CompTIA Linux+ XK0-005 (XK0-005) — Questions 901–975

981 questions total · 14 pages · All types, answers revealed

Page 13 of 14

901
MCQ · easy

A systems administrator needs to automate the execution of a backup script every day at 2:00 AM using a systemd service. Which unit type should the administrator create?

A. A .service unit
B. A .path unit
C. A .mount unit
D. A .timer unit
Answer: D

A timer unit triggers a service unit on a schedule.

Why this answer

A .timer unit is the correct choice because systemd timers are designed to schedule and trigger the execution of other units (such as services) at specific times or intervals. By creating a .timer unit that activates at 2:00 AM daily and a corresponding .service unit for the backup script, the administrator can automate the backup using systemd's built-in scheduling mechanism, which is more reliable and integrated than cron for systemd-managed systems.

Exam trap

The trap here is that candidates often confuse .timer units with .service units, mistakenly thinking a .service unit alone can handle scheduling, but systemd requires a separate timer unit to define the schedule and trigger the service.

How to eliminate wrong answers

Option A is wrong because a .service unit defines how to start, stop, and manage a process, but it does not include scheduling logic; it must be triggered by another unit (like a .timer) to run at a specific time. Option B is wrong because a .path unit monitors file system changes (e.g., file creation or modification) and activates a service when those events occur, not for time-based scheduling. Option C is wrong because a .mount unit controls the mounting of file systems and has no capability to schedule periodic execution of scripts.

902
MCQ · easy

An administrator needs to add a new user named 'jdoe' with a home directory and default group. Which command should be used?

A. useradd jdoe
B. groupadd jdoe
C. passwd jdoe
D. usermod jdoe
Answer: A

Correct. useradd creates a new user with default settings including home directory.

Why this answer

The useradd command creates a new user and can set up the home directory and group via options, but by default it creates a home directory and assigns the user's own group.

903
MCQ · medium

A technician needs to create a self-signed certificate and private key for a web server. Which OpenSSL command should be used?

A. openssl genrsa -out key.pem 2048 && openssl req -new -key key.pem -out cert.pem
B. openssl x509 -req -in req.pem -signkey key.pem -out cert.pem
C. openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
D. openssl ca -in req.pem -out cert.pem
Answer: C

This command creates a self-signed certificate valid for 365 days.

Why this answer

Option C is correct because the `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes` command generates a new RSA 2048-bit private key and immediately creates a self-signed X.509 certificate in a single step. The `-x509` flag tells OpenSSL to output a self-signed certificate instead of a certificate signing request (CSR), and `-nodes` ensures the private key is not encrypted with a passphrase, which is typical for a web server that must start without manual intervention.

Exam trap

The trap here is that candidates often confuse the `req -new` command (which creates a CSR) with the `req -x509` command (which creates a self-signed certificate), leading them to choose Option A, which only produces a CSR, not a usable certificate for a web server.

How to eliminate wrong answers

Option A is wrong because it first generates a private key with `genrsa` and then creates a CSR (`req -new`), not a self-signed certificate; the output file `cert.pem` would be a CSR, not a certificate. Option B is wrong because `openssl x509 -req` signs a CSR using a CA private key, but it requires an existing CSR (`req.pem`) and an existing signing key (`key.pem`); it does not create a self-signed certificate from scratch. Option D is wrong because `openssl ca` is used to sign a CSR with a configured CA infrastructure (requires a CA database and configuration), not to create a self-signed certificate directly.

904
MCQ · easy

Which command displays the disk usage of files and directories in a human-readable format (e.g., KB, MB)?

A. df -h
B. ls -lh
C. stat -h
D. du -h
Answer: D

du -h shows disk usage of files/directories with human-readable sizes.

Why this answer

The `du -h` command (disk usage with human-readable flag) recursively summarizes disk usage for files and directories, appending size suffixes like K, M, G for kilobytes, megabytes, and gigabytes. This directly matches the question's requirement to display disk usage in a human-readable format.

Exam trap

The trap here is that candidates confuse `df -h` (filesystem-level free space) with `du -h` (per-file/directory disk usage), or assume `ls -lh` shows disk usage when it actually shows logical file size, not the blocks consumed on disk.

How to eliminate wrong answers

Option A is wrong because `df -h` reports filesystem-level disk space usage (free/used blocks on mounted partitions), not the disk usage of individual files and directories. Option B is wrong because `ls -lh` lists file sizes in human-readable format but does not compute or display disk usage (the actual blocks consumed on disk), which can differ from file size due to sparse files or block allocation. Option C is wrong because `stat -h` is not a valid Linux command; `stat` uses `-c` or `--format` for custom output and does not have a `-h` flag for human-readable sizes.

905
Multi-Select · hard

An administrator is configuring AppArmor for a custom application. Which THREE commands are used to manage AppArmor profiles?

Select 3 answers
A. aa-logprof
B. aa-status
C. apparmor_parser
D. aa-complain
E. aa-enforce
Answers: B, D, E

Shows status of AppArmor profiles.

Why this answer

aa-status displays the status of AppArmor profiles. aa-complain sets a profile to complain mode (logs violations but does not enforce). aa-enforce sets a profile to enforce mode.

906
MCQ · medium

A server's root filesystem is 100% full according to df -h. Which command should the administrator use to locate large files?

A. ls -la /
B. fdisk -l
C. du -sh /*
D. find / -size +100M
Answer: C

Shows sizes of top-level directories.

Why this answer

The `du -sh /*` command calculates disk usage for each top-level directory and file under `/`, summarizing the total in human-readable format. This directly identifies which directories or files consume the most space, allowing the administrator to pinpoint the cause of the 100% full root filesystem.

Exam trap

CompTIA often tests the distinction between listing files (`ls`) and measuring disk usage (`du`), trapping candidates who think `ls -la` shows file sizes that reflect actual disk consumption, ignoring that `ls` reports logical size while `du` reports physical blocks allocated.

How to eliminate wrong answers

Option A is wrong because `ls -la /` lists the names and metadata of files and directories in the root, but does not show their disk usage or size recursively, making it impossible to locate large files efficiently. Option B is wrong because `fdisk -l` displays partition table information (e.g., device names, sizes, types) and does not report file-level disk usage or locate large files. Option D is wrong because `find / -size +100M` searches for files larger than 100 MB, but it may miss large files that are exactly 100 MB or smaller, and it does not aggregate usage by directory, which is less efficient for identifying the primary space consumer on a full filesystem.

907
MCQ · easy

Which command is used to trace the network path to a destination host, showing each hop along the way, and is similar to traceroute but does not require root privileges by default?

A. ip route
B. mtr
C. ping
D. tracepath
Answer: D

Correct: tracepath traces the path without requiring root.

Why this answer

tracepath is similar to traceroute but uses UDP probes and does not require root, making it more accessible.

908
MCQ · hard

Refer to the exhibit. An API call returns HTTP 200 but an empty body. What is the most likely cause?

A. The request is missing required query parameters, such as pagination or filters.
B. The server is experiencing a network timeout.
C. The SSL certificate is expired or invalid.
D. The API endpoint has been moved permanently (301).
Answer: A

An empty 200 often indicates no results due to missing parameters.

Why this answer

The response has content-length: 0, so the server intentionally returned no data. The SSL handshake succeeded and the certificate is valid. A 200 with empty body often means the resource exists but no data matches the request, or the endpoint expects additional parameters (e.g., pagination).

The server (nginx) is running. Option B is incorrect because the connection was established. Option C is incorrect because the certificate is valid. Option D is incorrect because the response status is 200, not a redirect.

909
MCQ · easy

A user wants to execute a command inside a running Docker container named 'db'. Which command should be used?

A. docker attach db
B. docker start -i db
C. docker run -it db bash
D. docker exec -it db bash
Answer: D

Correct. docker exec runs a command in a running container.

Why this answer

docker exec is used to run a command in an existing running container.

910
MCQ · medium

A Kubernetes YAML manifest defines a Deployment with 3 replicas. The administrator runs `kubectl get pods` and sees 3 running pods. They then run `kubectl scale deployment mydeployment --replicas=5`. What command would confirm the new number of replicas?

A. kubectl get replicasets
B. kubectl get deployment mydeployment
C. kubectl get pods | wc -l
D. kubectl describe deployment mydeployment
Answer: B

This shows the current state of the deployment, including desired and current replicas.

Why this answer

kubectl get deployment mydeployment shows the current replicas, desired replicas, and status.

911
MCQ · medium

A system administrator is troubleshooting a server running Ubuntu 20.04 that cannot establish outbound SSH connections. The server can ping external IP addresses and resolve hostnames. The administrator tries `ssh user@remotehost` and gets 'Connection timed out'. The firewall (ufw) is active. Which step should be taken?

