boot device, which is a common cause of this error. Checking the GRUB configuration (Option D) is also critical because if GRUB is missing, corrupted, or misconfigured, the system will not find a bootable kernel, even if the disk is correctly detected.

Exam trap

The trap here is that candidates often confuse filesystem corruption (fsck) or kernel issues with bootloader problems, but the 'No bootable device found' error specifically points to the firmware's inability to locate a bootable partition or bootloader, not to filesystem or kernel corruption.

741
Multi-Selecthard

An administrator is configuring iptables on a server. The requirements are: allow incoming SSH (port 22) from the 192.168.1.0/24 network, drop all other incoming traffic, and allow all outgoing traffic. Which three iptables rules achieve this? (Choose THREE.)

Select 3 answers
A.iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
B.iptables -P OUTPUT ACCEPT
C.iptables -P FORWARD ACCEPT
D.iptables -A INPUT -p tcp --dport 22 -j ACCEPT
E.iptables -P INPUT DROP
AnswersA, B, E

Allows SSH from subnet.

Why this answer

Set the default policies to INPUT DROP and OUTPUT ACCEPT, then allow SSH from the subnet.

742
MCQeasy

A user attempts to run a command using sudo but receives 'user is not in the sudoers file. This incident will be reported.' Which file should be edited to grant the user sudo access?

A.Edit /etc/passwd directly
B.Edit /etc/group to add user to the wheel group
C.Edit /etc/shadow
D.Use visudo to edit /etc/sudoers
AnswerD

The proper way to grant sudo access.

Why this answer

The correct answer is D because the sudoers file, typically located at /etc/sudoers, controls which users and groups are permitted to run commands with sudo. The visudo command must be used to edit this file safely, as it performs syntax checking to prevent lockouts due to misconfiguration. Directly editing /etc/sudoers with a regular text editor can lead to syntax errors that break sudo functionality.

Exam trap

The trap here is that candidates may think adding a user to the wheel group (Option B) is sufficient, but without a corresponding entry in the sudoers file (e.g., '%wheel ALL=(ALL) ALL'), the group membership alone does not grant sudo privileges.

How to eliminate wrong answers

Option A is wrong because /etc/passwd stores user account information (like UID, home directory, shell) but does not contain sudo privileges; editing it would not grant sudo access. Option B is wrong because simply adding a user to the wheel group does not automatically grant sudo access unless the sudoers file contains an entry like '%wheel ALL=(ALL) ALL'; the group membership alone is insufficient. Option C is wrong because /etc/shadow stores encrypted password hashes and password aging information, not sudo permissions; editing it would not affect sudo access.

743
MCQhard

A Linux server is experiencing high I/O wait, as shown by the 'iostat -x' command: 'avg-cpu: %iowait=45' and '/dev/sda: await=120ms, %util=95%'. The server has 16 GB of RAM, and the administrator notices that the system is using a significant amount of swap: 'free -m' shows 4 GB of swap used out of 8 GB. The server runs a database application that performs many synchronous writes. The administrator wants to reduce I/O wait without adding physical memory. Which of the following kernel parameter changes is most likely to help by reducing the frequency of write operations to disk?

A.Increase vm.dirty_ratio from 20 to 40.
B.Increase vm.dirty_writeback_centisecs from 500 to 1000.
C.Set vm.swappiness to 0.
D.Decrease vm.dirty_background_ratio from 10 to 5.
AnswerB

Increasing the interval between writeback cycles allows more dirty pages to accumulate, possibly merging writes and reducing the number of I/O operations, thus lowering iowait.

Why this answer

Increasing vm.dirty_writeback_centisecs (time between writeback flushes) allows more dirty pages to accumulate before being written, reducing write frequency and potentially merging writes, which can lower I/O wait if the I/O subsystem is efficient at handling larger writes. However, if the writeback interval is too high, it may increase burstiness. The other options: increasing dirty_ratio or dirty_background_ratio would allow more dirty pages in memory, which could temporarily reduce writes but might cause burstier writes and not reduce overall I/O wait.