A. Check the SSH client configuration in /etc/ssh/ssh_config.
B. Restart the networking service.
C. Allow output traffic on port 22 with ufw allow out 22/tcp.
D. Disable the firewall with ufw disable.
Answer: C

Explicitly allowing outbound SSH traffic resolves the timeout while maintaining security.

Why this answer

The server can ping external IPs and resolve hostnames, so networking and DNS are working. The issue is that outbound SSH traffic on port 22 is being blocked by the active UFW firewall. The correct step is to allow outbound TCP traffic on port 22 using `ufw allow out 22/tcp`, which permits the client to initiate SSH connections to remote hosts.

Exam trap

The trap here is that candidates assume SSH issues are always server-side (e.g., checking SSH server config or restarting services) and overlook that the local firewall's outbound policy can block client-initiated connections even when inbound rules are correctly configured.

How to eliminate wrong answers

Option A is wrong because `/etc/ssh/ssh_config` controls client-side SSH settings (like preferred ciphers or host key checking), not firewall rules; a misconfigured client would produce a different error (e.g., 'Permission denied' or 'No route to host'), not a timeout. Option B is wrong because restarting the networking service would not resolve a firewall block; the server already has functional network connectivity (ping and DNS work), so the issue is at the packet filter level. Option D is wrong because disabling the entire firewall is an overly broad and insecure solution; the correct approach is to add a specific outbound allow rule for port 22/tcp rather than removing all firewall protection.

912
MCQ · medium

A DevOps engineer needs to ensure that a containerized web application always restarts automatically if the container exits unexpectedly. Which Docker run option should be used?

A. --restart=on-failure
B. --restart=unless-stopped
C. --restart=no
D. --restart=always
Answer: D

Always restarts regardless of exit status.

Why this answer

The `--restart=always` policy ensures that the container restarts regardless of the exit code or reason for termination, including unexpected crashes. This is the correct choice for a containerized web application that must maintain high availability by automatically recovering from any unexpected exit.

Exam trap

CompTIA often tests the subtle distinction between `--restart=always` and `--restart=unless-stopped`, where candidates mistakenly choose `unless-stopped` thinking it provides the same automatic restart but without the risk of restarting after a manual stop, missing that the requirement explicitly says 'always restarts automatically' regardless of how the container exits.

How to eliminate wrong answers

Option A is wrong because `--restart=on-failure` only restarts the container if it exits with a non-zero exit code, which may not cover all unexpected exit scenarios (e.g., a signal-based kill). Option B is wrong because `--restart=unless-stopped` will not restart the container if it was explicitly stopped by the user, which could leave the application down after manual intervention. Option C is wrong because `--restart=no` is the default policy that never automatically restarts the container, failing to meet the requirement for automatic recovery.

913
MCQ · hard

A security audit reveals that a server's /etc/shadow file is readable by all users. Which command would correctly fix the permissions?

A. chmod 644 /etc/shadow
B. chmod 600 /etc/shadow
C. chmod 640 /etc/shadow
D. chmod 640 /etc/shadow && chown root:shadow
Answer: B

This restricts read and write access to root only.

Why this answer

Option B is correct because `chmod 600 /etc/shadow` sets the file to be readable and writable only by the owner (root), which is the standard permission. Option C (640) allows group read access. Option A (644) allows world read. Option D includes a chown that is unnecessary.

914
MCQ · medium

A security audit reveals that the system's PAM configuration does not enforce password complexity. Which PAM module and configuration line should be added to /etc/pam.d/common-password to require at least one uppercase letter, one digit, and a minimum length of 12 characters?

A. password requisite pam_pwquality.so minlen=12 ucredit=-1 dcredit=-1
B. password sufficient pam_faillock.so minlen=12 ucredit=-1 dcredit=-1
C. password required pam_cracklib.so minlen=12 ucredit=-1 dcredit=-1
D. password required pam_unix.so minlen=12 ucredit=-1 dcredit=-1
Answer: A

Correct. pam_pwquality with requisite enforces the rules.

Why this answer

pam_pwquality is the module for password complexity. The options ucredit=-1, dcredit=-1, minlen=12 enforce the requirements. pam_unix handles password hashing, pam_faillock handles lockout, and pam_cracklib is an older module (deprecated in favor of pam_pwquality).

915
MCQ · hard

A server running RHEL 8 fails to boot with a 'Dependency failed for /data' error. The /data filesystem is an ext4 partition on /dev/sdb1. Which sequence of steps should be taken to repair the filesystem?

A. Use 'xfs_repair /dev/sdb1' since it's ext4
B. Run 'fsck.ext4 -f /dev/sdb1' from the running system
C. Remount the filesystem as read-only and run fsck
D. Boot into rescue mode, run 'umount /dev/sdb1', then 'fsck.ext4 -f /dev/sdb1'
Answer: D

Rescue mode ensures filesystem unmounted; fsck repairs it.

Why this answer

To repair a filesystem, it must be unmounted; using a rescue environment (e.g., systemd emergency target) ensures the partition is not in use.

916
MCQ · medium

A database server is running slow. The administrator uses iostat and notices high await times on the disk. Which of the following best explains the implication of high await?

A. The CPU is waiting too long for memory access.
B. Disk I/O requests are taking a long time to complete.
C. The disk is almost full, causing fragmentation.
D. The network filesystem is experiencing latency.
Answer: B

Await includes queue time and service time; high values mean disk is slow or overloaded.

Why this answer

In iostat, 'await' measures the average time (in milliseconds) for I/O requests to be served by the disk, including time spent in the queue and the actual service time. A high await value indicates that disk I/O requests are taking a long time to complete, which directly explains the database server's slowness due to disk latency.

Exam trap

The trap here is that candidates confuse 'await' with CPU wait time (iowait) or assume it directly indicates disk fullness, when in fact await is a pure I/O completion latency metric that can be high due to queueing, slow media, or controller issues.

How to eliminate wrong answers

Option A is wrong because high await in iostat is a disk metric, not a memory metric; CPU waiting for memory access is indicated by high 'wait' or 'st' in CPU stats, not await. Option C is wrong because a nearly full disk can cause fragmentation, but fragmentation primarily increases seek time and is not directly measured by await; await reflects overall request completion time, which can be high due to many factors beyond fragmentation. Option D is wrong because network filesystem latency would be captured by network-specific metrics (e.g., nfsiostat, netstat) or by iostat if the disk is a remote block device, but await on a local disk does not imply network latency.

917
MCQ · medium

An administrator is troubleshooting a DNS issue and needs to query the authoritative name servers for example.com. Which dig command should be used?

A. dig example.com MX
B. dig example.com NS
C. dig example.com A
D. dig example.com ANY
Answer: B

NS record returns authoritative name servers.

Why this answer

dig example.com NS queries the name servers (NS records). A asks for IPv4, MX for mail, and ANY is often blocked.

918
MCQ · hard

A containerized application is consuming excessive memory on a Linux host running Podman. Which command sets a memory limit of 512 megabytes when running a container?

A. podman run --memory=512m myimage
B. podman run --limit-memory 512 myimage
C. podman run --mem=512m myimage
D. podman run --memory-limit=512MB myimage
Answer: A

--memory=512m correctly sets a memory limit of 512 megabytes.

Why this answer

Option A is correct because Podman uses the `--memory` flag (identical to Docker's syntax) to set a hard memory limit on a container. The value `512m` specifies 512 megabytes. This directly restricts the container's memory usage via cgroups, preventing it from consuming excessive host memory.

Exam trap

CompTIA often tests the exact flag syntax and unit format, so the trap here is that candidates may confuse Podman's `--memory` with Docker's `--memory` (they are identical) or invent plausible-sounding flags like `--limit-memory` or `--mem`, or use incorrect unit capitalization like `MB` instead of `m`.

How to eliminate wrong answers

Option B is wrong because `--limit-memory` is not a valid Podman flag; the correct flag is `--memory`. Option C is wrong because `--mem` is not a valid Podman flag; the correct abbreviation is `--memory` (or `-m`). Option D is wrong because `--memory-limit` is not a valid Podman flag, and the value `512MB` uses an incorrect unit format (Podman expects lowercase 'm' for megabytes, e.g., `512m`).

919
MCQ · hard

An administrator needs to apply a set of permissions to an existing directory and all its contents, setting the owner to 'rwx', group to 'rx', and others to '---'. Additionally, newly created files within the directory should inherit the group. Which commands should the administrator run? (Assume the directory is /data, and the group is 'staff'.)

A. chmod -R 750 /data; chmod g+s /data
B. chmod 750 /data; chmod g+s /data
C. chmod -R 755 /data; chmod g+s /data
D. chmod -R 750 /data
Answer: A

Correct: 750 grants rwxr-x---; chmod g+s sets SGID on directory.

Why this answer

chmod -R 750 /data sets permissions recursively. chmod g+s /data sets the SGID bit so new files inherit the group. The other options are missing SGID or have wrong permissions.

920
MCQ · medium

A user wants to create a symbolic link to a file named 'original' in their home directory. Which command creates a symbolic link named 'link'?

A. ln original link
B. ln -s original link
C. ln -s link original
D. symlink original link
Answer: B

Correct: -s for symbolic, original is target, link is name.

Why this answer

ln -s creates a symbolic link; order is target (existing file) then link name.

921
MCQ · medium

Which command will display the disk usage of each file and directory in the current directory?

A. df -h
B. ls -lh
C. du -sh *
D. fdisk -l
Answer: C

du -sh * displays the total size of each file/directory in human-readable format.

Why this answer

Option C is correct because `du -sh *` calculates and displays the disk usage of each file and directory in the current directory. The `-s` flag summarizes each item, `-h` provides human-readable sizes (e.g., KB, MB), and the `*` wildcard expands to all non-hidden entries in the current directory, making it the precise command for this task.

Exam trap

CompTIA often tests the distinction between `df` (filesystem-level) and `du` (directory/file-level) disk usage, and the trap here is that candidates mistakenly choose `ls -lh` thinking it shows disk usage, when it only shows logical file size and does not account for blocks or directory contents.

How to eliminate wrong answers

Option A is wrong because `df -h` reports filesystem-level disk space usage (total, used, available) for mounted filesystems, not per-file or per-directory usage. Option B is wrong because `ls -lh` lists file sizes and metadata but does not calculate actual disk usage (it shows logical file size, not blocks consumed, and cannot handle directories recursively). Option D is wrong because `fdisk -l` is a partition table manipulation tool that lists disk partitions and their geometry, not file or directory disk usage.

922
Multi-Select · medium

A system administrator needs to collect performance data over time to analyze CPU and memory usage trends. Which THREE of the following commands can be used to gather historical performance data? (Choose THREE.)

Select 2 answers
A. iostat
B. uptime
C. free
D. sar
E. vmstat
Answers: A, D

iostat can show historical I/O stats if sysstat logs are used.

Why this answer

sar can collect and report historical data; vmstat gives point-in-time; free shows current memory; iostat shows I/O; uptime shows load averages but not historical.

923
MCQ · easy

A user wants to look up the mail exchange (MX) records for a domain. Which command should be used?

A. dig domain.com MX
B. ping domain.com
C. host -t mx domain.com
D. nslookup -type=mx domain.com
Answer: A

dig domain.com MX queries the MX records.

Why this answer

The `dig` command is a flexible DNS lookup utility that can query any record type by specifying it after the domain name. `dig domain.com MX` directly queries the DNS for mail exchange records, which specify the mail servers responsible for receiving email for the domain. This is the most straightforward and commonly used command for this purpose in Linux.

Exam trap

The trap here is that candidates may think `nslookup` or `host` are incorrect because they are older tools, but they can technically query MX records; however, Cisco tests the understanding that `dig` is the preferred and most comprehensive DNS query tool for Linux troubleshooting.

How to eliminate wrong answers

Option B is wrong because `ping` uses ICMP to test network reachability and does not perform DNS record lookups, so it cannot retrieve MX records. Option C is wrong because `host -t mx domain.com` is a valid command, but the question asks for the command that should be used; while `host` can query MX records, `dig` is more detailed and is the standard tool for DNS troubleshooting. Option D is wrong because `nslookup -type=mx domain.com` is a valid command, but `nslookup` is deprecated in many modern Linux distributions and is less flexible than `dig`; the question expects the most appropriate command, which is `dig`.

924
MCQ · easy

Which tool is used for encrypting files with public-key cryptography on Linux systems?

A. bcrypt
B. LUKS
C. OpenSSL
D. GnuPG
Answer: D

Implements the OpenPGP standard for encrypting and signing data.

Why this answer

GnuPG (GNU Privacy Guard) is the correct tool because it implements the OpenPGP standard (RFC 4880) for encrypting and signing files using public-key cryptography. It allows users to generate a key pair, encrypt a file with the recipient's public key, and decrypt it with the corresponding private key, making it the standard Linux utility for asymmetric file encryption.

Exam trap

The trap here is that candidates confuse OpenSSL's ability to perform asymmetric operations (e.g., `openssl rsautl`) with it being the standard tool for public-key file encryption, while GnuPG is the dedicated utility for OpenPGP-compliant file encryption on Linux.

How to eliminate wrong answers

Option A is wrong because bcrypt is a password-hashing function based on the Blowfish cipher, designed for securely storing passwords, not for encrypting files with public-key cryptography. Option B is wrong because LUKS (Linux Unified Key Setup) is a disk encryption specification that encrypts entire block devices using symmetric keys, not public-key cryptography for individual files. Option C is wrong because OpenSSL is a cryptographic library that supports symmetric and asymmetric encryption, but it is primarily a toolkit for SSL/TLS protocols and command-line encryption of data using symmetric ciphers (e.g., `openssl enc`), not a dedicated public-key file encryption tool like GnuPG.

925
Multi-Select · easy

Which TWO commands can be used to display the current kernel version on a Linux system?

Select 2 answers
A. modinfo
B. uname -r
C. cat /proc/version
D. lsmod
E. dmesg
Answers: B, C

Shows kernel release.

Why this answer

The `uname -r` command displays the kernel release version, which is the standard way to quickly check the current kernel version. The `cat /proc/version` command reads the /proc/version file, which contains a string that includes the kernel version, compiler information, and build date, making it another reliable method to view the kernel version.

Exam trap

CompTIA often tests the distinction between commands that display kernel version (`uname -r`, `/proc/version`) versus commands that show kernel module information (`lsmod`, `modinfo`) or boot logs (`dmesg`), leading candidates to confuse related but incorrect options.

926
MCQ · hard

An administrator wants to ensure that the Apache web server can only listen on port 443 (HTTPS) and not on port 80, enforced by SELinux. Which SELinux boolean should be set to allow Apache to use port 443?

A. httpd_use_nfs
B. httpd_can_network_connect
C. httpd_enable_homedirs
D. None of the above; port 443 is already permitted by default
Answer: D

SELinux allows Apache to bind to port 443 by default; no boolean change needed.

Why this answer

None of the listed booleans controls which ports Apache may listen on. `httpd_use_nfs` is irrelevant, and `httpd_can_network_connect` is needed for outbound connections, not inbound ones. Allowing a service to use a specific port is a matter of port labeling, which the administrator manages with `semanage port`, not of booleans. Port 443 is already allowed by default, so no boolean needs to be set, and Option D is the answer.

927
Multi-Select · easy

Which TWO commands can be used to view a list of all running processes with their PIDs? (Choose two.)

Select 2 answers
A. ps
B. pidof
C. top
D. ls
E. pstree
Answers: A, C

ps -ef displays all processes with PIDs.

Why this answer

The `ps` command (option A) is correct because it displays a snapshot of current processes, and when used without options it shows processes for the current shell; with options like `-e` or `aux` it lists all running processes along with their PIDs. The `top` command (option C) is correct because it provides a real-time, dynamic view of all running processes, including their PIDs, and is commonly used for monitoring system activity.

Exam trap

The trap here is that candidates may confuse `pidof` (which only finds PIDs for a named program) with a general process listing tool, or think `pstree` shows all processes when it actually defaults to the current user's process tree unless used with `-p` and `-a` options.

928
Multi-Select · medium

Which TWO statements about container security are correct when using Docker? (Choose two.)

Select 2 answers
A. SELinux is automatically enabled inside containers.
B. Containers have their own kernel, isolated from the host.
C. Using --cap-drop=ALL removes all capabilities, making the container more secure.
D. By default, containers run with a reduced set of Linux capabilities.
E. Using --network=host increases container isolation.
Answers: C, D

Dropping all capabilities and adding only needed ones is a security best practice.

Why this answer

Option C is correct because using `--cap-drop=ALL` removes all Linux capabilities from the container, which eliminates any privileged operations the container could perform. This forces the container to run with the absolute minimum privileges, significantly reducing the attack surface and making it more secure.

Exam trap

CompTIA often tests the misconception that containers have their own kernel or that SELinux is automatically active, while the real focus is on Linux capabilities and the shared kernel model.

929
MCQ · hard

A custom udev rule for a new USB device is not being applied. The rule file is correctly placed in /etc/udev/rules.d/ with .rules extension. What is the most likely cause?

A. The rule file is not executable
B. The rule uses a wrong attribute or value
C. The device is not recognized by the kernel
D. The rule file is in a subdirectory
Answer: B

Use 'udevadm info' to get correct attributes for matching.