Decreasing dirty_writeback_centisecs would increase write frequency, likely worsening iowait. So increasing vm.dirty_writeback_centisecs is the most plausible correct answer. The swappiness setting affects swap tendency, but swap usage indicates memory pressure; reducing swappiness might reduce swap but would not directly address synchronous database writes.

744
MCQeasy

A user reports that they cannot access a web server at 192.168.1.100. The administrator wants to check if the server is reachable and measure round-trip time. Which command is most appropriate?

A.nmap -sn 192.168.1.100
B.traceroute 192.168.1.100
C.ping 192.168.1.100
D.ss -tlnp | grep 192.168.1.100
AnswerC

ping tests connectivity and shows RTT.

Why this answer

The `ping` command sends ICMP Echo Request packets to the target host and waits for ICMP Echo Reply packets, which directly tests reachability and measures round-trip time (RTT). This is the most appropriate tool for the administrator's stated goal of checking if the server is reachable and measuring RTT.

Exam trap

The trap here is that candidates confuse `nmap -sn` (host discovery) with connectivity testing and RTT measurement, or they think `traceroute` measures end-to-end RTT when it actually measures per-hop latency.

How to eliminate wrong answers

Option A is wrong because `nmap -sn` performs a ping sweep (ICMP, TCP SYN to port 443/80, or ARP) to discover live hosts, but it does not provide round-trip time measurements; it only reports whether the host is up. Option B is wrong because `traceroute` shows the path (hops) packets take to reach the destination and measures per-hop latency, not the end-to-end round-trip time to the server itself. Option D is wrong because `ss -tlnp` lists listening TCP sockets on the local system and cannot be used to test reachability to a remote host; it would not even accept an IP address as a filter in that syntax.

745
MCQmedium

A system administrator notices that the httpd service fails to start. Which command should be used to view the most recent log entries for that specific service?

A.systemctl status httpd
B.dmesg | grep httpd
C.journalctl -u httpd
D.tail -f /var/log/messages
AnswerC

Displays journal entries for the httpd unit.

Why this answer

C is correct because `journalctl -u httpd` queries the systemd journal for log entries specifically associated with the httpd service unit. This command shows the most recent log messages for that service, including startup failures, error codes, and dependency issues, making it the direct and precise tool for troubleshooting a service that fails to start.

Exam trap

The trap here is that candidates often choose `systemctl status httpd` (Option A) because it shows recent logs by default, but they overlook that it only displays a truncated snippet (usually the last 10–20 lines) and is not the command for viewing the most recent or complete log entries for a specific service.

How to eliminate wrong answers

Option A is wrong because `systemctl status httpd` shows the current state, recent log lines (usually the last 10–20), and process info, but it does not display the full or most recent log entries in a scrollable, filterable way; it truncates older messages and is not designed for deep log inspection. Option B is wrong because `dmesg | grep httpd` searches the kernel ring buffer, which contains kernel-level messages (hardware, drivers, kernel modules) and rarely includes application-level httpd logs unless the service writes to the kernel log, which it does not by default. Option D is wrong because `tail -f /var/log/messages` follows a general system log file that may contain httpd entries, but it is not service-specific, may not include all httpd log entries (especially if httpd logs to its own file like /var/log/httpd/error_log), and requires manual filtering; it also does not leverage the structured journald database.

746
MCQmedium

A Linux administrator is troubleshooting a DNS resolution issue. They need to query the MX record for example.com using a specific DNS server at 8.8.8.8. Which command should they use?

A.dig MX example.com @8.8.8.8
B.host -t MX example.com 8.8.8.8
C.nslookup -type=MX example.com 8.8.8.8
D.ping -c 1 example.com
AnswerA

Correct: dig MX example.com @8.8.8.8 queries the MX record from the specified server.