Why this answer

The most likely cause is that the rule uses a wrong attribute or value. Udev rules are matched against device attributes (e.g., vendor ID, product ID, subsystem) exposed by the kernel via sysfs. If the rule specifies an incorrect attribute name, a typo in a value, or a mismatch with the actual device properties, the rule will not trigger.

Since the file is correctly placed and named, the failure is almost always due to a mismatch in the matching criteria.

Exam trap

The trap here is that candidates often assume the rule file must be executable or that the device is not recognized, but the XK0-005 exam tests the understanding that udev rule matching is attribute-driven and that incorrect attribute values are the most common cause of non-application.

How to eliminate wrong answers

Option A is wrong because udev rule files do not need the executable permission; they are read by udev as configuration files, not executed as scripts. Option C is wrong because if the device were not recognized by the kernel, it would not appear in sysfs or generate a uevent, but the question states the rule is not being applied, implying the device is present but the rule fails to match. Option D is wrong because udev does not scan subdirectories; placing the rule file in a subdirectory would cause it to be ignored entirely, but the question explicitly states the file is correctly placed in /etc/udev/rules.d/.

930
MCQ · medium

An administrator needs to capture network traffic on interface eth0 to a file for later analysis. Which tcpdump command is correct?

A.tcpdump -w capture.pcap -i eth0
B.tcpdump -i eth0 -f capture.pcap
C.tcpdump -i eth0 -w capture.pcap
D.tcpdump -w eth0 capture.pcap
AnswerC

Correct syntax: -i interface, -w output file.

Why this answer

tcpdump -i eth0 -w capture.pcap captures packets from eth0 and writes to file. -n disables name resolution, not needed for capture.

931
MCQmedium

A cron job runs a script that produces output, but the administrator does not receive the expected email notification. Which is the most likely cause?

A.The script uses absolute paths for all commands.
B.MAILTO variable is not set in the crontab.
C.The PATH environment variable is not set.
D.The script is not executable.
AnswerB

Cron only sends output to the address specified in MAILTO; if not set, output is lost.

Why this answer

The MAILTO variable in a crontab specifies the email address to which cron sends the output (stdout/stderr) of a job. If MAILTO is not set, cron defaults to mailing output to the owner of the crontab (the user who created it). However, if the administrator expects notifications at a different address, the missing MAILTO variable would prevent that specific email from being sent.

This is the most direct cause of not receiving the expected email notification.

Exam trap

CompTIA often tests the distinction between variables that affect script execution (PATH) versus those that control cron's mail behavior (MAILTO), leading candidates to mistakenly choose PATH or executable permissions when the issue is specifically about email delivery.

How to eliminate wrong answers

Option A is wrong because using absolute paths for all commands does not affect email delivery; it actually helps ensure the script runs correctly regardless of the cron environment. Option C is wrong because the PATH environment variable affects command resolution within the script, not the sending of email notifications by cron. Option D is wrong because if the script were not executable, it would fail to run entirely, producing an error that would still be mailed to the crontab owner (or the MAILTO address if set), so the lack of email notification is not explained by this.

932
MCQmedium

An Ansible playbook fails with a syntax error. Which command validates the playbook syntax without running it?

A.ansible-lint playbook.yml
B.ansible-playbook --check
C.ansible-playbook --validate
D.ansible-playbook --syntax-check
AnswerD

This command parses the playbook and reports syntax errors without executing any tasks.

Why this answer

The `--syntax-check` flag is a built-in option of `ansible-playbook` that parses the YAML file and validates its syntax without executing any tasks. This is the correct tool for catching syntax errors in a playbook before running it.

Exam trap

The trap here is that candidates may confuse `--syntax-check` with `--check` (dry run) or assume `ansible-lint` is the syntax validator, but `--syntax-check` is the only command that validates syntax without any execution.

How to eliminate wrong answers

Option A is wrong because `ansible-lint` is a separate tool that checks for best practices, style, and potential issues, but it does not perform a strict syntax validation of the playbook. Option B is wrong because `--check` performs a dry run that executes the playbook in check mode, which still runs the playbook logic and can fail on syntax errors, not just validate syntax. Option C is wrong because `--validate` is not a valid flag for `ansible-playbook`; the correct flag for syntax validation is `--syntax-check`.

933
MCQhard

Based on the exhibit, which file has an incorrect SELinux context for serving web content via Apache?

A.Neither
B.style.css
C.Both
D.index.html
AnswerD

index.html has context user_home_t, which prevents Apache from serving it; the correct context is httpd_sys_content_t.

Why this answer

The correct answer is D (index.html) because the exhibit shows that index.html has the SELinux context type 'user_home_t', which is not accessible by Apache's httpd process. Apache requires files served via HTTP to have the 'httpd_sys_content_t' context type (or 'httpd_sys_rw_content_t' for writable content) to be readable by the httpd daemon. Without this context, SELinux will block Apache from serving the file, even if file permissions and ownership are correct.

Exam trap

Cisco often tests the distinction between file permissions (DAC) and SELinux contexts (MAC), where candidates assume that correct ownership and permissions (e.g., 644, owned by apache) are sufficient, overlooking that SELinux must also allow the httpd process to access the file via the correct context type.

How to eliminate wrong answers

Option A is wrong because the question explicitly asks which file has an incorrect SELinux context, and index.html does have an incorrect context, so 'Neither' is false. Option B is wrong because style.css has the correct SELinux context type 'httpd_sys_content_t', which allows Apache to serve it, so it is not the file with the incorrect context. Option C is wrong because only index.html has the incorrect context; style.css is correctly labeled, so 'Both' is incorrect.

934
Multi-Selectmedium

Which three are valid systemd unit types?

Select 3 answers
A.process
B.socket
C.service
D.timer
E.job
AnswersB, C, D

socket is a unit type for IPC or network sockets.

Why this answer

B (socket), C (service), and D (timer) are all valid systemd unit types. A socket unit encapsulates a local IPC or network socket in the system for socket-based activation, a service unit describes a process controlled and supervised by systemd, and a timer unit provides a mechanism for triggering activation of other units based on time events. These are among the 12 standard systemd unit types defined in the systemd documentation.

Exam trap

Cisco often tests candidates' familiarity with the exact list of systemd unit types, and the trap here is that 'process' and 'job' sound plausible but are not defined unit types, leading candidates to confuse generic Linux concepts with systemd-specific terminology.

935
Multi-Selectmedium

A system administrator is writing an Ansible playbook to manage a web server. Which three of the following are valid Ansible modules for system administration? (Choose THREE.)

Select 3 answers
A.service
B.copy
C.useradd
D.apt
E.chmod
AnswersA, B, D

Controls system services.

Why this answer

apt, service, and copy are standard Ansible modules for package management, service control, and file copying.

936
MCQhard

A server has a volume group 'vg_data' with a single logical volume 'lv_data' of 100GB mounted at /data. The filesystem on lv_data is XFS. The administrator needs to extend it to 150GB. A new 60GB disk /dev/sdc has been added and partitioned as LVM. The administrator runs `pvcreate /dev/sdc1`, then `vgextend vg_data /dev/sdc1`, then `lvextend -L +50G /dev/vg_data/lv_data`. The administrator runs `df -h /data` and sees that the filesystem still shows 100GB. Which command should be run next?

A.lvreduce -L -50G /dev/vg_data/lv_data
B.fsck /dev/vg_data/lv_data
C.xfs_growfs /data
D.resize2fs /dev/vg_data/lv_data
AnswerC

xfs_growfs grows an XFS filesystem to fill the available space.

Why this answer

For XFS filesystems, after extending the logical volume, the filesystem must be grown using xfs_growfs with the mount point as argument. resize2fs is for ext2/3/4. fsck (option B) checks the filesystem, but it's not needed. lvreduce (option A) would shrink the logical volume, which is incorrect.

937
MCQmedium

In the exhibit, what does 'Tasks: 11 (limit: 512)' indicate?

A.The process is using 512 MB of memory.
B.The service has been running for 512 seconds.
C.The cgroup pids controller is limiting the number of processes/threads.
D.The number of threads is limited to 512.
AnswerC

The limit is enforced by the pids cgroup controller.

Why this answer

The output shown is from the `systemd-cgls` command, which displays cgroup (control group) information. The line `Tasks: 11 (limit: 512)` indicates that the cgroup's pids controller is currently tracking 11 processes/threads within that cgroup and has a configured limit of 512. This limit restricts the total number of processes and threads that can be created in that cgroup, preventing fork bombs or resource exhaustion.

Exam trap

The trap here is that candidates confuse the 'Tasks' count with memory usage or runtime, or assume it refers only to threads without recognizing the cgroup pids controller as the mechanism enforcing the limit.

How to eliminate wrong answers

Option A is wrong because the value 512 is a count of processes/threads, not a memory size in MB; memory limits are shown separately (e.g., `memory.limit_in_bytes`). Option B is wrong because the output does not display any time-related information; `Tasks` refers to process/thread count, not runtime duration. Option D is wrong because while the limit applies to both processes and threads, the statement is incomplete—it omits that the limit is enforced by the cgroup pids controller, and the output explicitly shows the cgroup context, not just a thread limit.

938
MCQhard

A Bash script uses getopts to parse command-line options. The options are -a (requires an argument) and -b (flag). Which code correctly implements this and stores the argument for -a in $optarg?

A.while getopts 'a:b' opt; do case $opt in a) arg=$OPTARG ;; b) flag=true ;; esac done
B.while getopts 'ab:' opt; do case $opt in a) arg=$OPTARG ;; b) flag=true ;; esac done
C.while getopts 'a:b' opt; do case $opt in a) arg=$optarg ;; b) flag=true ;; esac done
D.while getopts ':a:b' opt; do case $opt in a) arg=$OPTARG ;; b) flag=true ;; esac done
AnswerA

Correct. The colon after a indicates it requires an argument, and $OPTARG holds the value.

Why this answer

getopts uses the option string 'a:b' where 'a:' indicates -a requires an argument. The argument is stored in the variable $OPTARG (not $optarg).

939
MCQhard

A company's security policy requires that all user passwords must expire every 90 days. The administrator runs 'chage -M 90 jdoe' for user jdoe. Which additional step ensures that the password expiration policy is enforced for all new users?

A.Set PASS_MAX_DAYS 90 in /etc/login.defs
B.Add 'password required pam_unix.so remember=5' to /etc/pam.d/system-auth
C.Set EXPIRE=90 in /etc/default/useradd
D.Modify /etc/shadow to set max days for each user
AnswerA

This sets the default maximum password age for new users.

Why this answer

Option A is correct because /etc/login.defs contains default values used by useradd and other tools when creating new users. Setting PASS_MAX_DAYS 90 in this file ensures that every new user account created will automatically have a 90-day password expiration, enforcing the policy globally without manual intervention.

Exam trap

The trap here is that candidates confuse the purpose of /etc/login.defs (defaults for new users) with /etc/shadow (current user settings) or think that modifying a single user's policy with chage will propagate to all users.

How to eliminate wrong answers

Option B is wrong because the pam_unix.so remember=5 setting controls password history (preventing reuse of the last 5 passwords), not the maximum password age. Option C is wrong because the EXPIRE parameter in /etc/default/useradd controls account expiration (it sets an absolute expiry date), not password aging; there is no PASS_MAX_DAYS equivalent in that file. Option D is wrong because modifying /etc/shadow manually for each user is not scalable and does not enforce the policy for future new users; it only applies to existing accounts.

940
MCQmedium

A Linux engineer is troubleshooting a cron job that does not execute as expected. The crontab entry reads: '*/5 * * * * /usr/local/bin/backup.sh'. The script runs manually when executed as root. Which of the following is the most likely cause?

A.The cron daemon is not running.
B.The script file does not have execute permissions.
C.The system clock is incorrect.
D.The script requires environment variables that are not set in cron's shell.
AnswerD

Common issue: cron has limited PATH and env.

Why this answer

D is correct because cron jobs run in a minimal shell environment (typically /bin/sh) with a very limited set of environment variables. The script /usr/local/bin/backup.sh may rely on variables like PATH, HOME, or custom variables that are not set in cron's shell, causing it to fail even though it runs fine manually as root. This is a classic cron issue where the interactive shell's environment differs from cron's non-interactive environment.

Exam trap

CompTIA often tests the misconception that a script failing in cron is due to permissions or the cron daemon status, when the real issue is the stripped-down environment that lacks variables the script depends on.

How to eliminate wrong answers

Option A is wrong because if the cron daemon were not running, no cron jobs would execute at all, but the question states only this specific job fails, and the script runs manually. Option B is wrong because the script runs manually when executed as root, which implies it has execute permissions; if permissions were missing, the manual execution would also fail. Option C is wrong because an incorrect system clock would affect all cron jobs based on timing, but the job is scheduled with '*/5 * * * *' and would still attempt to run; the issue is specific to the script's execution environment, not the timing.

941
MCQmedium

A bash script needs to test whether a string variable $NAME is non-empty and equals 'admin'. Which of the following conditionals is correct?

A.if [[ $NAME -ne '' && $NAME -eq 'admin' ]]; then
B.if [[ -n $NAME && $NAME == 'admin' ]]; then
C.if [ $NAME != '' ] && [ $NAME == 'admin' ]; then
D.if [ ! -z $NAME -a $NAME = 'admin' ]; then
AnswerB

Correct. -n tests non-empty, == compares strings.

Why this answer

In bash, [[ -n $NAME ]] tests if the string is non-empty, and == compares strings. Using double brackets is safer for string comparison.

942
MCQhard

An administrator wants to display only the second field from a colon-delimited file named 'passwd' using a text processing tool. Which command will achieve this?

A.sed 's/:.*//' passwd
B.awk -F: '{print $2}' passwd
C.cut -d: -f2 passwd
D.grep -o '^[^:]*:[^:]*' passwd
AnswerB

Correct: awk sets delimiter and prints field 2.

Why this answer

awk -F: '{print $2}' passwd sets field separator to : and prints second field. cut -d: -f2 also works, but the options include awk. sed is for editing, not field extraction; grep is for pattern matching.

943
Multi-Selectmedium

A system administrator needs to remove all files in /tmp that have not been accessed in the last 30 days and are not owned by root. Which two commands, combined, could be used to accomplish this? (Select TWO).

Select 2 answers
A.find /tmp -atime +30 -not -user root -delete
B.find /tmp -mtime +30 -not -user root -delete
C.find /tmp -atime -30 -user root -delete
D.find /tmp -atime +30 -user root -exec rm {} \;
E.find /tmp -atime +30 -not -user root -exec rm {} \;
AnswersA, E

Correct: uses -delete instead of -exec rm, also works.

Why this answer

find with -atime and -not -user root locates files; then use -exec rm or -delete to remove.

944
MCQmedium

A system is experiencing high disk I/O wait. Which command can provide disk I/O statistics such as requests per second and average wait time?

A.sar -u 1 5
B.iostat -x 1
C.free -h
D.vmstat 1 5
AnswerB

iostat -x gives extended stats like r/s, w/s, await, %util.

Why this answer

iostat reports disk I/O statistics including r/s, w/s, await, %util. vmstat shows memory and CPU stats, free shows memory, sar can show I/O but iostat is I/O-specific.

945
MCQeasy

A developer wants to run a container with a specific command that overrides the default entrypoint. Which Docker command should be used?

A.docker run myimage /bin/bash
B.docker exec myimage /bin/bash
C.docker run --entrypoint /bin/bash myimage
D.docker start myimage /bin/bash
AnswerC

Overrides ENTRYPOINT.

Why this answer

Option C is correct because the `--entrypoint` flag in `docker run` allows you to override the default entrypoint defined in the Docker image. By specifying `--entrypoint /bin/bash`, the container will start with `/bin/bash` as its entrypoint, ignoring any `ENTRYPOINT` or `CMD` instructions in the Dockerfile. This is the standard Docker syntax for replacing the entrypoint at runtime.

Exam trap

The trap here is that candidates often confuse `docker run` with `docker exec` or assume that appending a command after the image name (as in option A) overrides the entrypoint, when in fact it only overrides the CMD unless the entrypoint is explicitly changed with `--entrypoint`.

How to eliminate wrong answers

Option A is wrong because `docker run myimage /bin/bash` appends `/bin/bash` as a command argument to the image's default entrypoint (if one exists), or overrides the default CMD, but it does not override the entrypoint itself; if the image has an ENTRYPOINT, the `/bin/bash` argument is passed to that entrypoint, not executed directly. Option B is wrong because `docker exec` is used to run a command in an already running container, not to start a new container with a different entrypoint. Option D is wrong because `docker start` only restarts an existing stopped container and does not accept a command argument; it cannot override the entrypoint or run a new command.

946
MCQmedium

An administrator needs to give a user read and write access to a file without changing the file's group or adding the user to any group. Which method should be used?

A.chown user: file
B.chmod u+rw file
C.setfacl -m u:username:rw file
D.chgrp to user's primary group
AnswerC

ACL allows specific user permissions without changing group.

Why this answer

Access Control Lists (ACLs) allow setting permissions for specific users beyond the traditional owner/group/others model, without changing group membership.