Why this answer

`dig @server type name` queries a specific DNS server for the specified record type.

747
MCQmedium

A Linux administrator needs to find which process is using a specific file. Which command provides this information?

A.lsof /path/to/file
B.fuser /path/to/file
C.strace /path/to/file
D.ltrace /path/to/file
AnswerA

lsof shows processes that have the file open.

Why this answer

The `lsof` command (List Open Files) is the correct tool to identify which process is using a specific file. When invoked with a file path as an argument, `lsof` displays the PID, process name, and other details of any process that has the file open. This directly answers the administrator's need to find the process using that file.

Exam trap

The trap here is that candidates may confuse `fuser` with `lsof` because both can identify processes using a file, but `fuser` is less detailed and not the primary tool for this task in the exam context.

How to eliminate wrong answers

Option B is wrong because `fuser` identifies processes using a file or socket, but it outputs only PIDs by default, not process names or detailed information like `lsof` does; while it can work, `lsof` is the more comprehensive and standard command for this task. Option C is wrong because `strace` is a debugging tool that intercepts and records system calls made by a process, not a command to find which process is using a file. Option D is wrong because `ltrace` intercepts library calls, not system calls, and is used for debugging dynamic library interactions, not for identifying processes that have a file open.

748
MCQmedium

A system is running out of disk space in the /var/log directory. The administrator needs to temporarily free up space while preserving the latest log entries. Which approach is best?

A.Run logrotate with compression enabled
B.find /var/log -mtime +7 -delete
C.cat /dev/null > /var/log/messages
D.rm -rf /var/log/*
AnswerA

Rotates and compresses logs, preserving recent entries.

Why this answer

Logrotate with compression is the best approach because it rotates, compresses, and optionally removes old log files while preserving the latest entries. It can be configured to keep a specific number of rotated logs, thus freeing disk space without deleting current logs. This matches the requirement to temporarily free up space while retaining the most recent log data.

Exam trap

CompTIA often tests the misconception that deleting old files with find or truncating a log file is a safe way to free space, but the correct approach is to use logrotate to manage log rotation and compression while preserving the latest entries.

How to eliminate wrong answers

Option B is wrong because 'find /var/log -mtime +7 -delete' deletes all log files older than 7 days, which may remove important historical logs and does not preserve the latest entries in a controlled manner. Option C is wrong because 'cat /dev/null > /var/log/messages' truncates the file, which destroys all existing log entries in that file, failing to preserve the latest entries. Option D is wrong because 'rm -rf /var/log/*' removes all files and subdirectories in /var/log, including current logs, which is destructive and does not preserve any entries.

749
MCQmedium

A security auditor notices that users can set weak passwords on a Linux system. The administrator wants to enforce password complexity requiring a minimum of 12 characters, at least one uppercase letter, and at least one digit. Which PAM module should be configured in /etc/pam.d/common-password?

A.pam_unix.so
B.pam_pwquality.so
C.pam_tally2.so
D.pam_faillock.so
AnswerB

pam_pwquality enforces password complexity rules.

Why this answer

pam_pwquality provides password strength checking with parameters like minlen, ucredit, dcredit. The other modules do not handle complexity.

750
Multi-Selecthard

A security-conscious administrator runs containers with Podman. Which THREE methods ensure that a container runs with the least privilege required?

Select 3 answers
A.--privileged
B.--user 1000
C.--cap-drop=ALL
D.--read-only=true
E.--security-opt seccomp=default.json
AnswersB, C, E

Runs the container as a non-root user, reducing privilege.

Why this answer

Option B is correct because using `--user 1000` runs the container process with a non-root user (UID 1000), which reduces the attack surface by preventing root-level access inside the container. This is a fundamental least-privilege practice, as containers default to running as root unless explicitly changed.

Exam trap

CompTIA often tests the misconception that `--read-only=true` is a privilege-reduction method, when in fact it only restricts filesystem writes and does not limit user or capability privileges.