947
Multi-Selectmedium

Which THREE are valid SELinux modes?

Select 3 answers
A.Strict
B.Permissive
C.Enforcing
D.Disabled
E.Audit
AnswersB, C, D

Permissive mode logs violations but does not enforce.

Why this answer

SELinux has three modes: enforcing (policy enforced), permissive (only logs violations), and disabled (SELinux turned off).

948
MCQhard

An administrator is writing a Dockerfile. They need to set a default command that can be overridden when running the container. Which instruction should be used?

A.RUN
B.CMD
C.ENTRYPOINT
D.EXPOSE
AnswerB

CMD provides default command and arguments, which can be overridden by docker run command.

Why this answer

CMD provides defaults that can be overridden by command-line arguments, while ENTRYPOINT cannot be easily overridden without --entrypoint.

949
Multi-Selectmedium

A user has a file with permissions set to 644. Which of the following commands will add the setuid permission to the file? (Choose two.)

Select 2 answers
A.chmod u+s file
B.chmod g+s file
C.chmod 1644 file
D.chmod 4644 file
E.chmod 2644 file
AnswersA, D

Correct: symbolic mode for setuid.

Why this answer

chmod u+s file adds setuid via symbolic. chmod 4644 file sets permissions to rwsr--r-- (setuid). The other options: chmod 2644 sets SGID; chmod 1644 sets sticky bit; chmod g+s sets SGID.

950
MCQeasy

Which command displays the current umask value in symbolic mode?

A.umask
B.umask --symbolic
C.umask -S
D.umask -s
AnswerC

Correct. umask -S shows symbolic mode.

Why this answer

umask -S displays the umask in symbolic (rwx) format. The plain umask shows octal.

951
Multi-Selectmedium

A system administrator needs to configure a cron job to run a script every Monday at 3:00 AM. Which two cron expressions are correct? (Select TWO).

Select 2 answers
A.0 3 * * 0
B.0 3 1 * 1
C.0 3 * * 1
D.0 3 * * 1-5
E.0 3 * * Mon
AnswersC, E

Correct: minute 0, hour 3, any day, any month, Monday.

Why this answer

Option C is correct because the cron expression `0 3 * * 1` schedules the script to run at minute 0, hour 3 (3:00 AM), every day of the month (`*`), every month (`*`), and on Monday (day-of-week 1, where 0=Sunday, 1=Monday). Option E is correct because cron also accepts three-letter abbreviations for days of the week, so `Mon` is equivalent to `1`.

Exam trap

CompTIA often tests two misconceptions: that day-of-week `0` is Monday (it is Sunday), and that combining a specific day-of-month value like `1` with a day-of-week value still runs only on Mondays. When both fields are restricted, cron uses OR logic, so the job would run on the 1st of any month OR on any Monday, not just on Mondays.

952
Multi-Selectmedium

A security analyst is investigating a potential breach and needs to examine user login history. Which THREE commands or log files provide information about user logins? (Select THREE.)

Select 3 answers
A.last
B.lastlog
C.lastb
D./var/log/syslog
E./var/log/messages
AnswersA, B, C

Shows user login history.

Why this answer

The `last` command reads the /var/log/wtmp file to display a list of all user logins and logouts since that file was created, showing timestamps and source IPs. This makes it a primary tool for investigating login history during a breach.

Exam trap

The trap here is that candidates often confuse general system logs like /var/log/syslog or /var/log/messages with dedicated authentication logs, but these files lack the structured login/out records that commands like last, lastlog, and lastb specifically parse.

953
MCQmedium

An administrator needs to replace all occurrences of 'oldhost' with 'newhost' in the configuration file /etc/hosts. Which command will perform the replacement and save the changes directly to the file?

A.sed 's/oldhost/newhost/g' /etc/hosts
B.awk '{gsub(/oldhost/,"newhost")}1' /etc/hosts
C.grep -r 'oldhost' /etc/hosts | sed 's/oldhost/newhost/g'
D.sed -i 's/oldhost/newhost/g' /etc/hosts
AnswerD

Correct: -i edits file in-place, s/oldhost/newhost/g replaces all occurrences.

Why this answer

Option D is correct because the `-i` flag (in-place editing) tells `sed` to write the changes directly back to the file specified. Without `-i`, `sed` only prints the modified output to stdout and does not alter the original file. The substitution command `s/oldhost/newhost/g` performs a global replacement of all occurrences of 'oldhost' with 'newhost' on each line.

Exam trap

The trap here is that candidates often forget the `-i` flag for in-place editing, assuming `sed` modifies the file by default, or they confuse `sed`'s stream behavior with editors like `vim` that directly change the file.

How to eliminate wrong answers

Option A is wrong because it omits the `-i` flag, so the replacement is performed on the stream and printed to stdout, but the original /etc/hosts file remains unchanged. Option B is wrong because `awk` by default writes to stdout only; it does not have an in-place editing flag, so the file is not saved. Option C is wrong because `grep -r` recursively searches for 'oldhost' in /etc/hosts (which is a single file, not a directory) and pipes matching lines to `sed`, but `sed` again lacks `-i` and the pipeline only processes matched lines, not the entire file, so the original file is not modified.

954
Multi-Selectmedium

A Linux administrator is hardening an SSH server. Which two of the following settings should be applied to /etc/ssh/sshd_config to improve security?

Select 2 answers
A.Port 2222
B.X11Forwarding yes
C.PermitRootLogin no
D.PasswordAuthentication no
E.Protocol 1
AnswersC, D

Disables root SSH login, reducing attack surface.

Why this answer

PermitRootLogin no prevents root login; PasswordAuthentication no forces key-based authentication. Changing the port and enabling X11 forwarding are not necessarily hardening.

955
MCQmedium

A file has permissions set to 2755. Which special permission is enabled, and what does it do?

A.SGID; new files in the directory inherit the group
B.No special permission; it is just octal 755
C.Sticky bit; only file owners can delete their files
D.SUID; the file runs with the owner's privileges
AnswerA

Correct: SGID on directories.

Why this answer

The permission 2755 includes the SGID (Set Group ID) special permission, indicated by the leading digit '2'. When SGID is set on a directory, new files and subdirectories created within it inherit the group ownership of the directory, rather than the primary group of the user who creates them. This is critical for collaborative environments where multiple users need shared group access.

Exam trap

Cisco often tests the distinction between the numeric representations of special permissions (1=sticky, 2=SGID, 4=SUID) and their specific effects on directories versus files, leading candidates to confuse SGID with SUID or the sticky bit.

How to eliminate wrong answers

Option B is wrong because the leading '2' in 2755 explicitly indicates a special permission (SGID) is set, not just octal 755. Option C is wrong because the sticky bit is represented by a leading '1' (e.g., 1755), not '2', and it restricts file deletion to owners, not group inheritance. Option D is wrong because SUID is represented by a leading '4' (e.g., 4755), and it applies to executable files to run with the owner's privileges, not to directories for group inheritance.

956
Multi-Selecthard

A system fails to boot with a kernel panic. The administrator suspects a corrupt initramfs or missing kernel module. Which three methods could be used to recover the system? (Choose three.)

Select 3 answers
A.Boot from a live CD/DVD, mount the root filesystem, and chroot
B.At GRUB, edit the kernel line and add 'rd.break' to enter an emergency shell
C.Run 'fsck /dev/sda1' from the GRUB command line
D.Use 'systemctl rescue' from the boot prompt
E.At GRUB, edit the kernel line and add 'single' to boot into single-user mode
AnswersA, B, E

From a live environment, you can repair the initramfs or kernel modules.

Why this answer

At the GRUB menu, editing boot parameters to add 'rd.break' drops into an emergency shell; adding 'single' boots into single-user mode; booting from a live CD allows chroot and repair.

957
Multi-Selecthard

A DevOps team uses Podman to run containers rootlessly. Which TWO of the following characteristics apply to rootless Podman compared to Docker? (Select TWO).

Select 2 answers
A.It can only run containers as root
B.It requires a running daemon at all times
C.It uses the same CLI syntax as Docker
D.It supports running containers without root privileges
E.It relies on a central registry for all images
AnswersC, D

Podman is designed to be a drop-in replacement for Docker CLI.

Why this answer

Podman does not require a daemon (no central daemon), and it can run containers without root privileges by default using user namespaces.

958
MCQeasy

An administrator wants to ensure that only users in the 'wheel' group can use the sudo command. Which directive in /etc/sudoers enables this?

A.%wheel ALL=ALL
B.@wheel ALL=(ALL) ALL
C.%wheel ALL=(ALL) ALL
D.wheel ALL=(ALL) ALL
AnswerC

This allows all members of the wheel group to run any command as any user.

Why this answer

%wheel ALL=(ALL) ALL grants sudo access to all members of the wheel group.

959
MCQhard

During boot, the system stops at a shell with limited functionality. The administrator suspects the root filesystem is corrupted. Which target should the system be booted into to perform recovery?

A.rescue.target
B.multi-user.target
C.graphical.target
D.emergency.target
AnswerD

Emergency target provides the most minimal recovery environment.

Why this answer

emergency.target provides a minimal environment with a single-user shell, suitable for filesystem repairs without starting other services.

960
MCQmedium

A system administrator needs to check the kernel ring buffer for hardware error messages. Which command should be used?

A.dmesg
B.journalctl -k
C.vmstat
D.lsof
AnswerA

dmesg reads the kernel ring buffer for hardware and driver messages.

Why this answer

The `dmesg` command is the standard tool for printing the kernel ring buffer, which contains messages from the kernel, including hardware error messages, device driver initialization, and system boot logs. It directly reads from `/dev/kmsg` or the syslog system call, making it the correct choice for diagnosing hardware issues at the kernel level.

Exam trap

Cisco often tests the distinction between `dmesg` and `journalctl -k`, where candidates mistakenly choose `journalctl -k` because it also shows kernel messages, but the question specifically asks for the kernel ring buffer, which `dmesg` accesses directly without requiring systemd journal services.

How to eliminate wrong answers

Option B is wrong because `journalctl -k` displays kernel messages from the systemd journal, but it relies on the journal daemon being active and may not capture early boot or pre-journal kernel ring buffer messages; it is an indirect method compared to `dmesg`. Option C is wrong because `vmstat` reports virtual memory statistics, process activity, and CPU usage, not kernel ring buffer or hardware error messages. Option D is wrong because `lsof` lists open files and the processes using them, which is unrelated to kernel ring buffer content.

961
MCQmedium

A security audit reveals that the /etc/shadow file has permissions 0644 and is owned by root:shadow. The auditor states that this is a security risk because any local user can read password hashes. The administrator wants to fix the permissions to ensure that only root and the shadow group can read the file, and no one else can read it. Additionally, the administrator wants to set the immutable attribute on the file to prevent accidental modification. Which set of commands achieves the desired state?

A.chmod 640 /etc/shadow; chattr +i /etc/shadow
B.chmod 640 /etc/shadow; chattr +a /etc/shadow
C.chmod 640 /etc/shadow; chmod +i /etc/shadow
D.chmod 600 /etc/shadow; chattr +i /etc/shadow
AnswerA

Sets permissions to owner rw, group r, others none; then sets immutable attribute.

Why this answer

Option A is correct because chmod 640 sets the file permissions to read/write for root (owner) and read-only for the shadow group, while removing all access for others. chattr +i sets the immutable attribute, which prevents any modifications (including deletion, renaming, or content changes) even by root until the attribute is removed. This satisfies the requirement that only root and the shadow group can read the file, and no one else can read it, while also protecting against accidental modification.

Exam trap

CompTIA often tests the distinction between chmod (file permissions) and chattr (extended attributes), and the trap here is that candidates may confuse the immutable attribute (+i) with the append-only attribute (+a) or mistakenly use chmod to set it.

How to eliminate wrong answers

Option B is wrong because chattr +a sets the append-only attribute, which only allows data to be appended to the file (e.g., for log files), but does not prevent modification or deletion of existing content, so it does not fully protect against accidental modification. Option C is wrong because chmod +i is not a valid command; the immutable attribute is set via chattr, not chmod. Option D is wrong because chmod 600 sets permissions to read/write only for root, removing read access for the shadow group, which violates the requirement that the shadow group should still be able to read the file.

962
MCQmedium

An administrator needs to run a script '/usr/local/bin/cleanup.sh' every day at 2:30 AM. Which crontab entry is correct?

A.2 30 * * * /usr/local/bin/cleanup.sh
B.*/30 2 * * * /usr/local/bin/cleanup.sh
C.30 * * * * /usr/local/bin/cleanup.sh
D.30 2 * * * /usr/local/bin/cleanup.sh
AnswerD

Correct syntax for 2:30 AM daily.

Why this answer

The correct crontab syntax is `minute hour day month weekday command`. Option D specifies minute 30, hour 2, and asterisks for all other fields, which means the script runs at 2:30 AM every day. This matches the requirement exactly.

Exam trap

CompTIA often tests the order of minute and hour fields in crontab entries, and the trap here is that candidates may swap them (placing hour first) or use `*/30` thinking it means 'at 30 minutes past the hour' rather than 'every 30 minutes'.

How to eliminate wrong answers

Option A is wrong because it places the hour (2) in the minute field and the minute (30) in the hour field, causing the script to run at 30 minutes past every hour on the 2nd day of the month. Option B is wrong because `*/30` in the minute field means 'every 30 minutes' and `2` in the hour field means 'only during hour 2', so the script runs at both 2:00 AM and 2:30 AM (due to the 30-minute interval), not just once at 2:30 AM. Option C is wrong because it sets minute 30 and hour as `*` (every hour), so the script runs at 30 minutes past every hour, i.e., 24 times per day.

963
MCQhard

A Linux security administrator needs to generate a self-signed certificate for a web server. They want to create a private key and a certificate signing request (CSR) in one step. Which OpenSSL command should be used?

A.openssl genrsa -out key.pem 2048 && openssl req -new -key key.pem -out req.pem
B.openssl req -new -key key.pem -out req.pem
C.openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
D.openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.pem
AnswerD

This creates a new private key and CSR.

Why this answer

The 'req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.pem' command generates a new private key and CSR. The other options either generate a self-signed certificate directly or are incomplete.

964
Multi-Selecthard

Which THREE of the following are valid ways to define environment variables in a Docker container? (Choose three.)

Select 4 answers
A.Passing with docker run -e VAR=value
B.Including in a docker-compose.yml under services: environment:
C.Using the ARG instruction in Dockerfile
D.Using the ENV instruction in Dockerfile
E.Using --env-file option with docker run
AnswersA, B, D, E

Overrides or sets variable at runtime.

Why this answer

Option A is correct because the `docker run -e VAR=value` syntax directly sets an environment variable inside the container at runtime. This overrides any ENV instruction in the Dockerfile for that specific run, giving the operator flexibility without modifying the image.

Exam trap

CompTIA often tests the distinction between build-time (`ARG`) and runtime (`ENV`, `-e`, `--env-file`) variable definitions, and candidates mistakenly think `ARG` persists into the running container.

965
MCQmedium

A systems administrator needs to ensure that a custom service runs with a specific priority on a Linux server. Which command should the administrator use to achieve this?

A.renice -10 -p 1234
B.ionice -c 2 -n 0 -p 1234
C.nice -n -10 /usr/local/bin/myservice
D.chrt -r 99 /usr/local/bin/myservice
AnswerC

nice runs a command with a modified scheduling priority.

Why this answer

Option C is correct because the `nice` command adjusts the CPU scheduling priority of a process at launch time. Using `nice -n -10` sets a higher priority (lower nice value) for the new service, ensuring it runs with the specified priority from the start. This directly meets the requirement to run a custom service with a specific priority.

Exam trap

The trap here is that candidates confuse `nice` (for CPU priority at launch) with `renice` (for adjusting an already running process) or `ionice` (for I/O priority), leading them to select an option that does not set the priority at service start.

How to eliminate wrong answers

Option A is wrong because `renice` changes the priority of an already running process (by PID), not at launch time; the question asks to ensure the service runs with a specific priority, implying it should be set when the service starts. Option B is wrong because `ionice` sets I/O scheduling priority, not CPU priority; the question asks for a specific priority (likely CPU priority), and `ionice` controls disk I/O bandwidth, not CPU scheduling. Option D is wrong because `chrt -r 99` sets a real-time scheduling policy (SCHED_RR) with maximum priority, which is for real-time processes and can cause system instability if misused; the question does not specify real-time requirements, and `nice` is the standard tool for adjusting CPU priority in a non-real-time context.

966
Multi-Selectmedium

An administrator is investigating a security incident and needs to list all open network connections on a server, including listening and established connections, with process information. Which TWO commands can provide this information?

Select 3 answers
A.tcpdump -i any
B.lsof -i -P -n
C.netstat -tulpn
D.ss -tulpn
E.nmap -sT localhost
AnswersB, C, D

lsof with -i shows network connections; -P -n avoid resolution.

Why this answer

ss with appropriate options shows socket statistics including process info; lsof -i lists network connections with process names.

967
MCQmedium

An administrator needs to configure SELinux to allow the Apache HTTP server to connect to a database server. Which SELinux boolean should be enabled?

A.httpd_can_network_connect
B.httpd_enable_cgi
C.httpd_use_nfs
D.httpd_can_network_connect_db
AnswerD

This boolean specifically allows Apache to connect to database servers.

Why this answer

The SELinux boolean `httpd_can_network_connect_db` specifically allows the Apache HTTP server to make outbound TCP connections to database servers (e.g., MySQL, PostgreSQL). This is required when a web application needs to query a remote database. The other booleans control different aspects of httpd's behavior and do not grant network connectivity to databases.

Exam trap

Cisco often tests the distinction between `httpd_can_network_connect` and `httpd_can_network_connect_db` — the trap here is that candidates may choose the more general boolean, not realizing the exam specifically requires the database-targeted boolean for a database connection scenario.

How to eliminate wrong answers

Option A is wrong because `httpd_can_network_connect` allows general outbound network connections (e.g., to any TCP port), which is broader than needed and may introduce unnecessary risk; it does not specifically target database connections. Option B is wrong because `httpd_enable_cgi` controls whether httpd can execute CGI scripts, not network connectivity. Option C is wrong because `httpd_use_nfs` allows httpd to access files on NFS mounts, not to connect to a database server over the network.

968
MCQmedium

A Linux engineer is investigating high disk I/O on a server. Which command provides disk I/O statistics including %util, await, r/s, and w/s?

A.iostat -x 1
B.sar -b
C.vmstat 1 5
D.free -h
AnswerA

iostat -x provides extended disk I/O stats including %util, await, r/s, w/s.

Why this answer

iostat reports CPU and disk I/O statistics, with columns like %util, await, r/s, and w/s.

969
MCQmedium

A Linux administrator is troubleshooting a server that intermittently becomes unresponsive. The administrator suspects a memory leak. Which command should be used to monitor memory usage over time and identify the consuming process?

A.free -h
B.top
C.ss -tuln
D.df -h
AnswerB

Displays real-time process list with memory usage.

Why this answer

The `top` command provides a real-time, dynamic view of system processes, including memory usage (RES, VIRT, %MEM) and can be sorted by memory consumption. It updates continuously, making it ideal for monitoring memory usage over time and identifying the specific process responsible for a suspected memory leak.

Exam trap

The trap here is that candidates confuse system-wide memory reporting (`free -h`) with per-process monitoring (`top`), or mistake disk usage commands (`df -h`) or network tools (`ss`) for memory diagnostics.

How to eliminate wrong answers

Option A is wrong because `free -h` shows total, used, and available memory in human-readable format, but it does not display per-process memory consumption or allow monitoring over time. Option C is wrong because `ss -tuln` lists listening and connected sockets (TCP/UDP) with numeric addresses; it is a network socket statistics tool, not a memory monitoring command. Option D is wrong because `df -h` reports filesystem disk space usage, not memory (RAM) usage, and cannot identify processes consuming memory.

970
MCQeasy

A process has become unresponsive and is in a zombie state. Which action should the administrator take to remove the zombie process?

A.kill -18 <PID>
B.kill -9 <PID>
C.Wait for the init process to clean it up; no action needed
D.Kill the parent process of the zombie
AnswerD

When the parent process dies, the zombie is inherited by init, which reaps it immediately.

Why this answer

A zombie process is a child process that has terminated but whose exit status has not been read by its parent. The only way to remove it is to kill the parent process (using kill -9 or similar), which causes the zombie to be re-parented to init (PID 1), which then automatically reaps it by calling wait(). Option D is correct because directly killing the zombie (kill -9) has no effect—the zombie is already dead and cannot receive signals.

Exam trap

Cisco often tests the misconception that you can kill a zombie process directly with kill -9, but the trap is that a zombie is already dead and only its parent's termination (or explicit wait) can remove it from the process table.

How to eliminate wrong answers

Option A is wrong because kill -18 sends SIGCONT, which continues a stopped process; a zombie is already dead and cannot be continued. Option B is wrong because kill -9 sends SIGKILL, which cannot be caught or ignored, but a zombie process is already terminated and cannot be killed again—it is a process table entry, not a running process. Option C is wrong because the init process only cleans up zombies that are orphaned (i.e., whose parent has died); if the parent is still alive, init will not reap the zombie until the parent terminates or explicitly calls wait().

971
MCQeasy

A system administrator needs to find out which process is using a particular file. Which command should they use?

A.fuser /path/to/file
B.lsof /path/to/file
C.ps aux | grep file
D.stat /path/to/file
AnswerB

lsof lists all open files and the processes that opened them.

Why this answer

The `lsof` command (list open files) is the correct tool because it displays information about files opened by processes, including the specific file path. When given a file path, `lsof` lists the PID and process name that currently have that file open, directly answering the administrator's need.

Exam trap

The trap here is that candidates may confuse `fuser` with `lsof` because both can identify processes using a file, but `lsof` provides more comprehensive output and is the standard tool for detailed process-to-file mapping in the XK0-005 exam.

How to eliminate wrong answers

Option A is wrong because `fuser` identifies processes using a file or socket, but it does not provide the detailed process information (like command name) that `lsof` does; `fuser` is more suited for identifying PIDs to kill processes. Option C is wrong because `ps aux | grep file` searches for the string 'file' in the process list, which may match process names or arguments containing 'file' but does not reliably identify which process has a specific file open; it relies on grep pattern matching, not kernel-level file descriptor tracking. Option D is wrong because `stat` displays file metadata (size, permissions, timestamps) and does not show which processes are using the file.

972
MCQmedium

A system administrator notices that the root filesystem is at 95% capacity. Which command should be used to identify the directories consuming the most space?

A.df -h
B.du -sh /*
C.fdisk -l
D.ls -la /
AnswerB

Shows size of each top-level directory.

Why this answer

B is correct because `du -sh /*` calculates disk usage for each top-level directory under root, showing human-readable sizes. This directly identifies which directories consume the most space, allowing the administrator to pinpoint the source of the 95% capacity issue.

Exam trap

The trap here is that candidates often confuse `df -h` (filesystem-level overview) with `du -sh` (directory-level detail), mistakenly thinking `df` can pinpoint which directories are consuming space.

How to eliminate wrong answers

Option A is wrong because `df -h` shows filesystem-level disk usage (capacity, used, available) but does not drill down into directories to identify which ones are consuming space. Option C is wrong because `fdisk -l` lists partition tables and disk geometry, not directory-level disk usage. Option D is wrong because `ls -la /` lists file names, permissions, and metadata but does not calculate or display the actual disk space consumed by each directory.

973
Multi-Selecthard

Which TWO tools are specifically designed to detect rootkits on a Linux system?

Select 2 answers
A.lsof
B.rkhunter
C.netstat
D.clamav
E.chkrootkit
AnswersB, E

Rootkit hunter tool.

Why this answer

B is correct because rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors, and possible local exploits by comparing file hashes, checking for hidden processes, and analyzing system binaries for known rootkit signatures. It is specifically designed to detect rootkits on Linux systems.

Exam trap

The trap here is that candidates may confuse general system monitoring tools (lsof, netstat) or general antivirus (ClamAV) with specialized rootkit detection tools, but only rkhunter and chkrootkit are explicitly designed for that purpose.

974
MCQmedium

Refer to the exhibit. What is the total amount of RAM installed on the system?

A.7.7G
B.7.5G
C.8.0G
D.0.1G
AnswerA

The total column shows 7.7G.

Why this answer

The output of `free -h` shows the total memory in the 'total' column of the 'Mem:' row, which is 7.7G. This value represents the total physical RAM installed and available to the system, as reported by the kernel from the hardware.

Exam trap

The trap here is that candidates confuse the 'total' column with the nominal hardware capacity (e.g., 8 GB) or mistakenly pick the 'used' or 'available' values, not realizing that `free -h` reports the kernel's view of installed RAM after hardware reservations.

How to eliminate wrong answers

Option B (7.5G) is wrong because it corresponds to the 'used' column, not the 'total' column, and represents memory currently in use by processes and the kernel. Option C (8.0G) is wrong because it might be the nominal installed RAM (e.g., 8 GB stick), but the system reports 7.7G due to reserved memory for hardware, firmware, or the kernel (e.g., BIOS, GPU, or kernel memory reservation). Option D (0.1G) is wrong because it is the 'available' column, which estimates memory available for starting new applications, not the total installed RAM.

975
MCQmedium

A Linux system has a directory with permissions drwxr-xr-x. A user in the group 'dev' tries to create a new file inside this directory. Which permission is missing that prevents the user from creating the file?

A.Write permission for the owner
B.Sticky bit is set
C.Write permission for the group
D.Execute permission for the group
AnswerC

The group lacks write permission on the directory.

Why this answer

The directory has write permission for the owner, but only read and execute for the group. To create a file, the user needs write permission on the directory, which is not granted to the group.
